Who's watching?
How will the Employment Practices Data Protection Code on Monitoring at Work, published in June, help OH comply with the Data Protection Act and will it encourage employers to adopt good practice? By Linda Goldman & Joan Lewis.
There is a public perception that the workplace is a hothouse for nurturing litigation.
On one hand, the raft of European and domestic legislation designed to ensure health and safety at work opens a door to legal intervention.
On the other, the current trend towards fair and flexible internal grievance resolution, supported by statutory dispute resolution procedures, has not yet reduced the numbers of people making claims in courts and tribunals.
Underpinning any successful solution to otherwise irreconcilable differences is the need for accurate information, properly acquired.
Once facts are on record, the Data Protection Act 1998 (DPA) becomes the framework for justice.
In June 2003, the Information Commissioner published Part 3 of the Employment Practices Data Protection Code on Monitoring at Work. This will help OH practitioners comply with the DPA and, in particular, encourage their employers to adopt good practice.
Rights of the data subject
The facts that comprise information about an individual are called data. The DPA contains eight principles by which data is acquired, stored and used. These are set against the background of the most important fact of all: data is the property of the person to whom it relates.
Responsibilities of data control
OH practitioners acquire and store data. They are therefore data controllers, whose duty to process data fairly and lawfully can only be fulfilled by obtaining consent from the subject.
Consent will also relate to the release of data in certain specified situations, including for legal proceedings. In a life or death situation, consent for the use of data can be given by a third party.
Data may also be disclosed where necessary for medical purposes if it is undertaken by a health professional subject to an ethical duty of confidentiality.
It is also worth noting that in some circumstances, OH may be privy to information that may need to be disclosed in the 'public interest'.
Take, for example, a drugs test that reveals the use of an illegal drug by someone applying for another job who works in a potentially hazardous occupation, say, a bus driver or fork-lift driver.
What is the duty of the OH department, which has carried out the health surveillance for the new employer, to inform the employee's current employer of the results of the drugs test?
Here the question of disclosure arises because of the risk to the public of a driver with drugs in his system. Disclosure should only be made to his other employer if so advised by the practitioner's legal advisers, as it will have to pick up the tab if it turns out that disclosure should not have been made.
The DPA provides in section 29 for disclosure for the purposes of investigating crime. If the drug is an illegal substance and the police are the agency for investigating crime, disclosure to the police may be made, provided the insurer agrees that any steps should be taken at all.
Since data should only be kept for the purpose for which it is needed and for a justifiable period, the OH practitioner must bear in mind that there will be cases where records may need to be preserved if there is a risk of personal injury litigation. For example, three years is the limitation period running from the date of knowledge of the accident or injury for a claim in negligence.
Where further health records need to be kept because of the risk of long-term illness such as asbestosis or other chemical or product related issues, a view should be taken on maintaining records for longer.
As a matter of good practice, health and safety legislation should be consulted to see if any aspect of the work carried out by the at-risk employee requires retention for longer periods.
The information contained in retained records remains the property of the individual who, for a standard fee of £10, is entitled to have a copy for their own information. It is advisable to keep a record of the fact that any changes to records have taken place, such as when deletions are made.
The Information Commissioner is in the protracted process of issuing a complete code of practice in relation to employment practices in the implementation of the DPA. To date, three parts of the code have been published. The fourth part will relate to medical information, and is expected to be published by the end of the year.
The parts of the code issued to date suggest that a very high standard of compliance with the DPA is required.
For OH practitioners, these standards accord with ethical principles.
Since the fourth data principle requires accuracy of data and the fifth requires data to be kept for no longer than necessary, more interaction with data subjects may be useful. It is suggested that employees be shown their records at regular intervals so updates can be made and inaccuracies identified.
Effect of the code of practice on workplace monitoring
Stringent precautions should be taken when transmitting data, particularly data containing medical information, by e-mail, fax or post, to ensure security, encryption and receipt by the named addressee.
E-mail is an increasing problem. Many complaints are made to the Information Commissioner about refusal of access to information held in e-mails, usually when the data controller believes they have been deleted, but in fact a back-up system has ensured retention.
The commissioner has the power to assess whether there has been a failure to provide access to personal data held in e-mails by making his own investigation. In using that power, he will ascertain whether there has been compliance with the applicable part of the code of practice.
As a general rule, a code of practice does not have the full force of the law, but the employer's failure to comply may be taken into account as evidence tending to support a breach of the Act having been committed.
Transmission of OH records occurs at the stage when they are released, under circumstances that include the request of the subject and a change of OH provider.
In the latter instance, the affected data subjects should be informed of the whereabouts of their records and the nature and scope of the new data protection system. When in doubt about the transferral or storage of records, particularly if the original employer becomes insolvent, the Employment Medical Advisory Service may be able to advise.
Linda Goldman is a barrister at 7 New Square, Lincoln's Inn. She is head of training and education for ACT Associates & Virtual Personnel. Joan Lewis is the senior consultant and director of Advisory, Consulting & Training Associates and Virtual Personnel, employment law and advisory service consultancies and licensed by the General Council of the Bar in employment matters under BarDirect.
Sketchplan of data protection principles