0330 161 1234
Data protection often gets a bad name.
I recall a few years back being called by a chap from some utility company.
I wasn't sure whether he'd got the right number and mentioned this to him. I asked him to confirm my name to which his response was:
I'm sorry but I can't tell you what your name is for data protection reasons”
“You rang me but yet you can't tell me who I am?”
Even a Gallic shrug of French philosophers would struggle to understand the existential crisis that we found ourselves in.
It got me thinking: why is data protection so misunderstood by businesses? I'm sure that many businessmen and women simply box data protection off in their heads under 'overcomplicated legal regime that doesn't really apply to my business.' They believe that, so long as they don't leave their computers plugged in on a street corner with yellow sticky notes affixed to their screens with all relevant passwords scribbled onto them, they'll be OK.
Well, it will be of no surprise to learn that this is not the case. Indeed, one of the biggest challenges in recent years for many businesses, with increasingly amounts of temporary workers employed by them, is dealing with such temporary staff in the context of data protection.
So for today's post , we are republishing a helpful interview with Lizzie Charlton of Eversheds. In this interview, Lizzie discusses whether employers are sufficiently training their temporary workers on data protection issues following the ICO's recent warning in this respect.
Any organisation which collects personal data and determines the purpose(s) for which it will be processed will be a ‘data controller’ for the purposes of the UK’s Data Protection Act 1998 (DPA 1998).
A business is capable of being a data controller in respect of any personal data of its past, present and potential employees and customers.
An employer’s responsibility as a data controller extends to cover any temporary workers it employees to the extent that:
The ICO is able to impose sanctions for non-compliance which include the power to serve enforcement notices, information notices and monetary penalties of up to £500,000. Failure to comply with an ICO sanction could attract criminal liability.
Crucially, data security breaches are often heavily reported by the press and can result in some tricky public relations issues for reputable companies.
Organisations should ensure all workers (including temporary workers) who are likely to handle personal data as part of their role, are given adequate data protection training to help minimise the risk of a data security breach.
Organisations should also give consideration to any third parties which process personal data on their behalf and ensure DPA 1998 compliance by including sufficient safeguards in their contractual arrangements.
In addition, employers should implement robust and transparent privacy notices which notify employees and contractual workers if, how and why their personal data may be processed by the organisation.
Employers’ data protection responsibilities apply across all sectors. In light of the ICO’s recent comments, those sectors which engage with high numbers of temporary workers, such as the retail, hospitality and travel industries, should be particularly vigilant to ensure that all such workers are trained to safeguard personal data. However, as more businesses turn to temporary workers to provide flexibility (particularly in the current climate), the issue is one which has the potential to touch all sectors.
Businesses such as healthcare organisations and financial institutions, which process large amounts of ‘sensitive personal data’ (as defined in DPA 1998) or commercially sensitive personal data (eg customers’ financial information), should be particularly cautious when considering their data protection obligations, due to the potential damage or distress a security breach could cause. Likewise, businesses should look at particular teams where there is heavier use of temporary workers, for example IT departments, and the degree of access persons in those roles may have to personal data.
Some examples of ICO sanctions issued in response to employment related security breaches include:
This interview was originally published in LexisPSL Commercial on 9 January 2014. Interviewed by Nicola Laver. The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.
* denotes a required field
