What you need to know about data protection if you employ temporary staff

Data protection often gets a bad name.

I recall a few years back being called by a chap from some utility company.

I wasn't sure whether he'd got the right number and mentioned this to him. I asked him to confirm my name to which his response was:

“I'm sorry but I can't tell you what your name is for data protection reasons”

“You rang me but yet you can't tell me who I am?”

Even a Gallic shrug of French philosophers would struggle to understand the existential crisis that we found ourselves in.

It got me thinking: why is data protection so misunderstood by businesses? I'm sure that many businessmen and women simply box data protection off in their heads under 'overcomplicated legal regime that doesn't really apply to my business.' They believe that, so long as they don't leave their computers plugged in on a street corner with yellow sticky notes affixed to their screens with all relevant passwords scribbled onto them, they'll be OK.

Well, it will be of no surprise to learn that this is not the case. Indeed, one of the biggest challenges in recent years for many businesses, which employ increasing numbers of temporary workers, is dealing with such temporary staff in the context of data protection.

So for today's post, we are republishing a helpful interview with Lizzie Charlton of Eversheds. In this interview, Lizzie discusses whether employers are sufficiently training their temporary workers on data protection issues following the ICO's recent warning in this respect.

What data protection duties are expected of employers in relation to temporary workers?

Any organisation which collects personal data and determines the purpose(s) for which it will be processed will be a ‘data controller’ for the purposes of the UK’s Data Protection Act 1998 (DPA 1998).

A business is capable of being a data controller in respect of any personal data of its past, present and potential employees and customers.

An employer’s responsibility as a data controller extends to cover any temporary workers it employs to the extent that:

  • the worker handles personal data in performing their role
  • the worker’s own personal data is processed by the employer

What are the potential sanctions for employers who fail to implement adequate training?

The ICO is able to impose sanctions for non-compliance which include the power to serve enforcement notices, information notices and monetary penalties of up to £500,000. Failure to comply with an ICO sanction could attract criminal liability.

Crucially, data security breaches are often heavily reported by the press and can result in some tricky public relations issues for reputable companies.

What are your best practice tips?

Organisations should ensure all workers (including temporary workers) who are likely to handle personal data as part of their role, are given adequate data protection training to help minimise the risk of a data security breach.

Organisations should also give consideration to any third parties which process personal data on their behalf and ensure DPA 1998 compliance by including sufficient safeguards in their contractual arrangements.

In addition, employers should implement robust and transparent privacy notices which notify employees and contractual workers if, how and why their personal data may be processed by the organisation.

Are there any particular sectors most at risk?

Employers’ data protection responsibilities apply across all sectors. In light of the ICO’s recent comments, those sectors which engage with high numbers of temporary workers, such as the retail, hospitality and travel industries, should be particularly vigilant to ensure that all such workers are trained to safeguard personal data. However, as more businesses turn to temporary workers to provide flexibility (particularly in the current climate), the issue is one which has the potential to touch all sectors.

Businesses such as healthcare organisations and financial institutions, which process large amounts of ‘sensitive personal data’ (as defined in DPA 1998) or commercially sensitive personal data (eg customers’ financial information), should be particularly cautious when considering their data protection obligations, due to the potential damage or distress a security breach could cause. Likewise, businesses should look at particular teams where there is heavier use of temporary workers, for example IT departments, and the degree of access persons in those roles may have to personal data.

How has the ICO dealt with past failures in this area?

Some examples of ICO sanctions issued in response to employment related security breaches include:

  • November 2013—The ICO required Great Ormond Street Hospital for Children NHS Foundation Trust to enter into an undertaking to improve its data protection practices after it was discovered that communications containing sensitive personal data were sent by staff (including temporary workers) to the wrong address
  • August 2013—The ICO issued a monetary penalty notice for £100,000 to Aberdeen City Council after an employee accessed work documents from home and caused a data breach resulting in sensitive information relating to social services involvement with several individuals being published online
  • October 2012—The ICO issued an enforcement notice to Stoke-on-Trent City Council after a number of emails containing ‘sensitive personal data’ in relation to a child protection case were sent in error to an incorrect email address. The enforcement notice required the council to prepare, implement and monitor a training programme for all employees whose job involved handling personal data

This interview was originally published in LexisPSL Commercial on 9 January 2014. Interviewed by Nicola Laver. The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.
