Data protection often gets a bad name.
I recall a few years back being called by a chap from some utility company.
I wasn't sure whether he'd got the right number and mentioned this to him. I asked him to confirm my name to which his response was:
“I'm sorry but I can't tell you what your name is for data protection reasons”
“You rang me but yet you can't tell me who I am?”
Even a Gallic shrug of French philosophers would struggle to understand the existential crisis that we found ourselves in.
It got me thinking: why is data protection so misunderstood by businesses? I'm sure that many businessmen and women simply box data protection off in their heads under 'overcomplicated legal regime that doesn't really apply to my business.' They believe that, so long as they don't leave their computers plugged in on a street corner with yellow sticky notes affixed to their screens with all relevant passwords scribbled onto them, they'll be OK.
Well, it will be of no surprise to learn that this is not the case. Indeed, one of the biggest challenges in recent years for many businesses, with increasing numbers of temporary workers employed by them, is dealing with such temporary staff in the context of data protection.
So for today's post, we are republishing a helpful interview with Lizzie Charlton of Eversheds. In this interview, Lizzie discusses whether employers are sufficiently training their temporary workers on data protection issues following the ICO's recent warning in this respect.
Any organisation which collects personal data and determines the purpose(s) for which it will be processed will be a ‘data controller’ for the purposes of the UK’s Data Protection Act 1998 (DPA 1998).
A business is capable of being a data controller in respect of any personal data of its past, present and potential employees and customers.
An employer’s responsibility as a data controller extends to cover any temporary workers it employs to the extent that:
The ICO is able to impose sanctions for non-compliance which include the power to serve enforcement notices, information notices and monetary penalties of up to £500,000. Failure to comply with an ICO sanction could attract criminal liability.
Crucially, data security breaches are often heavily reported by the press and can result in some tricky public relations issues for reputable companies.
Organisations should ensure all workers (including temporary workers) who are likely to handle personal data as part of their role are given adequate data protection training to help minimise the risk of a data security breach.
Organisations should also give consideration to any third parties which process personal data on their behalf and ensure DPA 1998 compliance by including sufficient safeguards in their contractual arrangements.
In addition, employers should implement robust and transparent privacy notices which notify employees and contractual workers if, how and why their personal data may be processed by the organisation.
Employers’ data protection responsibilities apply across all sectors. In light of the ICO’s recent comments, those sectors which engage with high numbers of temporary workers, such as the retail, hospitality and travel industries, should be particularly vigilant to ensure that all such workers are trained to safeguard personal data. However, as more businesses turn to temporary workers to provide flexibility (particularly in the current climate), the issue is one which has the potential to touch all sectors.
Businesses such as healthcare organisations and financial institutions, which process large amounts of ‘sensitive personal data’ (as defined in DPA 1998) or commercially sensitive personal data (eg customers’ financial information), should be particularly cautious when considering their data protection obligations, due to the potential damage or distress a security breach could cause. Likewise, businesses should look at particular teams where there is heavier use of temporary workers, for example IT departments, and the degree of access persons in those roles may have to personal data.
Some examples of ICO sanctions issued in response to employment related security breaches include:
This interview was originally published in LexisPSL Commercial on 9 January 2014. Interviewed by Nicola Laver. The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.