With legislation such as the National Minimum Wage Act 1998 and the Working Time Regulations 1998 requiring that employers keep more and more information on their employees, the Data Protection Act 1998 (DPA) came into force not a moment too soon. This article looks in particular at what trade unions need to know as 'data controllers' but also looks at what protection and rights are afforded to employees (union members). This article is intended as an introductory guide to what is a complex piece of legislation.

The DPA has been designed with openness and access to information in mind. It has been drawn up in line with the EC Data Protection Directive 1995. Article 1 of the Directive stipulates its purpose as being to protect the rights and freedoms of people, in particular their privacy. Unlike the 1984 Act of the same name, the Act covers manual records, where they are held in 'a relevant filing system', as well as computer records, and will therefore have a huge impact in the workplace as most personnel files are paper-based. The Act came into force on 1 March 2000 but will not become fully effective until 23 October 2007. The Act comes into force in stages, repealing not only the 1984 Act but also the Access to Health Records Act 1990 for all employment-related purposes.

Trade unions as data controllers

The Data Protection Act applies to almost anyone who stores personal data. The Act refers to such a person or body, such as a trade union, as the 'data controller'. This means that trade union members have the same rights as employees when it comes to data storage.

To make sure that all information is handled properly, employers and trade unions are required to comply with eight data protection principles and ensure that before any personal data (meaning any data where a living individual can be identified) is processed, they are included in the register of notifications maintained by the Data Protection Commissioner. Unions, as data controllers, are likely to be exempt from notification. Non-profit making organisations are exempted where the data is held for 'the purposes of establishing or maintaining membership of or support for the body or association or providing or administering activities for individuals who are either members of the body or have regular contact with'. Unions are still subject, however, to the eight principles.

The Eight Principles, embodying the fundamental purpose of the Act, require that information is: 

  1.  fairly and lawfully processed 
  2.  processed for limited purposes 
  3.  adequate, relevant and not excessive 
  4.  accurate 
  5.  not kept for longer than is necessary 
  6.  processed in line with employees' and members' rights
  7.  secure 
  8.  not transferred to countries without adequate protection

Contravention of the principles may result in the Commissioner issuing an enforcement notice.

To process personal data, consent of the member will need to be obtained. Consent is not defined in the Act; for this we need to turn to the Directive, where it is defined as 'any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.' Completion of a membership form should therefore be sufficient, depending on the wording on the application form.

The Act singles out certain information as sensitive personal data and this specifically affects trade unions. This data is defined as racial or ethnic origin, political opinions, union membership, religious belief, physical or mental health, sexual life, the commission or alleged commission of an offence and any proceedings for any offence. The processing of this data not only has to comply with the eight principles, but also with further strict criteria set out in Schedule 3 to the Act. Unions will need the explicit consent of members if faced with any requests as to whether or not a person is a union member. Without this, requests should be refused.

There is a requirement for data controllers, including those exempt from notification, to make processing details public on request. If faced with such a request, it may be possible to comply by voluntary notification.

Members' rights as employees

Part II of the Act gives employees their all-important rights, including rights of access and to amend. Although under the 1984 Act employees did have access to certain information stored on them, the DPA 1998 gives employees much wider access and will have a larger impact as they will be able to access certain paper-based files, including, from 23 October 2001, their personnel files. The request for information must be in writing and employers are able to charge up to £10 for supplying this information. A request must be complied with promptly, and in any event within 40 days from the date the request is received. There are exceptions to the information employees may have access to, and these include references.

To amend inaccurate data, an employee (data subject) can ask the data controller (employer), ask the Data Protection Commissioner for an assessment, or seek an order from the court. There are also rights in relation to health and criminal records, automated decisions, to see 'relevant particulars' and to prevent processing likely to cause damage or distress.

Enforcement

The Data Protection Commissioner and the courts have powers to deal with breaches. The Commissioner has powers to serve information notices and enforcement notices. An enforcement notice can require a data controller to take or refrain from taking certain action. There is a right of appeal. The Commissioner also has powers of entry and inspection.

A person can bring a claim in the County Court or High Court for any breach of the Act where damage has occurred.

In force

Although the Act came into force on 1 March 2000, there are two transitional periods bringing in the legislation: the first up to 23 October 2001 and the second up to 23 October 2007.