This book is the second edition of the author's study of data protection issues in the workplace. Its purpose is to provide an updated user-friendly handbook which provides advice on compliance with the Data Protection Act 1998.
Twenty-five years after the introduction of data protection legislation, this area is still seen as complex and confusing. Therefore the author aims to provide guidance for employers, human resources professionals and data protection officers, and, like the author's previous publications aimed at employers, it is marked by an approach which is focused, practical and holistic. There is an underlying theme within the work that matters involving data protection in the workplace cannot be considered in a vacuum, and the relationship of data protection with many other areas pertaining to the protection and disclosure of information in the workplace is explored in a lively and accessible way.
Guidance on data protection compliance is offered in the following areas: recruitment and selection, employee records, health records, equality and equal opportunities monitoring, employee monitoring and freedom of information. There are many recent legal changes and developments in the areas of disclosure of information, notification requirements under TUPE 2006, and the effects of new technologies on the protection of employee data. Macdonald explores these effectively in the new edition, emphasising that all have an impact on employers and lack of compliance has serious consequences.
A particularly notable feature of the work is the links to useful sources of guidance, for example the reader is encouraged to use various codes of practice. Checklists on compliance with the various areas are provided and a restrained approach to the use of authorities is employed which is appropriate and useful to the target readership.
An initial overview of the Data Protection Act 1998 (DPA) and the Freedom of Information Act 2000 (FOI) is given. The DPA principles are then explored and useful examples and action points for compliance with the principles are suggested. The author goes on to deal with notification requirements in some detail and considers the effect of the DPA in practice. The impact of advances in technology on the risk of personal data being recorded, used, or disclosed is discussed. The author then examines the new statutory duty to provide information about employees under TUPE 2006, with a section on good practice guidelines for both the original and new employer.
A key discussion is that which deals with data protection issues on the recruitment and selection of employees. The commercial focus of the author is particularly apparent here: the guidance and practical examples for compliance given will be extremely useful to employers. The discussion on advertising by recruitment agencies is pertinent given the growth in this method of recruitment. The thorny issue of disclosure of references is examined with guidance on the law and the handling of subject access requests. A new and topical section on the use of social networking sites has been added to this edition, and the author highlights the issues and problems of using this as a method to vet potential recruits. The effect of the Immigration, Asylum and Nationality Act 2006 on recruitment and selection is considered and, as the author points out, reconciling these requirements with compliance with the Race Relations Act can be a challenge for employers.
Time limits for the holding of recruitment records are discussed, and this leads on to a consideration of data protection issues regarding employees' records. The impact of new technologies and new ways of working are taken into account when listing measures to ensure the security of employee records. The importance of rules and procedures is emphasised and some useful sample clauses for inclusion in employee contracts are given regarding confidentiality and the use of passwords. There is a detailed section on dealing with the security of, and access to, disciplinary records and the disclosure of witness statements. Given the recent repeal of legislation in the area of discipline and grievance procedures, and the developments on liability for workplace bullying, the importance of comprehensive records, properly protected, cannot be over-stated and the author's emphasis is appropriate.
A new section on the National Staff Dismissal Register has been added to this edition. A more detailed exploration of an area with such human rights implications would be welcomed in the future. Human rights issues are implicit in the next topic of employees' health records and as health records are regarded as 'sensitive data' under the DPA the author gives a detailed explanation of the principles and suggests the policies and procedures which should be followed by employers. The impact of disability legislation on data protection in this area is essential to understanding, and the author gives a useful overview of the Disability Discrimination Act before examining the impact of the DPA. Drugs and alcohol testing are examined and the chapter concludes with an overview of the rapidly developing areas of genetic testing and if it can be justified in the workplace. Equal opportunities monitoring is then examined and the brief overview of each area of discrimination before discussion of data protection compliance is useful for refreshing knowledge of the area.
In the chapter on employee monitoring the author has produced a detailed section on the inter-relationship between the DPA and the Lawful Business Practice Regulations 2000. Different types of monitoring are examined (eg CCTV, audio, in-vehicle, third-party monitoring and searches of employees). Excellent guidance is provided on the introduction of policies on monitoring employees' communication and a checklist on monitoring.
Finally, there is a new chapter on the Freedom of Information Act 2000 (FOI). This is a useful overview of this highly topical piece of legislation, and there are suggestions regarding sources of further information and a discussion on the relationship of data protection and freedom of information.
The approach to each topic is one where the law is stated, current guidance examined and a sound commercial style applied in examining various considerations and suggesting solutions to issues.
As the author points out, HR managers may believe data protection issues are impossibly complicated. This book, with its detailed but accessible approach and strong practical focus will provide a useful toolkit to guide HR professionals and is an invaluable addition to the shelves of any HR department.
Diane Williams
Law School, Bangor University
Communications Law, 2009.
Protocols concerning legal issues continue to increase in importance within all types of business and protocols relating to data protection provide no exception. The data protection protocols which are often implemented by human resource departments provide an opportunity for the organisation to guide individuals through activities that can have harmful legal ramifications if these activities are executed incorrectly. Accurate drafting of protocols is problematic in itself, as often a range of scenarios have to be considered and subsequently factored into the process of writing and updating. Adding in the dynamic area of data protection with its raft of legally mandated duties can provide significant problems. These problems are tackled within this book.
The book moves from the general principles of the legislation to the specifics of application very well. I personally would have liked to see further use of practical examples in certain elements of the more complicated areas of the legislation; however, for those working within the human resources field this is not likely to be a substantial issue. It is reassuring that the index reads like a checklist of the key elements within the organisational data protection field: an overview, the general principles, notification, the Data Protection Act, recruitment and selection, employee records, health, equal opportunities, monitoring and finally freedom of information. Each section of the book provides a practical take on the issues and produces up-to-date insight phrased in an understandable way. The one comment I will make concerns the conclusion, which begins as follows:
HR [Human Resources] managers may believe data protection issues are impossibly complicated. Whilst it is true that very detailed guidance […] needs to be considered and followed, in practice most of the rules amount to little more than commonsense. (p.205)
I agree with the statement on a very general level; however, a reader who works in but may not be fully aware of the full implications of the area will have read through a book dealing with complicated legal issues. It may be slightly disheartening for that reader to be confronted with an “it is all common sense” passage at the end of the book.
This book will provide best value for those running or working within human resource departments. However, the audience is unlikely to widen beyond individuals working within or providing services to the human resources field.
For those new to the area, the book presents a frightening array of pitfalls that will lead to various types of liability. For those within the sector it clarifies many of the issues and may introduce ideas that will aid in the improvement of protocols related to the legal compliance with the data protection legislation. Lynda Macdonald has written a book that endeavours and subsequently succeeds in outlining the significant and often overlooked risks involved for those organisations dealing with information. This book is likely to be of significant value for those working within the human resources field.
International Journal of Law and Management, May 2010.