Failure to comply with data protection laws could leave you
personally liable for breaches. Owen Warnock advises IT directors
to check their organisation's monitoring policies.
Employers face considerable difficulties in interpreting data
protection legislation as the law beds in. For example, issues such
as how far a person's right to privacy should be protected come
under constant scrutiny.
Although the provisions of the Data Protection Act 1998 are
designed to protect people's right to privacy, the Act allows a
degree of flexibility in order for common sense to prevail. But
this is where difficulties arise. If there is room for
interpretation, how can there ever be consistency in how
organisations comply with the Act?
Over the past 18 months the information commissioner has issued
four parts to a code of practice which, once completed, will
provide comprehensive guidance on complying with the Act.
Although not legally binding, the code aims to encourage
organisations to adopt good practice. It deals with the impact of
data protection laws on the employment relationship and relates to
the following:
Part one: recruitment and selection
Part two: record management
Part three: monitoring at work
Part four: information about workers' health.
Part three deals with the sensitive issue of monitoring staff in
the workplace, covering mainly systematic or routine monitoring,
but also occasional monitoring of workers. This includes randomly
opening individuals' e-mails, listening to their voicemails or
monitoring their website use. It details seven areas of good
practice to be followed.
IT directors are advised to take this opportunity to review any
monitoring that is currently taking place and assess its impact on
employees.
It is important for IT directors to consider whether or not the
monitoring is permitted within the wider legal framework of the
Regulation of Investigatory Powers Act 2000, the Lawful Business
Practice Regulations 2000 and the Human Rights Act 1998.
IT directors should also consider whether they are complying with
their other obligations under data protection law, including those
imposed under the EU Directive on Privacy and Electronic
Communications, which came into force on 11 December. This covers
issues such as the extent to which businesses can carry out e-mail
marketing.
So which areas of the Data Protection Act have the greatest impact
on IT directors?
The seventh of the eight principles in the Data Protection Act is
perhaps the most relevant to IT directors. This states,
"Appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal
data."
This is interpreted as employers or IT directors keeping up with
technological developments. In practice, the seventh principle also
means that the IT director should consider the costs of ensuring a
level of security appropriate to any harm that might result from
unlawful data processing, loss or damage.
Directors, including senior IT staff, could find themselves
personally liable for breaches of the Data Protection Act.
Perhaps now is a good time for organisations to carry out an audit
of their organisation's data protection compliance to ensure the
information commissioner does not come knocking at their
door.
Owen Warnock is a partner at law firm Eversheds