Data Act lets you peek into your company file

Hand £10 over to your employer and you can gain access to confidential company records on your performance as an employee, writes...

Hand £10 over to your employer and you can gain access to confidential company records on your performance as an employee, writes Roisin Woolnough.

Individuals have had the right to view sensitive information about themselves, such as sickness records, disciplinary or training records, appraisal notes, e-mail logs and general personnel files, since the Data Protection Act 1998 came into force in 2000.

The Office of the Information Commissioner - an independent government body that promotes observance of the Data Protection Act and can serve enforcement notices to oblige companies to comply with the law - is in the process of issuing a code of practice that interprets the Data Protection Act.

"It is the commissioner's view of good practice," says Iain Bourne, strategic policy manager at the Office of the Information Commissioner. "It is a comprehensive description of the Act, with its own set of standards."

The commissioner interprets various acts, issuing guidelines on how employers should comply with them. While the codes of practice do not have legal status, they often act as a benchmark at employment tribunals as to how employers should behave.

"It won't ever take on the status of statutory law," says Bourne. "But once a code of practice has been issued it can take on a quasi-legal force in its use. There are things that the code states as good practice that you cannot do and still comply with the Data Protection Act."

Diane Sinclair, employee relations advisor at the Chartered Institute of Personnel and Development (CIPD) says that, as with Advisory, Conciliation and Arbitration Service (Acas) codes, should an employer be found to have ignored the code of practice at a tribunal it will most likely count against them.

"Employers will be vulnerable if they have not followed the code, but will not automatically be in breach of the law," she explains. "You don't have to follow the code, but as the code interprets the principles of the Act, you have to show that you have followed the principles of the code.

"The Acas code of practice on grievous and disciplinary procedures is frequently cited in tribunal cases of unfair dismissal, when people have not followed it."

Sinclair thinks the information commissioner's code of practice could have a big impact on how employers and employees behave. She criticises the Data Protection Act for not being very clear or accessible for either employers or employees and welcomes the code's clarification of it.

Originally, the code was presented as one booklet, but Sinclair says the CIPD and other industry bodies felt it was too long and confusing and called for it to be broken down into separate parts.

The result is that the information commissioner is now issuing the code in four parts, the first part of which is currently available and covers recruitment and selection.

The second part, which Bourne predicts will be available to the public in a few weeks' time, covers the collecting, storing, disclosure and deletion of records, while the other two cover monitoring at work and medical testing. Workplace monitoring concerns the individual's use of telephones, e-mail, the Internet and vehicles. Medical testing concerns occupational health, drugs and genetic screening.

Sinclair is looking forward to the publication of the section on e-mail and Internet use. "This is the one to watch, as part of the original code said accessing soft porn was acceptable," she says.

"We criticised that very strongly indeed."

What information can I access?
Individuals are barred from accessing certain information, such as data relating to criminal investigations, promotion, transfer or redundancy plans. Once an employee has submitted a written "subject access request" (either by letter or e-mail), their employer must process it within 40 days. Information that an employee might typically find should they access their records includes:
  • Salary and bank account details
  • Sickness records, covering physical and mental health
  • Disability details
  • Racial origin information

  • Trade union membership details.

Know your rights
Useful sources for finding out more about the Information Commissioner's code of practice, the Data Protection Act 1998 and employee rights:
  • Charteed Institute of Personnel and Development; 020-8971 9000
  • Information Commissioner; 01625-545 745
  • Stationary Office; 08700-600 5522.

Read more on IT risk management