The shifting sands of data protection law

Failure to comply with data protection laws could leave you personally liable for breaches. Owen Warnock advises IT directors to check their organisation's monitoring policies.

Employers face considerable difficulties in interpreting data protection legislation as the law beds in. For example, issues such as how far a person's right to privacy should be protected come under constant scrutiny.

Although the provisions of the Data Protection Act 1998 are designed to protect people's right to privacy, the Act allows a degree of flexibility in order for common sense to prevail. But this is where difficulties arise. If there is room for interpretation, how can there ever be consistency in how organisations comply with the Act?

Over the past 18 months the information commissioner has issued four parts to a code of practice which, once completed, will provide comprehensive guidance on complying with the Act.

Although not legally binding, the code aims to encourage organisations to adopt good practice. It deals with the impact of data protection laws on the employment relationship and relates to the following:

Part one: recruitment and selection

Part two: record management

Part three: monitoring at work

Part four: information about workers' health.

Part three deals with the sensitive issue of monitoring staff in the workplace, covering mainly systematic or routine monitoring, but also occasional monitoring of workers. This includes randomly opening individuals' e-mails, listening to their voicemails or monitoring their website use. It details seven areas of good practice to be followed.

IT directors are advised to take this opportunity to review any monitoring that is currently taking place and assess its impact on employees.

It is important for IT directors to consider whether or not the monitoring is permitted within the wider legal framework of the Regulation of Investigatory Powers Act 2000, the Lawful Business Practice Regulations 2000 and the Human Rights Act 1998.

IT directors should also consider whether they are complying with their other obligations under data protection law, including those imposed under the EU Directive on Privacy and Electronic Communications, which came into force on 11 December. This covers issues such as the extent to which businesses can carry out e-mail marketing.

So which areas of the Data Protection Act have the greatest impact on IT directors?

The seventh of the eight principles in the Data Protection Act is perhaps the most relevant to IT directors. This states, "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

This is interpreted as requiring employers, and the IT directors acting for them, to keep up with technological developments. In practice, the seventh principle also means that the IT director should consider the cost of ensuring a level of security appropriate to any harm that might result from unlawful data processing, loss or damage.

Directors, including senior IT staff, could find themselves personally liable for breaches of the Data Protection Act.

Perhaps now is a good time for organisations to carry out an audit of their organisation's data protection compliance to ensure the information commissioner does not come knocking at their door.

Owen Warnock is a partner at law firm Eversheds