The Data Protection Act 1998 allows employees to access data held by their employer ("the data controller"). The main aim of the act is to allow an individual to challenge inaccuracies and even claim for compensation. Employment solicitors have found it being used more frequently by employees. The data that an employee can ask for includes not just computer based information (e.g. e-mails between colleagues referring to the employee) but also information that is recorded as part of a relevant filing system such as manual records (e.g., personnel files).
The employer must comply with the eight data protection principles, that data must be:- fairly and lawfully processed; accurate and up to date; adequate, relevant and not excessive; not kept longer than is necessary; processed in accordance with the individual's rights; kept secure; only transferred outside the EU if there are adequate levels of protection.
For further information please look at our links page for the Office of the Information Commissioner's website.
The key element that is of interest for employees is the ability to do a subject access request to gain information relating to them. A subject access request can be made to any organisation processing data and they must respond within 40 days. A small administrative fee of up to £10 may be charged.
In respect of employers, as is usual, the approach is a damage limitation exercise - any data that could give rise to a dispute should not be entered or written down to avoid being used as evidence at a later date.
In Ezsias v Welsh Ministers (2008) in the High Court, it was held that an employer would only have to carry out a reasonable and proportionate search. The Information Commissioner's current guidelines state that the provision of copies and not the scope of the search should be proportionate. Consequently, organisations may be justified in reducing the parameters of the search, but what is proportionate and reasonable is a matter of fact and is dependent on the circumstances.