Who’s watching?

first_imgRelated posts:No related photos. Howwill the Employment Practices Data Protection Code on Monitoring at Work,published in June, help OH comply with the Data Protection Act and will itencourage employers to adopt good practice? By Linda Goldman & Joan Lewis There is a public perception that the workplace is a hothouse for nurturinglitigation. On one hand, the raft of European and domestic legislation designed toensure health and safety at work opens a door to legal intervention. On the other, the current trend towards fair and flexible internal grievanceresolution, supported by statutory dispute resolution procedures has not yetreduced the numbers of people making claims in courts and tribunals. Underpinning any successful solution to otherwise irreconcilable differencesis the need for accurate information, properly acquired. Once facts are on record, the Data Protection Act 1998 (DPA) becomes theframework for justice. In June 2003, the Information Commissioner published Part 3 of the EmploymentPractices Data Protection Code on Monitoring at Work. This will help OHpractitioners comply with the DPA and, in particular, encourage their employersto adopt good practice. Rights of the data subject The facts that comprise information about an individual are called data. TheDPA contains eight principles by which data is acquired, stored and used. Theseare set against the background of the most important fact of all: data is theproperty of the person to whom it relates. Responsibilities of data control OH practitioners acquire and store data. They are therefore datacontrollers, on whom the duty to process data fairly and lawfully can only befulfilled by attaining consent from the subject. Consent will also relate to the release of data in certain specifiedsituations, including for legal proceedings. In a life or death situation,consent for the use of data can be given by a third party. Data may also be disclosed where necessary for medical purposes if it isundertaken by a health professional subject to an ethical duty ofconfidentiality. It is also worth noting that in some circumstances, OH may be privy toinformation that may need to be disclosed in the ‘public interest’. Take, for example, a drugs test that reveals the use of an illegal drug bysomeone applying for another job who works in a potentially hazardousoccupation, say, a bus driver or fork-lift driver. What is the duty of the OH department, which has carried out the healthsurveillance for the new employer to inform the employee’s current employer, ofthe results of the drugs test? Here the question of disclosure arises because of the risk to the public ofa driver with drugs in his system. Disclosure should only be made to his otheremployer if so advised by the practitioner’s legal advisers, as it will have topick up the tab if it turns out that disclosure should not have been made. The DPA provides in section 29 for disclosure for the purposes ofinvestigating crime. If the drug is an illegal substance and the police are theagency for investigating crime, disclosure to the police may be made, providedthe insurer agrees that any steps should be taken at all. Since data should only be kept for the purpose for which it is needed andfor a justifiable period, the OH practitioner must bear in mind that there willbe cases where records may need to be preserved if there is a risk of personalinjury litigation. For example, three years is the limitation period runningfrom the date of knowledge of the accident or injury for a claim in negligence.Where further health records need to be kept because of the risk oflong-term illness such as asbestosis or other chemical or product relatedissues, a view should be taken on maintaining records for longer. As a matter of good practice, health and safety legislation should beconsulted to see if any aspect of the work carried out by the at-risk employeerequires retention for longer periods. The information contained in retained records remains the property of theindividual who, for a standard fee of £10, is entitled to have a copy for theirown information. It is advisable to keep a record of the fact that any changesto records have taken place, such as when deletions are made. The Information Commissioner is in the protracted process of issuing acomplete code of practice in relation to employment practices in theimplementation of the DPA. To date, three parts of the code have beenpublished. The fourth part will relate to medical information, and is expectedto be published by the end of the year. The parts of the code issued to date suggest that a very high standard ofcompliance with the DPA is required. For OH practitioners, these standards accord with ethical principles. Since the fourth data principle requires accuracy of data and the fifthrequires data to be kept for no longer than necessary, more interaction withdata subjects may be useful. It is suggested that employees be shown theirrecords at regular intervals so updates can be made and inaccuracies identified.Effect of the code of practice on workplace monitoring Stringent precautions should be taken when transmitting data, particularlycontaining medical information, by e-mail, fax or post to ensure securityencryption and receipt by the named addressee. E-mail is an increasing problem. Many complaints are made to the InformationCommissioner about refusal of access to information held in e-mails, usuallywhen the data controller believes they have been deleted, but in fact a back-upsystem has ensured retention. The commissioner has the power to assess whether there has been a failure toprovide access to personal data held in e-mails by making his owninvestigation. In using that power, he will ascertain whether there has beencompliance with the applicable part of the code of practice. As a general rule, a code of practice does not have the full force of thelaw, but the employer’s failure to comply may be taken into account as evidencetending to support a breach of the Act having been committed. Transmission of OH records occurs at the stage when they are released undercircumstances, which include the request of the subject and change of OHprovider. In the latter instance, the affected data subjects should be informed of thewhereabouts of their records and the nature and scope of the new dataprotection system. When in doubt about the transferral or storage of records,particularly if the original employer becomes insolvent, the Employment MedicalAdvisory Service may be able to advise. www.hse.gov.ukwww.hsedirect.comLinda Goldman is a barrister at 7 New Square, Lincoln’s Inn. She is headof training and education for ACT Associates & Virtual Personnel. Joan Lewisis the senior consultant and director of Advisory, Consulting & TrainingAssociates and Virtual Personnel, employment law and advisory serviceconsultancies and licensed by the General Council of the Bar in employmentmatters under BarDirect. Sketchplan of data protection principlesData must be:– fairly and lawfully processed – processed for limited purposes compatible with those purposes– adequate, relevant and not excessive for the purpose – accurate– maintained for no longer than necessary – processed in accordance with the rights of the individual– kept securelyData must not be:– transferred outside the EU without consent of the subjectunless that country can assure the rights of the data subjectCasebook – practical aspects ofconfidentialityThe new Employment Practices DataProtection Code on Monitoring at WorkThe latest tranche of the code gives detailed guidance onmonitoring at work and covers an employer’s use of CCTV cameras and automatedchecking software to collect information about workers.Although there may be a bona fide purpose in surveillance, itsuse often has implications for OH confidentiality. For example, it is notunknown for workers ostensibly on sick leave to have their activities outsidethe workplace videoed to collect evidence that they may not actually be sick. E-mail or internet abuse is often a serious disciplinaryoffence. Distributing or receiving pornographic e-mails is high on the list ofreasons for dismissal and is considered to be justification for monitoringe-mail systems. However, general monitoring may affect the way the OHdepartment deals with external communications. According to the code, the employer should make it clear tostaff the circumstances in which, if at all, they may use the e-mail system andinternet access for private communications. As for medical matters, provisionfor confidentiality is made by suggesting the use of clearly marked internalpost, probably because of the inherent back-up systems in computers wherebyotherwise confidential material may be accessed later. Specific details areavailable on the Information Commissioner’s website. www.dataprotection.gov.uk/dpr/dpdoc.nsfZ v Finland (1998) 25 EHRR 371The European Court of Human Rights determined that Z’s medicalrecords were legally disclosed in proceedings in which her husband was chargedwith rape and manslaughter for knowingly infecting his victims with HIV.However, disclosure of her identity was a breach of Article 8of the Human Rights Convention, which provides that the protection of personaldata, not least medical data, is of fundamental importance to a person’senjoyment of their respect for private and family life. The court held that itis crucial not only to respect the sense of privacy of a patient, but also topreserve their confidence in the medical profession and in the health servicesin general. Without such protection, those in need of medical assistance may bedeterred from revealing such information of a personal and intimate nature asmay be necessary in order to receive appropriate treatment and, even fromseeking such assistance, thereby endangering their own health and, in the caseof transmissible diseases, that of the community.Z resisted police attempts to discover her HIV status. Thepolice then seized her medical records from hospital. They were included in thecourt file to be released to the public in 2002. The seizure of records waslawful because it was in pursuance of the legitimate aim of investigating and prosecutinga crime and was proportionate.London Borough of Hammersmith andFulham v Farnsworth (2000) IRLR 691 EATFarnsworth was offered a job subject to ‘medical clearance’.Her medical records showed she had suffered from mental illness in the past. Theborough’s OH physician reported, “…[although] the GP reports her healthhas been good over the last year, in view of her medical history I am concernedshe may be liable to further recurrence in the future… [that would] affect[her] attendance.” The employment tribunal found she had suffered disabilitydiscrimination. The borough ignored the reference, which showed no absence fromwork in her previous post. The EAT upheld the decision, stating that there wasno valid distinction between the borough and its agent, the OH physician. They were under a duty to continue any enquiry as toFarnsworth’s fitness to work. This puts a curious slant on confidentiality. Theapplicant’s agreement that her medical records could be disclosed to thepotential employer meant they were deemed to be within the knowledge of theemployer, having been seen by the medical officer. Further, the decisionconfirms that an employer cannot rely on the employee/applicant’s failure tomake formal confirmation of disability status to avoid a finding of disabilitydiscrimination. Comments are closed. Previous Article Next Article Who’s watching?On 1 Aug 2003 in Personnel Todaylast_img read more