The Data Protection Act applies to information about living, identifiable people, such as job applicants and employees. Through the data protection principles, it regulates the way information about these people can be collected, handled or used. The act also gives employees the right to access the information that is kept on them. The Data Protection Act applies to computerised information and to well structured manual records, such as information about job applicants. Vista Refurbishment Ltd adheres to the eight principles of the Data Protection Act.
The Eight Principles of the Data Protection Act
The principles require that personal data shall:
- Be processed fairly and lawfully and shall not be processed unless certain conditions are met
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
- Be adequate, relevant and not excessive for those purposes
- Be accurate and, where necessary, kept up to date
- Not be kept for longer than is necessary for that purpose
- Be processed in accordance with the data subject’s rights
- Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures
- And not be transferred to a country or territory outside the European Economic Area, unless the country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
Recruitment and Selection
When recruiting for a position within the Company the following guidelines must be observed:
- Use the information you collect for recruitment or selection purposes only, such as application forms, CVs etc.
- Ensure that those involved in recruitment and selection are aware that data protection rules apply and that they must handle personal information with respect
- Do not collect more personal information than you need
- Do not collect from all applicants information that you only need from the person that you are going on to appoint, such as bank details
- Keep the personal information that you obtain secure, all documentation must be kept in a lockable filing cabinet or cupboard
- If you are going to verify the information a person provides, e.g. references, make sure they know how this will be done and what information will be checked
- Only keep information obtained through a recruitment exercise for as long as there is a clear business need for it, this will be for six months after the recruitment process has been completed for that role
- All recruitment information for unsuccessful candidates, such as application forms and CVs must be kept for all candidates for 6 months, after this time you may dispose of this information
- Only write comments on application forms and CVs that will help you to make a decision and that you would be happy for the candidate to see, as any applicant can request to view any documentation that we hold on them
When keeping employee records the following guidelines must be adhered to:
- Ensure that those who have access to employment records are aware that data protection rules apply and that personal information must be handled with respect
- Be careful when disclosing information in an employee’s employment record. Remember that those asking for information about an employee may not actually be who they claim to be. If you receive such a request refer them to your line Manager
- Data protection does not stand in the way where you are legally obliged to disclose information, for example informing the Inland Revenue about payments to employees
- Keep employment records secure. Keep paper records under lock and key and use password protection for computerised ones. Ensure that only employees with proper authorisation and the necessary training have access to employment records
- Where possible, keep sickness records containing details of an employee’s illness or medical condition separate from other less sensitive information, for example a record of absence. Details of absence should be recorded and all other relevant information pertaining to an employee’s health should be kept on their personnel file
- When you no longer have a business need or legal requirement to keep an employee’s employment record, make sure it is securely disposed of, for example by shredding it. Once an employee has left the business their personnel file must be stored for the legally required amount of time before being disposed of. This is currently 7 years.
All employees who are the subject of personal data held by the Company are entitled to:
- Ask what information the Company holds about them and why
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed what the Company is doing to comply with its obligation under the 1998 Data Protection Act
All employees are responsible for:
- Checking that any personal data that they provide to the Company is accurate and up to date
- Informing the Company of any changes to information which they have provided, e.g. changes of address
The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted.
All employees are responsible for ensuring that:
- Any personal data which they hold is kept securely
- Personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party
- Customer information may only be accessed for business purposes and not for personal use
Rights to Access Information
Employees of personal data held by the Company have the right to access any personal data that is being kept about them on computer and also have access to paper-based data held in a manual filing system. Any person who wishes to exercise this right should make the request in writing to their line manager. If such a request is made the Company may make a charge to the employee to honour this request, once this has been received the information will be released. If personal details are inaccurate, they can be amended upon request.
The Company aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days of receipt of a request.
Any breach of the Data Protection Act will be taken seriously and may result in disciplinary action being taken.