BOLA HRM/Personnel Data

HRM/Personnel Data

The administration of personnel systems involves considerable data capture, verification, storage and processing. The bureaucratic functions of personnel work are evident (see BOLA section on recruitment and information processing). We need to be aware of

the data we are using,
how we capture it and for what purposes.
we must ensure its integrity, accuracy and manage the security of how it is stored.
we have to control who will access it and who it will not be disclosed to.

Computerised systems enable more data to be kept and accessed. The technology transcends company and community boundaries. This itself increases the need for accuracy, security and confidentiality.

How much more information does an employer need on staff?

Merely because personnel information systems permit greater flexibility in processing - does more personal data need to be kept?
To what extent is keeping more information and marginal information an invasion of the employee's privacy?
Whatever data is kept, there are sensitivities associated with the data? What level of confidentiality is needed?

Personnel Master files

Generally personnel records are of a permanent but dynamic nature whether kept in a kardex file or by a database-oriented personnel records, multi-user software package. When a new employee joins the firm (or even when an application is received), a new record is created. More and more data is then added to the employee record and related records as the employee's length of service increases. The record is updated from time to time.

What aggregates of data are typical?

Applicant data
application forms/CVs	interview notes	medical results
results of tests	references
Employee data
employee details: name, DOB, address, next of kin etc	contract of employment (terms and conditions)	probationary period outcomes
training needs, training undertaken and outcomes	records of qualifications and competencies	appraisal/performance reports/ratings
job assignments, objectives/priorities, promotions, transfers and re-deployment	occupational health and accident records	training activities and outcomes
room, telephone, computer system, vehicle and equipment assignments	time sheets, attendances including rota slots, holidays	sickness certificates
pay and taxation, commissions and bonuses, benefits/company car, pensions, expenses, deductions	disciplinary action	grievance raised
references to new employers and for employee support	equal opportunities monitoring information

Informal Information

work loads and conflicts
employee interests and problems known to others
values and pre-dispositions - factual knowledge and opinions that others have of the employee
the employees feelings about self and others
aspirations for learning, career development
team contributions and roles

Employer Obligations: Ethical and Legal

Under contract of employment?
- Honesty, natural justice? Not to misrepresent the employee in ways that would damage their interests? Not to behave disingenuously? Treat others as you yourself would expect to be treated?
- Respect the employees natural right to privacy? Employees provide confidential information in support of their job relationship with the employer. The latter has social and ethical obligation (confidentiality and fidelity) not to disclose this without the employee's agreement.
- Between manager-employee or employee-employee, disclosure of confidential information can be embarrassing and damaging. A real or imagined threat to disclose confidential information may bind the employee to the employer - blackmail or abuse of the employee?
- an employee may resign and claim constructive dismissal arising from an employer's mishandling of personal information relating to themselves.
Data Protection Act 1998
Seeks to safeguard/protect individuals with regard to processing of personal data (held on computer) in relation to them. Defines principles which all data users are obliged to observe. Employers must register the personal data they keep and the legitimate uses to which it will be put.
Data subjects have rights of access to their data and to correct or have it erased if wrong. There is also redress if damage results from inaccuracy or loss of the personal data.
Excluded from the scope of the Act is data used solely for payroll purposes only. However employee data extends beyond this and the DPA affects
- data held for administrative purposes relating to current, prospective and past employees. This includes contract staff, people on placement with the firm, temps and voluntary workers.
- staff data used to plan and manage workloads and programmes of activity e.g. project management and staff appraisal.
Data users may only use the data for registered purposes. It must be kept up-to-date, accurate, relevant (kept only as long as necessary for registered purposes) and secure. There are controls over who it may be disclosed to, who may use it.
Sanctions, applied by the Data Protection Registrar include: enforcement notices (requirement to comply), fines and seizure of data. A de-registration notice may also be issued if a data user continues to process data covered by an enforcement notice (a criminal offence).
Access to Medical Reports Act 1988
Deals with medical reports for employment or insurance purposes.
- Employers must notify employees and obtain their consent before requesting medical reports from medical practitioners.
- Employees have the right to see medical reports, request corrections and even veto disclosure to the employer.
- Medical practitioners must retain medical reports for 6 months and withhold reports only if he/she believes the disclosure would
  - cause serious harm (physical or mental)
  - reveal the identity of another person who has given in formation to the practitioner
- provides for company doctors to prepare reports for employers providing the employee consents to a medical examination
- gives employees the right to see medical reports compiled by company employees or retained medical staff.
Access to Health Records Act 1990
- gives rights of access by employees to health records made after 1 Nov 1991. Reports made by health professionals retained by an employer are included.
- access may be refused where it would be harmful to the patient or reveal information about a third party
- on application, the courts may require enforced disclosure
European Directive on data protection (95/46)
This directive (July 1995 and to be implemented in member states within 3 years) on individual protections with regard to the processing and free movement of personal data adds to the regulative demands on employers. It
- includes computerised and some manual data
- covers personal data transferred to non-EU countries
- exempts personal data processed for journalistic (scoops on employee behaviour, papparazzi?), artistic or literary purposes
- gives special consideration to "sensitive" personal data

Personnel Policy Implications

Based on these, the implications then include

apply the same rules to manual and computerised employee data.
collect data systematically, verify it and ensure its integrity (if the same item of data is held in two or more places in the company - ensure that the two items tally) and accuracy
inform employees about access provisions
- what is held and why (registered purposes)
- how and where data is held
- who has sight of it and can access it for registered purposes
- how they can inspect data about themselves
Confidentiality
take all reasonable steps to ensure the data is secure
reviewed annually why data items are kept. Do a rolling audit to ensure that legal requirements are met. Audit system integrity e.g. triennially
control data access (strict need to know) to those who need to use it for legitimate and registered management purposes only
record/log all data items to be found in an employee's primary file
Disclosures to Others
references should be factual and accurate. Facts and opinions should be verifiable.
do not use data for commercial purposes except as registered with the DPA and with employee knowledge
make unauthorised disclosure employee data to a third party a disciplinary offence
log disclosures Data storage.
do not leave personal data unattended or use it in ways that conflict with registered purposes
take measures to secure data against damage, loss or accidental disclosure

Discuss
Are there exceptions to this where access might breach third party confidentiality (references)? Could access to personal data by data subjects undermine the current employer-employee relationship? What is the value of data which you do not wish to disclose to employees?
if subjective data e.g. on performance is collected, those who offer the judgments should be prepared to explain them to the staff concerned
question the shelf-life of data (particularly subjective data) and rule how long it will be kept. Discourage retention of redundancy, dead data. What are the rules on deletion/archiving. Is archiving really necessary once it has served its purpose or becomes dated.
How can controls be established on who will use the data?

Developed and maintained by Chris Jarvis

HRM/Personnel Data

Personnel Master files

Informal Information

Employer Obligations: Ethical and Legal

Under contract of employment?

Data Protection Act 1998

Access to Medical Reports Act 1988

Access to Health Records Act 1990

European Directive on data protection (95/46)

Personnel Policy Implications

Discuss