The Information Commissioner's Office issued its latest Good
Practice Note in the spirit of improving transparency, not secrecy.
It acknowledged that you do not need to pass on a confidential
reference that you wrote about your own employee if asked to do so
by that person. But if you hold a confidential reference that you
received from someone else, you generally do need to disclose it
upon request – unless the manner in which it is held is not covered
by the Data Protection Act.
This carve-out is significant. Many people think that they can
ask an organisation to reveal every piece of personal data they
hold that relates to them. Not so. They are obliged to reveal
personal data only where it is covered by the Act – and some of it
won't be. (The Government did widen the Act for public authorities;
but it specifically exempted personnel data.)
Electronically stored data generally will be covered. So you can
see the emails that refer to you (subject to the censorship of, for
example, the personal data of others). But as Michael Durant
learned from the Court of Appeal in his landmark privacy fight,
paper documents escape such "subject access" requests unless they
form part of a "highly structured manual filing system."
The Court of Appeal seemed to think that averagely-structured
manual filing systems do not count. "An ability of staff readily to
identify and locate whole files, even those organised
chronologically and/or by reference to his and others' names, is
not enough," it wrote.
The upshot is that email is caught by the Act and therefore
there are more opportunities for emails to come back to bite you.
You probably know the dangers of email already. You are probably
wise to the risks of writing job references, too. Smart bosses keep
them bland and devoid of opinion: "She joined us in 2003 and left
in 2005. The end."
The real issue – which crystallised when Durant's hopes of an
appeal were dashed by the House of Lords in December – is that a
loophole exists in Britain's Data Protection Act that is open to
exploitation by unscrupulous employers. It's not just about job
references.
We learned recently of a man who suspected his employer was
paying private investigators to spy on him. He exercised his right
to make a subject access request – and learned that whatever
monitoring activity was taking place, whatever reports were being
written about him, none of it was subject to the Act. Want to hide
something? Shove it in a drawer.
So what's the resolution? Well, an obvious step would be to
legislate. Make all employee data subject to the Data Protection
Act, regardless of storage medium. I put this to David Smith, who
has just taken up the post of Deputy Commissioner at the
Information Commissioner's Office.
Mr Smith was promoted from his 15-year tenure as Assistant
Commissioner to become the lead for data protection. He pointed out
that, while his office is looking out for the rights of the
individual, it also wants "to make life as simple as possible for
business."
"There are arguments for clarifying the law in this area," he
said. "Whether the Government is likely to be moved in that
direction I would have some doubts at the moment." He pointed out
that the emphasis is to avoid further regulation – "and bringing
more records within the scope of the Act could only be termed as
further regulation."
But would extending the Act to any employment records not be of
greater protection to the employee? "Yes," said Mr Smith, "there
can be no doubt that it would improve the protection for
individuals."
He accepted that sending a job reference by post makes it less
likely that it gets covered by the Act; he also accepted that this
is one of the "areas where the Act could be improved or made
simpler or both."
But he continued: "What I am a bit reluctant to do is base our
approach in the short and medium term on there being changes in the
law. I don't know that it is very likely that there will be
significant changes in the law and those are in the hands of the
Government."
I put to Mr Smith that he is in the best position to lobby the
Government for change. "There is no doubt," he replied, "that we
have the Government's ear … but the Parliamentary timetable
as you know is very busy."
"If we set out our stall on the basis of changing the law, it's
going to be some time – if ever – before we make real progress," he
said. "We are concentrating our efforts on working with what we've
got but at the same time bearing in mind that, yes, there could be
improvements."
So are there many cases where the Commissioner's office receives
complaints and simply has to say that it can't help because this
was an unstructured manual file – or is that a rare thing?
"No, it's not rare," replied Mr Smith. "That happens … I can
only agree that additional protection would be provided for
individuals particularly in the employment area were all records to
be covered – and don't interpret me as saying in any way we would
be against that. But what I am saying is that just sort of lobbying
Government to achieve that is not at number one on our list of
current issues."
Perhaps change will be driven another way. The European
Commission has threatened action against the UK Government for
wrongly implementing its Data Protection Directive and the Durant
decision forms part of its evidence.
The golden rule in all of this is summarised by someone who has
used the disclosure of smoking gun emails in crusades against
corporate scandal. New York Attorney General Eliot Spitzer said
recently: "Never write when you can talk. Never talk when you can
nod. And never put anything in an email."
By Struan Robertson, Editor of OUT-LAW. These are the personal
views of the author and do not necessarily represent the views of
Pinsent Masons.