News & Updates

You’re responsible for your employees’ personal data

If you want, or need, an external third party to process any of your employees’ personal data,
perhaps for pension or payroll purposes, the responsibility for its security still lies with you.
So what must you do to protect your business?

A costly oversight
When the Scottish Borders Council recently engaged an outside company to digitise the pension
records of all former employees, it failed to obtain guarantees over the security of that personal data
or to monitor how it was being handled. Over 600 confidential paper records (which contained names,
addresses, NI numbers and, in some cases, salary and bank account details) were later found
dumped in a paper recycling bank at a supermarket car park. As a result, the Information
Commissioner's Office slapped the council with an eye-watering £250,000 fine.

Data Protection Act 1998
Under the Data Protection Act 1998 (DPA), any employer that uses an external organisation to
undertake data processing functions on its behalf, e.g. pension or payroll administration, remains
legally responsible for:

  • The security of its (existing and former) employees’ personal data; and
  • Protecting the rights of those individuals whose data is being processed.

Putting protection in place
Also, when using an external organisation for this purpose, the DPA requires employers to:

  • Select a data processor who can provide sufficient guarantees that it will properly meet the
    DPA requirements; and
  • Enter into a written contract with the data processor which specifies that it: (1) may act only
    on the employer's instructions; and (2) must comply with the seventh data protection principle
    (i.e. keep appropriate security measures in place).

Good practice recommendations
Therefore, as well as selecting a reputable business which offers suitable guarantees as to the
security of your employees’ personal data, you should:

  • Make sure the external data processor has appropriate security measures in place, e.g. for how it
    disposes of data and how it carries out checks on its own staff;
  • Require the data processor to report any security breaches and/or other DPA problems to you;
  • Have adequate procedures in place to deal with these breaches if they arise; and
  • Put a clear and legally enforceable written contract in place.