Processing sensitive personal data for health and safety reasons and still complying with data protection laws has until recently created uncertainty for employers. However, the Information Commissioner's Office (ICO), the UK's independent authority set up under the Data Protection Act 1998 (the Act) to protect personal information, has now published Guidance on the use of Violent Warning Markers outlining how employers can protect their staff in the workplace and still fulfil their obligations under the Act.
The Guidance focuses on violent warning markers, used by employers as a means of identifying and recording concerns that some individuals pose, or are likely to pose, a risk to the members of staff who come into contact with them. This counts as personal data, and often sensitive personal data, under the Act, and as such the employer must comply with the 8 data protection principles outlined in the Act when using this data.
The Act states that personal data, including sensitive personal data, should not be processed unless one of the conditions set out in the Act is met. Finding a condition which precisely fits the processing of data to protect the health and safety of your employees, particularly when the data relates to a third party, is quite difficult. The ICO's advisors have long advised that the ICO considers the processing of data for this purpose to be legitimate, but relying on that advice without clear written guidance is risky. The new Guidance states that the condition in the Act that permits the processing of information where it is necessary to comply with any legal obligation imposed on the data controller (in this case the employer) allows the processing of personal data contained in the markers. For sensitive personal data, the appropriate condition is that the processing is necessary to comply with any legal obligation imposed on the data controller in connection with employment. The ICO has confirmed that the legal obligation referred to in both these conditions can be health and safety law, which confers a duty of care on employers towards their staff.
The Guidance and Practice Note issued by the ICO put into writing for the first time the more flexible approach the ICO had previously taken: that the Act did not prevent the use of such markers, but that in using them the principles of data protection must be adhered to at all times. They also demonstrate that the ICO is receptive to employers' concerns regarding compliance with both health and safety law to protect their employees and data protection laws. The ICO has shown it is willing to provide assistance on this issue by taking a wide interpretation of the Act.
The appropriate condition for processing sensitive personal data does not, however, allow employers to pass the information to other organisations, as the condition relates to a legal obligation on the employer for their own staff, not other organisations' staff. However, the ICO has advised that it will examine whether there is a good reason for passing the information to another organisation, such as to alert them to the potential risk to their staff, and the key will be whether the processing is justified and fair.
In practice, this means the employer must have a clear and established policy and review procedure in place which outlines objective and clearly defined criteria on which the decision should be based. In order to be fair, the ICO advises that the individual should be informed of the marker and the incident that led to its inclusion, who the information may be passed to, and when the marker will be reviewed/removed in accordance with the review procedure.
It is emphasised in the Guidance that all files containing an indication that an individual is potentially violent must be retained securely and kept no longer than necessary, and staff must receive appropriate training in the relevant systems in place, in keeping with the other principles of the Act.