Managing Employee Data

(This article was originally published in the iTech Supplement of the Times of Malta in June 2002)

Managing your employee data properly will improve the efficiency of your business and help reduce employee grievances but does your system of processing such data meet the legal obligations imposed by the new Maltese Data Protection legislation?

Employers and employees, both in the public as well as in the private sector, must be aware that many activities performed routinely in the employment context entail the processing of personal data, sometimes of very sensitive information.

The Maltese Data Protection Act (DPA) has created a new framework whereby employers have to comply with a number of obligations in relation to the processing of personal data they hold about their employees.

Data protection principles impinge on many facets of employee data including data processed in connection with health, insurance schemes, tax information, promotions and transfers, marketing, just to name a few.

Processing, under the Maltese Data Protection Act, includes collection, holding, access, use, disclosure and destruction of data. Both manual and computerized processing of personal data are covered by the DPA.

The Maltese legislation, similar to the EU Data Protection Directive 46/95, does not contain a definition for employee data. It is clear, however, that the Act encompasses information collected about individuals in their professional business and employee capacities as well as in their consumer and personal capacities.

Employers are collecting personal data from their staff members for many different purposes. The process commences prior to employment, that is at interview stage, and beyond and post termination of the said employment. During the recruitment process, individuals who are applying for a post provide personal data to their potential employers who, at the same time, usually process this information in order to asses the merits of the candidates. Information is collected during employment for further assessment or due to statutory requirements imposed on the employer ( health certificates for sickness benefits) and beyond employment again for statutory reasons, historical and statistical purposes

Organizations should carefully establish what information they collect relating to their employees and how such information is processed and used. They should therefore inventory such information and its uses.

Once a company understands what data it collects, it should examine why it is collecting the information and this to ensure that it has a specified, explicit, and legitimate purpose for such collection. The DPA sets a high standard for legitimacy, using a "necessary" requirement. In addition, the proportionality requirement bars collection and use of information that is excessive in relation to the purposes for which they are collected. Thus, all information must be tested under these standards and any "nice to have," but unnecessary information, should cease to t be collected and slowly removed from the 'stock' of data held on employees.

Asking employees to give their written consent to the processing of their data e.g. in the application form, is a step that many data-protection aware employers will eventually start considering.

Increased attention should be paid to any information, such as health, racial or ethnic background as well as trade union membership, that is considered as sensitive information under the DPA, and which thus requires special handling.

An area that employers have also to keep in mind and that has also been an issue in other jurisdictions is that of monitoring of workers' email or Internet access. This activityhas important data protection aspects.

The monitoring of email necessary involves the processing of personal data. The monitoring of Internet Access, unless conducted in a way that access to particular sites or patterns of access cannot be linked to specific individuals and only aggregated information is produced, necessarily involves the processing of personal data about the workers gaining access.

Under the new data protection regime employees will have strong access rights in respect to their personal data held by their employers. Employees have the right to check data that is held on them and inform their employer of any mistakes or omissions found therein. The employer is obliged to rectity any mistakes noted.. Organizations must decide how this will work in practice and need to advise their staff membersabout it. Adopting proper procedures to take care of such complaints is necessary.

Companies must review the security of their systems and ensure that only those who need access to personal data have it. Storing employee data on a Personnel Database will make it easier to manage, audit and report.

Companies also should ensure that they have appropriate procedures in place to guarantee the accuracy of information and the deletion of information no longer required for the purposes for which it was collected.

Organizations have to assess their procedures from a data protection standpoint so that they meet their DP obligations, including registration and notification requirements to the Data Protection Commissioner.

Many EU Member States are either drafting additional legislation or proposing codes of practice addressing data protection issues in the employment context. The United Kingdom issued a draft Code of Practice on the use of personal data in employer/employee relationships. The UK Draft Code covers a wide range of topics including recruitment, employment records, access and disclosure, and employee monitoring. A new Finnish Act on Privacy Protection in Employee Relations went into effect on October 1, 2001. In addition to these initiatives, Data Protection Authorities in Belgium, France, The Netherlands, and Greece are in the process of adopting recommendations addressing different aspects of the use of personal data in the employer/employee relationship. Legislation covering the privacy of employee data is also being considered in Sweden, Denmark, and Germany.

Two separate groups also have taken an interest in the privacy of employment information at an EU-wide level. In July 2001, the DG Employment and Social Affairs of the European Commission adopted a consultation document on the protection of employees' personal data. Also, in September 2001 the Article 29 Data Protection Working Party adopted Opinion 8/2001 on the processing of personal data in the employment context.

Due to the novelty of Data Protection legislation in Malta, it will take us some time till we have ad hoc employee data guidelines, regulations or codes of practice. Nevertheless, such enactments will create a clearer data protection landscape for persons who control and process employee data.

The importance of taking the protection of employee data responsibly has to be kept in mind. Efforts should be made to develop a culture in which privacy, data protection, security and confidentiality of personal information are taken seriously.