Controlling Access to Personal Information

By: Matthew Strawbridge - Updated: 25 May 2018 | comments

Information Data Business Access Protect

Personal information has value and must be safeguarded. It is understandable that people wish to keep private all manner of information about themselves. When they trust their information to an organisation, that organisation has a duty of care to secure the details and to use them responsibly.

In fact, their responsibility extends beyond a duty of care – companies have a legal obligation to collect, use and store personal records responsibly. The Data Protection Act 1998, enforced by the Information Commissioner’s Office, governs how UK businesses may handle knowledge about living people.

Customers

When a company collects facts about its customers, it must state how it intends to use and store them and must not do something else instead. Businesses may not pass their lists on to third parties without consent, and must not keep the contents longer than necessary.

Employees

Although the Data Protection Act is usually thought of in terms of knowledge about customers, it is equally applicable to the details a business holds about its own employees.

The Human Resources department will keep records about their staff. This will cover the obvious things such as addresses and telephone numbers. Staff that are paid electronically into their bank accounts will also have handed over their bank details, and records will be kept of national insurance numbers, tax codes and the total remuneration package they receive. All of these things have some value to people outside the organisation: fraudsters looking to commit identity theft, or the company’s competitors who would like to know how much they pay their staff.

Because of this, it is important that records about employees are held securely, and that the right to use them is rigorously controlled.

Practical Measures to Control Access to Information

Suppose a company keeps a computerised list of its personal customers. This represents a major business asset, and it should be defended. It could be very harmful, for example, if an employee were to be poached by a competitor and decided to take a copy of all the customer records to his or her new job!

So it makes sense for the company to hold customer records in a form that cannot easily be copied; at the very least, such copying should be logged by the system. Just think of all the bad publicity that has come from government departments losing people’s records that should never have been copied to unsecured systems in the first place.

Stringent security measures not only secure the assets of the company, but they also protect the individuals to whom the data relates. Other things that can help are granting rights on a “need to know” basis, and using passwords and encryption.

Even if personal information is being held on paper, there needs to be adequate physical security in place to control who has access to it.

Defending Your Own Information

Under the Data Protection Act, you have the right to access information held about you and to correct it if it is inaccurate. This right is known as subject access. You may have to pay a small fee to cover the administration of your request.

NB*The EU General Data Protection Regulation (GDPR) superseded the UK Data Protection Act 1998 on May 25, 2018. The new policy expands the rights of individuals to control how their personal data is collected and processed. It places a range of new obligations on organisations to be more accountable for data protection.

Organisations are obliged to have technical and procedural measures in place to safeguard the personal information they hold.

EMPLOYEE PRIVACY RIGHTS IS FOR SALE: This website is for sale [more info].

You might also like...

Vetting Potential Employees

Ensuring Physical Privacy for Employees

Employee Medical Histories

Writing an Official Privacy Policy

Privacy of Employee Remuneration

Share Your Story, Join the Discussion or Seek Advice..

Someone at work has been instructed to look after Health and Safety for the company.The system that they have proposed also covers HR and so they are trying to gain access to the current HR system.The top management do not see a problem with this, but as an employee, I feel extremely uncomfortable with this person effectively having access to all the HR personnel files when previously they were not allowed.To be clear, this person has had no formal promotion or change of job title to reflect accessing the HR department.Where do I stand legally on this?Do I have the right to complain about this? Thanks

Anon - 20-Feb-17 @ 12:38 PM

Hello MJP60, thanks for you reply. Me and some colleagues were discussing this. Much appreciated your answer. thanks very much.

lobo - 16-Feb-17 @ 7:28 AM

Hi all, my company just recently changed their "absence policy". I was talking to some colleagues and there is one paragraph that we don't really agree with. Would please someone let us know if this is alright in a legal perspective? Do they have the right to change it and ask for records? This is what follows: "The Company reserves the right to request details from medical practitioners about the state of health of its employees when that information is considered reasonably necessary for employment purposes. By signing this policy, you agree, at the request of the Company, to undergo one or more medical examinations performed by a doctor appointed and paid for by the Company. You also authorise the Company to have unconditional access to any report or reports (including copies) produced as a result of any such examination as the Company may from time to time reasonably require. You also authorise your own doctor to disclose and discuss with the Company and/or its medical advisers any information about your health or medical records having an actual or potential bearing upon your ability to perform your duties." thanks you for you help, Mauricio

lobo - 13-Feb-17 @ 1:59 PM

Title:

(never shown)

Firstname:

(never shown)

Surname:

(never shown)

Email:

(never shown)

Nickname:

(shown)

Comment:

Validate:

Enter word:

Latest Comments

Bamaboy
Re: What to Do If Your Privacy is Invaded at Work
I started a job recently and My co-worker went through my boss' desk and took pictures of my personal…

10 June 2021
Kicki
Re: Worker-Manager Confidentiality
My boss called me after work to ask why I wanted to reduce my hours. I unwillingly told her that I can’t deal with my coworker…

3 June 2021
Mikki
Re: Introduction to the Data Protection Act
I resigned from my post and on my last day, my manager was off so he gave access to my data to his subordinates who…

29 May 2021
Monika
Re: Pictures of Me on Facebook: Is This Breach of Privacy?
I'm trying to find a no win no fee solicitor, who can help me with challenge my former employer…

17 May 2021
Dav
Re: Introduction to the Data Protection Act
My work has given my address out to another work colleague to hand deliver letters on a couple of occasions and a…

5 May 2021
BIGglen86
Re: Worker-Manager Confidentiality
Hey all. Recently my employer has shared my addreas and personal information with another member of staff, which has resulted in…

23 April 2021
Why me
Re: Personal Possessions in the Workplace
Somebody has been going through my handbag at work , taking all my pens apart ,god knows why , nothing has been stolen…

19 April 2021
Anna
Re: What to Do If Your Privacy is Invaded at Work
I work for a large food business. We have a new manager. She gained access to the Facebook messenger group…

2 April 2021
Churchill
Re: Introduction to the Data Protection Act
A colleague invited me to read (but I declined) another colleagues personal file which had been left in a box in…

28 March 2021
Concerned
Re: Access Information Your Employer Holds About You
Is my company’s Internal Audit department allowed to see my personnel file without my permission??? They…

15 March 2021