As part of the corporate support work that I often take part in, undertaking due diligence exercises for organisations inheriting staff under TUPE, I am often horrified at the level of personal data that I have access to. Often this isn’t just people’s names and their ages (for the purposes of doing redundancy calculations) but often their addresses and other personal information, including sensitive personal data in relation to their health. It often bothers me that few seem to have regard to the Data Protection angle of this kind of work.
The Information Commissioner’s Office has just released further information for employers in relation to the disclosure of employee information under TUPE. You will be familiar with the idea that, under TUPE, the transferor has to disclose ’employee liability information’ within 28 days of the transfer. Prior to 1st May 2014 this had been 14 days.
This employee liability information will include an employee’s identity, their age, information about terms and conditions applicable to them, their disciplinary record for the last two years, details of any grievance they have raised and any claims they have brought. The disclosure of such information is permitted under the Data Protection Act because it is a legal requirement, however the Information Commissioner’s Office emphasises in their guidance that an employer still has to act in accordance with the principles of the Data Protection Act.
This means the employer should, wherever possible, try and anonymise identifiers, certainly during the bidding stages of a process where more than one party may be involved and it’s not yet clear who the employer who is actually going to inherit the staff is. If the employer wants to disclose certain information they may need the consent of the employee, or put in place safeguards to make sure that the information is only used in connection with the proposed transfer and won’t be kept once that purpose has fallen away.
When the transfer actually occurs there isn’t a problem with transferring the employment records to the new employer who is stepping into the shoes of the transferor. However, the new employer should consider whether they actually need all of the personnel information that has been kept over the years and whether unnecessary information should be destroyed. I remember, years ago, doing a Data Protection audit in the police and discovering personnel files that contained information going back to the 1970s including information about members of staff’s previous marriages, their home arrangements and other information which would all not be relevant to keep.
The old employer may still have to keep some information about former employees in order to deal with liabilities that might arise such as claims after the transfer has taken place. This is permitted as long as the employer has a justifiable need to keep that information and they should only keep that information for as long as is necessary. Any information they are not going to keep should be securely destroyed.
If you have any further questions on this issue please do not hesitate to email me.