In a message dated 09/05/2002 15:50:55 GMT Daylight Time, [log in to unmask]
writes:
<< Can anyone see real problems with asking staff to use their NI
number?? The HR dept and Finance already have this number on file for
obvious reasons, so its just the IT guys who would have access to it too
(although they probably already have through Admin privileges on our
Finance system). Your NI number is not sensitive personal data either - I
think? So would there be any other problems with this approach? >>
---------
It would almost certainly be in breach of the third Principle of the DPA98 to
use a person's NI number for anything other than national insurance, tax or
benefits purposes. It cannot even be used as an internal identifier to avoid
record duplication.
Some organisations ask for NI numbers on job application forms - even though
it is excessive data if the person is not employed. It is better to collect
such information when you appoint.
Once collected, it should be held securely - although not classed as
"sensitive" in the Act, there is a legitimate expectation that it is not made
generally available and only used for NI/tax/benefits purposes. It might be
a good idea to restrict access to personnel records and if your IT staff have
"back door" entry facilities to the data it might be worth closing such
facilities or installing a low-level audit trail.
User names need not be secure, it could be the person's own name or payroll
number. The password they use is the secure part - or should be - of the
entry key.
Ian Buckland
Managing Director
Keep IT Legal Ltd
Please Note: The information contained in this document does not replace or
negate the need for proper legal advice and/or representation. It is
essential that you do not rely upon any advice given without contacting your
solicitor. If you need further explanation of any points raised please
contact Keep I.T. Legal Ltd at the address below:
55 Curbar Curve
Inkersall, Chesterfield
Derbyshire S43 3HP
(Reg 3822335)
Tel: 01246 473999
Fax: 01246 470742
E-mail: [log in to unmask]
Website: www.keepitlegal.co.uk
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|