Lawrence This is certainly personal data and I find it hard to fault your comments. I think this COULD be done, by consent, which you would certainly need to avoid the principle 3 points, and you could satisfy 7 with passwords (a nightmare), but why would you want to do this? Most of the times and in most teams it may not be a problem , but then you will get someone who is struggling for 'personal reasons' and you will be falling foul of the employment practices code. My system is that staff keep their timesheets in their own secure personal area*. As required they email a copy to their manager who keeps it in his secure personal area for as long as needed. * Technology neutral ! Phillip Bradshaw Information Manager Democratic Services Room CY5C, County Hall EMail: [log in to unmask] Phone: 029 2087 3346 Mobile : 07890 265987 Fax: 029 2087 3349 -----Original Message----- From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Lawrence Serewicz Sent: 17 February 2011 13:44 To: [log in to unmask] Subject: [data-protection] When is employee information personal information (Is it a continuum or a clear dividing line?) Dear All, I am trying to think through some data protection principles relating to the following scenario. We are setting up a share point system for a relatively small section less than 20 people working in the same area. Someone has suggested that all the electronic timesheets for each person could be stored centrally so that everyone in that team could have access to them. My initial response was that this was a bad idea. I saw it as running counter to the 1st principle of being fair and lawful. Having this information held in this way would allow people without a managerial need to know to view the time sheets of other staff. I also saw it as bad from the 3rd principle in that this is excessive processing, i.e. being available to all in the team. It would also contravene the Seventh in that it allows unauthorised processing. The counter argument is that this is not personal information because it relates to their working practices in that it like their job title or their email address. (Of course this raises the question of whether this counts as an employment record) Further, the argument is that this is not being disclosed outside the organisation so it would not be a breach of the Act because it is internal to the organisation. It would be on par with their attendance in the building in that anyone can see when anyone else is in work or not such as putting an out of office reminder on the email account. The final counter argument is that the timesheets have the name on them, but it is not about the person, as such, but about their work. In effect, there is a continuum from strictly personal to strictly public and that information within work, for work, is tending towards the public with fewer protections. Furthermore, the defence of this approach would rely upon schedule 2 (6) in that it is in the legitimate interests of the data controller to process the information in this way. My view is that timesheets are personal information and should not be stored centrally in an area where other people, without an immediate need to know, can view them. I see this as leading to more problems than it can solve and in a senses, it could be viewed as potentially intimidating practice in that an employee will not know who else has seen their timesheet but could have someone else checking on its accuracy aside from their manager. I would counter argue that it is not in the legitimate interest of the data controller because more than line managers have access to the information and therefore, it would contravene principle one in that it would not be fair. At this stage, the staff cannot see the timesheets for the managers. In sum, my view is that this is a bad idea from a DPA point of view (and a managerial point of view) so would be encouraged to be avoided as it would breach the Data Protection Act as unfair processing of personal information. I would be interested in the views of others on the issue relating to the balance between personal and public within the workplace. Best, Lawrence Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending or receiving messages please send to the list owner [log in to unmask] Full help Desk - please email [log in to unmask] describing your needs To receive these emails in HTML format send the command: SET data-protection HTML to [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ********************************************************************** Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to Internet email for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of the Council of the City and County of Cardiff shall be understood as neither given nor endorsed by it. All e-mail sent to or from this address will be processed by Cardiff County Councils Corporate E-mail system and may be subject to scrutiny by someone other than the addressee. ********************************************************************** Mae'n bosibl bod gwybodaeth gyfrinachol yn y neges hon. Os na chyfeirir y neges atoch chi'n benodol (neu os nad ydych chi'n gyfrifol am drosglwyddo'r neges i'r person a enwir), yna ni chewch gopio na throsglwyddo'r neges. Mewn achos o'r fath, dylech ddinistrio'r neges a hysbysu'r anfonwr drwy e-bost ar unwaith. Rhowch wybod i'r anfonydd ar unwaith os nad ydych chi neu eich cyflogydd yn caniatau e-bost y Rhyngrwyd am negeseuon fel hon. Rhaid deall nad yw'r safbwyntiau, y casgliadau a'r wybodaeth arall yn y neges hon nad ydynt yn cyfeirio at fusnes swyddogol Cyngor Dinas a Sir Caerdydd yn cynrychioli barn y Cyngor Sir nad yn cael sel ei fendith. Caiff unrhyw negeseuon a anfonir at, neu o'r cyfeiriad e-bost hwn eu prosesu gan system E-bost Gorfforaethol Cyngor Sir Caerdydd a gallant gael eu harchwilio gan rywun heblaw'r person a enwir. ********************************************************************** -- Scanned by iCritical. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending or receiving messages please send to the list owner [log in to unmask] Full help Desk - please email [log in to unmask] describing your needs To receive these emails in HTML format send the command: SET data-protection HTML to [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^