
Lawrence

This is certainly personal data and I find it hard to fault your
comments.

I think this COULD be done, by consent, which you would certainly need
to avoid the principle 3 points, and you could satisfy 7 with passwords
(a nightmare), but why would you want to do this? Most of the time and
in most teams it may not be a problem, but then you will get someone
who is struggling for 'personal reasons' and you will be falling foul of
the employment practices code. 

My system is that staff keep their timesheets in their own secure
personal area*. As required they email a copy to their manager who keeps
it in his secure personal area for as long as needed. 

* Technology neutral!

Phillip Bradshaw


Information Manager 
Democratic Services

Room CY5C, County Hall

EMail: [log in to unmask]

Phone:         029 2087 3346
Mobile :        07890 265987 
Fax:              029 2087 3349



-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Lawrence Serewicz
Sent: 17 February 2011 13:44
To: [log in to unmask]
Subject: [data-protection] When is employee information personal
information (Is it a continuum or a clear dividing line?)

Dear All,

I am trying to think through some data protection principles relating to
the following scenario.  We are setting up a SharePoint system for a
relatively small section, less than 20 people working in the same area.
Someone has suggested that all the electronic timesheets for each person
could be stored centrally so that everyone in that team could have
access to them.

My initial response was that this was a bad idea. I saw it as running
counter to the 1st principle of being fair and lawful.  Having  this
information held in this way would allow people without a managerial
need to know to view the time sheets of other staff.  I also saw it as
bad from the 3rd principle in that this is excessive processing, i.e.
being available to all in the team.  It would also contravene the
Seventh in that it allows unauthorised processing.

The counter argument is that this is not personal information because it
relates to their working practices in that it is like their job title or
their email address. (Of course this raises the question of whether this
counts as an employment record)  Further, the argument is that this is
not being disclosed outside the organisation so it would not be a breach
of the Act because it is internal to the organisation.  It would be on
par with their attendance in the building in that anyone can see when
anyone else is in work or not such as putting an out of office reminder
on the email account.  The final counter argument is that the timesheets
have the name on them, but it is not about the person, as such, but
about their work. In effect, there is a continuum from strictly personal
to strictly public and that information within work, for work, is
tending towards the public with fewer protections.

Furthermore, the defence of this approach would rely upon schedule 2 (6)
in that it is in the legitimate interests of the data controller to
process the information in this way.

My view is that timesheets are personal information and should not be
stored centrally in an area where other people, without an immediate
need to know, can view them.  I see this as leading to more problems
than it can solve and in a sense, it could be viewed as potentially
intimidating practice in that an employee will not know who else has
seen their timesheet but could have someone else checking on its
accuracy aside from their manager.  I would counter argue that it is not
in the legitimate interest of the data controller because more than line
managers have access to the information and therefore, it would
contravene principle one in that it would not be fair. At this stage,
the staff cannot see the timesheets for the managers.

In sum, my view is that this is a bad idea from a DPA point of view (and
a managerial point of view) so would be encouraged to be avoided as it
would breach the Data Protection Act as unfair processing of personal
information.  I would be interested in the views of others on the issue
relating to the balance between personal and public within the
workplace.

Best,

Lawrence








^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask] All user
commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list
owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your
needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
