Moira,

Here's my two pence from across the big pond.

I agree with everything said to date.  Cindy Burnes is on target raising the
issue of the limited value of consent in the employment context.  The
Article 29 Working Party has a long paper on processing in the employment
context (see the Sept 1 2001 paper at
http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wpdocs_2001.htm
), containing some very strong restrictions on the role of consent in the
workplace.  Since the paper reflects the thinking of the OIC, I recommend
giving it a careful read.

One way of dealing with the fact that the conditions required for consent
are mostly absent in the employment context is to reposition what you call
"consent" to "an acknowledgment of notice".  You are, after all, required to
give employees notice concerning the purposes and uses of information
collected from them, so the sign-off you refer to could be re-described as
such an acknowledgment.

Even as a notice statement, however, it seems deficient, in its brevity,
generality ("administration and business management purposes") and omission
of reference to other information that should be provided, such as reference
to the organization's privacy policy, a point of contact for inquiry and
complaints, data subject access and correction rights, safeguards that will
be employed, and so forth.  The requirements of fair information practice,
as well as the 1998 DP Act, cannot be adequately met with such uninformative
short paragraphs.

As for the issue of responsibility, I believe it confuses things to mix a
"consent/acknowledgment" statement with a confidentiality agreement.  The
former is addressed to a data subject; the latter to a data user.
Responsibilities can and should be placed upon data users, but again not in
a one sentence statement such as your HR section proposes.  This does not
mean that the organization is less accountable than before, since both
organizations AND data users are responsible parties.  What the
responsibilities of data users are needs to be spelled out, however, both
for the sake of the user's peace of mind and to ensure effective privacy
protection in the organization.

Don

* * * * * * * * * * * * * * * * * * *
Dr. Donald F. Harris
President, HR Privacy Solutions, Ltd.
1202 Lexington Avenue, Suite 318
New York, NY 10028
Phone/Fax:  (212)396-1184
E-mail:  [log in to unmask]
Website: www.hrprivacy.com
* * * * * * * * * * * * * * * * * * *

-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]]On Behalf Of Moira Forbes
Sent: Wednesday, July 17, 2002 5:12 AM
To: [log in to unmask]
Subject: employee contract clause


Dear All,

My HR section have requested my approval of the following statement:

"From time to time xxx may process Personal Data and sensitive Personal
Data about you which is covered by the Data Protection Act 1998 for
administration and business management purposes. Processing will take place
in accordance with the provisions of the Data Protection Act 1998. By
signing this contract you acknowledge that you are providing xxx with
consent to these uses.

It is your responsibility to ensure that where, in the course of your
employment with xxx, you process data covered by the Data Protection 1998,
you comply with this legislation."


Initially I thought it was fine, but now I wonder whether it removes the
individual's right to give explicit and informed consent to sensitive
personal data. I realise the Act allows HR sections to process certain
sensitive data in the course of their work (eg sickness records) but is
this statement a step too far? I also wonder about the terminology "your
responsibility to ensure" with no reference to the employer providing
training/guidance etc -  or am I being too picky?

Comments would be most welcome.

Thanks

Moira

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^