Jim Lister: Employers must consider the potential risks involved in data mining

The mining of staff data raises data protection issues, although in-house mining is usually much less problematic than wider big data projects.


Any third party that employers use to mine their data will be considered to be a ‘data processor’ for the purposes of the Data Protection Act. That means that employers will need to bind them to a data processor agreement, which commits them to good data protection practices.

A data mining report is unlikely to create new personal data. It will usually identify trends, but not name individual staff members. But any data trawl is itself considered to be ‘processing’, even if it is automated, and that processing must be conducted lawfully and in accordance with the eight data protection principles in the act.

Data mining associated with incentive schemes will usually involve processing both ‘ordinary’ and ‘sensitive’ personal data. Information relating to sickness and maternity leave, for example, will be ‘personal data’ and must be handled accordingly.

Consideration must be given to whether the individual consent of staff members is needed before a data trawl is undertaken. It is strongly arguable that the general consent wording appearing in most modern contracts of employment, which permits processing for normal HR purposes, would be sufficient to allow data mining of both ordinary and sensitive data. Most organisations will proceed on that basis, without seeking specific consent, perhaps taking comfort that the exemption in the act relating to processing data to facilitate management forecasting is also likely to apply. 

The issue that could really hurt employers is data security. Fines for breach of data security can be very substantial, up to £500,000 in serious cases. Employers should therefore ensure that mined data can be accessed only by those staff, if any, who really need it.

Jim Lister is a principal lawyer at Pannone, part of Slater and Gordon