The Information Commissioner's Office issued its latest Good Practice Note in the spirit of improving transparency, not secrecy. It acknowledged that you do not need to pass on a confidential reference that you wrote about your own employee if asked to do so by that person. But if you hold a confidential reference that you received from someone else, you generally do need to disclose it upon request – unless the manner in which it is held is not covered by the Data Protection Act.
This carve-out is significant. Many people think that they can ask an organisation to reveal every piece of personal data they hold that relates to them. Not so. They are obliged to reveal personal data only where it is covered by the Act – and some of it won't be. (The Government did widen the Act for public authorities; but it specifically exempted personnel data.)
Electronically stored data generally will be covered. So you can see the emails that refer to you (subject to the censorship of, for example, the personal data of others). But as Michael Durant learned from the Court of Appeal in his landmark privacy fight, paper documents escape such "subject access" requests unless they form part of a "highly structured manual filing system."
The Court of Appeal seemed to think that averagely-structured manual filing systems do not count. "An ability of staff readily to identify and locate whole files, even those organised chronologically and/or by reference to his and others' names, is not enough," it wrote.
The upshot is that email is caught by the Act and therefore there are more opportunities for emails to come back to bite you. You probably know the dangers of email already. You are probably wise to the risks of writing job references, too. Smart bosses keep them bland and devoid of opinion: "She joined us in 2003 and left in 2005. The end."
The real issue – which crystallised when Durant's hopes of an appeal were dashed by the House of Lords in December – is that a loophole exits in Britain's Data Protection Act, that is open to exploitation by unscrupulous employers. It's not just about job references.
We learned recently of a man who suspected his employer was paying private investigators to spy on him. He exercised his right to make a subject access request – and learned that whatever monitoring activity was taking place, whatever reports were being written about him, none of it was subject to the Act. Want to hide something? Shove it in a drawer.
So what's the resolution? Well, an obvious step would be to legislate. Make all employee data subject to the Data Protection Act, regardless of storage medium. I put this to David Smith, who has just taken up the post of Deputy Commissioner at the Information Commissioner's Office.
Mr Smith was promoted from his 15-year tenure as Assistant Commissioner to become the lead for data protection. He pointed out that, while his office is looking out for the rights of the individual, it also wants "to make life as simple as possible for business."
"There are arguments for clarifying the law in this area," he said. "Whether the Government is likely to be moved in that direction I would have some doubts at the moment." He pointed out that the emphasis is to avoid further regulation – "and bringing more records within the scope of the Act could only be termed as further regulation."
But would extending the Act to any employment records not be of greater protection to the employee? "Yes," said Mr Smith, "there can be no doubt that it would improve the protection for individuals."
He accepted that sending a job reference by post makes it less likely that it gets covered by the Act; he also accepted that this is one of the "areas where the Act could be improved or made simpler or both."
But he continued: "What I am a bit reluctant to do is base our approach in the short and medium term on there being changes in the law. I don't know that it is very likely that there will be significant changes in the law and those are in the hands of the Government."
I put to Mr Smith that he is in the best position to lobby the Government for change. "There is no doubt," he replied, "that we have the Government's ear … but the Parliamentary timetable as you know is very busy."
"If we set out our stall on the basis of changing the law, it's going to be some time – if ever – before we make real progress," he said. "We are concentrating our efforts on working with what we've got but at the same time bearing in mind that, yes, there could be improvements."
So are there many cases where the Commissioner's office receives complaints and simply has to say that you can't help because this was an unstructured manual file – or is that a rare thing?
"No, it's not rare," replied Mr Smith. "That happens … I can only agree that additional protection would be provided for individuals particularly in the employment area were all records to be covered – and don't interpret me as saying in any way we would be against that. But what I am saying is that just sort of lobbying Government to achieve that is not at number one on our list of current issues."
Perhaps change will be driven another way. The European Commission has threatened action against the UK Government for wrongly implementing its Data Protection Directive and the Durant decision forms part of its evidence.
The golden rule in all of this is summarised by someone who has used the disclosure of smoking gun emails in crusades against corporate scandal. New York Attorney General Eliot Spitzer said recently: "Never write when you can talk. Never talk when you can nod. And never put anything in an email."
By Struan Robertson, Editor of OUT-LAW. These are the personal views of the author and do not necessarily represent the views of Pinsent Masons.
