New employee database: solution to a genuine employer problem or a step too far?

It is being established by a partnership between major retailers under the umbrella of the British Retail Consortium and the Home Office called Action Against Business Crime. The point is to warn future employers about suspect employees. However, the new database, called the National Staff Dismissal Register (Register), has raised substantial issues across many areas of law, in particular on data protection compliance.

The purpose of the Register is to reduce business costs and losses due to dishonest employees and to make the recruitment process more efficient, by allowing potential new employers to assess whether prospective employees have a history which they have not disclosed. The Register will hold information on any employee who was dismissed or otherwise left their role whilst under suspicion of:

• theft;

• fraud or forgery;

• causing loss to the company, or its suppliers or customers;

• causing damage to the company's property.

Employers will be able to search for data including the employee's name, address, date of birth, National Insurance number and previous employer, and will able to access the Register online.

It has been suggested that the Information Commissioner was regularly consulted during the development of the Register. However, Nick Graham, a partner specialising in data protection law at Denton Wilde Sapte, explained that there were a number of key data protection risks and issues arising from this apparent processing of personal data:

• the fair processing obligations set out in the data protection legislation require individual employees to be informed about the database and the purposes for which it may be used. This may be possible to do going forward with existing and future employees, but is likely to be much more difficult in relation to legacy data held on former employees. However, the consequences of inclusion on the Register are likely to be more immediate for former employees than current ones;

• it is an open question as to whether the information being provided to the Register would be "sensitive personal data", as the mere listing of an individual on the Register may be the equivalent of an allegation of an offence being committed. If the data processed is sensitive data then there is a requirement to collect explicit consents from each employee before the data may be shared on the Register;

• if the data is not sensitive, then the collection and use of the data will probably need to be within the former employers'/ subscribers' "legitimate interests" (unless individual consents are collected) and must not involve any collection or use of data which is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the relevant employees;

• if employers gather individual consents from their current employees to permit this use of their personal data, then that consent must be specific and informed; and

• the database will also need to comply with the general data protection principles and so data must be adequate, relevant and not excessive, kept up to date and not kept longer than necessary.

Shona Harper, a lawyer with Denton Wilde Sapte, also explained that data protection was not the only law that may impact on employers' use of employee data in this way. If an employer were to list an employee on the Register without being able to justify the underlying relevant suspicions, they may leave themselves open to the risk of litigation being brought by the employee, with possible claims of defamation, negligence and in some circumstances, discrimination. Interestingly, many employers no longer give detailed references in relation to employees to avoid this very risk of being sued by their former employee, preferring instead to simply confirm basic facts about the employee's period of employment. However, use of the Register seems to be a step back towards the days when prospective employers were provided with more detailed information about prospective employees.

The new Register also raises some general concerns about its usage, such as whether it reverses or dilutes the basic principle that individuals are "innocent until proven guilty". There may be a risk that the Register is open to illegitimate manipulation of suspicions to force an employee to leave his or her role rather than the employer going through the standard dismissal process. It is not clear how long the Register will retain the data in question so allegations without any solid proof could turn out to be more damaging to an employee than an actual criminal conviction. Further, the Criminal Records Bureau (CRB) already exists to allow employers to check whether potential employees have criminal records, thereby relying on the high standards of criminal law being met before an employee's record is tarnished. However, it is not clear how the Register will fit with the CRB.

The new Register is one of the many new databases being created to allow commercial parties (and, in other cases, Government departments) to share data and use it more effectively. However, as Nick Graham explains above, there are a number of data protection issues that seem to arise together with associated employment law risks. Its use does seem to represent a cultural shift backwards in respect of employer liability, with employers using the Register facing similar risks to those previously associated with giving of detailed employment references. Subscribers using the Register should ensure that their proposed use of the Register is fully compliant with all applicable laws and regulatory guidance prior to starting that use.