Retailers crackdown on dishonest staff

The National Staff Dismissal Register (NSDR) is due to be launched later this month. Many press reports have referred to this database as a 'blacklist' however retailers must be aware of the data protection issues that this type of register will raise.

A database that contains information relating to employees or ex-employees will be caught by the Data Protection Act 1998 (DPA). The DPA provides a framework governing how the information must be treated, for example, how long it can be retained for, keeping it up to date and having appropriate security measures in place to safeguard it. The DPA also provides certain rights that may be exercised by those employees/ex-employees that have information about them on a database, for example, a right to see what personal data is held about them and have their personal data corrected.

Vin Bange, a data privacy law expert at international law firm Eversheds, comments:

"Clearly the DPA raises many implications for such a 'blacklist' database to ensure it complies with the DPA framework of obligations as well as the ex-employee's rights in relation to their personal data on the blacklist."

The detailed working of such a blacklist database will have to have the DPA as an integral part of its make-up. For example if an ex-employee was unable to access the information about them on the blacklist and have it corrected then that would create serious DPA concerns.

"Potential employers will have to tread carefully to ensure that they take a 'fair' approach in how they use the information on the blacklist. Under the DPA, a potential employer has to tell the applicant if and when any details supplied by the candidate will be verified and how it will be verified. This usually calls for transparency and consent as a prerequisite."

While press reports may refer to the National Staff Dismissal Register as a blacklist, there are clear risks in using the information as part of a simple blacklist process without further verification of the information obtained. This especially applies to the risks of such information being out of date or subject to dispute, for example, where there has been no successful prosecution or the event leading up to the entry is contested.

Any such database would need safeguards around the information used to populate it, update it, and keep it secure. Safeguards would also be required by the potential users of that information, and given the impact of the decisions made using this information, potential employers need to have a robust process to ensure they also comply with the DPA.