There are two legal issues here: the first concerns data protection, and the second concerns your duty of care to employees.
Dealing first with the data protection issues, it is highly likely that the staff directory will be ‘personal data’ and therefore be subject to the Data Protection Act 1998. This does allow use (and disclosure) of personal information but only in accordance with certain conditions. The principal one in relation to this sort of activity is that making the details available is “fair and lawful” (under the first data protection principle). Fairness is gauged on the circumstances, balancing the benefit of making the information available versus the effect on staff privacy. In order to be “lawful”, the publication of the information must comply with one of the conditions listed in Schedule 2 of the Data Protection Act 1998. The relevant conditions in this situation might be:
• Consent - this is often attractive, as it is certain. As long as employees give their informed consent (either by opt-in, or by not opting-out given a reasonable opportunity), lawfulness is assured; however, the risk is having to manage non-release of information for those who do opt-out; or
• Contract - the Act states that publication of the information will be lawful if required in fulfilment of a contract of which the member of staff is a party. It could be argued that, in some cases, employment contracts may require visitors (and perhaps the public) to have access to a member of staff’s contact details. However, if you are not currently making the details available, it may be very difficult to argue that making the details available is “required” by the employment contract; or
• Legitimate interests of the data controller - as the body with control over the personal data, you may make the staff directory available if you can show it is in the employer’s legitimate interest to do so (that it fulfills some substantial and proportionate benefit) and that there is no unwarranted prejudice to staff. However, this provision is unlikely to sanction release of the complete staff directory – there is likely to be very little benefit in the contact details of cleaning staff being made more widely accessible, for example, whereas other staff are much more likely to have contact from visitors and external enquirers, and release of their details might therefore be considered legitimate. The employer will need to take into account the possibility of prejudice to staff, for example, from anti-animal experimentation activists, when weighing up the benefits versus the effect on privacy that greater release of the staff information might have.
Overall, a decision will need to be taken first as to what is fair, and secondly as to which of the above three conditions is to be relied upon to ensure lawfulness, with particular care in cases where release (or lowering of security) may be prejudicial to staff. In any event, keeping staff informed prior to changes and providing a procedure for staff to object to their information being made more widely available are both worthwhile and likely to assist in showing fairness. Staff will always have the right, under s.10 of the Act, to stop their information being released if they can demonstrate it will lead to substantial damage or distress to them (subject to certain conditions).
With regard to duty of care, there are two aspects to this. Under any contract of employment, there are implied terms requiring employers to have respect for employees and to take steps to ensure the health and safety of staff. In addition, the law requires everyone to consider the potential harm that could come about through their actions, and to take the steps that would be taken by a reasonable person in that position to avoid such damage (known as the “duty of care”). Both the contract and tort duties require the employer to consider what harm might happen through this action, to make a risk assessment, and to take reasonable actions to avoid such harm. Such actions may include not going ahead with the change of access, consultation with staff, deciding on a higher level of security, and/or restricting the change only to certain staff where there is clear benefit and low risk of prejudice to the staff.