First published in Newsbrief, Autumn 2003
The Information Commission has published The Employment Practices Data Protection Code based on the Data Protection Act 1998. The code is divided into 4 parts, 3 of which have so far been published. This article aims to highlight the main concepts which have been introduced and about which employers should be vigilant.
Part 1 deals with recruitment and selection, everything from advertising through to the interview. In brief it suggests the following:
Nominate a member of staff to be responsible for compliance
Retain interview notes after recruitment but destroy vetting information immediately
Dispose of salary information from previous employers after recruitment
Only request details of criminal convictions if justified for the role
Only ask for sensitive data (i.e. health) from successful applicants
Advise unsuccessful applicants if their details are to be held on file.
Part 2 relates to employment records and how employers can collect, store, disclose and delete such records. In brief it suggests:
Ensure employees know what information is kept
Have a security system and restricted access
Absence and sickness records should be kept separate
Part 2 makes very important suggestions relating to the giving of a reference. Employers must ensure that they have a clear corporate policy on who can give references and have access to them. Furthermore, a reference should only be given where the employer is satisfied that this is the worker's wish, otherwise the employer may be in breach of the Data Protection Act.
One specific aspect of monitoring and keeping records which has been addressed is the practice of employers keeping an accident book. Most accident books kept by employers allow personal details and information to be seen by anyone making or reading an entry in the book. This is in breach of the Data Protection Act. There is a proposal that every employer must have an accident book which complies with the Act by 31st December 2003. The new form of book will have to record incidents separately from the details of the individual.
Part 3 of the code was published on the 11th June 2003. It sets out the basic rules for employers who monitor, or are planning to monitor, employee activities. It will be of particular use for the monitoring of e-mails and the Internet but will also cover the telephone and other electronic communication. The key theme of this part of the code is that the employer must ensure that the employees know what is being monitored, how it is being done and the reasons for it. It is therefore advisable for employers to have a written policy addressing the matter.
Part 4 of the code has not yet been published but it is anticipated it will cover occupational health issues, medical testing and drug and genetic screening.
Each part of the code has been designed to stand alone and therefore employers are well advised to familiarise themselves with the code to ensure that they do not fall foul of the Data Protection Act.
For more information, please email Suki Harrar or call her on 01926 880717.