Employers have taken the wrong approach to the data protection code of
practice, according to the Information Commission.
In response to continued complaints about its length and complexity, Iain
Bourne, commission strategic policy adviser, countered that firms should not be
trying to work out which parts of the code are legal requirements and which are
He believes employers are confusing the code’s recommendations with their
legal obligations under the Data Protection Act 1998, which the code is
designed to accompany. "The code sets out what they have to do to make
sure they are complying with the Act," he said.
Strictly speaking, it is the Act employers must comply with, not the code.
But the Information Commission has made it clear that should any enforcement
action be taken against employers, the code of practice will be used to
establish if the employer is in breach of the DPA.
Employers and the Better Regulation Taskforce (see above) have argued there
are too many benchmarks for the code to be of any real use. But in a letter to
taskforce chairman David Arculus, Bourne said there were no plans to review the
code. "It is going to be some length as it must explain the Act properly.
Employers do not need to memorise the code, just use it as and when
needed," he said.