‘Open and detailed’ is how the commission sees its new code of practice on
recruitment, while HR views it as unhelpfully complex. So who is right? Paul
The long-awaited code of practice on recruitment and selection giving
employers advice on how to comply with the Data Protection Act has finally
The code – the first of four to be issued by the Information Commission –
outlines organisations’ responsibilities concerning the handling of personal
data relating to the recruitment process. But employers bodies and HR
professionals are concerned that the code is too long and misleading.
The code was originally due to be published six months ago but was delayed
after employers criticised the draft for being too long and ambiguous.
In July last year assistant information commissioner David Smith, told a
consultation conference: "If the code does not make sense and is not
understandable by HR managers then it has not done its job."
Initial reaction to the 56-page final version of the code suggests there are
still concerns over its usability, which could have serious consequences for
The CIPD believes the code does not make a clear distinction between Data
Protection legal requirements and best practice recommendations.
"It is 13,500 words and 56 pages, which is still too long. It would
have a bigger impact if it was more concise, said Diane Sinclair, CIPD employee
"The code is still not clear what is necessary to comply with the law
and what, in the Information Commissioner’s view, is good practice."
The document states that employers must give a staff member responsibility
for compliance and make serious breaches of the code a disciplinary offence.
HR responsibilities under the code include ensuring interview notes on job
applicants are retained and that records on people’s salaries from previous
employers are destroyed.
Employers can only request data about an applicant that is relevant to
recruitment and job applicants must give their consent if documents are needed
from a third party – such as a reference.
According to the CBI, many employers will find the code inaccessible.
Susannah Haan, legal adviser at the CBI, said: "It is confusing, as some of
the benchmarks are legally binding and others are just good practice – this is
misleading. In its current state, the only people who will read it are
HR professionals are also unhappy with the final version of the code.
Alison Warner, head of HR at city law firm Stephenson Harwood, complains
that the code is too long and its language overly complex. "I can see how
some people might find it difficult and may get lost," she said.
The document’s format is also criticised by Vauxhall personnel director
Bruce Warman. He commented: "My first reaction is that it is complicated.
It is far too comprehensive and very difficult. It is so long that I do not
think it will be used. It is not user-friendly."
Both the CIPD and the CBI have urged the Information Commission to change
the structure for the final three parts of the code on monitoring, employment
records and medical information, due to be published over the next three
months, to make them more usable. They have called for these to include a simple
checklist format, similar to the Acas code on disciplinary procedure.
Employment lawyer Jonathan Chamberlain, partner at Wragge & Co, also
advocates this approach. "I don’t see why it can’t be reduced to
legally-binding do’s and don’ts. There is always a conflict between flexibility
and certainty, but the Acas code of practice on disciplinary procedure is only
a few pages and has stood the test of time for 20 years," he said.
The Information Commission defended the code, claiming that it had to be a
detailed document in order to be relevant to all employers.
"The code provides guidelines on how to process data. It had to be open
so it was accessible for all industries and sectors," said David Clancy,
strategic policy adviser at the Information Commission.
"We could not have produced prescriptive legal requirements as it would
have been impossible. For example, the keeping of data for as long as it is
needed, would differ greatly from sector to sector and at different
Clancy said that if the code had been more prescriptive it would have caused
problems with other legislation including the Human Rights Act and the
Regulation of Investigatory Powers Act.
"We have attempted to produce a balanced approach, producing central
benchmarks that are a form of loose guidance that if followed will mean
companies are complying with the Data Protection Act," he said.
The code: what HR must do to comply
– Make a staff member responsible for
– Make serious data protection breaches a disciplinary offence
– Only request data about an applicant that is relevant to
– Only request details of criminal convictions if justified for
– Ensure job applicants sign consent form if documents are
needed from a third party
– Inform applicants if automated short-listing system is the
sole basis of decision
– Retain interview notes
– Establish a retention period for recruitment records based on
– Destroy information on an individual’s recruitment within six
– Dispose of salary information from previous employers
– Only ask for sensitive personal data for successful applicants