When interviewed by Personnel Today at the beginning of the year, Information Commissioner Richard Thomas said he hoped there were ‘very few’ HR professionals who were unaware of the Data Protection Act situation.
Certainly, any HR professional worth their salt knows its organisation has a legal obligation to comply with the Data Protection Act 1998 (DPA), and that they have a major role to play in that compliance. However, in a profession already swamped by legislation, it isn’t helpful that some of the codes of employment practices alone run to 96 pages.
Rather than getting bogged down in details, grasping the principles of data protection (see box) is the best way to approach the Act.
Remember, the aim of the Act is not to try to catch you out, but to promote best practice when it comes to processing personal data. The codes attempt to strike a balance between preserving workers’ legitimate rights to their private life and an employer’s legitimate need to run its business.
“A lot of data protection is common sense,” says Kussum Sharma, compliance manager at the Information Commission-er’s Office (ICO). “Be transparent and be open when processing personal data about employees. Keep personal records secure and don’t use them in a way which is incompatible with the purpose for which they were obtained.”
What follows is a snapshot of some of the key areas covered by the four codes of practices that cover employment issues.
Recruitment and selection
The individual’s rights begin at the point the job is advertised and, even if using an agency, the applicant must be told as soon as possible who holds their details.
One of the eight principles of the Act is that data must be ‘relevant for the purpose’. If you stick to this throughout the recruitment process, you shouldn’t go far wrong. For example, you can only request information about criminal convictions if it can be justified in terms of the role. You should also explain any verification checks that are going to be carried out and if any sensitive data, such as health records, is collected during the process.
While the employer can set the retention period for recruitment records, the Act requires that personal data shouldn’t be kept for longer than is necessary. Those wishing to build a talent pool must be aware of this, says John Spiers, chief marketing and information officer with online recruitment company, StepStone. “If you want to contact a candidate in the future, you must take this into account and get their permission,” he says.
The Act recognises some monitoring of employees is necessary. However, it is important HR recognises that any adverse impacts from monitoring, such as intrusion into employees’ privates lives, must be justified in terms of benefits to the employer or colleagues. To assess this, the code recommends organisations carry out an impact assessment that should:
– identify the purpose behind the monitoring and the benefits it is likely to deliver
– identify any possible adverse impact of the monitoring
– consider alternatives to monitoring or different ways it could be carried out
– take account of any legal/compliance obligations that arise from monitoring
– judge whether monitoring is justified.
Unless a covert form of monitoring is required – which is hard to justify – employees should be made aware of the nature, extent and reasons of the monitoring. Employers are allowed to carry out internet monitoring but an impact assessment is still recommended. It is good practice to set out a policy document explaining what is permitted and what is considered abuse of the internet.
This is a huge subject area, but there are five benchmarks on collecting and keeping records that provide guidelines for working:
– Ensure new workers are aware of the nature and source of any information kept about them, how it will be used and to whom it will be disclosed
– Inform new workers, and remind existing ones, of their rights, including details of their rights of access to this data
– Ensure there is a clear and foreseeable need for any information collected and that data meets that need
– Provide each worker with a copy of the information that may be subject to change (such as home address) annually, and ask them to check it for accuracy
– Build accuracy, consistency and validity checks into the system.
HR’s ability to comply with the codes depends on a good relationship with IT, especially when it comes to managing records. “IT is good at archiving data but HR must know and understand the content of what is being stored and how to get to it,” says Mike Hill, vice-president of marketing at Chronicle Solutions, who specialise in data storage technologies.
Information about workers’ health
The Act’s sensitive data rules are key to this, as this part of the code of practice covers the collection and use of information about a worker’s physical or mental health. To assess whether you are satisfying the main conditions under which such data could be processed, some of the questions you should ask are:
– Is the processing necessary to enable the employer to meet its legal obligations – for example, to ensure health and safety at work or to comply with the requirement not to discriminate against workers on the grounds of disability?
– Is the processing for medical purposes and undertaken by a health professional or someone working under an equivalent duty of confidentiality (such as an occupational health doctor)?
– Has the worker given consent explicitly to the processing of his or her medical information?
This is only a small part of a code that is at draft stage. It is hoped a final version will be published before the end the year.
The codes can be downloaded by searching for ‘codes’ on the Information Commissioner’s website: www.informationcommissioner.gov.uk
Eight principles of data protection
Personal information must be:
– Fairly and lawfully processed
– Processed for specified purposes
– Adequate, relevant and not excessive
– Accurate and up to date (where appropriate)
– Not retained for longer than necessary
– Processed in line with the rights of the individual
– Securely kept
– Not transferred to countries outside the European Economic Area (the EU, plus Norway, Iceland and Liechtenstein)