The Information Commissioner has published part two of the Employment
Practices Data Protection Code and its requirements are effective immediately.
Warren Wayne explains the code and what you need to do to comply with it.

Part two of the Employment Practices Data Protection Code guides employers
on the handling and retention of various types of employee records. Although,
strictly speaking, still within the second transitional period (which expires
on 23 October 2007) under the Data Protection Act 1998, the Act is now fully
effective in relation to the rights of data subjects and the maintenance of

Whose records are covered?

In the context of the employment relationship, the code applies to records kept
on the following people:
– Current job applicants (whether successful or not)
– Previous job applicants (whether successful or not)
– Current employees
– Former employees
– Agency workers (both current and former)
– Casual workers (both current and former)
– Contract workers and freelancers (both current and former)

What does the code demand of these records?

The code applies the eight data protection principles to these categories of
staff. The most relevant of these are the third, fourth and fifth principles,
which require employee records to be:
– Not excessive in relation to the purposes for which they are used and
– Kept up to date where necessary
– Not kept for longer than is necessary

What is the legal status of this code?

Although the code is not legally binding, it sets standards of good
practice. According to the commissioner, this includes both compliance with the
letter of the law and the spirit of the legislation. Naturally, there is some
disquiet among employers over this approach, as it suggests the commissioner
will enforce higher standards than those strictly required by the legislation.

What do employers need to do in order to comply?

The code contains numerous recommendations and benchmarks and employers will
need to look through all of these. The code can be downloaded from the
Information Commissioner’s website (see links). However, the main
– Workers should be provided with a copy of their basic employment record
annually. This should either be a paper record, or supplied in another
easily intelligible, permanent form.
– Personal data which is irrelevant or excessive should be eliminated from
files. This is an awkward task for HR departments, as it will require files to
be individually reviewed.
– Staff should be informed that if they knowingly or recklessly disclose
personal data about other workers, they could be committing a criminal offence
and be personally liable. The best approach here is to incorporate this into
disciplinary procedures and to ensure staff are warned of their data protection
obligations during the induction process.
– It is recommended that employees’ contracts contain confidentiality
clauses that ensure the security of staff data.
– There should be established procedures and security rules for removing
staff records from the workplace, including those on laptops or palmtops.
– A distinction should be drawn between ‘sickness records’, which include
details of the illness, and ‘absence records’, which do not refer to any
particular medical condition, but may give the absence reason as ‘sickness’.
This is because the details of a particular illness will constitute ‘sensitive
personal data’ under the Act, making them a restricted form of record.
– As a result of the above, it is recommended that sickness records and
absence records should be kept separately and used in different contexts. For
example, when company sick pay is being calculated, the payroll department will
only need to refer to the length of the absence and will not need details of
the illness itself.
– Taking this further, managers should be permitted to have access to
sickness records, so they can investigate persistent short-term illness or
long-term illness absence issues. This information should only be available to
those who reasonably require it as part of their duties (including HR
– Although staff are not entitled to have access to references written by
their current employer, the commissioner regards it as good data protection
practice to allow staff to see these references so they can challenge
information which they believe is inaccurate or misleading. This recommendation
places the code at odds with the strict legal position.
– In relation to general record keeping, information should not be kept just
because ‘it might be useful one day’.
– The commissioner requires that employers conduct a risk analysis, by
balancing the risks to workers of data being kept, against the consequences of
keeping information that is only rarely used. No specific guidelines are given
as to how long records should be kept, but it is difficult to see how the
commissioner can object to records being kept for up to a year after
termination, in case they are needed as evidence in employment-related

What can the Information Commissioner do to enforce these rules?

The commissioner has a variety of enforcement powers, although they have
rarely (if ever) been used in the employment context. The powers are:
– Enforcement action. The commissioner can revoke the employer’s
notification, which effectively prevents all further data processing in the
organisation. Continued breaches after this will be a criminal offence.
– Prosecution. This is likely to occur where personal data has been
unlawfully obtained or unlawfully sold.
– Assessment. The commissioner has powers to investigate and assess a
company’s use of personal data. The commissioner must investigate if asked to
do so by an individual who makes a legitimate complaint. She has wide
discretion over the way in which the investigation is conducted and has the
power to serve an information notice.
Staff also have the right to claim compensation in the civil courts, but
only if they have suffered both damage and distress. It is unlikely that many
employees will be able to prove that they have suffered financial damage as a
result of any breach of data protection, although it is possible in some

Is this code really necessary?

This part of the code is helpful to employers, inasmuch as it gives
much-needed clarity in an area which has previously been beset by confusion. Data
protection practices will no doubt continue to evolve as employers adjust to

Warren Wayne is a partner in the Employment Group at Boodle Hatfield – www.boodlehatfield.co.uk

Employment Practices Data Protection Code Part 2: Employment records can be found at www.dataprotection.gov.uk under Codes of practice, our responses & other papers