Cracking the code

The draft Data Protection Code, which purports to offer employers guidance
on managing employees’ records, has so far caused more confusion than clarity.
Linda Farrell and Alison Hollingsworth take a look at the most likely
scenarios where the code may apply and offer some practical solutions.


C Limited has sustained a series of break-ins recently and has lost a
substantial amount of new computer equipment. The MD suspects that it is an
inside job. As access to the premises has been gained through the front
entrance and a skylight on the third floor, the MD arranges for concealed CCTV
cameras to be installed in the reception area and also in the open plan offices
on the third floor. On reviewing the footage one morning, the MD is surprised
to find a recording of his secretary and the office manager in a somewhat compromising

LF comments
The Data Protection Commissioner has issued a code of practice dealing with
CCTV in public areas (which could include the reception area in this case if
the public has largely unrestricted access). A draft code has also been issued
covering the use of personal data in the workplace, which contains guidance on
the use of various types of surveillance techniques to monitor compliance with
employment contracts.

Both codes make it clear that covert monitoring can only be justified in
very limited circumstances, for example where use of signage would be likely to
prejudice the prevention or detection of crime. In this case, as specific
criminal activity has already been identified and the involvement of employees
is suspected, it is likely that C Limited will be able to justify covert
monitoring for a short period, but this should be restricted to out of office
hours when the offences have occurred.

CCTV monitoring for the detection of crime will amount to the processing of
sensitive personal data and must be justified by reference to one of the
conditions in schedule 2 of the Data Protection Act and one in schedule 3. In
this case, for schedule 2, C Limited can argue that the processing is necessary
for the purposes of its legitimate interests, and for schedule 3 that it is
necessary for the prevention/detection of crime (SI 2000/417). However, as the
cameras were sited for the purpose of detecting crime, use of the images
showing the amorous antics of the two members of staff for another purpose, for
example, disciplinary proceedings, would not be justified unless the evidence
reveals criminal activity or gross misconduct.

Access to personal data

John has been dismissed by M Limited. A settlement was reached but the
circumstances of his departure were less than amicable and it is well known
that he and his manager had not seen eye to eye for some time. Over the next
few months references are provided to other companies to whom John applies for
work. After six months, John is still out of work but has twice received offers
only to have those offers withdrawn for no obvious reason. He becomes highly
suspicious that his former manager may have provided bad references. John sends
an email to the company secretary of M Limited in which he asks to see all
records that the company holds about him, including any e-mails that exist and
any references that have been given about him to prospective employers since he

AH comments
Under the Data Protection Act, John has the right to make a written request
for access to personal data held about him. The information requested must be
supplied promptly and, in any event, within 40 days of the request being
received. However, this does not necessarily mean that John can see all the
personal data that the company holds about him.

The company is not required to supply copies of the information if it would
involve a disproportionate effort to do so. Further, where the request would
result in the disclosure of information relating to another individual (for
example, identifying John’s manager as the source of the information), the
company may not be able to comply, unless the manager’s identity can be removed
from the documents, or he has consented, or it is reasonable to disclose the
information without consent. In assessing reasonableness, the company should
take account of any duty of confidentiality owed to John’s manager (for
example, if any comments were made by him on the understanding that they would
remain confidential).

John is not entitled to see any references given by the company. However, he
might be able to obtain these by making a subject access request of the
recipients of the references.

Pre-employment vetting

Bob has applied for a job with a young offenders’ institution. He has successfully
completed the interview process, but his prospective employer now intends to
carry out pre-employment vetting, including collecting information about Bob’s
family members and close associates, before making a firm job offer.

AH comments
Pre-employment vetting is by its nature an intrusive process, since it
involves seeking information about Bob from a range of third-party sources. It
should only be carried out in circumstances where it can be justified, such as
here where security is an issue, and should only take place at this stage, when
the decision to appoint has been taken.

The reason for carrying out the vetting is to reduce the potential risks to
the institution, and so the checks should be proportionate to those risks,
taking into account the seniority of the post for which Bob has applied. Bob
should be informed of the range of sources, the nature and the extent of the
information to be sought and should be asked for his consent to the information
being provided by the third parties. The institution is not entitled to pursue
a general "fishing expedition" – it should only seek information from
sources which are likely to have information relevant to the decision whether
or not to employ Bob.

So, for example, it may need to find out about Bob’s family and friends or
associates in order to make sure, so far as possible, that they do not have any
criminal connections which might cause Bob to compromise the security of the

Information about criminal convictions or prosecutions relating to Bob’s
family or friends will be sensitive personal data, so it will be necessary for
the institution to ensure that one of the conditions for the processing of such
data is satisfied. If the explicit consent of the individuals cannot be obtained
then the institution may need to rely on one of the other conditions in, for
instance, schedule 3, that the processing is necessary for the institution to
exercise its statutory duties.

Internet misuse

X Limited is experiencing problems with its employees’ use of the Internet
and e-mail system. It has become aware of pornographic material being
circulated among employees, emanating from both inside and outside the company.
Some employees are believed to be spending a considerable amount of time on the
Internet during working hours, visiting leisure sites and chatrooms. X Limited
has a basic Internet policy which permits reasonable private use of the
Internet outside normal working hours. It is proposing to install new software
that will enable it to monitor e-mail and Internet use.

LF comments
In October 2000 the Lawful Business Practice Regulations came into force,
permitting employers to monitor and record communications in certain
circumstances without the consent of their employees (although an employer is
required to make all reasonable efforts to inform users of the system – which
may include external contacts – that interception may take place). The
regulations legitimise conduct that would otherwise be unlawful under the
Regulation of Investigatory Powers Act 2000. Under these regulations, X Limited
is permitted to monitor its employees’ Internet use for the purpose of the
investigation or detection of unauthorised use of its computer systems.

X Limited must also ensure that it complies with the Data Protection Act,
which requires that the processing of personal data must be justified.
Employers should preferably obtain their employees’ consent to the monitoring
process. If the consent route is not taken, they may be able to argue that
monitoring is necessary for their legitimate interests. The draft Code of
Practice on the use of personal data by employers states that any monitoring
should operate in such a way that it does not intrude unnecessarily on
employees’ privacy.

The code also states that employers should identify the specific business
purposes for which monitoring is to be introduced at the outset and where
possible should enforce the policy by technical means rather than monitoring
behaviour. If this is not practicable, the least intrusive method of monitoring
should be adopted. The code emphasises that monitoring should be proportionate
to the mischief it is designed to detect and that covert monitoring will only
be justified in very limited circumstances, that is where specific criminal
activity has been identified and disclosure of the monitoring is likely to
hinder detection.

X Limited should also regularly review its Internet and email policy to
ensure that it complies with current legislation and that it is enforceable in

Linda Farrell is a partner and Alison Hollingsworth an associate at
