Data file: data protection code of practice

The Information Commissioner is producing a code of practice to deal with a
range of data protection issues that impact the employee-employer relationship,
following the introduction of the Data Protection Act 1988.

The Employment Practices Data Protection Code aims to strike a balance
between an employee’s right to respect for his private life and an employer’s
legitimate need to run its business.

The code is in four parts, the first of which, Recruitment and Selection, was
published on 14 March 2002. The key features of this part of the code are:

● Employers must make it clear to employees through their policies and
procedures that a breach of the Data Protection Act is a disciplinary offence

● Trade unions or employee representatives should be consulted by
employers when practices that involve processing employees’ data are

● If an employer uses an employment agency then the employer should
ensure that the agency has made the applicant aware as soon as possible that
the employer has received and is holding his or her data, and

● When recruiting, if possible, an employer should only request
sensitive personal data just before they confirm an applicant’s appointment.

Four-part code

The three additional parts of the code deal with the following areas:

Part 2: Employment records – the collecting, storing, disclosing and
deleting of records

Part 3: Monitoring at work – monitoring the employee’s use of telephones,
e-mails and vehicles

Part 4: Medical information – occupational health issues, medical testing,
drug testing and genetic screening.

Sensitive data

Part 2 of the code is due to be published within the next couple of months;
however, the draft states that:

● Employers can carry out ‘covert’ monitoring of employees if specific
criminal activity is identified. However, employees should be made aware in
general terms that such monitoring will take place

● The code will not prevent an employer from accessing an employee’s
private e-mail. However, to comply with the code, the employer will have to
meet high standards to justify this monitoring

● If an employer processes sensitive data as a result of monitoring an
employee’s private e-mails (as will almost certainly be the case), then they
must ensure that they can comply with the conditions laid down in the Data
Protection Act for processing sensitive data

● Ensuring employees’ e-mails are opened when they are off sick or on
holiday will not be regarded as monitoring

Employers will have a duty to comply with the Regulation of Investigatory
Powers Act 2000.

Although the code itself is not legally binding, employers should remember
that non-compliance could lead to them breaching the Act. Any failure to comply
with the code may lead to adverse inferences being drawn at an Employment
Tribunal or in court.

The code can be obtained from the Information Commissioner’s website

General data protection issues

For information on Data Protection issues generally, contact:

● The Lord Chancellor’s Freedom of Information and Data Protection
● The British Computer Society Data Protection Committee,

● The Data Protection Act 1988 can be obtained from Her Majesty’s
Stationery Office,
● The National Association of Data Protection Officers,

Managing records

The Society of Archivists has produced a Data Protection Code of Practice
which is specifically aimed at those responsible for managing records,

International contacts

For international matters, a list of worldwide Data Protection organisations
can be found at

Other sources

For further comment on the Code, contact:
● Trades Union Congress

● Financial Times

By Deborah McCallum at Berwin Leighton Paisner

