In conjunction with The Data Protection Act, the Employment Practices Data
Protection Code has been produced to help establish good practice for handling
personal data in the workplace. Paul Jenkinson explains part one of the Code.
The Data Protection Act 1998 (‘the Act’) requires organisations to process
personal data fairly and lawfully and in accordance with principles contained
within that Act. It regulates the use of personal data and gives effect in UK
law to the European Directive on Data Protection. Its provisions cover both
manual (paper-based) and computerised records.
The Information Commissioner has produced the Employment Practices Data
Protection Code, to be issued in four parts concerning recruitment and selection,
employment records, monitoring at work and medical information. It is intended
that each part will be issued during the course of the next few months. The
Code provides benchmarks that are designed to bring about compliance with the
Act and to establish good practice for handling personal data in the workplace.
Part one is divided into sections relating to different elements of the
recruitment and selection process and includes compliance and best practice
guidance on the following topics:
– Managing Data Protection
– Pre-employment vetting
– Retention of recruitment records
Each section contains benchmarks and useful notes and examples as to how
these relate to everyday situations.
Who do the provisions of the Code relate to?
– Applicants and former applicants
– Agency workers
– Casual workers
– Contract workers
In the case of applicants, it relates to those both successful and unsuccessful
and for the other categories includes current and former staff.
What is the legal status of this code?
The legal requirement on employers is to comply with the Act itself.
However, the status of the Code is similar to the existing Codes of Practice
for disability discrimination in that the benchmarks in the Code can be cited
by individuals or the commissioner if any enforcement actions arise. The aim of
the Code is to strike a balance between the needs of the employer and each
individual’s right to respect for his or her private life throughout the
recruitment and selection process.
The main tenets of the Code are relevance, openness and proportionality.
How should the recruitment process be managed?
The Code highlights that data protection compliance is not solely the
preserve of the HR department but that other parts of a business, for
example the IT staff or marketing department, have data protection
responsibilities in the way that they process personal data.
The Code stresses the need for those responsible for putting employment
practices into place, including line managers, to understand their individual
and collective responsibilities and to ensure that staff within the
organisation are aware of how data should be processed. The recommendation is
for a single individual within an organisation to be responsible for data
What should applicants know at the outset?
Any individual providing personal data, even if limited to their contact
details, should be made aware of who they are providing their details to and,
unless it is self-evident, how the information will be used. Where recruitment
agencies are used on behalf of an employer, that agency must identify itself
and explain how the data will be used and disclosed, again, unless this is
Only information that is relevant to the recruitment decision should be
requested on application forms or where it is necessary for a related purpose
such as equal opportunities monitoring. For example, application forms may
request details as to current salary or interests. For the initial selection
stage, this information would need to be justified as being relevant. The issue
is whether the information is needed to process an application for employment.
Applications should be tailored to the specific requirements of the job rather
than standardised forms containing irrelevant questions.
What about verification and checks?
Verification of details supplied by applicants should not go beyond checking
information obtained during the recruitment process. This process should be
open, with applicants informed of what information will be checked and how. If
any of the checks produce information different to that already
supplied then the applicant should be given the opportunity of explaining why
this is the case and in no circumstances should applicants be forced to obtain
records or provide information about themselves.
Sometimes checks may include investigation into an applicant’s background.
This is particularly intrusive and should only be used where there are specific
or significant risks to the employer and no alternative method of obtaining the
information is available. If vetting forms are part of the process then this
should be advised early in the selection process to the applicant. Again, the
applicant should be given the opportunity of explaining any results. Vetting
must be proportionate to the risks posed to the business and should only obtain
information that is relevant to the employment decision.
How should interviews be conducted?
The benchmark is to ensure that personal data recorded and retained
following the interview can be justified as being relevant and necessary for
the recruitment process or for defending any future challenge as to the reason
for (non)-selection. Interview notes fall within the definition of
"processing" in the Act and applicants will normally be entitled to
have access to those notes about them which are retained. It is therefore
important, and clearly good practice in any event, that any interview notes are
accurate, relevant and objective.
Where short-listing is carried out, applicants should be made aware of the
criteria used and these criteria should be consistently applied throughout the
process. Where short-listing is carried out by wholly automatic means,
applicants should be advised of this and provided with the opportunity to make
representations before any final decision is made.
What about references?
There is no general exemption from the right of subject access with regard
to references. However, where the provider of a reference has specifically
requested confidentiality then this request can be honoured in the hands of the
new employer. Without such specific requests, the worker can have access to
that reference from the new employer, although steps can be taken to delete
information identifying the source of the reference.
How long should recruitment information be retained?
The Act does not provide any specific period for retention but personal data
should not be kept for longer than is necessary for its particular purpose.
Certain information obtained at recruitment will form part of a worker’s
employment records throughout the period of their employment. Employers should
carry out a realistic review of information obtained following the selection
process. Any irrelevant information should be destroyed. However, information
which may be of assistance to defend employment-related claims should be
If an unsuccessful applicant’s details are to be retained, then they should
be made aware of this and have the opportunity of having their details deleted.
As with all personal data, any retained information should be securely stored
and any unwanted information suitably destroyed.
What about defending legal claims?
The requirement is that personal data should not be kept for longer than is
necessary for the specific purpose for which it was obtained. However, given
there are no specific time periods within the Act, the minimum periods of
time for which an employer should retain information are the statutory
limitation periods after which claims would be time barred. There is,
therefore, a careful assessment to be carried out between what information is
irrelevant at any given time but which may become important in the future.
Paul Jenkinson is a solicitor specialising in employment law at Bond
Pearce Solicitors. The firm has advised extensively on data protection issues,
and has offices in London, Southampton, Bristol, Leeds, Exeter and Plymouth.
The full code is available from the
Information Commissioner’s website at www.dataprotection.gov.uk
Information about training for HR and line managers can be obtained from Paul Jenkinson,
or Ken Allison, head of HR consulting at Bond Pearce, on 023 8082 8879, or visit www.bondpearce.com