Data Protection code needs close scrutiny

The new draft data protection code ranges across personnel issues and HR managers would be wise to study it carefully. Stephen Overell reports

Have you ever had the urge to test your employees’ genes? No? Well that is not surprising because as far as anyone knows the only employer in Britain to use genetic information in employment is the Ministry of Defence. It tests air crews for susceptibility to sickle cell disease, which can cause severe sickness if there is a sudden drop in air pressure.

The Human Genetics Advisory Commission scoured the land for employers keen to screen out genetic disappointments among their staff. It found none. Maybe when the geneticists isolate the leadership gene, HR professionals will feel differently. But the point is that no one is doing it yet.

It may raise eyebrows, then, that the draft Code of Practice on Data Protection, published this month, covers genetic testing as part of its remit. The 60-page code represents the first government attempt to say what is defensible in the field of genetics and employment – the regulation, in effect, of non-existent activity.

Rod Armitage, head of the company and commercial law group at the CBI, says, "I was surprised to find it in there."

The inclusion of guidelines on genetic tests illustrates the key challenge of the draft code, which is that it covers every potential situation where data could be exchanged in the employment relationship. For the record, the code does not ban tests. It says such tests should be voluntary, reliable, justified on safety grounds and the results should be communicated to the person involved.


HR issues


The draft code – the second produced by the Data Protection Commissioner – traverses a range of technical HR matters, including recruitment, shortlisting, managing employment records, references, monitoring, drug testing and discipline. Intended to help employers grasp their obligations under both the Data Protection Act and the Human Rights Act, in practice it will doubtless mean many employers are likely to want to examine their systems yet again.

Business organisations have so far concentrated concern on the e-mail aspects of the code which appears to clash with existing regulations (News, 17 October). They are reserving judgement on the finer points. The CBI, for instance, has set up a specialist committee to examine the draft.

James Davies, an employment partner for solicitors Lewis Silkin, who will respond to the code on behalf of the Employment Lawyers’ Association, says it is likely to be significantly rehashed in the light of the regulations on monitoring. "Outside the stuff on monitoring of e-mail, my first reaction is that it seems reasonable."

The CIPD is likely to have concerns on some of the detailed points. On verifying job candidates, the draft code says, "Do not obtain personal information from applicants and then seek to verify it solely to test their honesty" except in certain circumstances. "It rather flies in the face of what we have been telling members," argues the institute’s employee relations adviser Diane Sinclair.


Fair process


The key principle is that what employers do should be "necessary and proportionate" and they must aim to be as open with any information that concerns an employee as is possible.

"A fair process requires the response to be proportionate," says David Trower, strategic policy manager at the Data Protection Commissioner’s office. "As a rule of thumb, that would prevent employers from going on fishing expeditions to detect illegal drug abuse among employees for example, but where there is a reasonable suspicion of abuse placing others at risk, that would be proportionate."

But the idea of proportionality is obviously subjective. For instance, the code says that employers should not "seek personal information from new employees that is irrelevant or excessive to the employment relationship." This could raise questions around psychometric tests, used by many employers.

The new draft code, however, says automated systems should only be used if they can be shown to be "consistent and fair". Consistent is easy: machines are nothing if not consistent. But it is less clear whether the tests are fair.

The code says that where a test is the sole basis for a recruitment decision, the applicant should be told and be able to make representations that should be considered before a decision is made. At this level of technical detail, employers may be grateful for the three months left to mull over the proposals before any official code comes into effect.


What the code says on monitoring


The Draft Code of Practice on the Use of Personal Data in Employer/ Employee Relationships places emphasis on the rights of the employee to private communications. It advises the following.


  • Do not monitor the content of e-mail messages unless it is clear the business purpose for which the monitoring is undertaken cannot be achieved by the use of a record of e-mail traffic.

  • When deciding if monitoring is justified, take into account privacy of sender and recipient.

  • "Virus protection does not warrant the reading of incoming e-mails."

  • Employers should provide employees with a means to expunge from the system e-mails they receive or send.

  • If monitoring is to detect pornography, it should be justified on the grounds of "a realistic analysis of the risks faced".

  • No record should be kept of the sites employees have visited or the content they have viewed.

But the Telecommunications (Lawful Business Practice (Interception of Communications) Regulations 2000, which come into force under the Regulation of Investigatory Powers Act today, take a different approach. They place greater emphasis on staff’s rights to private communication.

www.dataprotection.gov.uk

www.dti.gov.uk/cii/lbpresponse

Comments are closed.