What form do the experts think the much criticised data protection codes
should take? Paul Nelson asks them to
give us their views
Last week Personnel Today revealed that new Information Commissioner Richard
Thomas is to radically overhaul the design of all four of the data protection
codes of practice.
Thomas has taken on board criticism from employers that the codes, supposed
to help employers manage staff information without breaching the 1998 Data
Protection Act, are too long and too complex.
The commissioner, who took over from Elizabeth France in December, will
start by revamping the draft monitoring code – scheduled to have been published
months ago.
This code, now due for release this spring, is vital for employers because
it includes guidance on staff rights to privacy when using the e-mail and the
internet.
He will then switch his attention to the medical records code before
revisiting the recruitment and selection code and records management code,
published last year.
We have asked employers, employment law experts and the TUC, to outline how
they want the revised codes to look.
Susannah Haan, legal adviser at the CBI, called on the Information
Commission to significantly reduce the size and length of the code.
She would like to see the individual codes reduced to no more than a handful
of pages each, which clearly separate the legal requirements and best practice.
She recommended the Company Law Review – a document of four pages – as a
template for the revised Data Protection codes.
Haan said the ‘benchmark’ section in the current codes – which includes both
legal requirements and best practice advice – must be scrapped because it is
confusing for employers.
"The current codes go into too much detail. The big issue is the
separation of legal status and best practice – the codes must have clear
definitions.
"This will make it easy to understand and clarify the legal
standing," Haan said.
"The codes should state what employers need to know, how it should be
done and when."
Haan added that the language used in the existing codes also needs a review.
She feels it is too long-winded and complicated by legal jargon.
"The language must be simpler to understand – it is currently aimed at
lawyers. They have to sit down and interpret the codes’ meaning," she
said.
The Chartered Institute of Personnel and Development’s lead adviser on
public policy, Diane Sinclair, said the revised data protection codes
should provide a simple checklist of minimum legal standards that employers
need to comply with.
Sinclair supported the move to overhaul presentation of the codes, despite
its delaying their final publication further.
"A significantly redrafted code will be of much more value to HR
practitioners. It is currently too long and complicated," she said.
"It should offer a checklist of minimum legal standards that companies
must work to."
Sinclair would like the benchmark sections – which include best practice and
legal requirements – scrapped and replaced with clear separate sections so
employers can understand the code.
Paul Pagliari, HR director, Scottish Water. Pagliari urged the
commission to produce a code that is much shorter and simpler than the existing
version.
He said there are far too many ambiguities in the design of the current
codes and would like it changed to a shorter, bullet-point format with clear
headings.
Pagliari argued that the codes should include five clear sections; basic
data protection principles, employer responsibilities, staff’s course of appeal
and a practical question and answer paragraph.
"It does need updating. The code must be simple and clear, that way
companies will follow it. If employers are unable to do something then we must
be told so," he said.
"It must be accessible, not a tome that is pulled out at the end of the
day."
Paula Rome, HR, training and development solicitor at law firm Eversheds.
Rome backed the commissioner’s decision to overhaul the design of the data
protection codes.
She agreed the current codes are too complex and difficult for employers to
understand.
"The new codes must highlight the minimum legal guidance. That way
employers will be able to tick the boxes and say they have complied with the
law," said Rome.
She is concerned though, that the extra delay due to the revamp will place
organisations in "limbo", with little guidance on how to comply with
the 1998 Data Protection Act which came into force in October 2001.
The TUC’s employment rights officer Hannah Reed defended the existing
design of the data protection codes.
She argued that data protection is a complex piece of legislation and to
fully understand and comply, employers need prescriptive guidance.
"We disagree that the code should be shorter; it is complex legislation
and the existing code offers clear guidelines," said Reed.
"It is very helpful in its current state."
Reed supported the benchmark sections of the codes, which incorporate both
the legal requirements as well as best practice.
She said it is hard to differentiate between the two.
"The Information Commission’s office is required to advise employers on
best practice and law, and they should both be in the code," she said.
"In many situations involving data protection, it is very difficult to
squeeze out the difference between the two – best practice means that employers
are complying with the act," she said.
Reed claimed employers are dragging out the consultation process to delay
the implementation of the codes.
