There must be a radical rethink of Data Protection Code if it is to be fair
to both employers and staff
Late last autumn, the Information Commissioner’s 60-page draft Data
Protection Code arrived on desks for consultation and received a swift response
from employers. The number and nature of the 200 responses prompted the
Commissioner to delay the timetable for introducing the code and release it in
What the British Chambers of Commerce and other business organisations
wanted was a code that was fair, workable and commercial. As it currently
stands, it is none of these. No attempt has been made to take into account the
context in which business will implement the code. The increasing burden of
business regulation and the attendant administrative costs can fall heavily on
businesses in a highly competitive market, and fall disproportionately on
smaller businesses that do not have the established in-house resources to deal
The BCC represents 135,000 businesses in the UK. We attach great importance
to our consultations, which give us real- life reactions to the theory.
Striking the right balance is key to writing a code of practice and doing so
through listening to the practical experience of businesses that try to behave
well is the key to getting that balance right.
Businesses tell us the draft code is far too complex and, as it stands,
unworkable. If the essential content of the code goes ahead unchanged,
employers could be exposed to misuse of time and cost by employees. They will
also be vulnerable to impersonation, computer viruses, loss of data and
intellectual property, potential loss of patents and copyright breaches. There
is also a strong chance that employees would end up more vulnerable, because
the code supports tough restrictions on the use of CCTV which many employees
welcome, and some of the recommendations in the code could see an increase in
an employee’s vulnerability to harassment.
The reasons why an employer will undertake monitoring should be understood.
No employer goes to the expense of monitoring unless there is a sound
commercial reason to do so. Few employees make it a policy to prohibit all
personal communications from the workplace. Where they do so, it can be, as
with call centres, for reasons of maintaining system integrity or for measuring
performance. In practice, most employers allow modest personal use, but need to
protect costs and avoid legal or other liabilities.
The draft code is doomed to failure in seeking to establish what level of
monitoring is proportionate and attempting to specify it. Employers must be
able to protect their business, its costs, reputation, systems and liabilities.
They should also be able to alert employees at the start of their employment to
the fact there is monitoring and create reasonable means for the employee to
have privacy in personal communications.
The draft code is especially unrealistic where the Internet is concerned.
Given the risks associated with inappropriate Internet access and time wasted,
routine or random monitoring of Internet usage should be commonplace, not the
Simply promising to make the code shorter, calling employees
"workers" and providing a summary, although helpful, is not enough
(News, July 3). The content of the code must change fundamentally. The
Information Commissioner must ask herself when writing the final version
whether it is realistic about the needs of business; whether it is fair and
ensures employees are given a proportionate and timely warning. Above all, it
must be reasonable, balancing personal access with protection for the employer.
Finally, it must be commercial, recognising the need for performance
measurement and the fact that some employers incur serious risks from
inappropriate behaviour by staff. If it is all these things, it will have
struck the right balance and it will be welcomed by all businesses, whether
they have eight employees or 8,000.
By Sally Low, a senior policy adviser to the British Chambers of Commerce