In on the act: Employment practices data protection code

Our continuing series of guides to major employment legislation puts key
information at your fingertips and brings you up to date with the latest
developments. This week Charlotte Hamer, a professional support lawyer in the
employment, pensions and benefits group of law firm Stephenson Harwood,
examines the impact of the Employment Practices Data Protection Code.

The first of four parts of the Employment Practices Data Protection Code was
issued in March. The code is not law itself, but will be taken into account by
the Information Commissioner when considering whether or not an employer has
complied with the Data Protection Act. In proceedings for breaching the DPA,
any failure to adhere to the code will require careful explaining.

Part one of the code deals with the recruitment and selection of workers.
This includes: applicants and former applicants (successful and unsuccessful);
and employees, agency workers, casual workers and contract workers (current and
former). Some aspects also apply to others in the workplace such as volunteers
and those on work experience placements.

The benchmarks

Throughout the code there are benchmarks by which employers will be measured
together with explanatory notes:

– Data protection: Employers are expected to comply with the DPA and
make it an integral part of their employment practices. Overall responsibility
for compliance should be allocated to an individual within the organisation.
This section’s benchmarks include a requirement to ensure all staff are fully
trained on their obligations under the DPA, including liability for breaches.
Employers should also assess what personal data is held, who is holding it and
where, whether it should be kept or destroyed and, if it is sensitive data,
whether the additional provisions are complied with.

While not a strict legal requirement, it is preferable that workers, their
representatives or trade unions are consulted on the development and
implementation of policies concerning the processing of personal data.

– Advertising: people applying for jobs must be informed of the
company’s name and, unless self-evident, how their information will be used. If
a recruitment agency has supplied the information, the candidate should be told
who holds the information and the purposes for which it will be used. And
candidates must be informed if the information is kept for any reason.

– Applications: applications include responses to specific job
advertisements and speculative applications, whether on tailor-made forms or

The benchmarks cover that:

– Application forms should state to whom the information is being provided,
how it will be used and whether or not information will be verified

– Information should only be sought if it is relevant to the recruitment

– Criminal convictions should only be requested if justified by the role.
Spent convictions are not relevant (unless covered by exceptions under the
Rehabilitation of Offenders Act 1974), and

– The applications must be capable of being sent in a secure way.

– Verification: when verifying an applicant’s details firms should
not go beyond checking the information supplied in the application or
recruitment process. The process of checking information should also be
explained. If it is necessary to obtain information or documents from a third
party, applicants should sign a consent form. The individual must also be
allowed to explain any apparent discrepancies that may arise.

– Shortlisting: shortlisting procedures should be applied
consistently. Applicants must be told if automated tests are the sole selection
method and are entitled to make representations. Where psychological testing is
used, only those sufficiently trained in the method should analyse the

– Interviews: firms should only keep personal data that is relevant to
the recruitment process or which may be used to defend the process if it is
challenged. You need to bear in mind that applicants are normally entitled to
have access to any interview notes that are retained.

– Pre-employment vetting: firms should only make further enquiries
about an applicant when it is absolutely necessary. Comprehensive vetting
should only be conducted when the applicant is successful and information only
sought if it is specifically needed. The recruitment process should make it
clear vetting will take place. It should also explain how it will be conducted.
Again, get the applicant’s consent where necessary.

– Retention of recruitment records: there is no specific time limit
on the retention of personal data but it should not be kept any longer than is
necessary. The code’s guidance includes:

– Information obtained through vetting should be destroyed as soon as
possible or within six months. A record of the result of vetting or
verification can be retained

– Information that is irrelevant to ongoing employment should be deleted

– Unsuccessful applicants may request the removal of their details from the
file and should be advised of any intention to keep them for future vacancies

– Personal data obtained during the recruitment process must be securely
stored or destroyed.


– Ensure a senior employee has overall responsibility for DPA compliance

– Carry out comprehensive training and retraining

– Ensure that the existing application forms contain all the relevant

– If CVs are used, ensure applicants are provided with all prescribed

– Ensure that only relevant information is requested, store it securely and
restrict access to those who need it

– Check what sensitive personal data is collated and that additional
safeguards are in place.

– Have a policy on the use of personal data and ensure that all policies
involving processing personal data are fully compliant.
