New code
is too long and leaves many questions unanswered, say employers.
The Data
Protection Code is intended to offer guidance to employers on the use of
employees’ personal data. Unfortunately, it has raised more questions than it
has answered.
Employers
have angrily lobbied the Data Protection Commissioner Elizabeth France in
response to the Government’s proposals on the draft code of practice.
About 100
UK employers expressed their views on the draft version of the code during the
three-month consultation period, which ended at the beginning of January (News,
16 January).
Many HR
professionals contacted by Personnel Today are unsure about both the detail and
the possible impact of the code once it is published in April.
Nicola
Smith, personnel officer for Vickers Defence System, said, "The amount of
work needed to implement the requirements will provide an administrative burden
for employers.
"There
is a lack of definition of key terms within the data protection code and this
needs to be reviewed. I don’t think there has been enough consultation for this
document either."
But
employers will not be able to avoid it, and breaches of the code could land
them in trouble.
David
Beswick, partner at law firm Eversheds, said tribunals and courts would take
into account a company’s adherence to the code and would not look favourably on
those firms that had broken it.
Beswick
said, "This code will have the same status as codes under other acts, such
as the Disability Discrimination Act."
The
application of the code will also depend on the interpretation of the Data
Protection Commissioner.
Ellen
Temperton, partner at law firm Baker McKenzie, said, "It is unclear how
Elizabeth will use the code. At first she is likely to recommend remedial
solutions and then she is likely to escalate her actions if there is continued
infringement of the code."
The code
highlights what is acceptable behaviour when handling data and what is a breach
of the existing law.
But it
also provides instructions about what the data protection commissioner feels is
good practice when handling personal information.
Lawyers
are advising employers to read it carefully. The plain text in the code sets
out what companies are legally obliged to do, whereas italicised text contains
France’s advice on best practice.
Beswick
hopes that the final code will be published in two forms – a best practice
guide and a legal guide.
Robbie
Gilbert, chief executive of the Employers’ Forum on Statute and Practice,
believes employers need more information on how the code will be enforced. He
is worried that the code threatens employers with legal action for breaches,
but doesn’t clarify what form this action would take.
In
addition to the confusion over how the code will be applied, employers have
also raised serious doubts over its structure and content.
The draft
code is too long, claim employers. The eight principles have been developed
into 207 standards and more than 70 pages of text.
Diane Sinclair,
CIPD employee relations adviser, is calling for a revised draft version to be
drawn up that highlights the key principles but avoids preaching to HR
professionals on how to perform their work.
She
said,"We feel that a simpler, shorter code would be far more effective –
the code as it stands is far too prescriptive."
The CIPD
is concerned that the code could lead employers to destroy information vital to
tribunals, as reported in Personnel Today last week. France claims in the code that asking for employees’ consent
before holding files on the number of sick days they have taken is best
practice.
But this
could present serious problems for employers should they face tribunal
proceedings following the sacking of an employee over prolonged absences.
Another
concern is the treatment of employee monitoring. Temperton believes the code
undermines employers’ capability to police the workplace.
Gilbert
says the code is too focused on employee rights. He says, "The code
seriously fails to appreciate the nature of e-mail and Internet communication
in a business context and that its approach places unreasonable obligations on
the employer while offering excessive licence to the employee."
The CBI’s
head of employment relations Dominic Johnson has described the document as
"unworkable".
It is
clear that France has a lot of work to do if the code is to become a useful
tool for handling employee data.
Staff
privacy, or too much licence?
Employee monitoring
The
monitoring of employees has proved the most contentious issue covered by the
draft code of practice.
The code
calls on employers to establish a specific business purpose for the need to
monitor, and warns that monitoring should not intrude unnecessarily on
employees’ privacy or autonomy. Generally, employers feel the code is too
restrictive. Mike Duffay, joint managing director of Northampton-based
Employment Law Advice Centre, said, "I don’t see why there should be
privacy for the employee at work. They are being paid to do their job, not make
personal telephone calls and e-mails.
"I
think the employer has the right to monitor them to make sure they are not
abusing the facilities."
Employers
are angry at the code’s position on covert monitoring. It states that, "It
is difficult to see how covert monitoring of performance can ever be
justified." It goes on to suggest that it should only be used if
"specific criminal activity has been identified".
The
Employers’ Forum on Statute and Practice (EFSP) believes this is
"seriously restrictive" and doesn’t allow for a preventative approach
by employers if they have reasonable suspicions about an employee.
Security issue
It is also
concerned with the proposal that suggests employers should provide a means by
which employees can get rid of e-mails they have sent or received. EFSP
believes this would create a significant security issue with employees needing
access to a company’s server. The forum concludes that the code "places
unreasonable obligations on the employer while offering excessive licence to
the employee".
The TUC’s
senior employment rights officer Sarah Veale said, "We think the code is
very clear in terms of definition. It introduces checks and balances on the
surveillance of e-mail and guarantees employees a right of privacy.
Employers
have also criticised the retention period for employee information as being too
short.
The code
calls on employers to implement a system whereby, "records are not kept
beyond the standard retention time unless there is a justified business reason
for doing so". It warns that "information should not be retained
simply on the basis it might come in useful one day".
EFSP
claims it is necessary for employers to be able to hold on to information in
the longer term because it provides an accurate record in the event of a claim
being instigated by an employee.
The code
also instructs employers not to hold records about employee’s sickness or union
membership without their permission.
Diane
Sinclair, CIPD employee relations adviser, said, "These regulations are at
odds with employment tribunal proceedings and leave employers uncertain about
their legal situation."
Vance
Kearney, vice-president of HR at Oracle, said, "How are we supposed to
record how much to pay people who are sick when we cannot keep a record of when
they were off?"
Many of
the employers Personnel Today contacted feel that it is often difficult to
predict the timing of cases for unfair dismissal so it is necessary to keep
records of sickness absence for a reasonable period of time.
ITN’s head
of HR Martyn Hurd agreed, "If an employer cannot hold records about an
employee’s sickness without an employee’s permission, this means that employers
will be unable to identify patterns of absenteeism or sickness, which clashes
with health and safety legislation."
Mergers and acquisitions
The code
sates that, "If employers are transferred to a new employer but with
continuity of employment their employment records can be transferred. They
should be advised that this is happening and be given an opportunity to check
the accuracy of the key information that is passed on."
The EFSP
is concerned that this will place an obligation on the employer to actively
offer every employee being transferred the option of checking the information
held on them before a transfer.
If a large
number of employees is to be transferred and each requires to see and comment
on the information, it could render the process unmanageable within set
timescales, the EFSP submission claims. It suggests it would be sufficient for
employees to be able to access the information within a reasonable time of
making a request as a general rule under the Data Protection Act.
Leaving no room for uncertainty
Following
the Data Protection Act 1998 the Data Protection Commissioner was given the
power to produce a code of practice to police areas where there was a need for
guidance.
Iain
Bourne, strategic policy manager for the Data Protection Commissioner,
explained, "We thought that the relationship between the employer and
employee was a fertile ground for uncertainty. The code is to make sure that
individuals have some sort of rights and to make clear to employers what the
standards expected of them are."
Bourne
said the commissioner had taken on board criticisms that the code was too long
and unwieldy and was planning to break it down into different sections that
would be like user manuals, to make it more accessible and clearer.
Sign up to our weekly round-up of HR news and guidance
Receive the Personnel Today Direct e-newsletter every Wednesday
There are
likely to be separate guides, which advise on issues such as recruitment,
record keeping, surveillance and drug testing.
By Richard
Staines
