New data benchmarks for employment records

The Employment Records Code is almost in its final form.  But what are the implications for employers
and staff?

The Information Commissioner has recently published the second part of the
Employment Practices Data Protection Code on Employment Records. The Code is
expected to come into force later this year but, unlike the earlier Codes on
Recruitment and Monitoring at Work, the Code on Employment Records is virtually
in its final form.

The Code consists of what the Information Commissioner calls a series of
benchmarks. Explanatory guidance is given on each benchmark. The precise legal
status of these benchmarks is unclear, since the legal requirement on an
employer is to comply with the Data Protection Act 1998. It is clear that the
Information Commissioner will be guided by the benchmarks set out in the Code
in deciding whether or not to take enforcement action against employers for an
alleged breach of the Data Protection Act. A court or tribunal may also
consider the Code’s recommendations in deciding legal proceedings brought under
the DPA.

It should also be remembered that the Information Commissioner is under a
statutory duty to promote good practice and some of the organisational
benchmarks and the recommendations on consultation should be read in that
context, but others relating to data security or unauthorised disclosure or
rights or access are more directly related to the DPA itself and so are likely
to carry more weight.

The benchmarks in the Code on Employment Records are perhaps less
controversial than the earlier draft Code on Monitoring at Work. The key
recommendations run to about 40 pages, ranging from general recommendations on
collecting and keeping employment records, data security, equal opportunities
monitoring and retention of records to more specific recommendations in relation
to sickness and absence records, pension and insurance scheme information,
references, disclosure requests and disciplinary and grievance procedures and
the disclosure of information in TUPE transfers.

Key points

– In relation to retention of records, the Code wisely recommends that this
be judged by any relevant legal requirement to hold information for a
particular period of time and by business need and good practice.

Gone are the specific recommendations for particular timeframes. However,
this does not remove the need for employers to consider how long it is
necessary to retain information for any particular purpose and how much
information needs to be retained.

– In relation to sickness and absence records, the Code again adopts a
somewhat more flexible approach than the earlier draft Code. The Code
distinguishes between absence records, which simply record a reason for
absence, and sickness records, which give details of the illness or condition
responsible for a worker’s absence. It recommends the two be kept separately.

However, whereas it will normally be reasonable to hold and process absence
records without the worker’s consent, this will only be true of sickness
records (or accident records) where employer’s are under a legal obligation to
hold such information (for example, for health and safety purposes).

The Information Commissioner’s view is that explicit consent is not
sufficient unless it is freely given. So such consent may be challenged by a
worker where there is a threat of dismissal on health grounds.

– In relation to disclosure generally, the Code reminds employers that it
can be a criminal offence to disclose personal data without the worker’s
agreement other than where there is a legal requirement to do so, or where the
information is used for the prevention or detection of crime.

Furthermore, even here, the employer is under a duty to take reasonable
steps to ensure the person making the enquiry is authorised to do so and to
disclose no more information than is necessary to meet the legal requirement.

Anthony Korn is a barrister at 199 Strand Chambers

Comments are closed.