provide an up-to-date snapshot of employers’ current policies and procedures on
the use of personal data in employer-employee relationships, IRS and leading
employment law firm DLA jointly surveyed a panel of employers on the eve of the
first anniversary of the Data Protection Act 1998 (DPA) coming into force.
questioned them about the extent to which practice in their organisations
complies with the Act in several key areas, and about how far they make use of
some of the "good-practice" procedures set out by the Data Protection
Commissioner in the draft Code of Practice on the use of personal data in
employer-employee relationships. A summary of the main findings follows.
protection policies: Half of the panel have adopted a formal data
protection policy that includes employment practices such as payroll, personnel
and work-planning administration. Public-sector organisations are more likely
to have adopted such a policy than their private-sector counterparts.
Three-fifths of public-sector employers have a written data protection policy
covering employment issues, compared with half of private-sector manufacturing
and utility companies, and only two-fifths of private service-sector firms.
than four-fifths of respondents whose organisations do not have a formal policy
plan to introduce one in the future. This leaves only four respondents who told
us their organisations neither have a policy nor have plans to introduce one.
protection register notification: Well over four-fifths of our panel
members report that their organisation has a data protection register entry.
Broken down by broad sector, the proportion of employers with a register entry
amounts to more than nine-tenths in the public sector, just less than
three-quarters among private manufacturing and utility firms, and just over
four-fifths among private-service sector companies. Just under one-sixth of
respondents told us their organisations do not have a register entry.
manager: About three-quarters of IRS/DLA panel members measure up to the
Data Protection Commissioner’s notion of "good practice" in relation
to the management of employment data – in that their organisations have a
specific individual who has overall responsibility for ensuring that employment
practices comply with the Act. This, of course, leaves a quarter that fall
short of the commissioner’s idea of good practice.
to know" criteria: Only half our respondents separate employment data
into categories and limit HR/personnel staff access to employment records
according to "need to know" criteria. This means that the other half
of the IRS/DLA panel appear to be in danger of failing to comply with the Act
as interpreted by the commissioner.
those employers which separate data into categories with limited access, the
most common such category is remuneration/pension, cited by half the relevant
respondent group, followed by sickness absence, cited by one-third of
managers: Only one-third of panel members have formal procedures governing
the holding of employee records by line managers, leaving two-thirds appearing
to fall short of what the commissioner regards as "good practice".
There are no major differences between the broad sectors on this issue,
although private manufacturing and utility firms are slightly less likely than
public-sector employers and private services companies to have formal
files: Just under two-thirds of panel members have arrangements in place to
spring-clean personnel files to weed out expired disciplinary warnings and
remove excessive and out-of-date information about employees, leaving just over
one-third who may not be complying with the Act as interpreted by the
records: Three-quarters of our panel have established maximum retention
periods for the records of unsuccessful job applicants, leaving a quarter who
may be not be complying with the Act as interpreted by the commissioner. In the
public sector, almost all respondents say their organisations have such
periods, while in private services companies and manufacturing and utility
firms the proportion is about three-fifths.
employee updates: Less than one-third of respondents say their organisations
provide each employee with a copy of their basic personnel record each year and
ask them to identify any inaccuracies or amendments needed. This leaves more
than two-thirds of the panel failing to live up to the commissioner’s notion of
good practice in this area.
access procedures: About three-fifths of panel members have a procedure in
place through which employees can make an access request to see their records,
and learn the uses to which their personal data will be put. A further quarter
of respondents report that their organisations plan to introduce such a
procedure. All but one of the latter group expect to introduce their procedures
later this year. Therefore, by 2002, it appears that just under one-sixth of
the panel may be in danger of failing to comply with this provision of the Act
as interpreted by the commissioner.
personal data: Seventy per cent of respondents report that their
organisations have arrangements for ensuring that sensitive personal data is
processed only with the explicit consent of the employee concerned, leaving the
remaining 30 per cent appearing not to comply with the Act as interpreted by
absence records: Just under 30 per cent of respondents told us that their
organisations have obtained the specific consent of employees to hold sickness
absence records, leaving a big majority of almost 70 per cent whose
organisations appear not to be complying with the Act as interpreted by the
One-third of respondents report that data protection last featured in a
communication to employees in the past three months, a further third report a
communication in the past six months and another sixth in the past year. This
gives a total of just under four-fifths of our sample who have communicated
with employees on data protection issues in the past year.
summary is of a report that appears in IRS Employment Review 724, March 2001,
available from Fawzia Ittoo, Industrial Relations Services. Tel: 020-7354 6747,
e-mail firstname.lastname@example.org, price £25. www.irseclipse.co.uk