Personnel Today
  • OHW+
  • Resources
    • Clinical governance
    • Disability
    • Ergonomics
    • Health surveillance
    • OH employment law
    • OH service delivery
    • Research
    • Return to work and rehabilitation
    • Sickness absence management
    • Wellbeing and health promotion
  • Conditions
    • Mental health
    • Musculoskeletal disorders
    • Blood pressure
    • Cancer
    • Cardiac
    • Dementia
    • Diabetes
    • Respiratory
    • Stroke
  • CPD
  • Webinars
  • Jobs
  • Personnel Today

Personnel Today

Register
Log in
Personnel Today
  • OHW+
  • Resources
    • Clinical governance
    • Disability
    • Ergonomics
    • Health surveillance
    • OH employment law
    • OH service delivery
    • Research
    • Return to work and rehabilitation
    • Sickness absence management
    • Wellbeing and health promotion
  • Conditions
    • Mental health
    • Musculoskeletal disorders
    • Blood pressure
    • Cancer
    • Cardiac
    • Dementia
    • Diabetes
    • Respiratory
    • Stroke
  • CPD
  • Webinars
  • Jobs
  • Personnel Today

Agency workersCriminal recordsMental healthHR practiceRecruitment & retention

Protecting who?

by Marcus Turle 1 Mar 2004
by Marcus Turle 1 Mar 2004


In the wake of Ian Huntley’s murder convictions for the deaths of two young girls, what are employers’ legal options in data retention and verification issues when recruiting new staff?


Think back to a recent BBC2 Newsnight programme in which interviewer Jeremy Paxman suggested that the Humberside Police’s policy of weeding computer records every month was flawed – and that in so doing, had allowed Ian Huntley to get a job as caretaker at Soham Village College.


Humberside chief constable David Westwood walked out of the interview, having defended the practice of deleting suspected offenders’ names, and saying it had been necessary to delete nine allegations of sexual misconduct against Huntley because of Data Protection Act (DPA) requirements.


Westwood’s comments brought a swift riposte from information commissioner Richard Thomas. “It is ridiculous that organisations should hide behind data protection as a smokescreen for practices which no reasonable person would ever find acceptable.”


But Humberside’s policy, be it right or wrong, throws up important questions.   Clearly, there is concern that paedophiles or persons showing signs of violent tendencies should not slip through employment vetting, however:




  • Is it fair to deprive someone of a position merely because of unproven allegations?


  • What is the legal position in relation to allegations that are never proven?


  • Can such unproven allegations be included in records used for vetting and, if so, what guidelines are there for this?

The DPA’s overriding principle is that all personal data – data relating to an identifiable living individual such as Ian Huntley – must be processed “fairly and lawfully”. Data should also only be held and used for limited purposes and should not be kept for longer than necessary.  


Information about an individual’s criminal record, and information about allegations that are not proven, is classified in the DPA as “sensitive” personal data.  However, a further set of rules apply to this kind of information, on top of the general principles mentioned already. While retention of information about unproven allegations must be “lawful” and “fair”, and not kept for longer than necessary, anyone can hold this kind of data where necessary:




  • to protect the vital interests of the data subject or another person


  • in connection with legal proceedings (including prospective legal proceedings), or


  • for the exercise of any functions conferred on any person by any enactment.  

The Data Protection (Processing of Sensitive Personal Data) Order 2000 also permits the holding and use of this kind of sensitive data where necessary:




  • in the public interest


  • for the purposes of prevention or detection of any unlawful act, or


  • for the exercise of functions conferred on any person by any rule of law.  

The problem facing us all is interpreting and applying these rules in a way that  not only meets the requirements of the law, but also allows us to operate our business or organisation efficiently and effectively on a daily basis. Humberside did still have the records of allegations made against Huntley, but only in paper form.   It does not consult its paper records for vetting because to do so would take months for every enquiry.  


Even for lawyers, the DPA can seem virtually impenetrable. Even the Court of Appeal has called it “cumbersome and inelegant”. This impenetrability stems primarily from its rules hanging on a framework of “principles” – broad, widely drafted guidelines that offer little practical help to HR departments and other organisations dealing with employment vetting.


Invariably, there is room for interpretation, and quite often ambiguity or even conflict.


On the question of retaining records for employment vetting, there is, on the one hand, a general principle of not keeping data for longer than necessary. And, on the other hand, the specific allowances for disclosing details of convictions or unproven allegations where “necessary” for the various reasons described above.         


The information commissioner says: “It’s for the police to decide what purposes they’re holding information for, and as long as they are holding it for legitimate purposes, such as the investigation or prevention of crime, they can hold information in some cases for a very long time.”


Clearly, there are compelling arguments for holding data relating to allegations of underage sex, rape or indecent assault for a very long time. Modern forensic techniques and DNA analysis can lead to the arrest of a suspect long after the event.   On this basis, Humberside’s practice of deleting data every month seems injudicious.


The police’s own industry guidelines also seem to contradict the arguments put forward by Humberside’s chief constable.   The Association of Chief Police Officers (ACPO) Code of Practice for data protection – issued with the support of the Information Commissioner in October 2002 – seems clear: police forces have a duty “to ensure that personal information is periodically reviewed and information that is no longer required is removed” and “information should not be retained on the grounds that it may possibly become relevant in the future”.


But the code permits retention for five years where a sexual offence is alleged – even if the suspect is acquitted or the case is discontinued because of lack of evidence. This period can be extended where the circumstances of the allegation would give cause for concern if the individual applied for employment involving substantial access to vulnerable persons.  


This suggests that it is not the law at fault, but Humberside’s procedures.   However, ACPO has recently been subject to enforcement action by the information commissioner for “over retention of conviction data”, so it seems even its guidelines are controversial.


Conclusion


In the absence of specific guidance from the information commissioner, common sense must dictate how employers respond to these issues. The right to privacy, and the right to have data retained no longer than necessary, must be balanced with the need to protect the public from people who might have criminal tendencies.  


Marcus Turle is a solicitor with London law firm Field Fisher Waterhouse


What can employers do?


Pre-employment vetting –
Data Protection Act guidance:




  • It should only be used where there are particularly significant risks to the employer, clients, customers or others and where there is no less intrusive and reasonably practicable alternative


  • Vetting should only be carried out at an appropriate point in the recruitment process, for example, comprehensive vetting should only be conducted on a successful applicant; it should be made clear to the candidate when and how it will be conducted, and it should only be used to obtain specific information


  • Information should only be sought from likely sources and the applicant should be allowed to make representations regarding information that will affect the employer’s final decision of whether to appoint or not. Obtaining the candidate’s explicit consent to vetting is always a sensible measure to take

The Criminal Records Bureau is operational and an employer may, in appropriate circumstances, check whether a candidate has a criminal record


Erica Neustadt, Field Fisher Waterhouse


Employers’ retention of data


The Data Protection Act 1998 does not override any statutory requirement to keep records, for example for the purposes of working time, minimum wage, statutory sick pay or PAYE. While the original draft of the Data Protection Code contained guideline retention times for different categories of data, the final version provides only guidance for employers on developing a practice of standard retention times based on actual rather than theoretical need, leaving employers, therefore, to make their own decisions.


It might be sensible to retain basic employment details, such as names, dates of birth, dates of employment and national insurance numbers, indefinitely. 


Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

OptOut
This field is for validation purposes and should be left unchanged.

As far as other records are concerned, an employer must balance the risk of a future claim against the cost of the administration involved in retaining records and the possibility of an enforcement action or a claim for damages under the act.


Erica Neustadt, Field Fisher Waterhouse

Marcus Turle

previous post
Time for review
next post
Government launches £4m NHS recruitment campaign

You may also like

Recruitment outlook improves, despite employment law fears

29 May 2025

How businesses can transform their approach to mental...

28 May 2025

Three ways technology can boost wellbeing outcomes

27 May 2025

Six ways to kickstart conversations about team stress...

22 May 2025

How neuroscience can unlock employee recognition

22 May 2025

Workplace stress: Why it’s time to rebrand resilience

22 May 2025

Employers ‘worryingly’ ignorant about stress risk assessments

20 May 2025

Awareness weeks fuel spike in demand for mental...

19 May 2025

Workers ‘wait and see’ as companies struggle to...

16 May 2025

Healthcare workers prioritise mental health support in new...

12 May 2025

  • Preparing for a new era of workforce planning (webinar) WEBINAR | Employers now face...Read more
  • 2025 Employee Communications Report PROMOTED | HR and leadership...Read more
  • Prioritising performance management: Strategies for success (webinar) WEBINAR | In today’s fast-paced...Read more
  • Retaining Female Talent: Four Ways to Reduce Workplace Drop Out PROMOTED | International Women’s Day...Read more

PERSONNEL TODAY

About us
Contact us
Browse all HR topics
Email newsletters
Content feeds
Cookies policy
Privacy policy
Terms and conditions

JOBS

Personnel Today Jobs
Post a job
Why advertise with us?

EVENTS & PRODUCTS

The Personnel Today Awards
The RAD Awards
Employee Benefits
Forum for Expatriate Management
OHW+
Whatmedia

ADVERTISING & PR

Advertising opportunities
Features list 2025

  • Facebook
  • Twitter
  • Instagram
  • Linkedin


© 2011 - 2025 DVV Media International Ltd

Personnel Today
  • OHW+
  • Resources
    • Clinical governance
    • Disability
    • Ergonomics
    • Health surveillance
    • OH employment law
    • OH service delivery
    • Research
    • Return to work and rehabilitation
    • Sickness absence management
    • Wellbeing and health promotion
  • Conditions
    • Mental health
    • Musculoskeletal disorders
    • Blood pressure
    • Cancer
    • Cardiac
    • Dementia
    • Diabetes
    • Respiratory
    • Stroke
  • CPD
  • Webinars
  • Jobs
  • Personnel Today