Protecting who?

In the wake of Ian Huntley’s murder convictions for the deaths of two young girls, what are employers’ legal options in data retention and verification issues when recruiting new staff?

Think back to a recent BBC2 Newsnight programme in which interviewer Jeremy Paxman suggested that the Humberside Police’s policy of weeding computer records every month was flawed – and that in so doing, had allowed Ian Huntley to get a job as caretaker at Soham Village College.

Humberside chief constable David Westwood walked out of the interview, having defended the practice of deleting suspected offenders’ names, and saying it had been necessary to delete nine allegations of sexual misconduct against Huntley because of Data Protection Act (DPA) requirements.

Westwood’s comments brought a swift riposte from information commissioner Richard Thomas. “It is ridiculous that organisations should hide behind data protection as a smokescreen for practices which no reasonable person would ever find acceptable.”

But Humberside’s policy, be it right or wrong, throws up important questions.   Clearly, there is concern that paedophiles or persons showing signs of violent tendencies should not slip through employment vetting, however:

  • Is it fair to deprive someone of a position merely because of unproven allegations?

  • What is the legal position in relation to allegations that are never proven?

  • Can such unproven allegations be included in records used for vetting and, if so, what guidelines are there for this?

The DPA’s overriding principle is that all personal data – data relating to an identifiable living individual such as Ian Huntley – must be processed “fairly and lawfully”. Data should also only be held and used for limited purposes and should not be kept for longer than necessary.  

Information about an individual’s criminal record, and information about allegations that are not proven, is classified in the DPA as “sensitive” personal data.  However, a further set of rules apply to this kind of information, on top of the general principles mentioned already. While retention of information about unproven allegations must be “lawful” and “fair”, and not kept for longer than necessary, anyone can hold this kind of data where necessary:

  • to protect the vital interests of the data subject or another person

  • in connection with legal proceedings (including prospective legal proceedings), or

  • for the exercise of any functions conferred on any person by any enactment.  

The Data Protection (Processing of Sensitive Personal Data) Order 2000 also permits the holding and use of this kind of sensitive data where necessary:

  • in the public interest

  • for the purposes of prevention or detection of any unlawful act, or

  • for the exercise of functions conferred on any person by any rule of law.  

The problem facing us all is interpreting and applying these rules in a way that  not only meets the requirements of the law, but also allows us to operate our business or organisation efficiently and effectively on a daily basis. Humberside did still have the records of allegations made against Huntley, but only in paper form.   It does not consult its paper records for vetting because to do so would take months for every enquiry.  

Even for lawyers, the DPA can seem virtually impenetrable. Even the Court of Appeal has called it “cumbersome and inelegant”. This impenetrability stems primarily from its rules hanging on a framework of “principles” – broad, widely drafted guidelines that offer little practical help to HR departments and other organisations dealing with employment vetting.

Invariably, there is room for interpretation, and quite often ambiguity or even conflict.

On the question of retaining records for employment vetting, there is, on the one hand, a general principle of not keeping data for longer than necessary. And, on the other hand, the specific allowances for disclosing details of convictions or unproven allegations where “necessary” for the various reasons described above.         

The information commissioner says: “It’s for the police to decide what purposes they’re holding information for, and as long as they are holding it for legitimate purposes, such as the investigation or prevention of crime, they can hold information in some cases for a very long time.”

Clearly, there are compelling arguments for holding data relating to allegations of underage sex, rape or indecent assault for a very long time. Modern forensic techniques and DNA analysis can lead to the arrest of a suspect long after the event.   On this basis, Humberside’s practice of deleting data every month seems injudicious.

The police’s own industry guidelines also seem to contradict the arguments put forward by Humberside’s chief constable.   The Association of Chief Police Officers (ACPO) Code of Practice for data protection – issued with the support of the Information Commissioner in October 2002 – seems clear: police forces have a duty “to ensure that personal information is periodically reviewed and information that is no longer required is removed” and “information should not be retained on the grounds that it may possibly become relevant in the future”.

But the code permits retention for five years where a sexual offence is alleged – even if the suspect is acquitted or the case is discontinued because of lack of evidence. This period can be extended where the circumstances of the allegation would give cause for concern if the individual applied for employment involving substantial access to vulnerable persons.  

This suggests that it is not the law at fault, but Humberside’s procedures.   However, ACPO has recently been subject to enforcement action by the information commissioner for “over retention of conviction data”, so it seems even its guidelines are controversial.


In the absence of specific guidance from the information commissioner, common sense must dictate how employers respond to these issues. The right to privacy, and the right to have data retained no longer than necessary, must be balanced with the need to protect the public from people who might have criminal tendencies.  

Marcus Turle is a solicitor with London law firm Field Fisher Waterhouse

What can employers do?

Pre-employment vetting –
Data Protection Act guidance:

  • It should only be used where there are particularly significant risks to the employer, clients, customers or others and where there is no less intrusive and reasonably practicable alternative

  • Vetting should only be carried out at an appropriate point in the recruitment process, for example, comprehensive vetting should only be conducted on a successful applicant; it should be made clear to the candidate when and how it will be conducted, and it should only be used to obtain specific information

  • Information should only be sought from likely sources and the applicant should be allowed to make representations regarding information that will affect the employer’s final decision of whether to appoint or not. Obtaining the candidate’s explicit consent to vetting is always a sensible measure to take

The Criminal Records Bureau is operational and an employer may, in appropriate circumstances, check whether a candidate has a criminal record

Erica Neustadt, Field Fisher Waterhouse

Employers’ retention of data

The Data Protection Act 1998 does not override any statutory requirement to keep records, for example for the purposes of working time, minimum wage, statutory sick pay or PAYE. While the original draft of the Data Protection Code contained guideline retention times for different categories of data, the final version provides only guidance for employers on developing a practice of standard retention times based on actual rather than theoretical need, leaving employers, therefore, to make their own decisions.

It might be sensible to retain basic employment details, such as names, dates of birth, dates of employment and national insurance numbers, indefinitely. 

As far as other records are concerned, an employer must balance the risk of a future claim against the cost of the administration involved in retaining records and the possibility of an enforcement action or a claim for damages under the act.

Erica Neustadt, Field Fisher Waterhouse

Comments are closed.