Misunderstandings
are unravelled as commission responds to feedback
When
the Data Protection Commission first envisaged a code of practice on the use of
personal data in employer/employee relationships, little did we realise the can
of worms that would be opened.
The
range of issues that arise in the employment context, the extent of the
response to our consultation on the draft code and the heat generated have
caused us surprise, but certainly not disappointment. Our only disappointment
was in the misunderstanding generated by some media reports. We now welcome the
opportunity to set the record straight and explain where we are going.
So
far we have done no more than consult on a draft code. We want the final
version of the code to provide clear, practical guidance to employers on how to
keep within the law. Employer’s views are crucial to this and we are committed
to taking them into account.
There
is no doubt the final code will be significantly different from the draft.
Nevertheless, we cannot lose sight of its purpose. The Data Protection Act 1998
and hence the code are there to protect the individual, as a job applicant,
current employee or former employee.
We
are often asked what the status of the code is. It sets out the Information
Commissioner’s view of the requirements of the law. It is not new law, so the
suggestion that there should be an implementation date or a lead-in period is
inappropriate. The code merely explains what the law that is already in place
means.
We
are now analysing the consultation responses. Many are critical, but all are
helpful. Even the code’s title has, with some justification, come under fire
for placing too much emphasis on traditional employment patterns.
Some
responses, particularly in relation to sickness records, do not fully
appreciate the limitations of the law. We recognise there are legitimate
reasons for employers to hold sickness records and obtaining employee consent
causes practical difficulties. However, we cannot rewrite the Data Protection
Act 1998, we only interpret its provisions. Even so, we hope we will be able to
provide some comfort for employers in the final version.
Some
of the consultation responses appear contradictory. We have been told not only
that the draft code is too long and complex, but also that there is a need to
include additional material. We therefore plan to produce the final version in
several distinct sections. There are likely to be four of these covering
recruitment and selection, employee records management, monitoring and medical
testing.
So
far as presentation is concerned, we are looking for expert help to ensure the
code is as useful as possible to the intended audience of HR professionals. We
have been given pointers to other codes of practice in the employment field as
examples of good practice, but would welcome suggestions as to where we might
find such expert help.
Monitoring
of e-mail and Internet access is the issue that has drawn most attention. While
we may not have fully appreciated all the reasons employers have for
monitoring, those who argue that it is solely a matter for the DTI’s Lawful
Business Practice Regulations are mistaken. These neither override the
requirements of the Data Protection Act 1998, nor, in concentrating on
interception of communications, address the means by which much monitoring is
undertaken.
It
is too early to speculate on the precise terms of the final code, but it is
inescapable that if monitoring is to take place it must:
–
Address specific business risks
–
Be a proportionate response to those risks, bearing in mind its impact on
employees and other individuals
–
Be conducted with the minimum intrusion
–
Be explained to employees beforehand.
Given
the complexity of the issues and the work to be done, it is likely to be some
months before even the first part of the code appears. In the meantime we have
not finished our discussions with those who have a contribution to make. We
are, for example, still planning a conference on employee monitoring before we
again put pen to paper on this controversial subject.
David
Smith is the Assistant Information Commissioner
The draft code and other information is available on the commission’s website
at www.dataprotection.gov.uk