that the Information Commissioner has published Part 2 of the Employment
Practices Data Protection Code, its requirements are effective immediately. Warren Wayne of law firm Boodle Hatfield
explains the Code and what you need to do to comply with it.
part of the Code guides employers over the handling and retention of various
types of employee records.
we are, strictly speaking, within the second transitional period (which expires
on 23 October 2007) under the Data Protection Act 1998 the reality is that the
Act is now fully effective in relation to the rights of data subjects and the
maintenance of employee records.
records are covered?
the context of the employment relationship, the Code applies to records kept on
the following people:
Current job applicants (whether successful or not)
● Previous job applicants (whether successful or not)
● Current employees
● Former employees
● Agency workers (both current and former)
● Casual workers (both current and former)
● Contract workers and freelancers (both current and former)
does the code demand of these records?
Code applies the eight Data Protection Principles to these categories of
staff. The most relevant of these are
the third, fourth and fifth principles which require employee records to be:
● Not excessive in relation to the purposes for which they are used and
● Kept up to date where necessary
● Not kept for longer than is necessary
is the legal status of this Code?
the Code is not legally binding, it sets standards of good practice. According to the Commissioner, this includes
both compliance with the letter of the law and the spirit of the legislation. Naturally, there is some disquiet among
employers over this approach, as it suggests that the Commissioner will enforce
higher standards that those strictly required by the legislation.
do employers need to do in order to comply?
Code contains numerous recommendations and benchmarks and you will need to look
through all of these. The code can be downloaded from the Information
Commissioner’s website (see links). However, the main recommendations include:
Workers should be provided with a copy of their basic employment record
annually. This should either be a
paper record, or supplied in another easily intelligible permanent form.
Personal data that is irrelevant or excessive should be eliminated from
files. This is an awkward task for
HR Departments, as it will require files to be individually reviewed.
Staff should be informed that if they knowingly or recklessly disclose
personal data about other workers, they could be committing a criminal offence
and be personally liable. The best
approach here is to incorporate this into disciplinary procedures and to ensure
that staff are warned of their data protection obligations during the induction
It is recommended that employees’ contracts contain confidentiality clauses
that ensure the security of staff data.
There should be established procedures and security rules for removing staff
records from the workplace, including those on laptops or palmtops.
A distinction should be drawn between “sickness records” which include
details of the illness, and “absence records” which do not refer to any
particular medical condition, but may give the absence reason as
“sickness”. This is because the details
of a particular illness will constitute “sensitive personal data” under the
Act, making them a restricted form of record.
As a result of the above, it is recommended that sickness records and
absence records should be kept separately and used in different contexts. For example, when company sick pay is being
calculated, the payroll department will only need to refer to the length of the
absence and will not need details of the illness itself.
Taking this further, managers should be permitted to have access to sickness
records, so they can investigate persistent short term illness or long term
illness absence issues. But, this
information should only be available to those who reasonably require it as part
of their duties (including HR departments).
Although staff are not entitled to have access to references written by their
current employer, the Commissioner regards it as good data protection practice
to allow staff to see these references so that they can challenge
information which they think is inaccurate or misleading. This recommendation places the Code at odds
with the strict legal position.
In relation to general record keeping, information should not be retained
just because “it might be useful one day”.
The Commissioner requires that employers conduct a risk analysis, by
balancing the risks to workers of data being kept, against the consequences of
keeping information that is only rarely used.
No specific guidelines are given as to how long records should be kept,
but it is difficult to see how the Commissioner can object to records being
kept for up to a year after termination, in case they are needed as evidence in
employment related litigation.
can the Information Commissioner do to enforce these rules?
Commissioner has a variety of enforcement powers, although they have rarely (if
ever) been used in the employment context.
Her powers are:
Enforcement action. The
Commissioner can revoke the employer’s Notification, which effectively prevents
all further data processing in the organisation. Continued breaches after this will be a criminal offence.
● Prosecution. This is
likely to occur where personal data has been unlawfully obtained or unlawfully
● Assessment. The
Commissioner has powers to investigate and assess a company’s use of personal
data. The Commissioner must investigate
if asked to do so by an individual who makes a legitimate complaint. She has wide discretion over the way in
which the investigation is conducted has power to serve an Information Notice.
also have the right to claim compensation in the civil courts, but only if
they have suffered both damage and distress.
It is unlikely that many employees will be able to prove that they have
suffered financial damage as a result of any breach of data protection,
although it is possible in some circumstances.
this Code really necessary?
part of the Code is helpful to employers, in as much as it gives much needed
clarity in an area which has previously been beset by confusion. Data protection practices will no doubt continue
to evolve as employers adjust to these guidelines.
Practices Data Protection Code Part 2: Employment Records can be found at www.dataprotection.gov.uk/dpr/dpdoc.nsf
under "Codes of practice our responses & other papers"