Data Protection Codes of Practice

The Employment Practices Data Protection Code is being introduced in four parts to ensure compliance with the Data Protection Act 1998. They should all be finalised by the end of this year and cover:

Recruitment and Selection
Worker Records
Monitoring at Work
Medical Information (due out by December 2003)

So what does this mean in practical terms?

All personal information you retain relating to either applicants in the recruitment process or employees in their personnel records must be accurate, relevant and secure. To comply with this you must ensure the following:

Worker Records

Your employees are aware of any information kept about them, how it is to be used and to whom it will be disclosed.
Your employees are regularly asked to check their records for accuracy so they can be amended as appropriate and brought up to date.
Systems must be put in place to ensure safe storage of both manual and electronic files, preventing unauthorised access and unintended destruction.

Whilst the response to non-compliance is usually enforcement notices, this can lead to fines of up to £5,000.

Recruitment

Potential payouts can however rise to ‘unlimited’ amounts if you get your recruitment procedures wrong!

Individuals now have rights of access to their records and it is therefore very important that any interview notes and selection criteria are objective and relate to the skills required to do the job. If applicants consider themselves to have been discriminated against, on the basis of sex, race or disability there is no limit on the amount of compensation they may be awarded if successful at tribunal.

Comments such as ‘they will not fit with our culture’ or ‘a young woman in her twenties, likely to have a family within a few years’ are clearly inappropriate, as are ‘too old’, ‘too young’ or ‘qualifications are not appropriate as not obtained in the UK’.

Any records you retain should include clear reasons why unsuccessful applicants’ skills do not match the job description or are less matched than the successful candidate.

And be careful if you wish to check for any criminal convictions. Do not make such evidence a condition of employment as this is to be made illegal shortly. An individual may of their own accord obtain ‘basic’ information from the Criminal Records Bureau to provide to a prospective employer, but employers will only have direct access to such information if vacancies are for sensitive jobs with children and vulnerable adults.

And finally be careful, about retaining all of those CVs for reference in the event of future vacancies. You can only do this if you have the applicant’s agreement and even so, remember the information is likely to be out of date in the relatively short term. It may be preferable to destroy the CVs and obtain the applicant’s agreement to retaining name, address and telephone number so that you can contact him/her for an updated CV should another vacancy become available.

Monitoring at Work

If you want to avoid the possibility of excessive personal use of emails or abuse of the email system, you have the right to monitor email traffic at work. But only if you follow the Data Protection Code guidelines including the following:

make sure you have a clear written policy
explain the business reasons for monitoring emails. For example, emails may form part of the business records
set out the rules for using emails
make clear any monitoring procedure.

It is preferable to exclude as far as possible the monitoring of personal emails or ensure that where it is undertaken, access is kept secure and to a minimum. The key to a successful email monitoring policy is ensuring that everyone is aware of what it is!