Part 2 of the "Employment Practices Data Protection Code" is now available on the Information Commissioner's website. The Code is not law, but in assessing whether an employer has complied with the Data Protection Act 1998, the Information Commissioner will have regard to its compliance with the Code.
As with Part 1 (on recruitment and selection), this is a "pre-publication version" - the four parts of the Code will not be formally published until all are complete (expected to be by the end of 2002). The Code covers employees, job applicants, agency workers, casual workers and contract workers (current and former).
Part 2 sets out the recommendations on achieving data protection compliance in relation to employment records. The following areas are included in the guidance.
Collecting and keeping employment records
The emphasis here is on transparency, ensuring workers are made aware of the employer's retention policy and their own rights of access, and on regular checks that employee records held are relevant and accurate.
Security
Whether in paper or electronic form, workers' personal information should be stored securely and access should be restricted to those who have a legitimate business need to see it. Background checks, training and confidentiality agreements are all suggested measures for ensuring the reliability of those employees who require access to records.
Sickness and accident records
A distinction is made between "absence records" (which may state that an absence is due to sickness without giving details of the sickness) and "sickness records" (which provide details of the sickness). Unless there is a legitimate need for the details to be accessed, employers and other employees should not access "sickness" records. Absence or sickness data for identifiable individuals should not be published to other workers, with the exception of managers investigating an individual's absence record.
Pension and insurance schemes
Personal information required by, or provided by, a pension scheme administrator or insurer must not be used for general employment purposes. On joining a health or insurance scheme, it should be made clear to employees what information relating to them will be provided and how it will be used.
Responding to subject access and disclosure requests
The Act gives all data subjects, including workers, the right to access their personal data being processed by or on behalf of a controller (including employers). The Code recommends establishing a policy to ensure such a 'subject access request' is dealt with properly, including notifying other employees if information relating to them will be released in the course of giving access.
Employers should have a policy to cover requests from third parties for disclosure of worker details. Unless under a legal obligation to do so, worker information should only be disclosed if it is fair in the circumstances to do so (the duty of fairness being owed primarily to the worker).
Mergers and acquisitions
Personal data provided to a potential purchaser/merger partner should be anonymised as far as possible and formal confidentiality obligations put in place. Workers should be informed in advance, if practicable (we doubt whether this will ever be the case). After the transaction has taken place, the new entity should ensure the records do not include excessive information and are accurate, e.g. by checking the accuracy of a sample of records within a few months of the transaction (our DACS service may be appropriate at this stage). If a merger or acquisition involves a transfer of worker personal information outside the EEA, there must be a proper basis for making the transfer.
Discipline, grievance and dismissal
During a disciplinary investigation, there may be a great temptation for an employer to access information it keeps about workers merely because it might be relevant - emails are a prime example. Employers should not do so if this would be incompatible with the purposes for which the information was obtained or disproportionate to the seriousness of the matter being investigated. Employers should state clearly how 'spent' disciplinary warnings are handled, i.e. whether they are removed from the record or simply not taken into account for future disciplinary incidents. The reason for any termination should be properly recorded.
Retention of records
Employers should formulate a retention policy covering the different types of employment records held, dependent on business need and any professional guidelines (and bearing in mind obligations under various pieces of legislation to retain certain records). A risk analysis should be carried out, taking into account the consequences (to the employer, the worker(s) and others) of particular information not being available, the frequency with which such information is needed and the principle of proportionality. Information should be kept anonymised if this would satisfy the purpose of retaining it. At the expiry of the retention period, records should be securely and effectively destroyed.
Section 5 of the Code contains a useful checklist for employers to assist in implementing the Code.
Part 3 of the Code (on monitoring at work) is expected in the next two months and Part 4 (on medical information) by the end of 2002.
© Herbert Smith 2002
The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.