Part 2 of the "Employment Practices Data Protection Code" is now available on the Information Commissioner's website. The Code is not law, but in assessing whether an employer has complied with the Data Protection Act 1998, the Information Commissioner will have regard to its compliance with the Code.

As with Part 1 (on recruitment and selection), this is a "pre-publication version" - the four parts of the Code will not be formally published until all are complete (expected to be by the end of 2002). The Code covers employees, job applicants, agency workers, casual workers and contract workers (current and former).

Part 2 sets out the recommendations on achieving data protection compliance in relation to employment records. The following areas are included in the guidance.

Collecting and keeping employment records
The emphasis here is on transparency, ensuring workers are made aware of the employer's retention policy and their own rights of access, and on regular checks that employee records held are relevant and accurate.

Security
Whether in paper or electronic form, workers' personal information should be stored safely and access should be restricted to those who have a legitimate business need to see it. Background checks, training and confidentiality agreements are all benchmarks for ensuring the reliability of those employees requiring access to records.

Sickness and accident records
A distinction is made between "absence records" (which may state that the absence is due to sickness without giving details of the sickness) and "sickness records" (which provide details of the sickness). Unless there is a legitimate need for details of the "sickness" to be accessed, employers and other employees should not access "sickness" records. Absence or sickness data for identifiable individuals should not be published to other workers with the exception of managers investigating an individual's absence record.

Pension and insurance schemes
Personal information required by, or provided by, a pension scheme administrator or insurer must not be used for general employment purposes. On joining a health or insurance scheme, it should be made clear to employees what information relating to them will be provided and how it will be used.

Responding to subject access and disclosure requests
The Act gives all data subjects, including workers, the right to access their personal data being processed by/on behalf of a controller (including employers). The Code recommends establishing a policy to ensure such a 'subject access request' is dealt with properly, including notifying other employees if information relating to them will be released in the course of giving access.

Employers should have a policy to cover requests from third parties for disclosure of worker details. Unless the employer is under a legal obligation to disclose, worker information should only be disclosed if it is fair in the circumstances to do so (the duty of fairness being owed primarily to the worker).

Mergers and acquisitions
Personal data provided to a potential purchaser/merger partner should be anonymised as far as possible and formal confidentiality obligations put in place. Workers should be informed in advance, if practicable (we doubt whether this will ever be the case). After the transaction has taken place, the new entity should ensure the records do not include excessive information and are accurate – e.g. by checking the accuracy of a sample of records within a few months of the transaction (our DACS service may be appropriate at this stage). If a merger or acquisition involves a transfer of worker personal information outside the EEA, there must be a proper basis for making the transfer.

Discipline, grievance and dismissal
During a disciplinary investigation, there may be a great temptation for an employer to access information it keeps about workers merely because it might be relevant - emails are a prime example. Employers should not do so if this would be incompatible with the purposes for which the information was obtained or disproportionate to the seriousness of the matter being investigated. Employers should state clearly how 'spent' disciplinary warnings are handled, i.e. whether they are removed from the record or simply not taken into account in future disciplinary incidents. The reason for any termination should be properly recorded.

Retention of records
Employers should formulate a retention policy covering the different types of employment records held, dependent on business need and any professional guidelines (and bearing in mind obligations under various pieces of legislation to retain certain records). A risk analysis should be carried out, taking into account the consequences (to the employer, the worker(s) and others) of particular information not being available, the frequency with which such information is needed and the principle of proportionality. Information should be kept anonymised if this would satisfy the purpose of retaining it. At the expiry of the retention period, records should be securely and effectively destroyed.

Section 5 of the Code contains a useful checklist for employers to assist in implementing the Code.

Part 3 of the Code (on monitoring at work) is expected in the next two months and Part 4 (on medical information) by the end of 2002.

© Herbert Smith 2002

The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.

For more information on this or other Herbert Smith publications, please email us.