Data Protection Codes Briefing No 54
This briefing should be regarded as a follow
up to Briefing No. 48, which introduced
the topic of data protection and explained in general terms the
four constituent parts of the Employment Practices Data Protection
Code. This briefing will explain in greater detail the contents
of Part One of the Employment Practices Data Protection Code including
the responsibilities of employers and employees as regards the
handling of data in relation to the recruitment and selection
of staff. Further briefings will be published in the near future
in relation to Parts two, three and four of the code. These will
deal with employer's responsibilities as regards the maintenance
of employment records, monitoring of employees and handling of
sensitive medical information.
What is this Code of Practice for?
The Employment Practices Data Protection Code is intended to
assist employers in complying with the 1998 Data Protection Act
and to establish good practice for handling personal data in the
Who do the provisions of the code relate to?
The Code is concerned with data that employers might collect
and keep on a range of 'workers'. In the Code the term 'worker'
applies to successful and unsuccessful applicants and former applicants,
current and former employees, agency workers, casual workers and
What is the legal status of the code?
The legal requirement on employers is to comply with the Act
itself, however the benchmarks in the Code are designed to bring
about compliance with the Act. The benchmarks in the Code develop
and apply the Act in the context of employment practices.
What type of data is covered by the code?
The majority of information about employees that is processed
by an organisation will fall within the scope of the Code. This
includes personal data like salary and bank details in addition
to more personal information contained in completed application
forms or employers notes. In practice nearly all useable information
held about individual workers will be covered by the code.
What is sensitive personal data?
The Data Protection Act sets out a series of strict conditions,
which have to be met before an employer can collect, store, use,
disclose or otherwise process sensitive personal data. Examples
of sensitive personal data include information relating to an
individual's racial origins, political opinions, or religious
beliefs. In the context of recruitment and selection typical circumstances
in which sensitive personal data might be held include relevant
criminal convictions to assess suitability for certain types of
employment or racial origin to ensure recruitment processes do
not discriminate against particular racial groups.
Part 1 of the code is divided into eight sections relating
to different elements of the recruitment and selection process
and includes compliance and best practice guidance on the following
- Managing data protection
Employers are expected to comply fully with the DPA and make
it an integral part of their employment practices. Overall responsibility
for compliance should be allocated to an individual within the
organisation. While not a strict legal requirement, the Code notes
that it is preferable that workers, their representatives or trade
unions are consulted on the development and implementation of
policies concerning the processing of personal data.
People applying for jobs must be informed of the company's name
and, unless self evident, how their information will be used.
Candidates must also be informed if the information is kept for
Applications include responses to specific job advertisements
and speculative applications, whether on tailor-made forms or
CVs. Forms should state to whom the information is being provided,
how it will be used and whether or not information will be verified.
Information should only be sought if it is relevant to the recruitment
decision and criminal convictions should only be requested if
justified by the role.
When verifying an applicant's details firms should not go beyond
checking the information supplied in the application or recruitment
process. The process of checking information should also be
explained. If it is necessary to obtain information or documents
from a third party, employers must ensure that applicants sign
a consent form.
Information for branches
Workers responsibilities under the Act
Workers also have responsibilities for data protection under
the Act. No employee should disclose personal data outside the
organisation's procedures, or use personal data held on others
for their own purposes. A worker disclosing personal data without
the authority of the organisation may commit a criminal offence,
unless there is some other legal justification for example under
Short-listing procedures should be applied consistently. Applicants
must be told if automated tests are the sole selection method
and are entitled to make representations. Where psychological
testing is used, only those sufficiently trained in the method
should analyse the information.
Employers should only keep personal data that is relevant to
the recruitment process or which may be used to defend the process
if it is challenged. Worthwhile bearing in mind that as an applicant
you will normally be entitled to have access to any interview
notes that are retained.
- Pre-employment vetting
Firms should only make further enquiries about an applicant when
it is absolutely necessary. Comprehensive vetting should only
be conducted when the applicant is successful and information
only sought if it is specifically needed. The recruitment process
should make it clear vetting will take place.
8. Retention of recruitment records
There is no specific time limit on the retention of personal
data but it should not be kept any longer than is necessary. The
Code advises employers to carry out a review of information obtained
through the selection process and to destroy any irrelevant information.
Workers rights under the Act
The Act grants workers the right to have a copy of the information
that an organisation holds about them. It allows them to apply
to the courts to obtain an order requiring an organisation to
correct inaccurate data held about them, and to seek compensation
where damage and distress have been caused as a result of any
breach of the Act. Workers may also object to the processing of
personal data about them. In some circumstances they can stop
employers keeping information about them or using the information
in particular ways.
Dave Watson - email@example.com
@ The P&I Team
14 West Campbell St
Tel 0845 355 0845
Fax 0141-307 2572