Data Protection Codes
As explained in the previous data protection briefing (No.54),
the Employment Practices Data Protection Code applies primarily
to UK businesses where the employment of staff constitutes a significant
activity. The Code is therefore directly relevant to the vast
majority of UK business's, as most if not all must necessarily
store and process information about their employees.
The UK Information Commissioner, responsible for ensuring compliance
with the 1998 UK Data Protection Act, has recently released the
second part of the Employment Practices Data Protection Code.
This section of the Code deals with the handling of employee records
and explains how employers can follow the Data Protection Act
in the context of the collection and storage of employment records.
Part 2 of the Code sets out the procedures (and penalties) for
storing personal data about employees and job applicants and also
explains the processes under which employees (and unsuccessful
job applicants) can insist on obtaining copies of those records.
In addition it also covers topics such as the handling of employee
sickness data, employee pension and insurance data and employee
data within the context of merger's and acquisitions.
The Data Protection Act is designed to give individuals certain
rights in respect of the processing of personal data about them
that takes place during employment. The Act does not prevent an
employer from collecting, maintaining and using records about
workers but seeks to strike a balance between the employer's need
to keep records and the worker's right to respect for his or her
Part.2 of the Data Protection Code is divided into 16 sections,
these relate to different areas of the collection and storage
of employment records process. Of the 16 areas addressed in part
2 of the Code, areas of particular interest include:
- Managing Data Protection
Managing data protection is concerned with how employers set
up methods to protect personal data about workers. While not
a strict legal requirement, the Code notes that it is preferable
that workers, their representatives or trade unions are consulted
on the development and implementation of policies concerning
the processing of personal data.
- Collecting & Keeping Employment Records
Employers must ensure that all employees are made aware of
the nature and source of any information kept about them,
how it will be used and whom it will be disclosed to.
Appropriate security should be in place to protect employee
data against unauthorised access, loss, or destruction, including,
where appropriate, a system of secure cabinets, access controls
and passwords to ensure that only authorised staff can view
- Sickness & Accident Records
Sickness and accident records should be maintained separately
from other employee records, including absence records (i.e.,
records that do not specifically refer to the reasons for an
employee's absence). Whenever possible, employers should rely
on absence records, rather than more detailed sickness and accident
- Pension & Insurance Schemes
Information collected for work-related pension and insurance
schemes should not be used for other general employment purposes.
Employees should be informed of any data that will be collected
in connection with a health or insurance scheme.
- Equal Opportunities Monitoring
Information used in connection with equal opportunities monitoring
should be anonymised whenever possible.
Employees should be notified if their data will be used to
market or advertise goods or services to them and have an opportunity
to opt-out of such marketing.
- Fraud Detection
Employers must not disclose worker data to other organisations
for the prevention or detection of fraud unless they are required
by law to make the disclosure. Or unless they believe that failure
to disclose is likely to prejudice the prevention or detection
of crime or unless the disclosure is provided for in workers'
contracts of employment.
- Workers' Access to Information about Themselves
Workers, like any other individuals, have a right to gain access
to information that is kept about them. This right is known
as subject access. The right applies, for example, to sickness
records, disciplinary or training records, appraisal or performance
review notes, information held in general personnel files and
even interview notes.
Employers must not provide a confidential reference about
a worker to another organisation unless they are sure that
this is the workers wish. References are included in those
documents an employee can demand to see under 'subject access'.
11. Disclosure Requests
In some cases employers will be under a legal obligation to
disclose, where this is the case they have no choice but to
12. Publication & other Disclosures
Employers should only publish information about workers where
there is a legal obligation to do so, or the information is
clearly not intrusive, or the worker has consented to disclosure,
or the information is in a form that does not identify individual
- Mergers & Acquisitions
Employee data handed over to a third-party in the context of
a pending merger or acquisition should be anonymised whenever
possible, and only after assurances are secured that the data
will be used solely in connection with the contemplated business
venture and destroyed or returned after use.
- Discipline, Grievance and Dismissal
Workers have the same rights of access to files containing
information about disciplinary matters or grievances about themselves
as they do to other personal data held, unless this information
is associated with a criminal investigation in which case an
exemption might apply.
- Outsourcing Data Processing
Where an employer outsources a service to a data processor,
it falls to the employer to ensure that the data processor puts
in place appropriate technical and organisational security measures.
- Retention of Records
Employers must ensure that personal information is not kept
for longer than is necessary but equally that it is not deleted
where there is a real business need to retain it. Retention
times may therefore vary from one employer to another depending
on the use the employer makes of particular types of information
Information for Branches:
The Act allows for any individual to make a 'subject access request'
to any organisation that he or she believes is processing his
or her personal data. This request must be in writing, for example
by letter or e-mail. Once an organisation receives such a request
it must respond promptly, or at the most within 40 calendar days.
It must produce copies of the information it holds in an intelligible
form. The organisation can charge up to £10 for doing this.
There are some exemptions that allow organisations
to withhold information. These exemptions can apply in areas such
as criminal investigation, management planning such as promotion
and transfer plans, and negotiations.