Cookies and Privacy  UNISONScotland www
This is our archive website that is no longer being updated.
For the new website please go to
Click here
Home News About us Join Us Contacts Help Resources Learning Links UNISON UK


About the P&I Team Briefings Home | Responses | PFI Index | Policy Guide




Data Protection Codes Briefing No 54

 This briefing should be regarded as a follow up to Briefing No. 48, which introduced the topic of data protection and explained in general terms the four constituent parts of the Employment Practices Data Protection Code. This briefing will explain in greater detail the contents of Part One of the Employment Practices Data Protection Code including the responsibilities of employers and employees as regards the handling of data in relation to the recruitment and selection of staff. Further briefings will be published in the near future in relation to Parts two, three and four of the code. These will deal with employer's responsibilities as regards the maintenance of employment records, monitoring of employees and handling of sensitive medical information.

What is this Code of Practice for?

The Employment Practices Data Protection Code is intended to assist employers in complying with the 1998 Data Protection Act and to establish good practice for handling personal data in the workplace.

Who do the provisions of the code relate to?

The Code is concerned with data that employers might collect and keep on a range of 'workers'. In the Code the term 'worker' applies to successful and unsuccessful applicants and former applicants, current and former employees, agency workers, casual workers and contract workers.

What is the legal status of the code?

The legal requirement on employers is to comply with the Act itself, however the benchmarks in the Code are designed to bring about compliance with the Act. The benchmarks in the Code develop and apply the Act in the context of employment practices.

What type of data is covered by the code?

The majority of information about employees that is processed by an organisation will fall within the scope of the Code. This includes personal data like salary and bank details in addition to more personal information contained in completed application forms or employers notes. In practice nearly all useable information held about individual workers will be covered by the code.

What is sensitive personal data?

The Data Protection Act sets out a series of strict conditions, which have to be met before an employer can collect, store, use, disclose or otherwise process sensitive personal data. Examples of sensitive personal data include information relating to an individual's racial origins, political opinions, or religious beliefs. In the context of recruitment and selection typical circumstances in which sensitive personal data might be held include relevant criminal convictions to assess suitability for certain types of employment or racial origin to ensure recruitment processes do not discriminate against particular racial groups.

Part 1 of the code is divided into eight sections relating to different elements of the recruitment and selection process and includes compliance and best practice guidance on the following topics:

  1. Managing data protection

Employers are expected to comply fully with the DPA and make it an integral part of their employment practices. Overall responsibility for compliance should be allocated to an individual within the organisation. While not a strict legal requirement, the Code notes that it is preferable that workers, their representatives or trade unions are consulted on the development and implementation of policies concerning the processing of personal data.

2. Advertising

People applying for jobs must be informed of the company's name and, unless self evident, how their information will be used. Candidates must also be informed if the information is kept for any reason.

  1. Applications
  2. Applications include responses to specific job advertisements and speculative applications, whether on tailor-made forms or CVs. Forms should state to whom the information is being provided, how it will be used and whether or not information will be verified. Information should only be sought if it is relevant to the recruitment decision and criminal convictions should only be requested if justified by the role.

  3. Verification
  4. When verifying an applicant's details firms should not go beyond checking the information supplied in the application or recruitment process. The process of checking information should also be explained. If it is necessary to obtain information or documents from a third party, employers must ensure that applicants sign a consent form.

    Information for branches

    Workers responsibilities under the Act

    Workers also have responsibilities for data protection under the Act. No employee should disclose personal data outside the organisation's procedures, or use personal data held on others for their own purposes. A worker disclosing personal data without the authority of the organisation may commit a criminal offence, unless there is some other legal justification for example under 'whistle-blowing' legislation.

  5. Short-listing

Short-listing procedures should be applied consistently. Applicants must be told if automated tests are the sole selection method and are entitled to make representations. Where psychological testing is used, only those sufficiently trained in the method should analyse the information.

6. Interviews

Employers should only keep personal data that is relevant to the recruitment process or which may be used to defend the process if it is challenged. Worthwhile bearing in mind that as an applicant you will normally be entitled to have access to any interview notes that are retained.

  1. Pre-employment vetting

Firms should only make further enquiries about an applicant when it is absolutely necessary. Comprehensive vetting should only be conducted when the applicant is successful and information only sought if it is specifically needed. The recruitment process should make it clear vetting will take place.

8. Retention of recruitment records

There is no specific time limit on the retention of personal data but it should not be kept any longer than is necessary. The Code advises employers to carry out a review of information obtained through the selection process and to destroy any irrelevant information.

Workers rights under the Act

The Act grants workers the right to have a copy of the information that an organisation holds about them. It allows them to apply to the courts to obtain an order requiring an organisation to correct inaccurate data held about them, and to seek compensation where damage and distress have been caused as a result of any breach of the Act. Workers may also object to the processing of personal data about them. In some circumstances they can stop employers keeping information about them or using the information in particular ways.


Contacts list:

Dave Watson - d.watson@unison.co.uk

@ The P&I Team
14 West Campbell St
Glasgow G26RX
Tel 0845 355 0845
Fax 0141-307 2572

Top of page

Further Information

A copy of part 1 of the code can be accessed at http://www.dataprotection.gov.uk

A copy of part 2 of the code can be accessed at http://www.evh.org.uk/uploaded/

The draft copy of part 3 of the code can be accessed at http://specials.ft.com/spdocs/

Contacts list:

Dave Watson -

@ The P&I Team
14 West Campbell St
Glasgow G26RX
Tel 0845 355 0845
Fax 0141-307 2572