Cookies and Privacy  UNISONScotland www
This is our archive website that is no longer being updated.
For the new website please go to
Click here
Home News About us Join Us Contacts Help Resources Learning Links UNISON UK


About the P&I Team Briefings Home | Responses | PFI Index | Policy Guide




Data Protection Codes 3


As explained in the previous data protection briefing (No.54), the Employment Practices Data Protection Code applies primarily to UK businesses where the employment of staff constitutes a significant activity. The Code is therefore directly relevant to the vast majority of UK business's, as most if not all must necessarily store and process information about their employees.

The UK Information Commissioner, responsible for ensuring compliance with the 1998 UK Data Protection Act, has recently released the second part of the Employment Practices Data Protection Code. This section of the Code deals with the handling of employee records and explains how employers can follow the Data Protection Act in the context of the collection and storage of employment records. Part 2 of the Code sets out the procedures (and penalties) for storing personal data about employees and job applicants and also explains the processes under which employees (and unsuccessful job applicants) can insist on obtaining copies of those records. In addition it also covers topics such as the handling of employee sickness data, employee pension and insurance data and employee data within the context of merger's and acquisitions.

Employment aspects

The Data Protection Act is designed to give individuals certain rights in respect of the processing of personal data about them that takes place during employment. The Act does not prevent an employer from collecting, maintaining and using records about workers but seeks to strike a balance between the employer's need to keep records and the worker's right to respect for his or her private life.

Part.2 of the Data Protection Code is divided into 16 sections, these relate to different areas of the collection and storage of employment records process. Of the 16 areas addressed in part 2 of the Code, areas of particular interest include:

  1. Managing Data Protection
  2. Managing data protection is concerned with how employers set up methods to protect personal data about workers. While not a strict legal requirement, the Code notes that it is preferable that workers, their representatives or trade unions are consulted on the development and implementation of policies concerning the processing of personal data.

  3. Collecting & Keeping Employment Records

    Employers must ensure that all employees are made aware of the nature and source of any information kept about them, how it will be used and whom it will be disclosed to.

3. Security

Appropriate security should be in place to protect employee data against unauthorised access, loss, or destruction, including, where appropriate, a system of secure cabinets, access controls and passwords to ensure that only authorised staff can view employee data.

  1. Sickness & Accident Records
  2. Sickness and accident records should be maintained separately from other employee records, including absence records (i.e., records that do not specifically refer to the reasons for an employee's absence). Whenever possible, employers should rely on absence records, rather than more detailed sickness and accident records.

  3. Pension & Insurance Schemes
  4. Information collected for work-related pension and insurance schemes should not be used for other general employment purposes. Employees should be informed of any data that will be collected in connection with a health or insurance scheme.

  5. Equal Opportunities Monitoring
  6. Information used in connection with equal opportunities monitoring should be anonymised whenever possible.

  7. Marketing
  8. Employees should be notified if their data will be used to market or advertise goods or services to them and have an opportunity to opt-out of such marketing.

  9. Fraud Detection
  10. Employers must not disclose worker data to other organisations for the prevention or detection of fraud unless they are required by law to make the disclosure. Or unless they believe that failure to disclose is likely to prejudice the prevention or detection of crime or unless the disclosure is provided for in workers' contracts of employment.

  11. Workers' Access to Information about Themselves
  12. Workers, like any other individuals, have a right to gain access to information that is kept about them. This right is known as subject access. The right applies, for example, to sickness records, disciplinary or training records, appraisal or performance review notes, information held in general personnel files and even interview notes.

  13. References

    Employers must not provide a confidential reference about a worker to another organisation unless they are sure that this is the workers wish. References are included in those documents an employee can demand to see under 'subject access'.

11. Disclosure Requests

In some cases employers will be under a legal obligation to disclose, where this is the case they have no choice but to do so.

12. Publication & other Disclosures

Employers should only publish information about workers where there is a legal obligation to do so, or the information is clearly not intrusive, or the worker has consented to disclosure, or the information is in a form that does not identify individual workers.

  1. Mergers & Acquisitions
  2. Employee data handed over to a third-party in the context of a pending merger or acquisition should be anonymised whenever possible, and only after assurances are secured that the data will be used solely in connection with the contemplated business venture and destroyed or returned after use.

  3. Discipline, Grievance and Dismissal
  4. Workers have the same rights of access to files containing information about disciplinary matters or grievances about themselves as they do to other personal data held, unless this information is associated with a criminal investigation in which case an exemption might apply.

  5. Outsourcing Data Processing
  6. Where an employer outsources a service to a data processor, it falls to the employer to ensure that the data processor puts in place appropriate technical and organisational security measures.

  7. Retention of Records

    Employers must ensure that personal information is not kept for longer than is necessary but equally that it is not deleted where there is a real business need to retain it. Retention times may therefore vary from one employer to another depending on the use the employer makes of particular types of information

Information for Branches:

The Act allows for any individual to make a 'subject access request' to any organisation that he or she believes is processing his or her personal data. This request must be in writing, for example by letter or e-mail. Once an organisation receives such a request it must respond promptly, or at the most within 40 calendar days. It must produce copies of the information it holds in an intelligible form. The organisation can charge up to £10 for doing this.

There are some exemptions that allow organisations to withhold information. These exemptions can apply in areas such as criminal investigation, management planning such as promotion and transfer plans, and negotiations.


Top of page

Further Information

A copy of part 1 of the code can be accessed at http://www.dataprotection.gov.uk

A copy of part 2 of the code can be accessed at http://www.evh.org.uk/uploaded/

The draft copy of part 3 of the code can be accessed at http://specials.ft.com/spdocs/

Contacts list:

Dave Watson -

@ The P&I Team
14 West Campbell St
Glasgow G26RX
Tel 0845 355 0845
Fax 0141-307 2572