About the Code

Our aim:

This Code is intended to help employers comply with the Data Protection Act and to encourage them to adopt good practice. The Code aims to strike a balance between the legitimate expectations of workers that personal information about them will be handled properly and the legitimate interests of employers in deciding how best, within the law, to run their own businesses. It does not impose new legal obligations.

Who is the Code for?

The Employment Practices Data Protection Code deals with the impact of data protection laws on the employment relationship. It covers such issues as the obtaining of information about workers, the retention of records, access to records and disclosure of them. Not every aspect of the Code will be relevant to every organisation – this will vary according to size and the nature of its business. Some of the issues addressed may arise only rarely – particularly for small businesses. Here the Code is intended to serve as a reference document to be called on when necessary.

The benefits of the Code

The Data Protection Act 1998 places responsibilities on any organisation to process personal information that it holds in a fair and proper way. Failure to do so can ultimately lead to a criminal offence being committed.

The effect of the Act on how an organisation processes information on its workers is generally straightforward. But in some areas it can be complex and difficult to understand, especially if your
organisation has only limited experience of dealing with data protection issues. The Code therefore
covers the points you need to check, and what action, if any, you may need to take. Following the Code should produce other benefits in terms of relationships with your workers, compliance with other legislation and efficiencies in storing and managing information.

Following the Code will:

• increase trust in the workplace – there will be transparency about information held on individuals,
  thus helping to create an open atmosphere where workers have trust and confidence in employment practices.
• encourage good housekeeping – following the Code encourages organisations to dispose of
  out-of-date information, freeing up both physical and computerised filing systems and making
  valuable information easier to find.
• protect organisations from legal action – adhering to the Code will help employers to protect
  themselves from challenges against their data protection practices.
• encourage workers to treat customers’ personal data with respect – following the Code will create a general level of awareness of personal data issues, helping to ensure that information about customers is treated properly.
• help organisations to meet other legal requirements – the Code is intended to be consistent with other legislation such as the Human Rights Act 1998 and the Regulation of Investigatory Powers Act 2000 (RIPA).
• assist global businesses to adopt policies and practices which are consistent with similar legislation in other countries – the Code is produced in the light of EC Directive 95/46/EC and ought to be in line with data protection law in other European Union member states.
• help to prevent the illicit use of information by workers – informing them of the principles of data protection, and the consequences of not complying with the Act, should discourage them from misusing information held by the organisation.

What is the legal status of the Code?

The Code has been issued by the Information Commissioner under section 51 of the Data Protection Act. This requires him to promote the following of good practice, including compliance with the Act’s requirements, by data controllers and empowers him, after consultation, to prepare Codes of Practice giving guidance on good practice.

The basic legal requirement on each employer is to comply with the Act itself. The Code is designed to help. It sets out the Information Commissioner’s recommendations as to how the legal requirements of the Act can be met. Employers may have alternative ways of meeting these requirements but if they do nothing they risk breaking the law.

Any enforcement action would be based on a failure to meet the requirements of the Act itself. However, relevant parts of the Code are likely to be cited by the Commissioner in connection with any enforcement action that arises in relation to the processing of personal information in the employment context.

Who does data protection cover in the workplace?

The Code is concerned with information that employers might collect and keep on any individual who might wish to work, work, or have worked for them. In the Code the term ‘worker’ includes:

• applicants (successful and unsuccessful)
• former applicants (successful and unsuccessful)
• employees (current and former)
• agency staff (current and former)
• casual staff (current and former)
• contract staff (current and former)

Some of this Code will also apply to others in the workplace, such as volunteers and those on work experience placements.

What information is covered by the Code?

Information about individuals, that is kept by an organisation on computer in the employment context, will fall within the scope of the Data Protection Act and therefore, within the scope of this Code. However, information that is kept in simple manual files will often fall outside the Act. Where information falls outside the Act, this Code can do no more than offer advice on good information handling practice.

Personal information

The Code is concerned with ‘personal information’. That is, information which:

• l is about a living person and affects that person’s privacy (whether in his/her personal or family life, business or professional capacity) in the sense that the information has the person as its focus or is otherwise biographical in nature, and
• identifies a person, whether by itself, or together with other information in the organisation’s
  possession or that is likely to come into its possession.

This means that automated and computerised personal information kept about workers by employers is covered by the Act. It also covers personal information put on paper or microfiche and held in any ‘relevant filing system’. In addition, information recorded with the intention that it will be put in a relevant filing system or held on computer is covered.

Only a well structured manual system will qualify as a relevant filing system. This means that the system must amount to more than a bundle of documents about each worker filed in date order. There must be some sort of system to guide a searcher to where specific information about a named worker can be found readily. This might take the form of topic dividers within individually named personnel files or name dividers within a file on a particular topic, such as ‘Training Applications’.

Processing

The Act applies to personal information that is subject to ‘processing’. For the purposes of the Act, the term ‘processing’ applies to a comprehensive range of activities. It includes the initial obtaining of
personal information, the retention and use of it, access and disclosure and final disposal.

Examples of personal information likely to be covered by the Act include:

• details of a worker’s salary and bank account held on an organisation’s computer system
• an e-mail about an incident involving a named worker
• a supervisor’s notebook containing information on a worker where there is an intention to put that
  information in that worker’s computerised personnel file
• an individual worker’s personnel file where the documents are filed in date order but there is an index to the documents at the front of the file
• an individual worker’s personnel file where at least some of the documents are filed behind sub
  dividers with headings such as application details, leave record and performance reviews
• a set of leave cards where each worker has an individual card and the cards are kept in alphabetical order
• a set of completed application forms, filed in alphabetical order within a file of application forms for a particular vacancy.

Examples of information unlikely to be covered by the Act include:

• information on the entire workforce’s salary structure, given by grade, where individuals are not
  named and are not identifiable
• a report on the comparative success of different recruitment campaigns where no details regarding individuals are held
• a report on the results of “exit interviews” where all responses are anonymised and where the results are impossible to trace back to individuals
• a personnel file that contains information about a named worker but where the information is simply filed in date order with nothing to guide a searcher to where specific information, such as the worker’s leave entitlement, can be found.

Sensitive personal information

What are sensitive data?

Sensitive data are information concerning an individual’s;

• racial or ethnic origin
• political opinions
• religious beliefs or other beliefs of a similar nature
• trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992)
• physical or mental health or condition
• sexual life
• commission or alleged commission of any offence, or
• proceedings for any offence committed or alleged to have been committed, the disposal of such
  proceedings or the sentence of any court in such proceedings

Sensitive data processed by an employer might typically be about a worker’s;

• physical or mental health
  • as a part of sickness records revealed through monitoring e-mails sent by a worker to his or her manager or to an occupational health advisor
  • obtained as part of a pre-employment medical questionnaire or examination.
  • drug or alcohol test results
• criminal convictions
  • to assess suitability for certain types of employment
• disabilities
  • to facilitate adaptations in the workplace
  • to ensure special needs are catered for at interview or selection testing
  • in monitoring equality of opportunity
• racial origin
  • to ensure that recruitment processes do not discriminate against particular racial groups
  • to ensure equality of opportunity
• trade union membership
  • to enable deduction of subscriptions from payroll
  • revealed by internet access logs which show that a worker routinely accesses a particular trade union website.

The Act sets out a series of conditions, at least one of which has to apply before an employer can collect, store, use, disclose or otherwise process sensitive data.

See Supplementary Guidance which explains more about the conditions for processing sensitive data. (Clicking this link opens a new window)

What responsibilities do workers have under the Act?

Workers – as well as employers – have responsibilities for data protection under the Act. Line managers have responsibility for the type of personal information they collect and how they use it. No-one at any level should disclose personal information outside the organisation’s procedures, or use personal information held on others for their own purposes. Anyone disclosing personal information without the authority of the organisation may commit a criminal offence, unless there is some other legal justification, for example under ‘whistle-blowing’ legislation.

Of course, applicants for jobs ought to provide accurate information and may breach other laws if they do not. However, the Act does not create any new legal obligation for them to do so.

Managing Data Protection explains more about allocating responsibility.

Parts of the Code

The Employment Practices Data Protection Code starts with a section on managing data protection
in employment practices. It is then split into four parts

• recruitment and selection – is about job applications and pre-employment vetting
• employment records – is about collecting, storing, disclosing and deleting records
• monitoring at work – is about monitoring workers’ use of telephones, the internet, e-mail systems and vehicles
• workers’ health – is about occupational health, medical testing, drug and genetic screening.

Each part of the Code has been designed to stand alone. Which parts of the Code you choose to use will depend on the relevance to your organisation of each area covered.

The Good Practice Recommendations

Each part of the Code consists of a series of good practice recommendations. These good practice recommendations may be relevant to either large or small employers, but some of them address activities that are of a more specialist nature than others or may occur only rarely, particularly in a small business, These recommendations are most likely to be relevant to larger organisations. However, how far they are applicable and what is needed to achieve them will, of course, depend very much not just on size but also on the nature of each organisation.

Supplementary Guidance

Supporting guidance, aimed mainly at those in larger organisations who are responsible for ensuring that employment policies and practices comply with data protection law, includes more detailed notes and examples. These notes and examples, do not form part of this Code.