Good Practice Recommendations – Managing Data Protection
Data protection compliance should be seen as an integral part of employment practice. It is important to develop a culture in which respect for private life, data protection, security and confidentiality of personal information is seen as the norm.
0.1 Identify the person within the organisation responsible for ensuring that employment policies and procedures comply with the Act and for ensuring that they continue to do so. Put in place a mechanism for checking that procedures are followed in practice.
Key points and possible actions
- The nature and size of the organisation will influence where responsibility should rest.
- Ensure the person responsible reads all relevant parts of the Code.
- Check employment policies and procedures, including unwritten practices, against the relevant parts of the Code.
- Eliminate areas of non-compliance.
- Inform those who need to know why certain procedures have changed.
- Introduce a mechanism for checking that procedures are followed in practice, for example, occasional audits and spot checks and/or a requirement for managers to sign a compliance statement.
0.2 Ensure that business areas and individual line managers who process information about workers understand their own responsibility for data protection compliance and if necessary amend their working practices in the light of this.
Key points and possible actions
- Prepare a briefing to departmental heads and line managers about their responsibilities.
0.3 Assess what personal information about workers is in existence and who is responsible for it.
Key points and possible actions
- Use the various parts of this Code as the framework to assess what personal information your organisation keeps and where responsibility for it lies.
- Remember that personal information may be held in different departments as well as within the personnel/human resource function.
0.4 Eliminate the collection of personal information that is irrelevant or excessive to the employment relationship. If sensitive data are collected, ensure that a sensitive data condition is satisfied.
Key points and possible actions
- Consider each type of personal information that is held and decide whether any information could be deleted or not collected in the first place.
- Check that the collection and use of any sensitive personal data satisfies at least one of the sensitive data conditions.
See Supplementary Guidance, which explains more about the conditions for processing sensitive data.
0.5 Ensure that all workers are aware of how they can be criminally liable if they knowingly or recklessly disclose personal information outside their employer’s policies and procedures. Make serious breaches of data protection rules a disciplinary matter.
Key points and possible actions
- Prepare a guide explaining to workers the consequences of their actions in this area.
- Make sure that the serious infringement of data protection rules is clearly indicated as a disciplinary matter.
- Ensure that the guide is brought to the attention of new workers.
- Ensure that workers can ask questions about the guide.
0.6 Ensure that your organisation has a valid notification in the register of data controllers that relates to the processing of personal information about workers, unless it is exempt from notification.
Key points and possible actions
- Consult the Data Protection Register website – www.dpr.gov.uk – to check the notification status of your organisation.
- Check whether your organisation is exempt from notification using the website.
- Check whether all your processing of information about workers is correctly described there – unless your organisation is exempt.
- Allocate responsibility for checking and updating this information on a regular basis, for example every 6 months.
0.7 Consult workers, and/or trade unions or other representatives, about the development and implementation of employment practices and procedures that involve the processing of personal information about workers.
Key points and possible actions
- Consultation is only mandatory under employment law in limited circumstances and for larger employers, but it should nevertheless help to ensure that processing of personal information is fair.
- When formulating new employment practices and procedures, assess the impact on collection and use of personal information.
