contents
- About the Code
- Managing Data Protection
- Part 1: Recruitment and Selection
- Part 2: Employment Records
- About Part 2 of the Code
- Good Practice Recommendations
- 2.1 COLLECTING AND KEEPING GENERAL RECORDS
- 2.2 SECURITY
- 2.3 SICKNESS AND INJURY RECORDS
- 2.4 PENSION AND INSURANCE SCHEMES
- 2.5 EQUAL OPPORTUNITIES MONITORING
- 2.6 MARKETING
- 2.7 FRAUD DETECTION
- 2.8 WORKERS' ACCESS TO INFORMATION ABOUT THEMSELVES
- 2.9 REFERENCES
- 2.10 DISCLOSURE REQUESTS
- 2.11 PUBLICATION AND OTHER DISCLOSURES
- 2.12 MERGER, ACQUISITION, AND BUSINESS RE-ORGANISATION
- 2.13 DISCIPLINE, GRIEVANCE AND DISMISSAL
- 2.14 OUTSOURCING DATA PROCESSING
- 2.15 RETENTION OF RECORDS
- Part 3: Monitoring at Work
- Part 4: Information About Workers' Health
- Contact Details
About Part 2 of the Code
Data protection in employment records
Running a business necessarily involves keeping records about workers. Such records will contain information that is personal in nature and can affect a worker’s privacy. The Act does not prevent an employer from collecting, maintaining and using records about workers but helps to strike a balance between the employer’s need to keep records and the worker’s right to respect for his or her private life. This part of the Code will assist employers not only to comply with the law but also to follow good records management practice.
What does this part of the code cover?
This part of the Code covers all aspects of the collection, holding and use of employment records from the initial obtaining of information once a worker has been employed or engaged through to the ultimate deletion of the former worker’s record. It also deals with the rights of job applicants as well as workers to access to information the employer keeps about them. It does not though deal in detail with the collection and use of health information. This is covered in Part 4.
Some recommendations in the Code are only likely to be of relevance to those involved in particular activities such as marketing to their workers or to those who find themselves in particular situations such as a business merger or acquisition. For this reason some sub sections are likely to be of relevance mainly to larger organisations.
Sickness and injury records
For the purposes of this Code it is necessary to distinguish between records that include “sensitive data” and those that do not. The term ‘sickness record’ is therefore used to describe a record which contains details of the illness or condition responsible for a worker’s absence. Similarly, an injury record is a record which contains details of the injury suffered. The term ‘absence record’ is used to describe a record that may give the reason for absence as ‘sickness’ or ‘accident’ but does not include any reference to specific medical conditions.
Many employers keep accident records. Such a record will only be an “injury record” if it includes details of the injury suffered by an identifiable worker.
Sickness and injury records include information about workers’ physical or mental health. The holding of sickness or injury records will therefore involve the processing of sensitive personal data. This means one of the conditions for processing sensitive personal data must be satisfied.
Employers are advised as far as practicable to restrict their record keeping to absence records rather than sickness or injury records.
Workers’ access to information about themselves
Workers, like any other individuals, have a right to gain access to information that is kept about them. This right is known as subject access. The right applies, for example, to sickness records, disciplinary or training records, appraisal or performance review notes, e-mails, word-processed documents, e-mail logs, audit trails, information held in general personnel files and interview notes, whether held as computerised files, or as structured paper records. A fee of up to £10 can be charged by the employer for giving access.
Responding to a subject access request involves:
- telling the worker if the organisation keeps any personal information about him or her;
- giving the worker a description of the type of information the organisation keeps, the purposes it is used for and the types of organisations which it may be passed on to, if any;
- showing the worker all the information the organisation keeps about him or her, explaining any codes or other unintelligible terms used;
- providing this information in a hard copy or in readily readable, permanent electronic form unless providing it in that way would involve disproportionate effort or the worker agrees to receive it in
some other way; - providing the worker with any additional information the organisation has as to the source of the
information kept about him or her.
There are a number of exemptions from the right of subject access which can be relevant in an
employment context.
References
The provision of a reference about a worker from one party, such as a present employer, to another, such as a prospective employer, will generally involve the disclosure of personal data. In considering how the Act applies to such disclosure it is important to establish who the reference is being given by or on behalf of.
The Code therefore distinguishes between a reference given in a personal capacity and one given in a corporate capacity. A corporate reference is one given on behalf of the employer by one of its staff. Many employers have rules about who can give such a reference and what it can include. The employer remains legally responsible for compliance with the Data Protection Act.
A personal reference is one given by a member of staff in an individual capacity. It may refer to work
done but it is not given on behalf of the employer. References that are given in a personal capacity do
not, at least in data protection terms, incur a liability for the employer.
Under a specific exemption in the Act, a worker does not have the right to gain access to a confidential job reference from the organisation which has given it. However, once the reference is with the organisation to which it was sent then no such specific exemption from the right of access exists. That organisation is though entitled to take steps to protect the identity of third parties such as the author of the reference.
Disclosure requests
Employers regularly receive requests for information about individual workers that come from outside the employer’s organisation. An employer has a responsibility to its workers to be cautious in responding to such requests. It risks a breach of the Act if it does not take sufficient care to ensure the interests of its workers are safeguarded. In some cases though the employer has no choice but to respond positively to a request for disclosure. This is where there is a legal obligation to disclose. It is not the Data Protection Act but other laws that create such obligations. Where they do so the Act does not stand in the way of disclosure.
In some other cases the employer will have a choice whether or not to disclose but provided sensitive data are not involved it is clear that the Act will not stand in the way of disclosure. This is where the circumstances of the disclosure are covered by one of the exemptions from the ‘non-disclosure provisions’ of the Act.