Good Practice Recommendations – Part 2
The parts of the Code referred to in this section are:
2.1 Collecting and keeping general records
2.2 Security
2.3 Sickness and injury records
2.4 Pension and insurance schemes
2.5 Equal opportunities monitoring
2.6 Marketing
2.7 Fraud detection
2.8 Workers’ access to information about themselves
2.9 References
2.10 Disclosure requests
2.11 Publication and other disclosures
2.12 Merger, acquisition, and business re-organisation
2.13 Discipline, grievance and dismissal
2.14 Outsourcing data processing
2.15 Retention of records
2.1 Collecting and keeping general records
2.1.1 Ensure that newly appointed workers are aware of the nature and source of any information stored about them, how it will be used and who it will be disclosed to.
Key points and possible actions
- It is not generally necessary to seek a worker’s consent to keep employment records. It will usually be sufficient to ensure that the worker is aware that records are being kept and is given an explanation of the purposes they are kept for and the nature of any intended disclosures.
- It is only if sensitive data are collected that consent may be necessary.
- Decide on how best to inform new workers about how information about them will be held, used and disclosed.
- If your organisation has not done so previously, distribute this information to existing workers.
- In large organisations, randomly check with a sample of workers that they did in fact receive this information. Rectify any communication gaps.
2.1.2 Inform new workers and remind existing workers about their rights under the Act, including their right of access to the information kept upon them.
Key points and possible actions
- Ensure that information given to new workers includes information about their rights under the Act.
- Set up a system to remind existing workers of their rights.
2.1.3 Ensure that there is a clear and foreseeable need for any information collected from workers and that the information collected actually meets that need.
Key points and possible actions
- Review all forms where information is requested from workers.
- Remove or amend any questions which require the worker to provide information extraneous to your needs.
2.1.4 Provide each worker with a copy of information that may be subject to change, e.g. personal details such as home address, annually or allow workers to view this on-line. Ask workers to check their records for accuracy and ensure any necessary amendments are made to bring records up-to-date.
Key points and possible actions
- Determine the different types of personal data kept about workers and whether they are likely to be subject to change.
- Decide whether data that change could easily be viewed electronically and make any changes to systems necessary to enable this.
- Ensure that the system restricts access to individuals’ records so that each worker can only get access to his or her own record.
- If it is only possible for workers to view data manually, consider how this can best be done.
- Make provision to amend any details that are incorrect on individual workers’ files.
2.1.5 Incorporate accuracy, consistency and validity checks into systems.
Key points and possible actions
- Review computerised systems to see if accuracy checks can be easily built in.
- Put in place arrangements to ensure that when systems are updated or new systems purchased they facilitate data protection compliance.
- Remember that legal responsibility for data protection compliance rests with users rather than suppliers of systems.
2.2 Security
2.2.1 Apply security standards that take account of the risks of unauthorised access to, accidental loss of, destruction of, or damage to employment records.
Key points and possible actions
- BS 7799: 1995 (Code of Practice for Information Security Management) provides guidance which, if followed, should address the main security risks.
- Obtain a copy of BS 7799 if you do not have one already and compare its recommendations to your own existing procedures.
- Put in place measures to rectify any shortfalls, bearing in mind that not all controls will be relevant to all organisations.
2.2.2 Institute a system of secure cabinets, access controls and passwords to ensure that staff can only gain access to employment records where they have a legitimate business need to do so.
Key points and possible actions
- Review who in your organisation has access to employment records and determine whether it is necessary for everyone who currently has access to retain it.
- Remove access rights from those who have unnecessary or over-extensive access to personal information about others.
- Make sure manual files that hold personal information are securely held with locks and only those who should have access retain the key.
- In the case of computerised records, ensure that passwords or similar controls are set up to limit unauthorised access.
2.2.3 Use the audit trail capabilities of automated systems to track who accesses and amends personal information.
Key points and possible actions
- Check whether computerised systems that retain personal information currently have audit trail capabilities. If they do, check that the audit trail is enabled.
- If they do not, see if it would be possible to create audit trails of who accesses and amends personal information.
- If you have a system with audit trails, ensure that regular checks occur to detect unauthorised or suspicious use. Set up a procedure to investigate patterns of unusual or unauthorised access of personal information.
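As an added illustration of the regular checks described in 2.2.3 (not part of the Code or of any particular HR system), the script below reviews a constructed audit trail against the access rules drawn from 2.1.4, 2.2.2 and 2.3.4 and flags a bulk-access pattern; the record layout, role lists and the threshold for "unusual" use are all assumptions.

```python
"""Review of an employment-records audit trail, written as an added
illustration of recommendations 2.1.4, 2.2.2, 2.2.3 and 2.3.4; it is not
part of the Code, and the record layout, roles and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail lines (assumed format):
# timestamp, user id, action, id of the worker whose record was touched
AUDIT_TRAIL = """\
2024-03-04T09:02:11,w1001,view,w1001
2024-03-04T09:05:40,hr07,amend,w1003
2024-03-04T09:06:02,w1002,view,w1004
2024-03-04T09:10:15,mgr12,view,w1005
2024-03-04T09:11:00,mgr12,view,w1001
2024-03-04T13:00:00,hr07,view,w1001
2024-03-04T13:00:05,hr07,view,w1002
2024-03-04T13:00:09,hr07,view,w1004
2024-03-04T13:00:14,hr07,view,w1005
2024-03-04T13:00:20,hr07,view,w1006
2024-03-04T13:00:27,hr07,view,w1007
"""

# Assumed access model: workers see only their own record (2.1.4); HR staff
# on the access list may view and amend (2.2.2); managers may view only the
# records of those who work for them (2.3.4).
HR_STAFF = {"hr07"}
MANAGES = {"mgr12": {"w1005", "w1006"}}

# Assumed threshold for "unusual" use (2.2.3): more than this many distinct
# workers' records touched by one user within a 10-minute window.
BULK_LIMIT = 5
WINDOW = timedelta(minutes=10)


def parse_trail(text):
    """Turn the constructed CSV lines into (timestamp, user, action, record)."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, action, record = line.split(",")
        entries.append((datetime.fromisoformat(ts), user, action, record))
    return entries


def is_permitted(user, action, record):
    """Apply the access rules above to one audit entry."""
    if user == record:
        return action == "view"          # self-service: view only, no amend
    if user in HR_STAFF:
        return True
    if user in MANAGES:
        return action == "view" and record in MANAGES[user]
    return False


def find_unauthorised(entries):
    """Entries that no rule permits: candidates for investigation."""
    return [(ts.isoformat(), u, a, r) for ts, u, a, r in entries
            if not is_permitted(u, a, r)]


def find_bulk_access(entries):
    """Users who touched more than BULK_LIMIT distinct records within WINDOW."""
    by_user = defaultdict(list)
    for ts, user, _, record in entries:
        by_user[user].append((ts, record))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans at most WINDOW
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            distinct = {rec for _, rec in hits[start:end + 1]}
            if len(distinct) > BULK_LIMIT:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def review(text=AUDIT_TRAIL):
    """Run both checks and return the findings for the review procedure."""
    entries = parse_trail(text)
    return {"unauthorised": find_unauthorised(entries),
            "bulk": find_bulk_access(entries)}


if __name__ == "__main__":
    for finding, detail in review().items():
        print(finding, detail)
```

The two worker entries flagged (a worker viewing a colleague's record, and a manager viewing someone outside their team) and the HR user's six-record burst are the kind of patterns the investigation procedure in 2.2.3 would then follow up.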
2.2.4 Take steps to ensure the reliability of staff that have access to workers’ records.
Key points and possible actions
- Carry out background checks on staff that will have access to workers’ records, for example by taking up references.
- Review the contracts of workers who deal with personal information to ensure they include confidentiality clauses concerning the unauthorised disclosure and use of personal information.
- Set up induction training for these staff that contains explanation about their responsibilities. Organise refresher training as and when necessary.
2.2.5 Ensure that if employment records are taken off-site, e.g. on laptop computers, this is controlled. Make sure only the necessary information is taken and there are security rules for staff to follow.
Key points and possible actions
- Formulate a procedure for taking laptop computers off-site (or review the existing procedure). Include points regarding the information that may be taken off-site, security of passwords and keeping the laptop in view or secured at all times.
- Inform all workers, including senior staff, of the procedure.
2.2.6 Take account of the risks of transmitting confidential worker information by fax or e-mail. Only transmit information between locations if a secure network or comparable arrangements are in place.
Key points and possible actions
- Check that your security policy properly addresses the risk of sending and receiving worker information by e-mail or fax and review the relevant procedures.
- Ensure that all managers use a secure system if workers’ records are to be transmitted by fax.
- In the case of e-mail deploy some technical means of ensuring security, such as effective password protection and encryption.
- Advise all managers about permanently deleting e-mails that contain personal information about workers from their work-stations.
- Check whether deleted e-mails will still be kept on a server. Wherever possible ensure these too can be permanently deleted. In any case, restrict access to them.
2.3 Sickness and injury records
2.3.1 Where possible keep sickness and injury records separate from absence and accident records. Do not use sickness records for a particular purpose when records of absence could be used instead.
Key points and possible actions
- Review how sickness and accident records are currently kept.
- If necessary, change the way information on sickness and accidents is kept so that information on workers’ health is not accessed when only information on absence or the circumstances of an accident at work is needed.
- Inform those accessing both sickness/injury and absence records of when it is and is not necessary to access the full sickness or injury records.
2.3.2 Ensure that the holding and use of sickness and injury records satisfies a sensitive data condition.
Key points and possible actions
- Check current practices on the use of sickness and injury records against the sensitive data conditions in the Code.
- Take any remedial action necessary including restricting the purposes for which records can be used and/or deleting records if no condition can be satisfied.
- Inform those handling sickness and injury records of any changes in procedures or practices.
See Supplementary Guidance which explains more about the sensitive data conditions.
2.3.3 Only disclose information from sickness or injury records about an identifiable worker’s illness, medical condition or injury where there is a legal obligation to do so, where it is necessary for legal proceedings or where the worker has given explicit consent to the disclosure.
Key points and possible actions
- Ensure that all those who deal with workers’ sickness or injury records are aware in which circumstances there may be a legal obligation to disclose.
- Ensure that, when appropriate, written consent is obtained from the worker.
2.3.4 Do not make the sickness, injury or absence records of individual workers available to other workers unless it is necessary for them to do their jobs.
Key points and possible actions
- Managers can be provided with information about those who work for them in so far as this is necessary for them to carry out their managerial roles.
- No ‘league tables’ of individual records should be published.
- Ensure that managers are aware of the sensitive nature of sickness and injury records.
2.4 Pension and insurance schemes
Pension or insurance-based schemes such as those offering private medical care are usually controlled by a third party but can be administered in-house. Some employers also insure their business against sickness by key workers. These recommendations are directed at employers who are party to such schemes rather than at insurance companies or pensions providers.
2.4.1 Do not access personal information required by a third party to administer a scheme, in order to use it for general employment purposes.
Key points and possible actions
- Identify and review schemes currently in operation in your business.
- Identify where information could possibly ‘leak’ from a scheme to be used for other employment purposes.
- Identify ways of stopping this occurring, for example by passing information in sealed envelopes.
2.4.2 Limit your exchange of information with a scheme provider to the minimum necessary for operation of the scheme bearing in mind the scheme’s funding obligations.
Key points and possible actions
- Remember that if information on a worker’s sickness, injury or other sensitive data is exchanged a sensitive data condition must be satisfied.
- Bear in mind that your funding of a scheme does not give you a right to receive information about individual scheme members beyond that necessary for the operation of the scheme.
- Review the exchange of information with any scheme providers.
- Identify and eliminate any personal information passed to you by the scheme provider that is not essential to the operation of the scheme.
2.4.3 Do not use information gained from the internal trustees or administrators of pension schemes for general employment purposes.
Key points and possible actions
- Inform trustees and administrators of their general data protection responsibilities. In particular make sure they know they must not use personal information acquired in their capacity as trustee or administrator in their capacity as employer.
2.4.4 If your business takes on the role of broker or your staff act as group secretary for a private medical insurance scheme, ensure that personal information gathered is kept to a minimum, limit access to the information and do not use it for general employment purposes.
Key points and possible actions
- Consider carefully what information is actually needed to administer the scheme.
- Limit access to personal data arising from the administration of the scheme and ensure that information gathered in this context is not used for any other purposes.
2.4.5 Ensure that when a worker joins a health or insurance scheme it is made clear what, if any, information is passed between the scheme controller and the employer and how it will be used.
Key points and possible actions
- Assess the information given to workers when they join a health or insurance scheme.
- If no specific mention is made about the transfer of information, amend the documentation about the scheme accordingly.
2.5 Equal opportunities monitoring
2.5.1 Information about a worker’s ethnic origin, disability, religion or sexual orientation is sensitive personal data. Ensure that equal opportunities monitoring of these characteristics satisfies a sensitive data condition.
Key points and possible actions
- Check your organisation’s current equal opportunities monitoring against the sensitive data conditions in the Code.
- Make any necessary changes to the monitoring procedure to ensure that a sensitive data condition can always be satisfied.
See Supplementary Guidance for conditions to be satisfied.
2.5.2 Only use information that identifies individual workers where this is necessary to carry out meaningful equal opportunities monitoring. Where practicable, keep the information collected in an anonymised form.
Key points and possible actions
- Review current practices. Check whether any monitoring form gives the impression that information is anonymous, when in fact, it can be traced back to individuals.
- If identifiable information is held but it can be anonymised, do this.
- When there is no reasonable alternative but to be able to identify individuals, check whether the monitoring form states this and explains how the information is to be used.
- Ensure that identifiable information collected for equal opportunities monitoring is not used for any other purposes.
- Make any necessary changes to procedures and ensure that staff involved in monitoring understand why these changes have been made.
2.5.3 Ensure questions are designed so that the personal information collected through them is accurate and not excessive.
Key points and possible actions
- Check that questions allow people to identify themselves accurately. For example, in ethnic origin monitoring, do not limit the range of choices given so that workers are forced to make a choice that does not properly describe them.
- If you assign workers to categories ensure the record is clear that it is your assumption and not a matter of fact.
2.6 Marketing
2.6.1 Inform new workers if your organisation intends to use their personal information to deliver advertising or marketing messages to them. Give workers a clear opportunity to object (an ‘opt-out’) and respect any objections whenever received.
Key points and possible actions
- Review whether your business markets its, or anyone else’s, products or services to current or former workers.
- Ensure that any new worker who will receive marketing information from your company has been informed that this will happen.
- Ensure that a clear procedure for ‘opting-out’ is made known to all workers.
2.6.2 Do not disclose workers’ details to other organisations for their marketing unless individual workers have positively and freely indicated their agreement (an ‘opt-in’).
Key points and possible actions
- Review whether your business discloses workers’ details. If so, put in place a procedure to ensure that a worker’s details are not passed on until you have received a positive indication of agreement from him or her.
2.6.3 If you intend to use details of existing workers for marketing for the first time either in ways that were not explained when they first joined or that they would not expect, do not proceed until individual workers have positively and freely indicated their agreement (an ‘opt-in’).
Key points and possible actions
- When considering this type of campaign, construct an approval form to send to workers. Only direct material to those workers who have given a positive indication of agreement.
- Enclosing details of particular offers within a communication that workers will receive anyway, for example in a pay-slip, is acceptable as long as the offer includes an explanation of how to object.
2.7 Fraud detection
Public sector employers, in particular, use workers’ records in the prevention and detection of fraud, for example, in order to check that they are not paying state benefits to those who by virtue of their employment are not entitled to receive them. Such exercises involve the electronic comparison of data sets held for different purposes in order to identify inconsistencies or discrepancies which may indicate fraud. This is known as data matching.
2.7.1 Consult workers, and/or trade unions or other representatives before starting a data matching exercise.
Key points and possible actions
- Inform trade unions and other workers’ representatives of any proposed data matching exercise.
- Discuss how the plan will work in detail and take account of legitimate concerns raised before starting the exercise.
2.7.2 Inform new workers of the use of payroll or other information in fraud prevention exercises and remind them of this periodically.
Key points and possible actions
- Explain how fraud prevention exercises operate to new workers as part of information given about data protection.
- Set up regular reminders to workers on how the data matching exercise works – eg prior to the start of each new exercise.
2.7.3 Do not disclose worker information to other organisations for the prevention or detection of fraud unless:
- you are required by law to make the disclosure, or
- you believe that failure to disclose, in a particular instance, is likely to prejudice the prevention or detection of crime, or
- the disclosure is provided for in workers’ contracts of employment.
Key points and possible actions
- Ensure that staff who would be approached by outside agencies for this type of information understand the rules of disclosure.
2.8 Workers’ access to information about themselves
Workers, like any other individuals, have a right to gain access to information that is kept about them. This right is known as subject access.
2.8.1 Establish a system that enables your organisation to recognise a subject access request and to locate all the information about a worker in order to be able to respond promptly and in any case within 40 calendar days of receiving a request.
Key points and possible actions
- Assess what personal information about workers is in existence and who is responsible for it (See recommendation 0.3.)
- Ensure that the information is accessible.
- Establish who in the organisation is responsible for responding to subject access requests.
- Ensure that all workers who are likely to receive subject access requests can recognise them and know who to pass them to.
- Have a checklist in place listing all places where personal information might be held that should be checked.
- Use the checklist to gather all personal information in time to enable a response within 40 days.
2.8.2 Check the identity of anyone making a subject access request to ensure information is only given to the person entitled to it.
Key points and possible actions
- In smaller organisations where workers make access requests in person, identity checks may not be necessary, but in large organisations it should not simply be assumed all requests are genuine.
- Brief anyone responsible for responding to a subject access request on how to check the identity of the person making it.
2.8.3 Provide the worker with a hard copy of the information kept, making clear any codes used and the sources of the information.
Key points and possible actions
- In the checklist used to gather all personal information include a check to ensure that the information supplied is intelligible, that it includes sources and that if at all possible it is in hard copy form.
- Although a hard copy of the subject access information does not have to be provided if this would involve “disproportionate effort” some form of access to the information still has to be given.
2.8.4 Make a judgement as to what information it is reasonable to withhold concerning the identities of third parties.
Key points and possible actions
- Information released to a worker could include information that enables a third party such as another worker to be identified. The employer has to balance the worker’s right to know against an expectation of privacy that the third party might have.
- You can use the guidance on Access when Information about Third Parties is involved on page 40 of the Supplementary Guidance to help you make the necessary judgement.
- Brief those handling subject access requests on how to make decisions concerning third party information.
2.8.5 Inform managers and other relevant people in the organisation of the nature of information that will be released to individuals who make subject access requests.
Key points and possible actions
- Managers should be made aware of the extent to which information relating to them might be released to workers.
- If managers and others are aware of the extent and nature of the information that an individual could gain access to it should encourage them to record only what is truly relevant and useful.
2.8.6 Ensure that on request, promptly and in any event within 40 calendar days, workers are provided with a statement of how any automated decision-making process, to which they are subject, is used, and how it works.
Key points and possible actions
- Determine whether your organisation has any automated systems which are used as the sole basis for decision-making, for example during short-listing.
- If so, document how the system works and the basis of its decisions.
- Make this information available to those who are responsible for responding to requests about the process and make sure that they are aware of the requirement to respond within 40 calendar days.
2.8.7 When purchasing a computerised system ensure that the system enables you to retrieve all the information relating to an individual worker without difficulty.
Key points and possible actions
- Ensure that the supplier of a system that you will use to take automated decisions about workers provides the information needed to enable you to respond fully to requests for information about how the system works.
- Put in place arrangements to ensure that when systems are updated or new systems purchased they facilitate responses to subject access requests.
2.9 References
The provision of a reference about a worker from one party, such as a present employer, to another, such as a prospective employer, will generally involve the disclosure of personal data. This sub section of the Code applies not only to references given to prospective employers, but also references given in other circumstances, for example character references given in connection with legal proceedings or financial references given in connection with a worker’s application for a mortgage.
References Given:
2.9.1 Set out a clear company policy stating who can give corporate references, in what circumstances, and the policy that applies to the granting of access to them. Make anyone who is likely to become a referee aware of this policy.
Key points and possible actions
- Determine who is allowed to give corporate references; this may, for example, be done by grade. Check whether your organisation distinguishes between corporate and personal references. If not, consider doing so.
- Draw up a policy explaining how reference requests should be handled, outlining the types of information that can be provided and the extent to which workers are given access. Ensure the policy is brought to the attention of anyone who is likely to receive a reference request.
2.9.2 Do not provide confidential references about a worker unless you are sure that this is the worker’s wish.
Key points and possible actions
- As part of the policy, include a requirement that all those giving corporate references must be satisfied that the worker wishes the reference to be provided.
- As part of an Exit Policy, include on file a record of whether the worker wishes references to be provided after he/she has left.
References received:
2.9.3 When responding to a request from a worker to see his or her own reference and the reference enables a third party to be identified, make a judgement as to what information it is reasonable to withhold.
Key points and possible actions
- You can use the guidance on Access when Information about Third Parties is Involved from the Supplementary Guidance to help you make this judgement.
- Brief those responsible for responding to requests for access to references received on how to make decisions concerning third party information.
2.10 Disclosure requests
This is concerned with requests for information about individual workers that come from outside the employer’s organisation.
2.10.1 Establish a disclosure policy to tell staff who are likely to receive requests for information about workers how to respond, and to where they should refer requests that fall outside the policy rules.
Key points and possible actions
- Distribute information, based on this Code, on how to handle disclosure requests and ensure that all those likely to handle such requests receive the information.
- Give examples of situations where a member of staff might need to refer a request to a higher authority within the organisation.
- Provide contact details for the person staff should contact should they be unsure of how to deal with a disclosure request.
2.10.2 Ensure that disclosure decisions that are not covered by clear policy rules are only taken by staff who are familiar with the Act and this Code, and who are able to give the decision proper consideration.
Key points and possible actions
- Determine who will be responsible for dealing with disclosure requests not covered by the policy.
- Organise any necessary training for those who will take on this role.
2.10.3 Unless you are under a legal obligation to do so, only disclose information about a worker where you conclude that in all the circumstances it is right to do so.
Key points and possible actions
- In some cases you will be under a legal obligation to disclose. Where this is the case you have no choice but to disclose. The Act does not stand in your way provided that you disclose no more than you are obliged to.
- In some cases you will not be under an obligation to disclose but you will be able to rely on an exemption in the Act if you choose to do so. This is most likely to arise in the case of criminal or tax investigations or where legal action is involved.
- Where you can rely on an exemption in the Act you still need to take care with the disclosure of confidential or sensitive information.
- In other cases you could breach the Act if you disclose. Only disclose if, in all the circumstances, you are satisfied that it is fair to do so. Bear in mind that the duty of fairness is owed primarily to the worker. Where possible seek and take account of the worker’s views.
- Only disclose confidential information if the worker has clearly agreed or you are satisfied that despite the duty of confidence the worker’s interest or the wider public interest justifies disclosure.
- Ensure that if you intend to disclose sensitive personal data a sensitive data condition is satisfied.
2.10.4 Where a disclosure is requested in an emergency, make a careful decision as to whether to disclose, considering the nature of the information being requested and the likely impact on the individual of not providing it.
Key points and possible actions
- Make sure staff who are likely to receive such requests know whether they can handle them themselves or, if not, who to refer them to. If they handle them themselves, make them aware of their responsibility to assess the nature of the emergency and determine whether the request could be submitted in writing.
2.10.5 Make staff aware that those seeking information sometimes use deception to gain access to it. Ensure that they check the legitimacy of any request and the identity and authority of the person making it.
Key points and possible actions
- As part of the disclosure policy, make it a requirement that staff check the identity of any person making a request, the authority of the individual concerned and the basis for the request.
- Ensure that when a request is made on the basis of a stated legal obligation, it is received in writing, spelling out the legal obligation on which it is based. If the stated legal obligation is in doubt, check it against the law.
2.10.6 Where the disclosure involves a transfer of information about a worker to a country outside the European Economic Area (EEA), ensure that there is a proper legal basis for making the transfer.
Key points and possible actions
- The Act restricts the transfer of personal information outside the EEA.
- Review the Information Commissioner’s guidance at www.informationcommissioner.gov.uk: Data Protection: Your Legal Obligations: International Transfers, if you intend to pass workers’ information outside the EEA.
- Keep a record of the legal basis on which you make the transfer.
2.10.7 Inform the worker before or as soon as is practicable after a request has been received that a non-regular disclosure is to be made, unless prevented by law from doing so, or unless this would constitute a “tip off” prejudicing a criminal or tax investigation.
Key points and possible actions
- For each non-regular disclosure, make a judgment as to whether the worker can be informed and whether a copy of the information can be provided to him or her. (A reminder of this could be placed in any system for handling non-regular disclosures.)
- In cases where the information can be provided to the worker do so as soon as possible.
2.10.8 Keep a record of non-regular disclosures. Regularly check and review this record to ensure that the requirements of the Act are being satisfied.
Key points and possible actions
- Set up a system for non-regular disclosures recording the details of the person who made the disclosure, the person who authorised it, the person requesting the disclosure, the reasons for the disclosure, the information disclosed and the date and time.
- Also set up a system to regularly check and review this record.
2.11 Publication and other disclosures
2.11.1 If publishing information about workers ensure that:
- there is a legal obligation to do so, or
- the information is clearly not intrusive, or
- the worker has consented to disclosure, or
- the information is in a form that does not identify individual workers.
Key points and possible actions
- An employer must balance the benefits of publishing information about workers with the reasonable expectations of its workers that their employer will respect the privacy of their personal information.
- Assess the current information published about named workers (eg in annual reports or on the website or in other publications) and the basis on which this takes place.
- Determine whether it is necessary to obtain consent from workers who are named and if so, set up an arrangement for obtaining consent from workers who are named in publications in the future.
2.11.2 Where information about workers is published on the basis of consent, ensure that when the worker gives consent he or she is made aware of the extent of information that will be published, how it will be published and the implications of this.
Key points and possible actions
- In any arrangement for obtaining consent for the publication of information on named workers, ensure that the worker is made aware of the full extent of any information to be published and where it is to be published. This is particularly important if information is to be published on the internet.
2.11.3 Personal information about workers should only be supplied to a trade union for its recruitment purposes if:
- the trade union is recognised by the employer,
- the information is limited to that necessary to enable a recruitment approach, and
- each worker has been previously told that this will happen and has been given a clear opportunity to object.
Key points and possible actions
- If your organisation has a recognised trade union that is requesting personal information about workers for a recruitment drive, inform all workers and give them an opportunity to object if they so wish.
2.11.4 Where staffing information is supplied to trade unions in the course of collective bargaining, ensure the information is such that individual workers cannot be identified.
Key points and possible actions
- Review your arrangements for the supply of information in connection with collective bargaining to ensure that in future all information on workers is supplied in an anonymised form.
2.12 Merger, acquisition, and business re-organisation
Business mergers and acquisitions will generally involve the disclosure of information about workers. This may take place during evaluation of assets and liabilities prior to the final merger or acquisition decision. Once a decision has been made disclosure is also likely to take place either in the run-up to or at the time of the actual merger or acquisition. A similar situation arises in business re-organisations that involve the transfer of workers’ employment from one legal entity to another. This sub-section of the Code will be relevant to such situations.
2.12.1 Ensure, wherever practicable, that information handed over to another organisation in connection with a prospective acquisition, merger or business re-organisation is anonymised.
Key points and possible actions
- Ensure that in any merger or acquisition situation, those responsible for negotiation are aware of the Code, including its provisions on sensitive data.
- Assess any request for personal information from the other organisation. If at all possible, limit the information given to anonymised details.
2.12.2 Only hand over personal information prior to a final merger or acquisition decision after securing assurances that it will be used solely for the evaluation of assets and liabilities, it will be treated in confidence and will not be disclosed to other parties, and it will be destroyed or returned after use.
Key points and possible actions
- Remind those negotiating that they must receive strict assurances about how personal information will be used and what will happen to it should discussions end.
- Consider setting up a “data room” with accompanying rules of access.
2.12.3 Unless it is impractical to do so, tell workers if their employment records are to be disclosed to another organisation before an acquisition, merger or re-organisation takes place. If the acquisition, merger or re-organisation proceeds make sure workers are aware of the extent to which their records are to be transferred to the new employer.
Key points and possible actions
- In some circumstances “insider trading” or similar restrictions will apply. An example is where providing an explanation to workers would alert them to the possibility of a takeover of which they would otherwise be unaware and could thereby affect the price of a company’s shares. The obligation to provide an explanation to workers is lifted in such circumstances.
2.12.4 Where a merger, acquisition or re-organisation involves a transfer of information about a worker to a country outside the European Economic Area (EEA) ensure that there is a proper basis for making the transfer.
Key points and possible actions
- Review the Information Commissioner’s guidance at www.informationcommissioner.gov.uk: Data Protection: Your Legal Obligations: International Transfers if you intend to pass workers’ information outside the EEA.
- Check that there is a legal basis for the transfer that you intend to make.
2.12.5 New employers should ensure that the records they hold as a result of a merger, acquisition or re-organisation do not include excessive information, and are accurate and relevant.
Key points and possible actions
- Remember that a new employer’s use of workers’ information acquired as the result of a merger, acquisition or re-organisation is constrained by the expectations the workers will have from their former employer’s use of information.
- When taking over an organisation assess what personal information you now hold as outlined in 0.3 and 0.4.
2.13 Discipline, grievance and dismissal
2.13.1 Remember that the Data Protection Act applies to personal information processed in relation to discipline, grievance and dismissal proceedings.
Key points and possible actions
- Assess your organisation’s disciplinary procedures and grievance procedures. Consider whether they need to be amended in the light of the Code.
- Ensure that managers are aware that subject access rights apply even if responding to a request might impact on a disciplinary or grievance investigation or on forthcoming proceedings, unless responding would be likely to prejudice a criminal investigation.
- Ensure that those involved in investigating disciplinary matters or grievances are aware that they must not gather information by deception.
- Ensure that records used in the course of proceedings are of good enough quality to support any conclusion drawn from them.
- Ensure that all records are kept securely.
- Check that unsubstantiated allegations have been removed unless there are exceptional reasons for retaining some record.
2.13.2 Do not access or use information you keep about workers merely because it might have some relevance to a disciplinary or grievance investigation if access or use would be either:
- incompatible with the purpose(s) you obtained the information for, or
- disproportionate to the seriousness of the matter under investigation.
Key points and possible actions
- Make those in the organisation who are likely to carry out investigations aware that they do not have an unrestricted right of access to all information held about workers under investigation.
- Put in place a system to ensure that decisions on whether access is justified take into account the provisions of this Code and the Act.
2.13.3 Ensure that there are clear procedures on how “spent” disciplinary warnings are handled.
Key points and possible actions
- Determine what is meant by a “spent” warning in your organisation. Assess the disciplinary procedure and decide whether it needs to be amended to clarify what happens once a warning period has expired.
- Set up a diary system, either manual or computerised, to remove spent warnings from individuals’ records, if this is a requirement of your procedure.
2.13.4 Ensure that when employment is terminated the reason for this is accurately recorded, and that the record reflects properly what the worker has been told about the termination.
Key points and possible actions
- Ensure that if a worker has resigned, even if asked to do so, this is recorded on his or her record as “resigned” rather than “dismissed”.
2.14 Outsourcing data processing
Frequently, organisations do not process all the information they hold on workers themselves but outsource this to other organisations. Such organisations are termed ‘data processors’ in the Data Protection Act.
2.14.1 Satisfy yourself that any data processor you choose adopts appropriate security measures both in terms of the technology it uses and how it is managed.
Key points and possible actions
- Check whether the data processor has in place appropriate security measures. Is it, for example, certified to BS7799?
- Check that the processor actually puts their security measures into practice.
2.14.2 Have in place a written contract with any data processor you choose that requires it to process personal information only on your instructions, and to maintain appropriate security.
Key points and possible actions
- If there is no contract, put one in place.
- Check that any contract you have with a data processor includes clauses ensuring proper data security measures.
2.14.3 Where the use of a data processor would involve a transfer of information about a worker to a country outside the European Economic Area (EEA), ensure that there is a proper basis for making the transfer.
Key points and possible actions
- Review the Information Commissioner’s guidance at www.informationcommissioner.gov.uk: Data Protection: Your Legal Obligations: International Transfers if you intend to pass workers’ information outside the EEA.
- Check that there is a legal basis for the transfer that you intend to make.
2.15 Retention of records
See Part 1: Recruitment and Selection for specific recommendations on retention of recruitment records.
2.15.1 Establish and adhere to standard retention times for the various categories of information to be held on the records of workers and former workers. Base the retention times on business need taking into account relevant professional guidelines.
Key points and possible actions
- Remember that the Act does not override any statutory requirement to retain records, for example, in relation to income tax or certain aspects of health and safety.
- Only retain information on records that is still needed; eliminate personal information that is no longer of any relevance, once the employment relationship has ended.
- As far as possible set standard retention times for categories of information held in employment records. Consider basing these on a risk analysis approach.
- Assess who in your organisation retains employment records (see 0.3). Make sure no one retains information beyond the standard retention times unless there is a sound business reason for doing so.
- If possible, set up a computerised system which flags information retained for more than a certain time as due for review or deletion.
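The computerised flagging system described above, together with the diary for spent disciplinary warnings in 2.13.3, as an added example (not part of the Code): a retention schedule per record category, a statutory-minimum flag for records the Act does not override (such as tax records), and a review window before deletion. The category names, retention periods and sample records are constructed placeholders, not figures from the Code.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RETENTION_SCHEDULE = {  # constructed: category -> (retention days, statutory minimum?); placeholder periods
    "disciplinary_warning": (365, False),   # warning period; "spent" after it (2.13.3)
    "payroll_tax": (6 * 365, True),         # statutory: the Act does not override tax record-keeping
    "general_employment": (2 * 365, False), # business-need period after employment ends
}
REVIEW_GRACE_DAYS = 30  # human check window before non-statutory records are deleted
@dataclass
class Record:
    worker_id: str
    category: str
    created: date                            # date the record was made
    employment_ended: Optional[date] = None  # None while the worker is still employed

def review_status(rec: Record, today: date) -> str:
    days, statutory = RETENTION_SCHEDULE[rec.category]
    if rec.category == "disciplinary_warning":
        start = rec.created                  # a warning runs from the date it was given
    elif rec.employment_ended is None:
        return "retain"                      # other records stay for the whole employment
    else:
        start = rec.employment_ended
    expiry = start + timedelta(days=days)
    if today < expiry:
        return "retain"
    if rec.category == "disciplinary_warning":
        return "delete"                      # spent warning: remove it from the record
    if statutory or today < expiry + timedelta(days=REVIEW_GRACE_DAYS):
        return "review"                      # statutory minimum met, or inside the grace window
    return "delete"

def retention_report(records: List[Record], today: date) -> Dict[str, List[str]]:
    report: Dict[str, List[str]] = {"retain": [], "review": [], "delete": []}
    for rec in records:                      # group worker ids by status so the list can be actioned
        report[review_status(rec, today)].append(rec.worker_id)
    return report
TODAY = date(2024, 6, 1)  # constructed review date
def sample_records() -> List[Record]:        # constructed records covering each branch
    return [
        Record("w1", "disciplinary_warning", date(2023, 1, 15)),                 # spent
        Record("w2", "disciplinary_warning", date(2024, 1, 15)),                 # still live
        Record("w3", "general_employment", date(2019, 1, 1)),                    # still employed
        Record("w4", "general_employment", date(2019, 1, 1), date(2022, 1, 1)),  # past grace
        Record("w5", "general_employment", date(2019, 1, 1), date(2022, 5, 15)), # in grace
        Record("w6", "payroll_tax", date(2015, 1, 1), date(2017, 4, 5)),         # statutory met
        Record("w7", "payroll_tax", date(2020, 1, 1), date(2023, 1, 1)),         # within statutory
    ]
```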
2.15.2 Anonymise any information about workers and former workers where practicable.
Key points and possible actions
- Where statistical information only is required, anonymised records should be sufficient.
2.15.3 If the holding of any information on criminal convictions of workers is justified, ensure that the information is deleted once the conviction is ‘spent’ under the Rehabilitation of Offenders Act.
Key points and possible actions
- Use a computerised or manual system to ensure spent convictions are deleted from the system.
- Identify if your organisation may be justified in making exceptions to this, for example, certain convictions held in connection with workers who work with children.
2.15.4 Ensure that records which are to be disposed of are securely and effectively destroyed.
Key points and possible actions
- Review arrangements for dealing with old records to ensure they are securely disposed of and advise anyone holding employment records of these arrangements for disposal.
- Do not assume that pressing the “delete” key on a computer based system necessarily removes a record completely from the system. Check that computer records that are to be deleted are in practice removed completely.
- Make sure that computer equipment that has held employment records is never sold on unless you are sure the records have been fully removed.