The (draft) Code of Practice on the Use of Personal Data in Employer/Employee Relationships

The Data Protection Act 1998 (the "Act") enacts in the UK the provisions of the EU Data Protection Directive and came into force on 1 March 2000, replacing the Data Protection Act 1984. Controversially, it regulates the collection, processing and disclosure of personal data and, in recent months, it has attracted considerable publicity due to the introduction of a code applying the provisions of the Act to the employment context.

This article highlights some areas of potential concern for businesses when considering their compliance with the provisions of the Act. In order to understand the code it is, however, necessary to consider, in general terms, the provisions of the Act.

Broadly, the purposes of the Act are two-fold:

• to regulate the way in which persons who own or control data relating to living individuals can store, analyse, use, transfer or destroy that data (referred to collectively as "processing" that data); and

• to provide individuals identified in or identifiable from such data with a right of access to, and a right of control over their data whilst it is in the hands of another.

The Act states that such data must:

1. be processed fairly and lawfully and (in accordance with certain processing conditions);

2. be obtained, and thereafter processed, for a specified or lawful purpose;

3. be adequate, relevant and not excessive for the specified or lawful purposes;

4. be accurate and kept up to date;

5. not be kept for longer than is necessary for the specified or lawful purposes;

6. be processed in accordance with the rights of individuals to whom the data relates;

7. be secure against unlawful processing, accidental loss or destruction; and

8. not be transferred outside the European Economic Area save in certain limited circumstances.

Subject to fulfilling certain requirements an individual can make a request, in writing, to persons suspected of holding data in which that individual is identified or capable of being identified. The recipient of the request must normally respond within 40 working days. The response should state whether or not it processes personal data relating to that individual and, if it does, give a description of that data, its reasons for processing that data and details as to the identity of persons to whom the data might be disclosed.

In practice, businesses will therefore have to establish procedures to deal with requests in what may prove to be a demanding timetable.

An individual is also entitled, by notice in writing, to require that a person holding or controlling data relating to him should cease (or not begin) processing that data if that processing would cause substantial and unwarranted damage or distress to him or another. The data controller must respond to such a notice within 21 days.

An individual can normally claim damages against a person who processes data in breach of the legislation. Reasonable care is, however, a defence.

An individual is entitled, by notice in writing, to prevent data which relates to him from being processed for the purposes of direct marketing.

Although some decisions are exempt, an individual can normally, by notice in writing, require that any decision which significantly affects him and which was taken solely by an automated process be retaken by a human.

An individual may also request that the Information Commissioner (whose office was created by the Act) uses her discretion to investigate specific cases of non-compliance with the DPA. The Commissioner has the power to issue persons with an "information notice" requesting any information which she may require in order to determine whether that person has complied with the Act.

An individual can also apply to court for an order that a person should rectify, block, erase or destroy inaccurate data.

A person must notify (i.e. register with) the Commissioner if it (or a person acting on its behalf) is to process data which identifies living individuals or from which such individuals are capable of being identified. A failure to notify amounts to a criminal offence, and there are very few exemptions to this requirement.

Unless disclosure of data capable of identifying an individual is necessary for the performance of a contract with that individual, the data should not be disclosed to third parties without the consent of the individual.

Where the Commissioner issues an enforcement or information notice the recipient must comply with that notice. Persons must also respond in accordance with the Act to requests from individuals for access to information as to data held which identifies them. A failure to comply with these provisions may amount to an offence. The officers of a company which has breached these provisions may also be guilty of an offence.

The provisions of the Act inevitably impact upon the employer / employee relationship. It is clear, however, that the Act also reaches further than the traditional employment relationship to former employees, applicants (both successful and unsuccessful), agency workers, casual workers and also contract workers.

As part of her role under the Act the current Commissioner published a Draft Code of Practice on the Use of Personal Data in Employer / Employee Relationships (the "Draft Code") for consultation and comments between 6 October 2000 and 5 January 2001. The final version, which is to be published in stages over the course of this year, has been renamed the Employment Practices Data Protection Code (the "Code"). At the time of writing only the first part of the Code (which deals primarily with recruitment and selection) has been published. The Code will not be legally binding but is intended to interpret the Act for the employment context and to provide guidance as to best practice.

The publication of the final version of the Code does not change any of the rights and obligations which have been in existence since the Act came into force. On the other hand, the publication of the final version of the Code has already generated significant publicity and will continue to do so as further instalments are published. This will increase awareness among employees. It is therefore advisable for businesses to act now to update their existing practices to comply with the Data Protection Principles (discussed above) and also begin to implement further procedures for dealing with requests for access to data which may be received from individuals.

The Commissioner clearly sees the Act as having vast implications for the employment relationship, and as a result the Draft Code dealt with most aspects of the employment relationship from recruitment through to termination and even beyond.

The first part of the final version of the Code, which was published in March 2002, deals with the following issues:

The Code states that a person within the employer organisation should be responsible for ensuring that employment practices and procedures comply with the Act and states that mechanisms should be established for dealing with the collection, retention, destruction, and security of data concerning employees.

In addition to gaining the applicant’s consent for the uses to which information sought in relation to them will be put, the following issues should be considered in relation to recruitment:

(i) the information which should be given to the applicant;

(ii) the nature of information which should be sought in relation to an applicant;

(iii) the wording of the job advertisement;

(iv) the handling of the application;

(v) verification of information received from candidates;

(vi) short-listing;

(vii) selection testing;

(viii) conduct of interviews;

(ix) pre-employment vetting; and

(x) retention of recruitment records.

The remainder of the Code, which is to be published in the coming months, is likely to deal with the following areas:

When the remainder of the Code is published later this year, its significance is likely to lie primarily in the enhanced profile which data protection and the rights established by the Act will (and are already beginning to) enjoy. For employers, this will mean developing procedures to deal with their existing day-to-day obligations under the Act. For employees and applicants, this will mean greater control over their own personal data, and increased awareness of how that data is being used.

Mechanisms should therefore be put in place now, not only to enable requests from individuals to be dealt with quickly, but also to ensure that adherence to the Data Protection Principles becomes part of everyday employment practice.