Part 2 of the Employment Practices Data Protection Code is now available on the Information Commissioner's website. This part of the Code sets out the Commissioner's recommendations on how to comply with the Data Protection Act 1998 (the "Act") in relation to the management of employment records.

The Code is available on the Information Commissioner's website under "Codes of practice, our responses & other papers". The Code includes guidance on the following areas:

Collecting and keeping employment records
The emphasis here is on transparency, ensuring workers are made aware of the employer's retention policy and their own rights of access, and on regular checks that the records held are necessary, relevant and accurate.

Security
Whether in paper or electronic form, workers' personal information should be transmitted and stored safely and access should be restricted to those who have a legitimate business need to see it. Background checks, training and confidentiality agreements are all recommended to ensure the reliability of those employees requiring access to records. The Commissioner also recommends that employers should be able to fully delete e-mails, including back-up copies on a server, unless there is an overriding business need to retain them - in which case access to the servers should be restricted.

Sickness and accident records
A distinction is made between "absence records" (which record the absence but do not specify the details of any sickness/accident causing it) and "sickness records" or "accident records" (which specify the type of sickness/accident). Employers should not access sickness/accident records, as opposed to absence records, unless there is a legitimate need to do so. Employers may need to revise their sickness reporting procedures to accommodate this.

Pension and insurance schemes
The golden rule here is that personal information given to or provided by pension scheme trustees or insurance providers should not be used by employers for other purposes. Employees should be informed what information will be provided if they join the scheme and how it will be used.

Workers' access to information about themselves
The Act gives workers the right to know what information is kept about them. The Code recommends establishing a policy to ensure such a "subject access request" (which need not expressly refer to the Act) is dealt with properly, including checking the identity of the person making the request and notifying other employees if information relating to them will be released in the course of giving access. The guidance states that employers will not usually be required to search through all e-mail records merely on the off-chance that there may be a message relating to the worker concerned - for the e-mail to be covered by the access provisions, the worker must be the subject of the e-mail and not, for example, just a recipient. However, the employer might be expected to check the mail box of the worker's manager.

References, disclosure requests and publication
A policy should be devised to deal with requests from third parties for references or for disclosure of other worker details, including procedures for checking the identity of the third party and, where appropriate, obtaining the worker's consent. Information about identifiable workers should only be published if they have given consent, if it is required by law (eg in company annual reports), or if the information is clearly not intrusive. Normally, identifiable information should not be given to trade unions for collective bargaining, as aggregated or statistical information should suffice.

Mergers and acquisitions
Personal data provided to a potential purchaser/merger partner should be anonymised as far as possible and formal confidentiality obligations put in place. Workers should be informed in advance, if practicable – although the Code notes that companies may be relieved of the obligation to inform workers of the disclosure if this could affect the price of a company's shares or, possibly, if it would breach commercial confidentiality obligations. After the transaction has taken place, the new employer should ensure the records do not include excessive information and are accurate – eg by checking the accuracy of a sample of records with the workers concerned within a few months of the transaction. There are additional requirements where the information is to be transferred outside the EEA.

Discipline, grievance and dismissal
Information about workers should not be used for disciplinary or grievance investigations where this would be incompatible with the purpose for which it was collected, nor where the use of that information would be disproportionate to the seriousness of the matter under investigation. Evidence should only be made available to persons required to access it. Subject access rights apply even during a disciplinary investigation prior to the hearing (unless access would prejudice the investigation of criminal matters). Records of unsubstantiated allegations should not be retained after the investigation (unless, perhaps, where they relate to bullying or abuse). The employer should state clearly how "spent" disciplinary warnings are handled, i.e. whether they are removed from the record or simply not taken into account for future disciplinary incidents. The reason for termination should be properly recorded.

Retention of records
The employer should formulate a retention policy covering the different types of employment records held, dependent on business need and any professional guidelines (and bearing in mind its obligations under various pieces of legislation to retain certain records). A risk analysis should be carried out, taking into account the consequences of not having the information available, the frequency with which such information is needed and accessed, and the principle of proportionality. Information should be kept anonymised if this would satisfy the purpose of retaining it. At the expiry of the retention period, records should be securely destroyed.


There is also guidance on equal opportunities monitoring, marketing to employees, fraud detection and outsourcing data processing. Section 3 includes some useful further information on subject access requests while Section 5 is a valuable checklist for employers to assist in implementing the Code.

As with Part 1 (on recruitment and selection), Part 2 is a "pre-publication version" - the four parts of the Code will not be formally published until all are complete, although there are unlikely to be any substantive changes. Part 3 of the Code (monitoring at work) is expected in the next two months and Part 4 (on medical information) by the end of 2002.

© Herbert Smith 2002

The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.
