Part 2 of the Employment Practices Data Protection Code is now available on the Information Commissioner's website. This part of the Code sets out the Commissioner's recommendations on how to comply with the Data Protection Act 1998 (the "Act") in relation to the management of employment records.
The Code is available on the Information Commissioner's website under "Codes of practice, our responses & other papers". The Code includes guidance on the following areas:
Collecting and keeping employment records
The emphasis here is on transparency, ensuring workers are made aware of the employer's retention policy and their own rights of access, and on regular checks that the records held are necessary, relevant and accurate.
Security
Whether in paper or electronic form, workers' personal information should be transmitted and stored safely, and access should be restricted to those who have a legitimate business need to see it. Background checks, training and confidentiality agreements are all recommended to ensure the reliability of those employees who require access to records. The Commissioner also recommends that employers should be able to delete e-mails fully, including back-up copies held on a server, unless there is an overriding business need to retain them, in which case access to the back-up servers should be restricted.
Sickness and accident records
A distinction is made between "absence records" (which record the absence but do not specify the details of any sickness/accident causing it) and "sickness records" or "accident records" (which specify the type of sickness/accident). Employers should not access sickness/accident records, as opposed to absence records, unless there is a legitimate need to do so. Employers may need to revise their sickness reporting procedures to accommodate this.
Pension and insurance schemes
The golden rule here is that personal information given to or provided by pension scheme trustees or insurance providers should not be used by employers for other purposes. Employees should be informed what information will be provided if they join the scheme and how it will be used.
Workers' access to information about themselves
The Act gives workers the right to know what information is kept about them. The Code recommends establishing a policy to ensure that such a "subject access request" (which need not expressly refer to the Act) is dealt with properly, including checking the identity of the person making the request and notifying other employees if information relating to them will be released in the course of giving access. The guidance states that employers will not usually be required to search through all e-mail records merely on the off-chance that there may be a message relating to the worker concerned: for an e-mail to be covered by the access provisions, the worker must be the subject of the e-mail, not merely, for example, one of its recipients. However, the employer might be expected to check the mailbox of the worker's manager.
References, disclosure requests and publication
A policy should be devised to deal with requests from third parties for references or for disclosure of other worker details, including procedures for checking the identity of the third party and, where appropriate, obtaining the worker's consent. Information about identifiable workers should only be published if they have given consent, if it is required by law (eg in company annual reports), or if the information is clearly not intrusive. Normally, identifiable information should not be given to trade unions for collective bargaining, as aggregated or statistical information should suffice.
Mergers and acquisitions
Personal data provided to a potential purchaser/merger partner should be anonymised as far as possible and formal confidentiality obligations put in place. Workers should be informed in advance, if practicable, although the Code notes that companies may be relieved of the obligation to inform workers of the disclosure if doing so could affect the price of a company's shares or, possibly, if it would breach commercial confidentiality obligations. After the transaction has taken place, the new employer should ensure that the records do not include excessive information and are accurate, eg by checking the accuracy of a sample of records with the workers concerned within a few months of the transaction. There are additional requirements where the information is to be transferred outside the EEA.
Discipline, grievance and dismissal
Information about workers should not be used for disciplinary or grievance investigations where this would be incompatible with the purpose for which it was collected, nor where the use of that information would be disproportionate to the seriousness of the matter under investigation. Evidence should only be made available to those who need to access it. Subject access rights apply even during a disciplinary investigation prior to the hearing (unless access would prejudice the investigation of criminal matters). Records of unsubstantiated allegations should not be retained after the investigation (except, perhaps, where they relate to bullying or abuse). The employer should state clearly how "spent" disciplinary warnings are handled, i.e. whether they are removed from the record or simply not taken into account in future disciplinary proceedings. The reason for termination should be properly recorded.
Retention of records
The employer should formulate a retention policy covering the different types of employment records held, dependent on business need and any professional guidelines (and bearing in mind its obligations under various pieces of legislation to retain certain records). A risk analysis should be carried out, taking into account the consequences of not having the information available, the frequency with which such information is needed and accessed, and the principle of proportionality. Information should be kept in anonymised form if this would satisfy the purpose of retaining it. At the expiry of the retention period, records should be securely destroyed.
There is also guidance on equal opportunities monitoring, marketing to employees, fraud detection and outsourcing data processing. Section 3 includes some useful further information on subject access requests while Section 5 is a valuable checklist for employers to assist in implementing the Code.
As with Part 1 (on recruitment and selection), Part 2 is a "pre-publication version" - the four parts of the Code will not be formally published until all are complete, although there are unlikely to be any substantive changes. Part 3 of the Code (monitoring at work) is expected in the next two months and Part 4 (on medical information) by the end of 2002.
© Herbert Smith 2002
The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.
For more information on this or other Herbert Smith publications, please email us.