Data Protection and employment practice (3)

Our third guidance note on data protection covers the Employment Practices Data Protection Code Part 1: Recruitment and Selection. The Code aims to help employers develop good data protection practices in their recruitment and selection activities.

One of the duties of the Information Commissioner under the Data Protection Act 1998 ("the DPA") is to "prepare and disseminate . . . Codes of Practice for good guidance as to good practice" (s.51(3) of the DPA). In performance of this duty, in March 2002, the Commissioner issued the first of a four-part Code of Practice entitled the Employment Practices Data Protection Code. Part 1 relates to recruitment and selection. Part 2, soon to be released, will cover employment records (collection, storing, disclosing and deleting records). The final two parts on monitoring at work (monitoring workers' use of telephone or email systems and vehicles) and medical information (occupational health, medical testing, drug and genetic screening) will follow when completed. They will not be formally published as one Code until all four booklets have been completed but will appear on the Commissioner's website[1] as they are released.

The Information Commissioner lists[2] the following among the factors that prompted her to produce the Code:

  • The extension of data protection law to cover paper records.

  • Developments in technology that allow for intrusive monitoring of workers to take place more readily than in the past.

  • The blurring of the distinction between private and working life. More people are working from home and using equipment for both business and domestic purposes.

  • The growth in the potential for intrusive testing of individuals, including medical/genetic testing and testing for alcohol or drugs.

    This guidance note, number three in our series on data protection, examines in detail the provisions of Part 1 of the Code. Subsequent guidance notes will deal with the other three parts as and when they are published. The main points to note are set out in Data protection: Private papers.

    Purpose of the Code

    Part 1 of the Code is "written primarily for businesses where the employment of staff constitutes a significant activity", although it is envisaged that much of the content will be applicable to any employer. How relevant each aspect of the Code will be to an organisation will depend on the size and nature of the business. In the case of small businesses where data protection issues arise only rarely, the Code may be used only as a reference document. The Commissioner envisages that it is more likely to be put to practical use by human resources managers in medium to large businesses.

    As we have seen in our earlier guidance notes in this series (IRLB 688 and 689), the DPA imposes certain legal obligations upon data controllers (employers) to process personal data about data subjects (employees) according to the Data Protection Principles and the Act's other requirements. Breaches of the DPA can lead to criminal offences being committed. The Code explains how an organisation can comply with the DPA in the context of recruitment and selection. The interpretation of the DPA is, in many areas, not without difficulty. The Code, organised as it is in the form of benchmarks, notes and examples, checklists and action points, develops and applies the DPA in the context of employment practices and thereby helps organisations, particularly those with limited experience of dealing with data protection issues, to comply with the DPA.

    Other benefits from implementing the Code may include better relationships between employers and employees, compliance with other legislation such as the Human Rights Act 2000, and efficiencies in storing and managing data.

    Status of the Code

    Part 1 of the Code does not have the legal status of the DPA and employers are under no legal obligation to comply with it in the same way as with the DPA. However, with its purpose being to bring about compliance with the DPA, and its content forming the Commissioner's recommendations as to how the legal requirements of the DPA can be met, employers cannot simply ignore its provisions. Relevant benchmarks may be cited by the Commissioner in connection with any enforcement action by her under the DPA. "Disregard for the data protection requirements that particular benchmarks are designed to help organisations meet is likely to mean that an employer will not comply with the Act," the Code says. But an employer may meet its requirements under the DPA in alternative ways.

    Part 1 of the Code is divided into five sections. Section 1 deals with the background, answering questions about the DPA and the Code. Section 2, on the Code itself, provides the benchmarks that organisations need to meet in their recruitment and selection practices. Section 3 provides further information on the Code and includes useful addresses. Section 4 answers several frequently asked questions. Section 5 covers checklists and action points for the practical implementation of the Code's recommendations.

    Background to the Code

    Parts 1 and 2 of our guidance notes in this series provided a detailed examination of the DPA and its requirements which form the background to the Code. We saw that the DPA regulates the processing by data controllers of personal data in the UK. We noted the wide meanings given to the terms "processing" and "personal data" - the former effectively covering any action involving data, and the latter encompassing any data relating to a living individual from which that individual can be identified, or from which, together with other information in the possession of, or likely to come into the possession of the data controller, that individual can be identified. This includes any expression of opinion about the individual, and any indication of the intentions of the data controller or any other person in respect of that individual.

    We also saw that "personal data" now encompasses manual records as well as computerised data, and that the expiry of the first period of transitional relief on 23 October 2001 effectively meant that full compliance with the DPA's provisions by data controllers is now required. We noted that the DPA worked by:

  • providing data subjects with specified rights: of access to personal data held about them; to prevent processing likely to cause damage or distress; in relation to automated decision-making; to compensation; and in relation to inaccurate data; and

  • imposing certain fundamental obligations upon data controllers, notably, those of notification with the Commissioner, abidance by a set of eight Data Protection Principles and observation of data subjects' rights.

    Part 1 of the Code is concerned with data that employers might collect and keep on "workers". Broadly defined, the term "worker" covers any individual who might wish to work, who works or who has worked for the employer. This includes successful and unsuccessful job applicants and former job applicants; and current and former employees, agency workers, casual workers and contract workers. Most information processed by an employer about any such person will fall within the scope of the DPA and the Code.

    The provisions of the Code

    The broad meanings given by the DPA to the key words that define its scope and the nature of its requirements - "data", "personal data" and "processing" - clearly indicate that most recruitment and selection exercises will involve employers in processing personal data about job applicants.

    While employers need to be able to carry out such exercises effectively, the DPA and the Code are concerned with ensuring that this need is balanced against the job applicant's right to respect for his or her private life, enshrined in article 8 of the European Convention on Human Rights and Fundamental Freedoms. Section 2 of the Code sets out benchmarks designed to help organisations achieve this balance, together with accompanying notes and examples that further explain each individual benchmark.

    Handling sensitive personal data during recruitment

    Sensitive personal data are data on the following:

  • racial or ethnic origin;

  • political opinions;

  • religious or other similar beliefs;

  • trade union membership within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992;

  • physical or mental health or condition;

  • sexual life; and

  • offences or alleged offences, or information regarding any proceedings for offences committed or allegedly committed by the data subject, including the outcome of those proceedings.

    We noted in Data protection and employment practice (1) that such data receive special protection under the DPA. Not only is an employer required to meet at least one of the Schedule 2 conditions in respect of their processing, but it also has to ensure that at least one Schedule 3 condition is fulfilled. We also noted that additional Schedule 3 conditions have been developed by Regulations (the Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI No.417)).

    In section 3 of the Code, the Commissioner sets out the Schedule 3 conditions she considers most likely to be relevant to the processing of sensitive personal data during the recruitment and selection process.

    These are that the processing is necessary in the following circumstances:

  • For exercising or performing any legal right or obligation upon the data controller in connection with employment.

  • For any legal proceedings (including prospective legal proceedings); for obtaining legal advice; or for establishing, exercising or defending legal rights.

  • Where the processing concerns information in categories relating to racial or ethnic origin, religious or other beliefs, or physical or mental health that is necessary for the purpose of identifying or keeping under review the existence or absence of equal opportunities or treatment, and there are appropriate safeguards for the rights and freedoms of data subjects.

    (These first three points are discussed further below.)

  • For exercising any functions conferred on any person by or under an enactment or for the exercise of any functions of the Crown, a minister of the Crown or a government department. The Commissioner envisages that this condition will be of relevance in public sector recruitment and selection where the particular body is under a specific legal duty in relation to the qualifications, attributes, background or probity of workers. It will also be applicable where the public sector body concludes that it is necessary for it to process such sensitive personal data as criminal convictions relating to applicants or, exceptionally, their family or close associates, in the discharge of its wider statutory functions - for example, in the recruitment of police officers or prison officers.

  • Where the data subject has given explicit consent to the processing. For this requirement to be fulfilled, the applicant must have been told clearly what personal data are involved and the use to which they will be put. Explicit consent involves the applicant giving "a positive indication of agreement", eg a signature. Consent must also be freely given. Because of this, the Commissioner takes the view that it can be relied upon in the context of employment only to a limited extent. However, in relation to recruitment and selection, job applicants usually have a free choice as to whether or not to apply for a particular job. The fact that consent to some processing of sensitive personal data is a condition of an application does not, in the Commissioner's view, prevent the consent being freely given if it is clear to the applicant exactly what he or she is consenting to. As recruitment proceeds, however, the Code states that it becomes less likely that valid consent can be obtained if, for example, the direct consequence of not consenting is the withdrawal of a job offer.

    Legal rights or obligations

    Legal rights or obligations to which an employer may be subject in its processing of sensitive personal data may arise from statute and the common law as developed by case law. For example, both at common law and under the Health and Safety at Work etc Act 1974 and related Regulations, employers have a duty to take reasonable care for their employees' health and safety at work. Wilsons and Clyde Coal Co Ltd v English[3] embodies the classic common law expression of this duty, including that an employer must provide competent and safe work colleagues. Moreover, by virtue of the application of the common law principle of vicarious liability, employers may be held liable for injuries to their employees caused by the negligence of fellow employees arising out of and in the course of employment. This means that an employer must not be negligent in its recruitment and/or selection of staff for particular work.

    An employer must also ensure that its recruitment and selection processes do not fall foul of anti-discrimination law (see below). Moreover, it must check the immigration status of job applicants before employment, in accordance with the Asylum and Immigration Act 1996.

    It might therefore be necessary, for any or all of these purposes, for an employer to collect relevant information from a job applicant during the recruitment and selection process that might amount to sensitive personal data. "Necessary", in this context, means necessary for exercising or performing the legal right or obligation. In some cases, this might mean that the employer is restricted to collecting the information only from the successful applicant rather than from every individual on its shortlist.

    Legal proceedings and equal opportunities

    A prospective employer might rely on the "legal proceedings" condition to process sensitive personal data in order to defend itself against a claim of unlawful discrimination by a job applicant.

    Processing that is "necessary" for equal opportunities purposes means that "wherever practicable, monitoring should be based on anonymous or aggregated information".

    The Sex Discrimination Act 1975 ("the SDA") and the Race Relations Act 1976 ("the RRA") prohibit discrimination at every stage of employment, including during the recruitment and selection process. They therefore apply to applicants for employment. Sections 6(1) of the SDA and 4(1) of the RRA make it unlawful for an employer to discriminate against such a person "in the arrangements he makes for the purpose of determining who should be offered that employment . . ."

    The EOC Code of Practice[4] recommends the establishment and use of consistent criteria for selection and promotion without which decisions can be subjective, leaving the way open for unlawful discrimination. Indirect sex discrimination can occur in selection testing where, for example, differences are found to exist between the responses of men and women to some commonly used psychometric questionnaires. Some personality questionnaires can also indirectly discriminate on grounds of sex. Careful selection of personality questionnaires is therefore important. The EOC Code states that selection tests should be specifically related to job and/or career requirements, and should measure an individual's actual or inherent ability to do, or train for, the work or career. Tests should also be reviewed regularly to ensure that they remain relevant and free from any unjustifiable bias, either in content or in the scoring mechanism.

    The need for objectivity in selection procedures is also emphasised in the CRE Code of Practice[5] (para. 4). To combat racial discrimination in the selection process, the CRE Code recommends the following:

  • An equal opportunities policy should be adopted, implemented and monitored to ensure that no job applicant receives less favourable treatment on racial grounds, or is placed at a disadvantage by requirements or conditions with a disproportionately adverse effect on his or her racial group.

  • Selection criteria and tests should be examined to ensure that they relate to job requirements and do not discriminate unlawfully. For example, selection tests should not contain irrelevant questions or exercises on matters that may be unfamiliar to racial minority applicants, or general knowledge questions on matters more likely to be familiar to indigenous applicants (para. 1.13).

  • Staff responsible for shortlisting, interviewing and selecting candidates should be: clearly informed of selection criteria and of the need for their consistent application; given guidance or training on the effects that generalised assumptions and prejudices about race can have on selection decisions; and made aware of the possible misunderstandings that can occur in interviews between persons of different cultural background (para. 1.14).

    Testing disabled employees

    The Disability Discrimination Act 1995 ("the DDA") prohibits discrimination by an employer against a disabled person "in the arrangements which he makes for the purpose of determining to whom he should offer employment . . ." (s.4(1)). Such discrimination may take the form of "less favourable treatment" (s.5), or a failure to comply with the duty of "reasonable adjustment" (s.6). The DDA Code of Practice[6] makes clear that the "arrangements" an employer makes for determining who should be offered employment include "the processes of selection", assessment techniques and selection criteria (paras. 5.1-5.2).

    By s.6(1)-(2) of the DDA, an employer must take all reasonable steps in order to ensure that any arrangements it makes, or that are made on its behalf, for determining an offer of employment do not place a disabled person at a "substantial disadvantage in comparison with persons who are not disabled". The duty of reasonable adjustment also applies in relation to arrangements on the basis of which promotion is offered or afforded. With specific regard to making such arrangements, the duty is owed to any disabled person who is an applicant for employment, or to a disabled person who has notified the employer that he or she might be an applicant for employment (s.6(5)). Therefore, the duty is owed not only to actual applicants for employment, but also to potential applicants who have put the employer on notice as to the possibility of making an application. An employer will be relieved of this duty if it "does not know, and could not reasonably be expected to know (a) in the case of an applicant or potential applicant, that the disabled person concerned is, or may be, an applicant for the employment; or (b) in any case, that that person has a disability and is likely to be affected in the way mentioned in subsection 1"(s.6(6)).

    The DDA Code recommends that employers plan ahead for the possibility of having disabled applicants in the future by considering their needs and building helpful improvements into their plans.

    Equal opportunities employers ask candidates with disabilities to notify them of the fact and nature of their disability and to indicate what assistance or special arrangements they might require. It is important for employers to be able to demonstrate to tribunals that the skills and abilities that a test proposes to measure represent a valid assessment of job traits as far as is reasonably practicable. The test must also be free from bias or other unnecessary requirements that place a disabled candidate at a disadvantage in taking the test when compared with non-disabled candidates. A tribunal will also be interested in whether the employer has made a reasonable effort to assist the disabled applicant in taking the test.

    In relation to selection testing, the duty of reasonable adjustment might require an employer to modify the procedures for testing or assessment (s.6(3)(j) of the DDA). This could have far-reaching implications for psychological test users as they might have to make changes to the testing environment, or the format of tests, in order to accommodate applicants and employees with disabilities. The DDA Code states in para. 4 that "this could involve ensuring that particular tests do not adversely affect people with particular types of disability. For example, a person with restricted manual dexterity might be disadvantaged by a written test, so an employer might have to give that person an oral test."

    The DDA Code states that while the DDA does not prevent employers from carrying out aptitude or other tests in the recruitment process, routine testing of all candidates might discriminate against particular individuals or substantially disadvantage them. It is in these situations that tests, or the way the results of such tests are assessed, might need to be revised to take account of specific disabled candidates. For example, it may be a reasonable adjustment to accept a lower "pass rate" for a person whose disability inhibits performance in such a test. The extent to which this is required would depend on how closely the test is related to the job in question and what adjustments the employer might have to make if the applicant were given the job.

    An employer who sets a numeracy test for prospective employees might also have to waive that requirement for a person with a learning disability who does not achieve the required level if the job in fact entails very little numerical work, and the candidate is otherwise well-suited for the job. Similarly, it might be a reasonable adjustment to allow an applicant with a bad stammer more time to complete an oral test, or to give the test in written form instead, unless oral communication is relevant to the job and assessing this was the purpose of the test.

    The Criminal Records Bureau

    Part V of the Police Act 1997 established the arrangements for access to criminal records for employment-related purposes. With the exception of s.112, it came into force on 1 March 2002 (England and Wales) and 25 April 2002 (Scotland). Under its provisions, an individual who is the subject of a check may, upon making an application in prescribed form and paying a fee, obtain details of his or her criminal record and certain other information. (The Police Act 1997 (Criminal Records) Regulations 2002 (SI 2002/233) ("the Criminal Records Regulations") prescribe a £12 fee for a standard or enhanced disclosure, waived for an application from a volunteer or potential volunteer.) These responsibilities are carried out by the newly established Criminal Records Bureau (CRB) (in Scotland, the Scottish Criminal Records Office). Both bodies act as central access points, not only to criminal record information currently held by the police, but also to certain lists held by the Department for Education and Skills and the Department of Health regarding people considered unsuitable to work with children. A similar list as regards vulnerable adults is currently being established.

    Under these arrangements, three different levels of certificate or disclosure provide for varying levels of information. These are:

  • a criminal conviction certificate or basic disclosure;

  • a criminal record certificate or standard disclosure; and

  • an enhanced criminal record certificate or enhanced disclosure.

    Basic disclosure

    Section 112, which concerns basic disclosure, the lowest level of certificate, is the only section of Part V not yet in force. The appointed commencement date for Scotland is 31 July 2002. In England and Wales, it will be some time this summer.

    Basic disclosure will give either the prescribed details of every conviction of the applicant recorded in central police records or state that there is no such conviction. For these purposes, "conviction" means a conviction within the meaning of the Rehabilitation of Offenders Act 1974 ("the ROA") other than a spent conviction. Employers will therefore be able to require any potential employee to provide a basic disclosure, but they will themselves not be entitled to apply directly to the CRB for a basic disclosure on a particular individual.

    Standard disclosure

    Standard disclosure is a more detailed certificate which gives the prescribed details of "every relevant matter" relating to the applicant that is recorded in central police records or, alternatively, states that there is no such matter. The Criminal Records Regulations prescribe which details, including whether a person is disqualified from working with children, may be disclosed on both standard and enhanced disclosures. A relevant matter, for these purposes, means a conviction as defined in the ROA, including a spent conviction, a police caution, and a reprimand or warning given to a child or young person in accordance with s.65 of the Crime and Disorder Act 1998. The standard disclosure must be required for the purposes of an "exempted question" - that is, a question excluded from the ROA provisions protecting spent convictions from disclosure. Such questions are primarily concerned with positions that involve working with children or regular contact with vulnerable adults (where the information disclosed will include whether the individual is disqualified, and details of any such disqualification, from working with such persons under various government lists[7]), together with a number of excepted offices, professions and employments (for full details of these, reference should be made to the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975, and its subsequent amendments).

    Enhanced disclosure

    Enhanced disclosure is a certificate which, in addition to the details contained in a standard disclosure, involves a further level of checking with the chief officer of a local police force for any other potentially relevant information. An example of such information would be details of suspected criminal activity where no arrest had taken place, or where the person was released without being charged or cautioned. There is also provision for chief officers to provide potentially relevant information which "ought not to be included in the certificate, in the interests of the prevention or detection of crime", but which may be disclosed to the "registered person" (see below), without harming those interests. An example of such information would be suspected criminal activity where an arrest had not yet been made, but was anticipated.

    Enhanced disclosure will generally only be available in relation to individuals wanting to provide certain medical services or who are applying for a position (whether paid or unpaid) which either:

  • involves regularly caring for, training, supervising or being in sole charge of persons aged under 18; or

  • is of a kind specified in statutory Regulations and involves regularly caring for, training, supervising or being in sole charge of persons aged 18 or over. To date, only positions regarding vulnerable adults (which is widely defined) have been specified (see the Police Act 1997 (Enhanced Criminal Records Certificates)(Protection of Vulnerable Adults) Regulations 2002 (SI 2002/446)).

    The "registered person"

    Applications for both standard and enhanced disclosures must be countersigned by a "registered person" listed in a register maintained by the CRB as such. A registered person is a corporate or unincorporated body; a person appointed to an office by virtue of any enactment; or an individual who employs others in the course of a business. To be registered as such, it must establish that it is likely to employ people in occupations that are excluded from the protection of the ROA. When applying for disclosure, the registered person must also state that the certificate is required for the purposes of an "exempted question" under the ROA. The government anticipates the registration of various "umbrella bodies" that will countersign standard and enhanced disclosure applications on behalf of smaller organisations as well as those in the voluntary sector. Both standard and enhanced disclosures are issued directly to the registered person who countersigned the application. Only basic disclosures are sent directly to the individual applicant.

    Regulations[8] now in force govern (a) the details to be included in the register; (b) when and how persons may be removed from the register; and (c) the fee to be paid for inclusion in the register, currently £300 in England and Wales and £150 in Scotland.

    Offences under Part V of the Police Act

    An applicant who believes that the information contained in the issued certificate is inaccurate may make a written application for a new certificate under s.117 of Part V. Section 123 makes it a criminal offence for a person, with intent to deceive, to make a false certificate; to alter a certificate; or to use a certificate which relates to another in a way which suggests that it relates to himself or herself or allow a certificate to be so used. Where there is doubt about an applicant's identity, s.118 provides for the taking of fingerprints as evidence of identity (further detailed by the Criminal Records Regulations). It is also an offence, in certain circumstances, for a member, officer or employee of a registered body to disclose information provided from an application for a standard or enhanced disclosure to a third party (s.123).

    Code of Practice

    The CRB has published a "Code of Practice for registered persons and other recipients of disclosure information" under s.122 of Part V. This is supplemented by an explanatory guide. Both documents, and other helpful information, including application forms, can be accessed from the government's websites: www.disclosure.gov.uk and www.crb.gov.uk. The Information Commissioner states in Part 1 of the Employment Practices Data Protection Code that a failure to comply with the relevant provisions of the CRB Code is likely to lead to a breach of the DPA.


    Data protection 3: main points to note

  • The Code is a reference document, an explanatory guide to the DPA that develops and applies the Act in the context of employment practices and so helps employers to comply with the DPA.

  • The Code has no legal status but its provisions may be cited in connection with any enforcement action by the Information Commissioner under the DPA. Disregard for relevant benchmarks, in the absence of any alternatives developed by the employer to meet its requirements under the DPA, may be taken to mean that the employer has not complied with the Act.

  • Most recruitment and selection exercises will involve employers in processing personal data about job applicants. While employers need to carry out effective recruitment and selection processes, the DPA and the Code seek to balance this need against individual job applicants' rights to respect for their private lives.

  • The general management of data protection requires that employers set up methods to protect workers' personal data as an integral part of their employment policies, procedures and practices, and that a culture is developed in which there is respect for individuals' private lives.

  • Individuals responding to job advertisements or completing application forms should know to whom they are supplying their details and the uses to which they will be put.

  • Only personal data that is relevant to recruitment decisions must be sought. The processing of such data must be in accordance with the DPA's provisions and sensitive personal data must satisfy a sensitive data condition.

  • The verifying of job applicants' details must be open and must be explained to them as early in the recruitment process as is reasonably practicable. Signed or other consents must be obtained from applicants for documents or information to be obtained from a third party. Applicants must be given an opportunity to respond to any discrepancies or inaccuracies revealed.

  • Enforced subject access is now a criminal offence under the DPA, and all criminal and social security records of prospective employees must be obtained from the Criminal Records Bureau, which is now fully operational.

  • Shortlisting, selection and psychological testing must also be carried out in compliance with anti-discrimination legislation; otherwise they are likely to breach the First Data Protection Principle.

  • Personal data processed during interviews must be justifiable as relevant to, and necessary for, the recruitment process and for defending it against challenges. Taking interview notes amounts to the processing of personal data, and job applicants will have normal subject access rights in respect of them.

  • Pre-employment vetting is best conducted only on successful candidates and, even then, should be confined to areas of special risk. Its use should be made clear and the necessary consents must be obtained from the candidate if documents or information from third parties are to be obtained.

  • Retention of recruitment records must be based on a clear business need. Otherwise, employers should be particularly scrupulous about deleting or destroying information no longer relevant for their purposes.


    Managing data protection - the benchmarks

    1 Establish a person within the organisation [to be] responsible for ensuring [that] employment practices and procedures comply with the Act and for ensuring that they continue to do so. Put in place a mechanism for checking that procedures are followed in practice.

    2 Ensure that business areas and individual line managers that process information about workers understand their own responsibility for data protection compliance and, if necessary, amend their working practices in the light of this.

    3 Assess what personal data about workers are in existence and who is responsible for [the data].

    4 Eliminate the collection of personal data that are irrelevant or excessive to the employment relationship. If sensitive data are collected, ensure that a sensitive data condition is satisfied.

    5 Ensure that workers are aware of the extent to which they can be criminally liable if they knowingly or recklessly disclose personal data outside their employer's policies and procedures. Make serious breaches of data protection rules a disciplinary offence.

    6 Allocate responsibility for checking that [the] organisation has a valid notification in the register of data controllers that relates to the processing of personal data about workers, unless it is exempt from notification.

    7 Consult trade unions or other workers' representatives, if any, or workers themselves over the development and implementation of employment practices and procedures that involve the processing of workers' data.

    Access the website www.informationcommissioner.gov.uk [to] view the register or contact the Information Commissioner for a copy of the Notification handbook to find out more about notification.

    Notes and examples

    1 In a small business the responsibility might simply be with the owner of the business. Where there is a management structure, responsibility should be allocated to a senior manager in the personnel or human resources function or [to] someone in a comparable position. Those with overall responsibility must be in a position to feed their knowledge into other areas of the business where information about workers is processed, and to ensure that the organisation has a coordinated approach to data protection compliance.

    Ideally, data protection should be seen as an integral part of employment procedures rather than as a standalone requirement. For example, in the company's written procedure for dealing with selection, there should be a section on how to follow up on references, which should incorporate the relevant benchmarks in this Code. Procedures are only of value if they are current and adhered to. Review and update procedures as necessary and put a mechanism in place to ensure that they are being followed on the ground. This might involve some form of audit or self-certification by managers.

    2 It is important to remember that data protection compliance is a multidisciplinary matter. For example, a company's IT staff may be primarily responsible for keeping computerised personal data secure, whilst a human resources department may be responsible for ensuring that the information requested on a job application form is not excessive, irrelevant or inadequate. All workers, including line managers, have a part to play in securing compliance, for example by ensuring that waste paper bearing personal data is properly disposed of.

    An employer is liable to pay compensation for damage suffered by an individual as a result of the actions of a line manager [with regard] to data protection unless it is clear that the line manager has been acting outside his or her authority. Employers can help protect themselves against claims by training line managers and having clear procedures in place.

    3 It may be helpful to assess personal data held on workers using the same categories as are used in the various parts of this Code, ie personal data processed in connection with recruitment and selection, employment records, monitoring at work and medical information. Consider who in [the] organisation will be collecting, using, storing and destroying such information. Only when [this has been] ascertained will [the organisation] be able to check that [it] is complying with the Act.

    4 When making [the organisation's] assessment of personal data consider [whether] all the information collected on workers is necessary for the employment relationship. For example, information concerning workers' lives outside work is unlikely to be necessary. However, it might be legitimate to request information about workers' other jobs where there is a justifiable need - for example, in connection with Working Time Regulations, or to request information about their children in connection with an application for parental leave. The collection and use of sensitive data must satisfy a sensitive data condition.

    5 Workers should be broadly aware of the legal duties that the Act places on employers and their own role as workers in meeting them. In particular, workers should be aware of how data protection compliance impinges in practical terms on the way they perform their work. It is also crucial to make workers aware of the possible consequences of their actions in this area, eg disciplinary action or personal criminal liability. It is useful to incorporate such information in the general induction process for new workers and to regularly remind existing workers of their obligations.

    6 Failing to notify when required to do so or failing to keep a notification up to date is a criminal offence. The person responsible for data protection should ensure that entries concerning workers' data on the register of data controllers are complete, accurate and up to date. This may be a duty that he or she personally undertakes or it may be delegated.

    7 Consultation is not in itself a legal requirement. Nevertheless, consultation should help ensure [that] processing of personal data is fair to the workers to whom the data relate.

    Source: The Employment Practices Data Protection Code Part 1: Recruitment and Selection.



    Advertising - the benchmarks

    1 Inform individuals responding to job advertisements of the name of the organisation to which they will be providing their information and how it will be used unless this is self-evident.

    2 Recruitment agencies, used on behalf of an employer, must identify themselves and explain how personal data they receive will be used and disclosed unless this is self-evident.

    3 On receiving identifiable particulars of applicants from an agency, ensure, as soon as [possible], that the applicants are aware of the name of the organisation now holding their information.

    Notes and examples

    1 Individuals providing personal data, even if only giving their name and address, in response to a job advertisement, should be aware of who they are giving their details to. They should be made aware of this before they supply their details. Individuals should not be asked simply to provide their details to a PO box number or to an inadequately identified answering machine or website. Provide this explanation:

    a in the advertisement if postal, fax or email responses are sought;

    b in the advertisement or at the start of the telephone call if telephone responses are sought; or

    c on the website before personal data are collected via an online application form.

    Advertisements for specific jobs need not state how the information supplied will be used, provided that this is self-evident. Only where the link between the information being asked for and its potential use is unclear need an explanation be given. For example, if an advertisement for a specific job simply asks those interested to send in personal details and these might also be passed on to a sister company to see if it has any suitable vacancies, this should be explained in the advertisement.

    2 Where a recruitment agency places an advertisement on behalf of an employer, the identity of the agency must be given. The agency must also be identified as such if this is not apparent from its name. The agency should also inform the applicant if it intends to use the information supplied by the applicant for some purpose of which the applicant is unlikely to be aware, for example where the information will be used to market goods or services to the applicant. If the information supplied in response to a recruitment advertisement is to be retained for use in connection with future vacancies, the advertisement should make this clear.

    3 An advertisement placed by a recruitment agency need not show the identity of the employer on whose behalf it is recruiting. The agency may pass information to the employer provided that the applicant understands that his or her details will be passed on. Once the employer receives identifiable particulars, it must, as soon as it can, inform the applicant of its identity and of any uses it might make of the information received that are not self-evident. It can arrange for the agency to provide this explanation on its behalf.

    If, for whatever reason, the employer does not want to be identified to the applicant at an early stage in the recruitment process, it is acceptable for the agency to only send anonymised information about a candidate to the employer, and for the agency or employer to provide information as to the employer's identity once the employer has expressed interest in receiving personally identifiable information about the applicant.

    Source: The Employment Practices Data Protection Code Part 1: Recruitment and Selection.




    Applications - the benchmarks

    1 State, on any application form, to whom the information is being provided and how it will be used if this is not self-evident.

    2 Only seek personal data that are relevant to the recruitment decision to be made.

    3 Only request information about an applicant's criminal convictions if that information can be justified in terms of the role offered. If this information is justified, make it clear that spent convictions do not have to be declared, unless the job being filled is covered by the Exceptions Order to the Rehabilitation of Offenders Act 1974.

    4 Explain any checks that might be undertaken to verify the information provided in the application form including the nature of additional sources from which information may be gathered. (The verification checks should meet the benchmarks set out in the next section.)

    5 If sensitive data are collected, ensure [that] a sensitive data condition is satisfied.

    6 Provide a secure method for sending applications.

    Notes and examples

    1 Where an organisation is recruiting for a specific job, it is unnecessary to explain how the information will be used if this is self-evident. For example, there is no need to explain that information will be passed from the personnel department to the department where the job is located. However, if an organisation is, for example, conducting an initial trawl of applicants for a range of different jobs, perhaps to keep on file and return to as needed, this should be explained.

    Where an applicant makes an unsolicited application for recruitment to an employer, typically by sending a speculative letter or email, the employer need only provide the applicant with an explanation if:

  • the application is to be retained; and

  • the use made of the information on the application or the period of retention goes beyond what would be self-evident to the applicant.

    Any necessary explanation could be included in a letter of acknowledgement sent by the employer, although if there is no unexpected use, then no acknowledgement letter is required. Employers should have a policy on the retention or disposal of unsolicited applications for employment.

    2 Information should not be sought from applicants unless it can be justified as being necessary to enable the recruitment decision to be made, or for a related purpose such as equal opportunities monitoring. For example, there is no obvious reason why employers should ask applicants for information about their membership of a trade union.

    The scope of the information gathered must be proportionate to what the employer is seeking to achieve, for example the extent and nature of information sought from an applicant for the post of head of security at a bank would be very different from that sought from an applicant for work in the bank's staff canteen.

    Employers should also be aware of the difference between the information needed to process an application for employment and that needed to actually administer employment. There is no obvious justification, for example, for an employer to hold information about an applicant's banking details, although it will normally be legitimate to hold these details for payment purposes once employment starts.

    3 The same questions should not necessarily be asked of all prospective workers. For example, an applicant for a purely administrative job with a haulage company should not be asked for details of driving convictions, if these are only relevant to the recruitment of drivers. However, some questions will be clearly relevant to all applicants. It is acceptable to ask all candidates certain core questions, such as whether they are eligible to work in the UK.

    Information on criminal convictions should only be sought if it is relevant to the job being filled. Where appropriate, questions should be designed to obtain no more than the information actually needed, eg "Do you have any criminal convictions involving dishonesty?" Whether by omission of an explanation or otherwise, applicants should not be led to believe they have to disclose spent convictions if they do not.

    4 One example of a [check] is if, beyond taking up references, information [is obtained] from other local employers or other companies [within the] group which the worker may have been employed by or may have applied to previously. Another example is where an applicant's qualifications are to be verified in the course of the recruitment process - this should be clearly stated in the application form or surrounding documentation.

    5 The collection of sensitive data must satisfy a sensitive data condition.

    6 The return of applications to a postal address or fax number should be organised so that access to applications is limited. A secure method of transmission should be provided if an employer provides an online application facility. Widely available encryption-based software could be used to do this. Once the application has been received, electronically or otherwise, it must be securely stored.

    Source: The Employment Practices Data Protection Code Part 1: Recruitment and Selection.



     Verification of applicants' details - the benchmarks

    1 Explain to applicants as early as is reasonably practicable in the recruitment process the nature of the verification process and the methods used to carry it out.

    2 If it is necessary to secure the release of documents or information from a third party, obtain a signed consent form from the applicant unless consent to their release has been indicated in some other way.

    3 Give the applicant an opportunity to make representations should any of the checks produce discrepancies.

    Notes and examples

    1 Applicants may not always give complete and accurate answers to the questions they are asked. Employers are justified in making reasonable efforts to check the truthfulness of the information they are given. The verification process should be open; applicants should be informed of what information will be verified and how this will be done. Where external sources are to be used to check the responses to questions, this should be explained to the applicant.

    Access to certain records needed for the verification process may only be available to the individual concerned. You should not force applicants to use their subject access rights to obtain records from a third party by making it a condition of their appointment. This is known as "enforced subject access". Requiring the supply of certain records in this way, including certain criminal and social security records, will become a criminal offence under the Act when the Criminal Records Bureau starts to issue "disclosures". (The Criminal Records Bureau came fully into operation on 1 March 2002 - see below).

    2 For example, some organisations will require a signed approval form from an individual before they confirm his or her qualifications to a third party.

    3 Where information obtained from a third party differs from that provided by the applicant, it should not simply be assumed that it is the information provided by the applicant that is incorrect or misleading. If necessary, further information should be sought and a reasoned decision taken as to where the truth lies. As part of this process, the applicant should be asked to provide an explanation where information he or she has provided is suspected of being incorrect or misleading. This is necessary to ensure that the data held are accurate and processed fairly.

    Source: The Employment Practices Data Protection Code Part 1: Recruitment and Selection.



     Shortlisting - the benchmarks

    1 Be consistent in the way personal data are used in the process of shortlisting candidates for a particular position.

    2 Inform applicants if an automated shortlisting system will be used as the sole basis for making a decision. Make provisions to consider representations from applicants about this and to take these into account before making the final decision.

    3 Ensure that tests based on the interpretation of scientific evidence, such as psychological tests and handwriting analysis, are only used and interpreted by those who have received appropriate training.

    Notes and examples

    1 It is beyond the scope of the Code to set down general rules as to how shortlisting and selection testing should be carried out. This should be primarily a matter of good employment practice, although shortlisting and selection testing that leads to unlawful discrimination on the grounds of race, sex or disability is likely to breach the requirement that personal data are processed fairly and lawfully. The Information Commissioner's concern is more with ensuring that the selection criteria are applied in a way that is consistent and fair to applicants, rather than that the criteria are, in themselves, fair.

    2 The Act contains specific provisions on decision-making carried out by solely automated means. To fall within these provisions, the decision-making must evaluate matters such as an applicant's work performance or reliability. A system that automates a simple decision, for example, to reject all applicants who are under 18 years of age, is not covered by the provision.

    An example of a decision that is covered is where an individual is shortlisted purely on the basis of answers provided through a touch-tone telephone in response to psychometric questions posed by a computer. The Act requires that where the individual requests it, the logic involved in making such a decision should be explained and, in some circumstances, that the decision should be reconsidered or retaken on a different basis. This right will apply if an applicant is rejected or treated in a way that is significantly different from other applicants solely as a result of the use of an automated process.

    This right will not apply if the automated process merely provides information, such as the score resulting from a psychometric test where this is just one of a range of factors taken into account as part of a decision-making process that has an element of human intervention or scrutiny.

    3 Only by using qualified people to assess psychometric and other complex tests can shortlisting be done fairly. This is normally part of good human resources practice, but should also help to meet the data protection requirement that personal data are adequate for the purpose for which they are used.

    Source: The Employment Practices Data Protection Code Part 1: Recruitment and Selection.



     Interviews - the benchmarks

    1 Ensure that personal data that are recorded and retained following interview can be justified as relevant to, and necessary for, the recruitment process itself, or for defending the process against challenge.

    Notes and examples

    This Code is not concerned with setting out how interviews should be conducted. This should be primarily a matter of good employment practice.

    However, the collection of personal data at interview, their recording, storage and use are likely to represent processing which falls within the scope of the Act. This means that, for example, applicants will normally be entitled to have access to interview notes about them which are retained as part of the record of the interview.

    Source: The Employment Practices Data Protection Code Part 1: Recruitment and Selection.



     Pre-employment vetting - the benchmarks

    1 Only use vetting where there are particular and significant risks to the employer, clients, customers or others, and where there is no less intrusive and reasonably practicable alternative.

    2 Only carry out pre-employment vetting on an applicant at an appropriate point in the recruitment process. Comprehensive vetting should only be conducted on a successful applicant.

    3 Make it clear early in the recruitment process that vetting will take place and how it will be conducted.

    4 Only use vetting as a means of obtaining specific information, not as a means of general intelligence gathering. Ensure that the extent and nature of information sought is justified.

    5 Only seek information from sources where it is likely that relevant information will be revealed. Only approach the applicant's family or close associates in exceptional cases.

    6 Do not place reliance on information collected from possibly unreliable sources. Allow the applicant to make representations regarding information that will affect the decision to finally appoint.

    7 Where information is collected about a third party, eg the applicant's partner, ensure so far as practicable that the third party is made aware of this.

    8 If it is necessary to secure the release of documents or information from a third party, obtain a signed consent form from the applicant.

    Notes and examples

    1 Checks should be proportionate to the risks faced by an employer and should be likely to reveal information that would have a significant bearing on the employment decision. The risks are likely to involve aspects of the security of the employer or of others. They could range from the risk of breaches of national security, or the risk of employing unsuitable individuals to work with children, through to the risk of theft or the disclosure of trade secrets or other commercially confidential information.

    2 As a general rule:

  • do not routinely vet all applicants;

  • do not subject all shortlisted applicants to more than basic written checks and the taking up of references, eg against the list of persons considered unsuitable to work with children compiled under the Protection of Children Act 1999. Do not require all shortlisted applicants to obtain a disclosure from the Criminal Records Bureau.

    3 This information could be provided on the initial application form or other recruitment material. Explain to the applicant the nature, extent and range of sources of the information that will be sought. Make clear the extent to which information will be released to third parties.

    4 An employer intending to use pre-employment vetting must determine carefully the level of vetting that is proportionate to the risks posed to his or her business. Employers must be very clear as to what the objectives of the vetting process are and must only pursue avenues that are likely to further these objectives. Vetting should be designed in such a way that only information that would have a significant bearing on the employment decision is likely to be obtained.

    5 In exceptional cases, an employer might be justified in collecting information about members of the family or close associates of the applicant. This is most likely to arise in connection with the recruitment of police or prison officers.

    If sensitive data are collected, one of the specified conditions must be satisfied.

    6 Employers should use all reasonable means to ensure that any external sources used as part of the vetting process are reliable. Where the vetting results in the recording of adverse information about an applicant, the applicant should be made aware of this and should be given the opportunity to make representations, either in writing or face to face.

    7 Where information about a third party, eg the applicant's partner, is to be recorded, the collection must be fair and lawful in respect of the third party. This will mean informing third parties that information about them has been obtained and informing them as to the purposes for which it will be processed, unless this would not be practicable or would involve disproportionate effort, for example where the employer does not have contact details for the third party or the information will be kept in an identifiable form for only a very short period. In such cases, there is no obligation to act.

    8 During the vetting process, information might be sought from a third party, eg a previous employer that the applicant has not given as a referee. If the information is subject to a duty of confidentiality, the third party will need some basis on which to justify its release. The employer might obtain consent for this from the applicant in order to avoid the need for the third party to contact the applicant to seek consent.

    Source: The Employment Practices Data Protection Code Part 1: Recruitment and Selection.



     Retention of recruitment records - the benchmarks

    1 Establish and adhere to retention periods for recruitment records that are based on a clear business need.

    2 Destroy information obtained by a vetting exercise as soon as possible, or in any case within six months. A record of the result of vetting or verification can be retained.

    3 Consider carefully which information contained on an application form is to be transferred to the worker's employment record. Delete information irrelevant to ongoing employment.

    4 Delete information about criminal convictions collected in the course of the recruitment process once it has been verified through a Criminal Records Bureau disclosure, unless in exceptional circumstances the information is clearly relevant to the ongoing employment relationship.

    5 Advise unsuccessful applicants that there is an intention to keep their names on file for future vacancies (if appropriate) and give them the opportunity to have their details removed from the file.

    6 Ensure that personal data obtained during the recruitment process are securely stored or are destroyed.

    Notes and examples

    1 Employers must consider carefully the justification, if any, for retaining recruitment records once the recruitment process has been completed.

    Retention of recruitment records may be necessary for the organisation to defend itself against discrimination claims or other legal actions arising from recruitment. However, the possibility that an individual may bring a legal action does not automatically justify the indefinite retention of all records relating to workers. A policy based on risk-analysis principles should be established.

    Recruitment agencies have some legal obligations to retain records under the Employment Agencies Act 1973.

    Employers should consider the possibility that some business needs might be satisfied by using anonymised rather than identifiable records. For example, if the organisation wishes to compare the success of various recruitment campaigns, this could be achieved by using anonymised records.

    2 This is consistent with the Criminal Records Bureau Code of Conduct. However, where there is a legal obligation to retain specified information for longer than six months, this must be respected.

    3 Some information is gathered during the recruitment process that may not be relevant to the employment situation. Only retain information that has ongoing relevance or is needed as evidence of the recruitment process. For example, consider carefully whether there is a reason to retain information about an applicant's former salary once he or she has started employment. For practical reasons, it may be difficult to delete some information on application forms whilst retaining the rest. Employers should, however, design application forms to facilitate the easy deletion of information which is irrelevant to the ongoing employment relationship.

    4 A note may be kept showing that a check was completed and the results of the findings.

    5 Unless there is a reason to believe that an applicant wishes to be considered again, the assumption should be that he or she has applied only for the vacancy advertised. Application forms or recruitment advertisements can give the applicant the choice as to whether he or she wishes to apply only for the advertised post or would like his or her details to be kept on file in case another position arises.

    6 Whether stored manually or electronically, personal data should be kept secure, and, as far as is practicable, access to the data should be limited.

    Source: The Employment Practices Data Protection Code Part 1: Recruitment and Selection.



    References

    1 The Information Commissioner's website at www.informationcommissioner.gov.uk

    2 The IC Newsletter, March 2002, available free from the Information Commissioner's website.

    3 [1937] 3 All ER 628.

    4 Equal Opportunities Commission: Code of Practice on sex discrimination: equal opportunity policies, procedures and practices in employment (1985).

    5 Commission for Racial Equality: Code of Practice for the elimination of racial discrimination and the promotion of equality of opportunity in employment (1983).

    6 Code of Practice for the elimination of discrimination in the field of employment against disabled persons or persons who have had a disability (1996).

    7 Section 1 of the Protection of Children Act 1999; s.218(6) of the Education Reform Act 1988; and ss.470 or 471 of the Education Act 1996. A further list is to be kept under s.81 of the Care Standards Act 2000 regarding persons considered unsuitable to work with vulnerable adults.

    8 The Police Act 1997 (Criminal Records) (Registration) Regulations 2001 (SI 2001/1194); The Police Act 1997 (Criminal Records) (Registration) (Amendment) Regulations 2001 (SI 2001/2498); The Police Act 1997 (Criminal Records) (Registration) (Scotland) Regulations 2002 (SSI 2002/23).