Data Protection and employment practice (3)
Our third guidance note on data protection covers the Employment Practices Data Protection Code Part 1: Recruitment and Selection. The Code aims to help employers develop good data protection practices in their recruitment and selection activities.
One of the duties of the Information Commissioner under the Data Protection Act 1998 ("the DPA") is to "prepare and disseminate . . . Codes of Practice for good guidance as to good practice" (s.51(3) of the DPA). In performance of this duty, in March 2002, the Commissioner issued the first of a four-part Code of Practice entitled the Employment Practices Data Protection Code. Part 1 relates to recruitment and selection. Part 2, soon to be released, will cover employment records (collection, storing, disclosing and deleting records). The final two parts on monitoring at work (monitoring workers' use of telephone or email systems and vehicles) and medical information (occupational health, medical testing, drug and genetic screening) will follow when completed. They will not be formally published as one Code until all four booklets have been completed but will appear on the Commissioner's website1 as they are released.
The Information Commissioner lists2 the following among the factors that prompted her to produce the Code:
The extension of data protection law to cover paper records.
Developments in technology that allow for intrusive monitoring of workers to take place more readily than in the past.
The blurring of the distinction between private and working life. More people are working from home and using equipment for both business and domestic purposes.
The growth in the potential for intrusive testing of individuals, including medical/genetic testing and testing for alcohol or drugs.
This guidance note, number three in our series on data protection, examines in detail the provisions of Part 1 of the Code. Subsequent guidance notes will deal with the other three parts as and when they are published. The main points to note are set out in Data protection: Private papers.
Purpose of the Code
Part 1 of the Code is "written primarily for businesses where the employment of staff constitutes a significant activity", although it is envisaged that much of the content will be applicable to any employer. How relevant each aspect of the Code will be to an organisation will depend on the size and nature of the business. In the case of small businesses where data protection issues arise only rarely, the Code may be used only as a reference document. The Commissioner envisages that it is more likely to be put to practical use by human resources managers in medium to large businesses.
As we have seen in our earlier guidance notes in this series (IRLB 688 and 689), the DPA imposes certain legal obligations upon data controllers (employers) to process personal data about data subjects (employees) according to the Data Protection Principles and the Act's other requirements. Breaches of the DPA can lead to criminal offences being committed. The Code explains how an organisation can comply with the DPA in the context of recruitment and selection. The interpretation of the DPA is, in many areas, not without difficulty. The Code, organised as it is in the form of benchmarks, notes and examples, checklists and action points, develops and applies the DPA in the context of employment practices and thereby helps organisations, particularly those with limited experience of dealing with data protection issues, to comply with the DPA.
Other benefits from implementing the Code may include better relationships between employers and employees, compliance with other legislation such as the Human Rights Act 2000, and efficiencies in storing and managing data.
Status of the Code
Part 1 of the Code does not have the legal status of the DPA and employers are under no legal obligation to comply with it in the same way as with the DPA. However, with its purpose being to bring about compliance with the DPA, and its content forming the Commissioner's recommendations as to how the legal requirements of the DPA can be met, employers cannot simply ignore its provisions. Relevant benchmarks may be cited by the Commissioner in connection with any enforcement action by her under the DPA. "Disregard for the data protection requirements that particular benchmarks are designed to help organisations meet is likely to mean that an employer will not comply with the Act," the Code says. But an employer may meet its requirements under the DPA in alternative ways.
Part 1 of the Code is divided into five sections. Section 1 deals with the background, answering questions about the DPA and the Code. Section 2, on the Code itself, provides the benchmarks that organisations need to meet in their recruitment and selection practices. Section 3 provides further information on the Code and includes useful addresses. Section 4 answers several frequently asked questions. Section 5 covers checklists and action points for the practical implementation of the Code's recommendations.
Background to the Code
Parts 1 and 2 of our guidance notes in this series provided a detailed examination of the DPA and its requirements which form the background to the Code. We saw that the DPA regulates the processing by data controllers of personal data in the UK. We noted the wide meanings given to the terms "processing" and "personal data" - the former effectively covering any action involving data, and the latter encompassing any data relating to a living individual from which that individual can be identified, or from which, together with other information in the possession of, or likely to come into the possession of the data controller, that individual can be identified. This includes any expression of opinion about the individual, and any indication of the intentions of the data controller or any other person in respect of that individual.
We also saw that "personal data" now encompasses manual records as well as computerised data, and that the expiry of the first period of transitional relief on 23 October 2001 effectively meant that full compliance with the DPA's provisions by data controllers is now required. We noted that the DPA worked by:
providing data subjects with specified rights: of access to personal data held about them; to prevent processing likely to cause damage or distress; in relation to automated decision-making; to compensation; and in relation to inaccurate data; and
imposing certain fundamental obligations upon data controllers, notably, those of notification with the Commissioner, abidance by a set of eight Data Protection Principles and observation of data subjects' rights.
Part 1 of the Code is concerned with data that employers might collect and keep on "workers". Broadly defined, the term "worker" covers any individual who might wish to work, who works or who has worked for the employer. This includes successful and unsuccessful job applicants and former job applicants; and current and former employees, agency workers, casual workers and contract workers. Most information processed by an employer about any such person will fall within the scope of the DPA and the Code.
The provisions of the Code
The broad meanings given by the DPA to the key words that define its scope and the nature of its requirements - "data", "personal data" and "processing" - clearly indicate that most recruitment and selection exercises will involve employers in processing personal data about job applicants.
While employers need to be able to carry out such exercises effectively, the DPA and the Code are concerned with ensuring that this need is balanced against the job applicant's right to respect for his or her private life, enshrined in article 8 of the European Convention on Human Rights and Fundamental Freedoms. Section 2 of the Code sets out benchmarks designed to help organisations achieve this balance, together with accompanying notes and examples that further explain each individual benchmark.
Handling sensitive personal data during recruitment
Sensitive personal data means data on:
racial or ethnic origin;
political opinions;
religious or other similar beliefs;
trade union membership within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992;
physical or mental health or condition;
sexual life; and
offences or alleged offences, or information regarding any proceedings for offences committed or allegedly committed by the data subject, including the outcome of those proceedings.
We noted in Data protection and employment practice (1) that such data receive special protection under the DPA. Not only is an employer required to meet at least one of the Schedule 2 conditions in respect of their processing, but it also has to ensure that at least one Schedule 3 condition is fulfilled. We also noted that additional Schedule 3 conditions have been developed by Regulations (the Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI No.417)).
In section 3 of the Code, the Commissioner sets out the Schedule 3 conditions she considers most likely to be relevant to the processing of sensitive personal data during the recruitment and selection process.
These are that the processing is necessary in the following circumstances:
For exercising or performing any legal right or obligation upon the data controller in connection with employment.
For any legal proceedings (including prospective legal proceedings); for obtaining legal advice; or for establishing, exercising or defending legal rights.
Where the processing concerns information in categories relating to racial or ethnic origin, religious or other beliefs, or physical or mental health that is necessary for the purpose of identifying or keeping under review the existence or absence of equal opportunities or treatment, and there are appropriate safeguards for the rights and freedoms of data subjects.
(These first three points are discussed further below.)
For exercising any functions conferred on any person by or under an enactment or for the exercise of any functions of the Crown, a minister of the Crown or a government department. The Commissioner envisages that this condition will be of relevance in public sector recruitment and selection where the particular body is under a specific legal duty in relation to the qualifications, attributes, background or probity of workers. It will also be applicable where the public sector body concludes that it is necessary for it to process such sensitive personal data as criminal convictions relating to applicants or, exceptionally, their family or close associates, in the discharge of its wider statutory functions - for example, in the recruitment of police officers or prison officers.
Where the data subject has given explicit consent to the processing. For this requirement to be fulfilled, the applicant must have been told clearly what personal data are involved and the use to which they will be put. Explicit consent involves the applicant giving "a positive indication of agreement", eg a signature. Consent must also be freely given. Because of this, the Commissioner takes the view that it can be relied upon in the context of employment only to a limited extent. However, in relation to recruitment and selection, job applicants usually have a free choice as to whether or not to apply for a particular job. The fact that consent to some processing of sensitive personal data is a condition of an application does not, in the Commissioner's view, prevent the consent being freely given if it is clear to the applicant exactly what he or she is consenting to. As recruitment proceeds, however, the Code states that it becomes less likely that valid consent can be obtained if, for example, the direct consequence of not consenting is the withdrawal of a job offer.
Legal rights or obligations
Legal rights or obligations to which an employer may be subject in its processing of sensitive personal data may arise from statute and the common law as developed by case law. For example, both at common law and under the Health and Safety at Work etc Act 1974 and related Regulations, employers have a duty to take reasonable care for their employees' health and safety at work. Wilsons and Clyde Coal Co Ltd v English3 embodies the classic common law expression of this duty, including that an employer must provide competent and safe work colleagues. Moreover, by virtue of the application of the common law principle of vicarious liability, employers may be held liable for injuries to their employees caused by the negligence of fellow employees arising out of and in the course of employment. This means that an employer must not be negligent in its recruitment and/or selection of staff for particular work.
An employer must also ensure that its recruitment and selection processes do not fall foul of anti-discrimination law (see below). Moreover, it must check the immigration status of job applicants before employment, in accordance with the Asylum and Immigration Act 1996.
It might therefore be necessary, for any or all of these purposes, for an employer to collect relevant information from a job applicant during the recruitment and selection process that might amount to sensitive personal data. "Necessary", in this context, means necessary for exercising or performing the legal right or obligation. In some cases, this might mean that the employer is restricted to collecting the information only from the successful applicant rather than from every individual on its shortlist.
Legal proceedings and equal opportunities
A prospective employer might rely on the "legal proceedings" condition to process sensitive personal data in order to defend itself against a claim of unlawful discrimination by a job applicant.
Processing that is "necessary" for equal opportunities purposes means that "wherever practicable, monitoring should be based on anonymous or aggregated information".
The Sex Discrimination Act 1975 ("the SDA") and the Race Relations Act 1976 ("the RRA") prohibit discrimination at every stage of employment, including during the recruitment and selection process. They therefore apply to applicants for employment. Sections 6(1) of the SDA and 4(1) of the RRA make it unlawful for an employer to discriminate against such a person "in the arrangements he makes for the purpose of determining who should be offered that employment . . ."
The EOC Code of Practice4 recommends the establishment and use of consistent criteria for selection and promotion without which decisions can be subjective, leaving the way open for unlawful discrimination. Indirect sex discrimination can occur in selection testing where, for example, differences are found to exist between the responses of men and women to some commonly used psychometric questionnaires. Some personality questionnaires can also indirectly discriminate on grounds of sex. Careful selection of personality questionnaires is therefore important. The EOC Code states that selection tests should be specifically related to job and/or career requirements, and should measure an individual's actual or inherent ability to do, or train for, the work or career. Tests should also be reviewed regularly to ensure that they remain relevant and free from any unjustifiable bias, either in content or in the scoring mechanism.
The need for objectivity in selection procedures is also emphasised in the CRE Code of Practice5 (para. 4). To combat racial discrimination in the selection process, the CRE Code recommends the following:
An equal opportunities policy should be adopted, implemented and monitored to ensure that no job applicant receives less favourable treatment on racial grounds, or is placed at a disadvantage by requirements or conditions with a disproportionately adverse effect on his or her racial group.
Selection criteria and tests should be examined to ensure that they relate to job requirements and do not discriminate unlawfully. For example, selection tests should not contain irrelevant questions or exercises on matters that may be unfamiliar to racial minority applicants, or general knowledge questions on matters more likely to be familiar to indigenous applicants (para. 1.13).
Staff responsible for shortlisting, interviewing and selecting candidates should be: clearly informed of selection criteria and of the need for their consistent application; given guidance or training on the effects that generalised assumptions and prejudices about race can have on selection decisions; and made aware of the possible misunderstandings that can occur in interviews between persons of different cultural background (para. 1.14).
Testing disabled employees
The Disability Discrimination Act 1995 ("the DDA") prohibits discrimination by an employer against a disabled person "in the arrangements which he makes for the purpose of determining to whom he should offer employment . . ." (s.4(1)). Such discrimination may take the form of "less favourable treatment" (s.5), or a failure to comply with the duty of "reasonable adjustment" (s.6). The DDA Code of Practice6 makes clear that the "arrangements" an employer makes for determining who should be offered employment include "the processes of selection", assessment techniques and selection criteria (paras. 5.1-5.2).
By s.6(1)-(2) of the DDA, an employer must take all reasonable steps in order to ensure that any arrangements it makes, or that are made on its behalf, for determining an offer of employment do not place a disabled person at a "substantial disadvantage in comparison with persons who are not disabled". The duty of reasonable adjustment also applies in relation to arrangements on the basis of which promotion is offered or afforded. With specific regard to making such arrangements, the duty is owed to any disabled person who is an applicant for employment, or to a disabled person who has notified the employer that he or she might be an applicant for employment (s.6(5)). Therefore, the duty is owed not only to actual applicants for employment, but also to potential applicants who have put the employer on notice as to the possibility of making an application. An employer will be relieved of this duty if it "does not know, and could not reasonably be expected to know (a) in the case of an applicant or potential applicant, that the disabled person concerned is, or may be, an applicant for the employment; or (b) in any case, that that person has a disability and is likely to be affected in the way mentioned in subsection 1" (s.6(6)).
The DDA Code recommends that employers plan ahead for the possibility of having disabled applicants in the future by considering their needs and building helpful improvements into their plans.
Equal opportunities employers ask candidates with disabilities to notify them of the fact and nature of their disability and to indicate what assistance or special arrangements they might require. It is important for employers to be able to demonstrate to tribunals that the skills and abilities that a test proposes to measure represent a valid assessment of job traits as far as is reasonably practicable. The test must also be free from bias or other unnecessary requirements that place a disabled candidate at a disadvantage in taking the test when compared with non-disabled candidates. A tribunal will also be interested in whether the employer has made a reasonable effort to assist the disabled applicant in taking the test.
In relation to selection testing, the duty of reasonable adjustment might require an employer to modify the procedures for testing or assessment (s.6(3)(j) of the DDA). This could have far-reaching implications for psychological test users as they might have to make changes to the testing environment, or the format of tests, in order to accommodate applicants and employees with disabilities. The DDA Code states in para. 4 that "this could involve ensuring that particular tests do not adversely affect people with particular types of disability. For example, a person with restricted manual dexterity might be disadvantaged by a written test, so an employer might have to give that person an oral test."
The DDA Code states that while the DDA does not prevent employers from carrying out aptitude or other tests in the recruitment process, routine testing of all candidates might discriminate against particular individuals or substantially disadvantage them. It is in these situations that tests, or the way the results of such tests are assessed, might need to be revised to take account of specific disabled candidates. For example, it may be a reasonable adjustment to accept a lower "pass rate" for a person whose disability inhibits performance in such a test. The extent to which this is required would depend on how closely the test is related to the job in question and what adjustments the employer might have to make if the applicant were given the job.
An employer who sets a numeracy test for prospective employees might also have to waive that requirement for a person with a learning disability who does not achieve the required level if the job in fact entails very little numerical work, and the candidate is otherwise well-suited for the job. Similarly, it might be a reasonable adjustment to allow an applicant with a bad stammer more time to complete an oral test, or to give the test in written form instead, unless oral communication is relevant to the job and assessing this was the purpose of the test.
The Criminal Records Bureau
Part V of the Police Act 1997 established the arrangements for access to criminal records for employment-related purposes. With the exception of s.112, it came into force on 1 March 2002 (England and Wales) and 25 April 2002 (Scotland). Under its provisions, an individual who is the subject of a check may, upon making an application in prescribed form and paying a fee, obtain details of his or her criminal record and certain other information. (The Police Act 1997 (Criminal Records) Regulations 2002 (SI 2002/233) ("the Criminal Records Regulations") prescribe a £12 fee for a standard or enhanced disclosure, waived for an application from a volunteer or potential volunteer.) These responsibilities are carried out by the newly established Criminal Records Bureau (CRB) (in Scotland, the Scottish Criminal Records Office). Both bodies act as central access points, not only to criminal record information currently held by the police, but also to certain lists held by the Department for Education and Skills and the Department of Health regarding people considered unsuitable to work with children. A similar list as regards vulnerable adults is currently being established.
Under these arrangements, three different levels of certificate or disclosure provide for varying levels of information. These are:
a criminal conviction certificate or basic disclosure;
a criminal record certificate or standard disclosure; and
an enhanced criminal record certificate or enhanced disclosure.
Basic disclosure
Section 112, which concerns basic disclosure, the lowest level of certificate, is the only section of Part V not yet in force. The appointed commencement date for Scotland is 31 July 2002. In England and Wales, it will be some time this summer.
Basic disclosure will give either the prescribed details of every conviction of the applicant recorded in central police records or state that there is no such conviction. For these purposes, "conviction" means a conviction within the meaning of the Rehabilitation of Offenders Act 1974 ("the ROA") other than a spent conviction. Employers will therefore be able to require any potential employee to provide a basic disclosure, but they will themselves not be entitled to apply directly to the CRB for a basic disclosure on a particular individual.
Standard disclosure
Standard disclosure is a more detailed certificate which gives the prescribed details of "every relevant matter" relating to the applicant that is recorded in central police records or, alternatively, states that there is no such matter. The Criminal Records Regulations prescribe which details, including whether a person is disqualified from working with children, may be disclosed on both standard and enhanced disclosures. A relevant matter, for these purposes, means a conviction as defined in the ROA, including a spent conviction, a police caution, and a reprimand or warning given to a child or young person in accordance with s.65 of the Crime and Disorder Act 1998. The standard disclosure must be required for the purposes of an "exempted question" - that is, a question excluded from the ROA provisions protecting spent convictions from disclosure. Such questions are primarily concerned with positions that involve working with children or regular contact with vulnerable adults (where the information disclosed will include whether the individual is disqualified, and details of any such disqualification, from working with such persons under various government lists7), together with a number of excepted offices, professions and employments (for full details of these, reference should be made to the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975, and its subsequent amendments).
Enhanced disclosure
Enhanced disclosure is a certificate which, in addition to the details contained in a standard disclosure, involves a further level of checking with the chief officer of a local police force for any other potentially relevant information. An example of such information would be details of suspected criminal activity where no arrest had taken place, or where the person was released without being charged or cautioned. There is also provision for chief officers to provide potentially relevant information which "ought not to be included in the certificate, in the interests of the prevention or detection of crime", but which may be disclosed to the "registered person" (see below), without harming those interests. An example of such information would be suspected criminal activity where an arrest had not yet been made, but was anticipated.
Enhanced disclosure will generally only be available in relation to individuals wanting to provide certain medical services or who are applying for a position (whether paid or unpaid) which either:
involves regularly caring for, training, supervising or being in sole charge of persons aged under 18; or
is of a kind specified in statutory Regulations and involves regularly caring for, training, supervising or being in sole charge of persons aged 18 or over. To date, only positions regarding vulnerable adults (which is widely defined) have been specified (see the Police Act 1997 (Enhanced Criminal Records Certificates)(Protection of Vulnerable Adults) Regulations 2002 (SI 2002/446)).
The "registered person"
Applications for both standard and enhanced disclosures must be countersigned by a "registered person" listed in a register maintained by the CRB as such. A registered person is a corporate or unincorporated body; a person appointed to an office by virtue of any enactment; or an individual who employs others in the course of a business. To be registered as such, it must establish that it is likely to employ people in occupations that are excluded from the protection of the ROA. When applying for disclosure, the registered person must also state that the certificate is required for the purposes of an "exempted question" under the ROA. The government anticipates the registration of various "umbrella bodies" that will countersign standard and enhanced disclosure applications on behalf of smaller organisations as well as those in the voluntary sector. Both standard and enhanced disclosures are issued directly to the registered person who countersigned the application. Only basic disclosures are sent directly to the individual applicant.
Regulations8 now in force govern (a) the details to be included in the register; (b) when and how persons may be removed from the register; and (c) the fee to be paid for inclusion in the register, currently £300 in England and Wales and £150 in Scotland.
Offences under Part V of the Police Act
An applicant who believes that the information contained in the issued certificate is inaccurate may make a written application for a new certificate under s.117 of Part V. Section 123 makes it a criminal offence for a person, with intent to deceive, to make a false certificate; to alter a certificate; or to use a certificate which relates to another in a way which suggests that it relates to himself or herself or allow a certificate to be so used. Where there is doubt about an applicant's identity, s.118 provides for the taking of fingerprints as evidence of identity (further detailed by the Criminal Records Regulations). It is also an offence, in certain circumstances, for a member, officer or employee of a registered body to disclose information provided from an application for a standard or enhanced disclosure to a third party (s.123).
Code of Practice
The CRB has published a "Code of Practice for registered persons and other recipients of disclosure information" under s.122 of Part V. This is supplemented by an explanatory guide. Both documents, and other helpful information, including application forms, can be accessed from the government's websites: www.disclosure.gov.uk and www.crb.gov.uk. The Information Commissioner states in Part 1 of the Employment Practices Data Protection Code that a failure to comply with the relevant provisions of the CRB Code is likely to lead to a breach of the DPA.
1 Establish a person within the organisation [to be] responsible for ensuring [that] employment practices and procedures comply with the Act and for ensuring that they continue to do so. Put in place a mechanism for checking that procedures are followed in practice.
2 Ensure that business areas and individual line managers that process information about workers understand their own responsibility for data protection compliance and, if necessary, amend their working practices in the light of this.
3 Assess what personal data about workers are in existence and who is responsible for [the data].
4 Eliminate the collection of personal data that are irrelevant or excessive to the employment relationship. If sensitive data are collected, ensure that a sensitive data condition is satisfied.
5 Ensure that workers are aware of the extent to which they can be criminally liable if they knowingly or recklessly disclose personal data outside their employer's policies and procedures. Make serious breaches of data protection rules a disciplinary offence.
6 Allocate responsibility for checking that [the] organisation has a valid notification in the register of data controllers that relates to the processing of personal data about workers, unless it is exempt from notification.
7 Consult trade unions or other workers' representatives, if any, or workers themselves over the development and implementation of employment practices and procedures that involve the processing of workers' data.
Access the website www.informationcommissioner.gov.uk [to] view the register or contact the Information Commissioner for a copy of the Notification handbook to find out more about notification.
Notes and examples
1 In a small business the responsibility might simply be with the owner of the business. Where there is a management structure, responsibility should be allocated to a senior manager in the personnel or human resources function or [to] someone in a comparable position. Those with overall responsibility must be in a position to feed their knowledge into other areas of the business where information about workers is processed, and to ensure that the organisation has a coordinated approach to data protection compliance. Ideally, data protection should be seen as an integral part of employment procedures rather than as a standalone requirement. For example, in the company's written procedure for dealing with selection, there should be a section on how to follow up on references, which should incorporate the relevant benchmarks in this Code. Procedures are only of value if they are current and adhered to. Review and update procedures as necessary and put a mechanism in place to ensure that they are being followed on the ground. This might involve some form of audit or self-certification by managers.
2 It is important to remember that data protection compliance is a multidisciplinary matter. For example, a company's IT staff may be primarily responsible for keeping computerised personal data secure, whilst a human resources department may be responsible for ensuring that the information requested on a job application form is not excessive, irrelevant or inadequate. All workers, including line managers, have a part to play in securing compliance, for example by ensuring that waste paper bearing personal data is properly disposed of. An employer is liable to pay compensation for damage suffered by an individual as a result of the actions of a line manager [with regard] to data protection unless it is clear that the line manager has been acting outside his or her authority. Employers can help protect themselves against claims by training line managers and having clear procedures in place.
3 It may be helpful to assess personal data held on workers using the same categories as are used in the various parts of this Code, ie personal data processed in connection with recruitment and selection, employment records, monitoring at work and medical information. Consider who in [the] organisation will be collecting, using, storing and destroying such information. Only when [this has been] ascertained will [the organisation] be able to check that [it] is complying with the Act.
4 When making [the organisation's] assessment of personal data consider [whether] all the information collected on workers is necessary for the employment relationship. For example, information concerning workers' lives outside work is unlikely to be necessary. However, it might be legitimate to request information about workers' other jobs where there is a justifiable need - for example, in connection with Working Time Regulations, or to request information about their children in connection with an application for parental leave. The collection and use of sensitive data must satisfy a sensitive data condition.
5 Workers should be broadly aware of the legal duties that the Act places on employers and their own role as workers in meeting them. In particular, workers should be aware of how data protection compliance impinges in practical terms on the way they perform their work. It is also crucial to make workers aware of the possible consequences of their actions in this area, eg disciplinary action or personal criminal liability. It is useful to incorporate such information in the general induction process for new workers and to regularly remind existing workers of their obligations.
6 Failing to notify when required to do so or failing to keep a notification up to date is a criminal offence. The person responsible for data protection should ensure that entries concerning workers' data on the register of data controllers are complete, accurate and up to date. This may be a duty that he or she personally undertakes or it may be delegated.
7 Consultation is not in itself a legal requirement. Nevertheless, consultation should help ensure [that] processing of personal data is fair to the workers to whom the data relate.
Source: The Employment
Practices Data Protection Code Part 1: Recruitment and
Selection. |
References
1 The Information Commissioner's website at www.informationcommissioner.gov.uk
2 The IC Newsletter, March 2002, available free from the Information Commissioner's website.
3 [1937] 3 All ER 628.
4 Equal Opportunities Commission: Code of Practice on sex discrimination: equal opportunity policies, procedures and practices in employment (1985).
5 Commission for Racial Equality: Code of Practice for the elimination of racial discrimination and the promotion of equality of opportunity in employment (1983).
6 Code of Practice for the elimination of discrimination in the field of employment against disabled persons or persons who have had a disability (1996).
7 Section 1 of the Protection of Children Act 1999; s.218(6) of the Education Reform Act 1988; and ss.470 or 471 of the Education Act 1996. A further list is to be kept under s.81 of the Care Standards Act 2000 regarding persons considered unsuitable to work with vulnerable adults.
8 The Police Act 1997 (Criminal Records) (Registration) Regulations 2001 (SI 2001/1194); The Police Act 1997 (Criminal Records) (Registration) (Amendment) Regulations 2001 (SI 2001/2498); The Police Act 1997 (Criminal Records) (Registration) (Scotland) Regulations 2002 (SSI 2002/23).