Data protection and employment practice (4)

The Employment Practices Data Protection Code Part 2: Employment Records gives benchmarks, notes and examples to help employers develop good data protection practices in compliance with the Data Protection Act 1998 in processing employment records.

Continuing our series of guidance notes on Data Protection and Employment Practice (see box below), this issue features the Information Commissioner's Employment Practices Data Protection Code Part 2: Employment Records ("the Employment Records Code")[1]. The Employment Records Code is the second of a four-part Code of Practice being released in stages by the Information Commissioner. The first, issued in March 2002, covered recruitment and selection ("the Recruitment and Selection Code"). This second part was published in August 2002. The final two parts will cover monitoring at work (monitoring workers' use of telephone or email systems and vehicles) and medical information (occupational health, medical testing, drug and genetic screening). Each part of the Code of Practice is designed to stand alone, but when all four parts have been completed, it is proposed to formally publish them as one Code of Practice.

The Code of Practice explains how an organisation can comply with the Data Protection Act 1998 ("the DPA"). It is organised into benchmarks with notes and examples, checklists and action points, and develops and applies the DPA in the context of employment practices. It does not have the DPA's legal status and employers are under no legal obligation to comply with it in the same way as the DPA. However, with its purpose being to bring about compliance with the DPA, and its content forming the Information Commissioner's recommendations as to how the legal requirements of the DPA can be met, its provisions cannot simply be ignored. Relevant benchmarks may be cited by the Commissioner in connection with any enforcement action by her under the DPA, and "disregard for the data protection requirements that particular benchmarks are designed to help organisations meet is likely to mean that an employer will not comply with the Act." However, nothing stops an employer from meeting its requirements under the DPA in alternative ways.

Scope of the Employment Records Code

As with any other aspect of data protection and employment practice, the Employment Records Code is concerned with the "processing" of "personal data". From our earlier guidance notes in this series we know that these are defined in the broadest possible terms. "Processing" encompasses any and every conceivable action involving data, from their initial obtaining, keeping and use, through to accessing and disclosing them, and their retention or final destruction. "Personal data" refers to any data relating to a living individual from which that individual can be identified, or from which, together with other information in the possession of, or likely to come into the possession of the data controller, that individual can be identified. This includes any expression of opinion about the individual, and any indication of the intentions of the data controller or any other person in respect of that individual. Personal data also now encompasses manual records as well as computerised data.

Employers, therefore, routinely process personal data about their "workers" - another broadly defined term that covers any individual who might wish to work, who works or who has worked for the employer. Thus it includes successful and unsuccessful applicants and former applicants for jobs, and current and former employees and other atypical workers. Any processing of personal data about such individuals by an employer falls within the scope of the DPA and the Code of Practice. Employers are not thereby prevented from collecting, maintaining and using records about their workers. The aim is to ensure that the employer's right to do so is properly balanced against the worker's right to respect for his or her private life, enshrined in article 8 of the European Convention on Human Rights and Fundamental Freedoms.

To do this, the DPA imposes certain fundamental obligations on data controllers, principally: notification to the Information Commissioner; abidance by a set of eight Data Protection Principles; and observance of data subjects' rights. These rights are: rights of access to personal data held about them; rights to prevent processing likely to cause damage or distress to them; rights in relation to automated decision-making; rights to compensation; and rights in relation to inaccurate data.

The Employment Records Code is divided into five sections. Section 1 deals with the background, answering questions about the DPA and the Code of Practice. Section 2 provides the benchmarks, with notes and examples, for how employers should collect, maintain and use employment records so as to strike a proper balance between the employer's need to keep records and the worker's right to respect for his or her private life. Section 3 provides further information on when "sensitive personal data" may be collected, and gives useful addresses. Section 4 answers several frequently asked questions, and section 5 covers checklists and action points for the practical implementation of the Code's recommendations.

The Employment Records benchmarks

In this feature, we propose to cover the following benchmarks only: collecting and keeping employment records; security; sickness and accident records; equal opportunities monitoring; workers' access to information about themselves (in subject access requests); references; disclosure requests; mergers and acquisitions; discipline, grievance and dismissal; and retention of records.

The Code's overriding concern is that information an employer collects and keeps about new and existing workers satisfies the Data Protection Principles. The First Principle, that personal data must be processed fairly and lawfully, cannot be avoided under any circumstances in respect of any given personal data. This is because it is a requisite of fair and lawful processing that a data controller must not process personal data at all unless it meets at least one of the specific conditions imposed by the DPA in Schedule 2 and, in respect of "sensitive personal data", at least one also of the Schedule 3 conditions. Openness, transparency and clarity about the processing of personal data within the organisation is emphasised throughout.

Collecting and keeping employment records

In this part, the Code has in mind, specifically, the Fourth Principle, which states that personal data must be accurate and, where necessary, kept up to date. Data is accurate only if it is correct and not misleading as to any matter of fact, and this may be affected by how up to date it is. Accuracy is not necessarily achieved merely by ensuring that the information was obtained from the worker. The DPA expects that an employer will additionally take reasonable steps, such as ensuring that inaccurate data are identified and marked as such where the worker has notified it of any inaccuracies. What such reasonable steps involve, and the extent to which they are necessary, will be a matter of fact in each individual case, and will depend on the nature of the data and the consequences of the inaccuracy for the worker. It is clear, however, that the annual, or online, checks suggested in benchmark 4 (see below) will amount to such reasonable steps.

The note to this benchmark also clearly expects the employer to be proactive in the matter of ensuring accuracy, and not to rely on the worker who is making a subject access request for whatever reason to correct data that might be inaccurate about himself or herself.

Security

The safe storage of data, whether manual or computerised, the prevention of unauthorised access to them, and the prevention of their unintended destruction, is the focus of the benchmarks in this part. This is in compliance with the Seventh Principle, which states that "appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

What amounts to "appropriate" security measures will depend on the state of technology; cost; the resultant harm from a breach of security; the nature of the data being protected; and the "reasonable steps" taken by an employer to ensure the reliability of staff with access to personal data. The EC Data Protection Directive (No.95/46) that the DPA purports to implement states that security measures must be taken both at the time of the design of the processing system and at the time of the processing itself; and that the level of security must be appropriate to the risks presented by the processing.

All these requirements mean that employers must adopt a risk-based approach to security which takes into account all the circumstances, and in which management and organisational measures play as critical a role as do technical measures.

Sickness and accident records

The processing by an employer of a worker's sickness and accident records, in the context of the DPA, is particularly problematic. The Code's emphasis is, firstly, that a clear distinction is drawn and strictly maintained between sickness and accident records on the one hand, and absence records on the other; and secondly, that the holding of such sickness and accident records satisfies a sensitive data condition.

A sickness record, for the purposes of the Code, refers to "a record which contains details of the illness or condition responsible for a worker's absence", and an accident record describes "a record which contains details of the injury suffered". The term "absence record", on the other hand, describes a record that may give the reason for absence as "sickness" or "accident", but does not include any reference to specific medical conditions.

In addition to the First Principle, the sickness and accident records benchmarks have the Second Principle very much in mind, namely, that "personal data must be obtained only for one or more specified and lawful purposes, and must not be processed in any manner incompatible with that or those purposes." An employer may specify the purpose for which such data are processed in the "fair processing information" it is obliged to supply the individual with under the First Principle. It should also be careful to ensure that there is no deception or misleading of the individual in its processing of this data.

Because sickness or accident records hold information about a worker's physical or mental health, they involve the processing of sensitive personal data and must satisfy one of the specified Schedule 3 conditions. In her note to benchmark 2, the Commissioner introduces some uncertainty as to whether an employer can satisfy any sensitive data condition in respect of sickness records, other than one imposed by a legal obligation, such as under health and safety or social security legislation. She expresses doubt as to whether consent, or even explicit consent, as is required under Schedule 3, will suffice as a valid basis for processing such records. She then proposes that an employer who keeps and uses sickness records "in a reasonable manner" is "likely to" satisfy one of the other sensitive data conditions, but goes on to say that this question is not beyond doubt, and that the government is considering changes to the law that will place it beyond such doubt. We understand from the Commissioner's office that what is envisaged here is a statutory order that would allow the processing of sickness information in the employment context. In the meantime, the Commissioner intends to take a wide view of this matter, and will apply the "legal obligation" condition in Schedule 3 to such processing.

It is unclear why explicit consent, such as is required to meet a sensitive data condition, should not be sufficient for the purposes of processing health data. However, given the particularly intrusive nature of such information, a prudent employer may well take the view that it needs to ensure that it meets another sensitive data condition as well. Apart from the "legal obligation" condition, another condition open to such an employer is one of the additional Schedule 3 conditions set out in the Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI No.417). This applies where the processing consists of information as to physical or mental health or condition, and is necessary for identifying or keeping under review the existence or absence of equal opportunities or treatment between persons with a view to enabling such equality to be promoted or maintained; where such processing does not support measures or decisions relating to a data subject otherwise than with his or her explicit consent; and where it does not cause, nor is likely to cause, substantial damage or distress to the data subject or any other person. It should be noted that the data subject has a right to prevent such processing by notice in writing to the data controller.

Equal opportunities monitoring

Problems regarding equal opportunities monitoring in the context of the DPA frequently arise with regard to excessiveness of the information sought. The Third Principle requires that "personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed." In line with the Fourth and Fifth Principles, equal opportunities data should also be accurate and kept up to date, and should not be kept for longer than is necessary, otherwise it may become inadequate, irrelevant and excessive.

Equal opportunities monitoring lends itself well to the use of anonymised data - that is, data stripped of all personal identifiers in order to achieve better data protection. However, true anonymisation is not easy to achieve: there should be no possibility of linking back together the two data sets, namely the original data (from which the personal identifiers were stripped) and the anonymised data, so as to enable the data subject to be identified from them.

Subject access requests

In this part, the Code explains how to deal with a subject access request. This is a right triggered by a written request from the worker, and is applicable to employment records held about the individual making the request, including "sickness records, disciplinary or training records, appraisal or performance review notes, emails, word-processed documents, email logs, audit trails, information held in general personnel files and even interview notes", the Code states.

The Code makes the point that employers should not always expect that the written request will be clearly titled "subject access request". They should ensure that there are systems in place, ideally within their general management of data protection as a whole, to identify those requests for access to information which may not be as transparent, and to deal with them appropriately.

A subject access request may come in the form of a request "to have communicated to [the worker] in an intelligible form" the requisite information "supplied in permanent form by way of a copy". Unless this involves "disproportionate effort", the employer must comply with the request. The DPA does not define disproportionate effort and it will be a question of fact to be determined in each particular case. The Commissioner has given the clear indication that the circumstances will have to be exceptional indeed for an employer to be able to deny subject access, by way of a permanent copy of his or her employment records, to a worker.

The inclusion of interview notes within the definition of personal data subject to data protection, and to which a data subject is entitled to have access, need not unduly alarm employers who apply good equal opportunities and industrial relations practices to their recruitment and selection activities. The point the Commissioner makes in the notes to benchmark 5 (see below) is equally applicable here, namely that this should encourage managers and others involved in these activities "to record only what is truly relevant and useful", and to avoid, in particular, discriminatory remarks.

References

An employer does not have to comply with a subject access request in certain specified circumstances under Schedule 7 to the DPA. The giving of references is one such exemption. However, so narrowly has the Commissioner interpreted this exemption that it applies only to the employer giving the reference, and not to the employer in receipt of the reference. The usual subject access rules will apply to a reference at the point of receipt, and the Code states that all the new employer is otherwise entitled to do is to take steps to protect the identity of third parties, such as the author of the reference.

A further restriction should be noted in the notes to benchmark 1 (see below), which provide that the exemption applies to corporate references only, and not to references provided internally for workers transferring between departments. No exemption applies in this case to the department supplying the reference, and a worker will be able to gain subject access to it in the usual way.

The notes to this benchmark also make clear that the Commissioner's expectation is that employers will consider carefully whether they need to take advantage of this exemption at all at the point of giving a reference, stating that "good data protection practice is to be as open as possible with workers about information which relates to them", and that "workers should be able to challenge information that they consider to be inaccurate or misleading, particularly when, as in the case of a reference, this may have an adverse impact on them."

Guidelines

Section 3 of the Code provides further guidelines on benchmark 4, which explains what to do when a worker asks to see a reference or other information which enables a third party, such as its author, to be identified. The notes explain that to comply fully with such a request could itself lead to the violation of the third party's data protection rights. The guidelines require the employer in receipt of such a reference to balance the worker's right to know the information held about him or her against the right to privacy of the third party. The factors to be considered are:

  • Can the information be easily edited to remove the third party's identity without significant change to its value for the worker?

  • Will release of the information involve a breach of confidentiality owed by the employer to the third party?

    In this respect, the Commissioner notes: "When considering the release of references it is hard to see how releasing factual information about the worker, such as his or her sickness record or allegations which have been or ought to have been put to him or her by an employer, would breach such a duty."

  • Has the third party expressly refused consent to release of the information, and have any reasons been given?

  • At the time the information was supplied, what did the third party know of, or reasonably expect as to, the possible release of the information?

    The Commissioner warns that: "Those asked to give references should not be led to believe, and cannot expect, that their references will be kept confidential in all circumstances. They may, for example, have to be released under disclosure procedures in the event of a claim of unlawful discrimination."

  • What has been, or might be, the impact of the information on actions or decisions affecting the worker?

  • What is the nature of the information, and could its release damage or reveal sensitive data about the third party?

  • To what extent is the worker likely to be aware already of the information?

  • Does the information include facts that might be disputed by the worker if he or she was aware of them?

  • Does the information identify the third party in a business or personal capacity?

    The Commissioner's view is that the third party's right to privacy is greater if he or she is the author of a personal, rather than a corporate, reference.

  • The fact that information released in error cannot subsequently be corrected, but if withheld in error, can subsequently be corrected by later release, perhaps by order of the Commissioner or by a court.

In conclusion, the guiding principle is that the receiving employer should release a reference to a worker, even if a third party can be identified from it, unless the referee provides some compelling reason why it should be edited or not released at all. Where a breach of confidentiality is involved, the information should be released only if its nature is such that it has had, or is likely to have, a significant adverse impact on the worker.

Disclosure requests

Section 3 of the Code sets out a list of the most common sources of disclosure requests: the Inland Revenue; the Child Support Agency; the Benefits Agency; the Department for Work and Pensions; and the Financial Services Authority. This list is incomplete, the Commissioner states, and it is her intention, before final publication of the Code, to add specific details of the main legal obligations on employers to disclose information about their workers to such organisations (see benchmarks below).

Mergers and acquisitions

Mergers and acquisitions raise difficult data protection issues for the parties involved, particularly where disclosure of workforce information is required before the process can be finalised. Firstly, as the note to benchmark 3 (see below) states, for reasons of commercial confidentiality, an employer may be unwilling or unable to inform workers of the processing of their data, contrary to the spirit of openness, transparency and clarity that the Code emphasises. However, the note continues: "One business may also be under a legal obligation to disclose to another. This is likely to be the case where the Transfer of Undertakings (Protection of Employment) Regulations [1981 ("the TUPE Regulations")] come into play." It goes on to state that, where such a legal obligation exists, an employer is exempt from some of the DPA provisions and is relieved of the obligation to inform workers of disclosure where, for example, to do so would breach commercial confidentiality.

With respect, there is, at present, no legal obligation under the TUPE Regulations for a transferor, or prospective transferor, to disclose information about its workers to a transferee or prospective transferee. Such disclosure will, in practice, be regarded as necessary, and a business imperative, if the negotiations are to proceed to a satisfactory conclusion, but the law does not, as it stands now, require such disclosure.

Article 3(2) of the revised EC Business Transfers Directive (No.98/50/EC), which member states were required to transpose into domestic law by 17 July 2001, states under Section II, Safeguarding of Employees' Rights: "Member states may [our emphasis] adopt appropriate measures to ensure that the transferor notifies the transferee of all the rights and obligations which will be transferred to the transferee under this article, so far as those rights and obligations are or ought to have been known to the transferor at the time of the transfer. A failure by the transferor to notify the transferee of any such right or obligation shall not affect the transfer of that right or obligation and the rights of any employees against the transferee and/or transferor in respect of that right or obligation."

In its proposals for reform of, and public consultation on, the TUPE Regulations, the government has interpreted[2] this provision as giving it "a new option to introduce provisions requiring the transferor to notify the transferee of all the rights and obligations in relation to employees that will be transferred . . ." (our emphasis). It stated its intention to take advantage of this option by providing, in any amended TUPE Regulations, that the prospective transferor give the prospective transferee written notification of all such rights and obligations that are to be transferred, and, if there is any change to such rights and obligations between the time of the first notification and completion of the transfer, written notification of such change. Both types of notification may be given in more than one instalment, but every instalment is to be given "in good time" before the transfer is completed, or as soon as is reasonably practicable, and in any case no later than completion of the transfer. In the detailed background paper[3] on the government's proposals, possible remedies for breach of this new requirement are canvassed. The government also states that the responses it received were "overwhelmingly in favour" of the introduction of these provisions.

The position, therefore, is that any amended TUPE Regulations are likely to impose a new legal obligation to disclose workforce information at some point before the completion of a transfer of an undertaking. This will satisfy the Schedule 2 "legal obligation" condition. Until the TUPE Regulations are amended, any disclosure of rights and obligations in relation to employees is sure to involve the processing of personal data and so will be caught by the DPA and the Employment Records Code. Such processing may involve disclosing lists of names, job titles, ages and salaries of the workforce. The Schedule 2 conditions will have to be fulfilled and, in the context of a transfer of undertaking, until the TUPE Regulations are amended, the most likely to be relevant are: the consent of the individual; or that the disclosure is necessary for the purposes of the employer's legitimate interests (or for those of the third party to whom the data is disclosed, except where the disclosure is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the individual).

Consent is not likely to be easily achieved in the context of a transfer of an undertaking where the transferor may not be in a position to give reasons, or may be unwilling to be explicit as to why the disclosure is to be made. In any case, the Commissioner's view on consent, expressed in her Legal Guidance[4], is that employers should always seek to rely on other conditions in the Schedule first, before relying on consent. The "legitimate interests" condition should be sufficient in these circumstances, but it may be necessary to seek formal assurances and strict undertakings from the prospective transferee with respect to the use of the information, in order to guard against the possibility of "unwarranted" prejudice to individuals.

Disclosure of sickness, accident and health records, trade union membership and racial or ethnic origins of the workforce may be required by the prospective transferee, and this will involve the processing of sensitive personal data, meaning that a Schedule 3 condition has to be satisfied as well. Until the TUPE Regulations are amended, the only Schedule 3 condition open to the prospective transferor in this situation is the explicit consent of the employee. The Commissioner has again stated in the Legal Guidance that, in appropriate cases, this should cover the specific detail of the processing, the particular type of data, or even the specific information to be processed, the purposes of the processing and any special aspects of the processing which may affect the individual, such as the disclosure which may be made of it. An employer who is unwilling or unable to provide the employee from whom explicit consent is sought with such information may find that any consent obtained falls short of compliance with the DPA.

Retention of records

The Fifth Principle requires merely that personal data should not be kept for longer than is necessary for the purpose or purposes for which it is being processed. No specific retention periods are given, and the Code states that employers may set their own retention periods, but on the basis of business need, and taking into account any professional guidelines as well as statutory requirements to retain records, such as in relation to income tax and for health and safety purposes.

Note also that, under the National Minimum Wage Regulations 1999, records relating to the national minimum wage are required to be kept for three years (reg. 38(7)).

Moreover, where data is kept after the termination of an employment relationship, for the purposes of defending prospective tribunal and court claims, the expiry of relevant statutory time limits for making the claim or claims may be taken to inform the retention period for keeping that data.


Data Protection and Employment Practice (4): main points to note

  • The Code is a reference document, an explanatory guide to the DPA that develops and applies the Act in the context of employment practices and so helps employers to comply with the DPA.

  • The Code has no legal status, but its provisions may be cited in connection with any enforcement action by the Information Commissioner under the DPA. Disregard for relevant benchmarks, in the absence of any alternatives developed by the employer to meet its requirements under the DPA, may be taken to mean that the employer has not complied with the Act.

  • Collecting and keeping employment records about one's workers should satisfy the Data Protection Principles. Throughout its benchmarks, the Code emphasises openness and transparency towards workers about the processing their organisations undertake with respect to their personal data.

  • Sickness and accident records must be kept separately from absence records, and must satisfy a sensitive data condition. It is uncertain whether, in the absence of some legal obligation to keep such records, the consent, or even explicit consent, of the worker will suffice.

  • A worker is entitled to see an employment reference about himself or herself when it has been received by the new employer, but not when it is sent by the previous employer.

  • Further guidelines provided in respect to releasing employment references to workers indicate that, even where a third party can be identified from such a reference, it should be released to the worker in the absence of any compelling reason as to why it should be edited first or not released at all. Even if a breach of confidentiality is involved, a reference may be released if it has had, or is likely to have, significant adverse impact on the worker.

  • Mergers and acquisitions raise particularly difficult data protection issues for the prospective transferor who is required by the prospective transferee to disclose workforce information before the process can be finalised. Where the TUPE Regulations apply, there is, at present, no legal obligation to make such disclosure. The government is proposing, in its forthcoming amendment of the TUPE Regulations, to include a legal obligation to make such disclosure.

  • Disclosure of workforce information in the circumstances of mergers and acquisitions may require both Schedule 2 and Schedule 3 conditions to be fulfilled. The most relevant in this context, at present, are the "consent", "explicit consent" and the "legitimate interests" conditions.

  • In respect of retention periods for keeping employment records, the Code fixes no set periods, and employers may fix their own retention periods based on business need, professional guidelines and any statutory requirements to retain records.


    COLLECTING AND KEEPING EMPLOYMENT RECORDS - the benchmarks

    1. Ensure that newly appointed workers are aware of the nature and source of any information kept about them, how it will be used and who it will be disclosed to.

    2. Inform new workers and remind existing workers about their rights under the Act, including their right of access to the information kept about them.

    3. Ensure that there is a clear and foreseeable need for any information collected about workers and that the information collected actually meets that need.

    4. Provide each worker with a copy of information that may be subject to change, eg personal details such as home address, annually or allow workers to view this online. Ask workers to check their records for accuracy and ensure any necessary amendments are made to bring records up to date.

    5. Incorporate accuracy, consistency and validity checks in.

    Notes and examples

    1. It is not generally necessary to seek a worker's consent to keep employment records. It will usually be sufficient to ensure that the worker is aware that records are being kept and is given an explanation of the purposes they are kept for and the nature of any intended disclosures, unless these details are self-evident. However, if sensitive data are collected, then consent may be necessary.

    2. One way of doing this is to prepare a factsheet for workers telling them how information about them will be used, and of their right of access to it.

    3. For example, employers often require an emergency contact to be used should a worker be taken ill at work. If they ask for "next of kin" they will not necessarily obtain the information needed.

    4. Some employers may decide that it is not practicable to provide each worker with a copy of their personal details annually. If so, they must ensure they have an effective alternative for ensuring records are kept accurate and up to date. In some cases employers may be able to take advantage of the capabilities of automated systems. For example, workers' PCs could prompt them to check their personal details from time to time and require them to acknowledge that they have done so. Employers must be prepared to give access to records when a worker makes a subject access request but employers should not rely on this alone as a means of ensuring accuracy.

    5. For example, a computerised personnel system could have a built-in facility to automatically query the input date of birth of workers, highlighting ages above or below the normal working age. Similar "flagging" can be used to automatically alert the organisation to information that may be out of date. This could be used as part of a deletion policy. Systems which incorporate audit trails showing who has created or altered a record, and when, also assist in ensuring accuracy. They enable the employer to trace the sources of inaccurate records and to take action to prevent recurrence.

    Many businesses buy computerised personnel systems "off the shelf". The business should make sure the system facilitates data protection compliance. The legal responsibility for compliance rests clearly with users rather than suppliers of systems. Users cannot simply blame the system. The Information Commissioner does however recognise that it may take businesses some time to bring existing systems up to the desired standards. She will take this into account should the possibility of enforcement action arise as a result of a breach of the Act.
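As an added illustration of the checks described in note 5 (this is example code written for this note, not code from the Code or from any personnel system), the following Python model keeps a personnel record with built-in validity flagging and an audit trail. The working-age range, the one-year verification window, the field names and the sample workers are all constructed assumptions for the example.

```python
import copy
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed policy thresholds for the example; a real deployment would take
# these from the employer's own verification and retention policy.
MIN_WORKING_AGE = 16
MAX_WORKING_AGE = 75
STALE_AFTER_DAYS = 365   # details unverified for more than a year get flagged


@dataclass
class AuditEntry:
    """One line of a record's audit trail: who changed which field, and when."""
    when: date
    who: str
    field_name: str
    old_value: Optional[str]
    new_value: Optional[str]


@dataclass
class PersonnelRecord:
    worker_id: str
    name: str
    date_of_birth: date
    home_address: str
    last_verified: date   # when the worker last confirmed their own details
    audit_trail: List[AuditEntry] = field(default_factory=list)


def age_on(dob: date, today: date) -> int:
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def validate_record(rec: PersonnelRecord, today: date) -> List[str]:
    """Return the reasons, if any, why this record should be queried or refreshed."""
    flags = []
    if rec.date_of_birth > today:
        flags.append("date_of_birth_in_future")
    else:
        age = age_on(rec.date_of_birth, today)
        if not MIN_WORKING_AGE <= age <= MAX_WORKING_AGE:
            flags.append(f"age_outside_normal_working_range:{age}")
    if not rec.home_address.strip():
        flags.append("home_address_missing")
    if (today - rec.last_verified).days > STALE_AFTER_DAYS:
        flags.append("details_not_verified_within_a_year")
    return flags


def amend_record(rec: PersonnelRecord, who: str, field_name: str, new_value, today: date) -> None:
    """Apply a change and log it, so an inaccurate value can be traced to its source."""
    old_value = getattr(rec, field_name)
    rec.audit_trail.append(AuditEntry(today, who, field_name, str(old_value), str(new_value)))
    setattr(rec, field_name, new_value)


def confirm_details(rec: PersonnelRecord, today: date) -> None:
    """The worker has checked their own record: reset the verification clock."""
    amend_record(rec, rec.worker_id, "last_verified", today, today)


def last_changed_by(rec: PersonnelRecord, field_name: str) -> Optional[str]:
    """Who last altered a field, or None if it was never amended."""
    for entry in reversed(rec.audit_trail):
        if entry.field_name == field_name:
            return entry.who
    return None


def review_all(records, today: date) -> dict:
    """Run the checks over every record; only flagged workers appear in the result."""
    result = {}
    for rec in records:
        flags = validate_record(rec, today)
        if flags:
            result[rec.worker_id] = flags
    return result


# Constructed sample records (fictional workers); W002 has a mis-keyed year of birth.
SAMPLE_RECORDS = [
    PersonnelRecord("W001", "A. Example", date(1970, 5, 10), "1 High Street", date(2002, 3, 1)),
    PersonnelRecord("W002", "B. Example", date(2002, 1, 1), "", date(2001, 6, 1)),
]


def run_demo():
    """Review the samples, correct the bad record, then let the worker confirm it."""
    today = date(2002, 9, 1)
    records = copy.deepcopy(SAMPLE_RECORDS)
    before = review_all(records, today)
    bad = records[1]
    amend_record(bad, "hr.clerk", "date_of_birth", date(1962, 1, 1), today)
    after_fix = review_all(records, today)
    amend_record(bad, "W002", "home_address", "2 High Street", today)
    confirm_details(bad, today)
    after_confirm = review_all(records, today)
    return before, after_fix, after_confirm, last_changed_by(bad, "date_of_birth")


if __name__ == "__main__":
    for stage in run_demo():
        print(stage)
```

The flags a record picks up are returned as data rather than printed, so the same routine can feed a deletion or re-verification policy, and the audit trail answers the question note 5 raises: which user introduced the value that turned out to be wrong.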

    Source: The Employment Practices Data Protection Code Part 2: Employment Records.


    SECURITY - the benchmarks

    1. Apply security standards that take account of the risks of unauthorised access to, accidental loss or destruction of, or damage to, employment records.

    2. Institute a system of secure cabinets, access controls and passwords to ensure that staff can only gain access to employment records where they have a legitimate business need to do so.

    3. Use the audit trail capabilities of automated systems to track who accesses and amends personal data.

    4. Take steps to ensure the reliability of staff that have access to workers' records. Remember this is not just a matter of carrying out background checks - it also involves training and ensuring that workers understand their responsibilities for confidential or sensitive information. Place confidentiality clauses in their contracts of employment.

    5. Ensure that if employment records are taken off-site, eg on laptop computers, this is controlled. Make sure only the necessary information is taken and that there are security rules for staff to follow.

    6. Take account of the risks of transmitting confidential worker information by fax or email. Only transmit such information between locations if a secure network or comparable arrangements are in place. In the case of email, deploy some technical means of ensuring security, such as encryption.

    Notes and examples

    1. It is beyond the scope of this Code to set general security standards that may have no special relevance to employment records. BS 7799: 1995 (Code of Practice for Information Security Management, British Standards Institution, ISBN: 580236420) provides guidance and recommendations which, if followed, should address the main risks. Not all the controls described in BS 7799 will necessarily be relevant to all organisations but many are as applicable to small as well as to large organisations.

    2. For example, confidential worker information should not be stored on laptop computers that do not have adequate access controls, ie controls that would prevent access to the information stored on the computer should it be stolen or misplaced. Give access to such information sparingly; for example, access to confidential worker information should not normally be given to technical staff for use in testing computer hardware or software. The basic principle should be that information about workers is only available to those who need it to do their job. Access rights should be based on genuine need, not seniority.

    3. Computer systems increasingly incorporate audit trails. These can record automatically when and how records have been altered and by whom. In some cases they also record when a record has been accessed and by whom. Where systems detect unusual patterns of access to personal information, for example where one worker accesses information noticeably more frequently than other workers in a similar position, this should be investigated and, if necessary, preventative action taken.
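The "unusual pattern of access" check in note 3, as an added Python example that is not from the Code or from any real personnel product. The audit-trail line format, the sample entries, the peer-comparison rule (more than three times the median of colleagues in the same role, with a minimum count so that tiny numbers are not flagged) and the user names are all constructed assumptions for the example.

```python
import re
import statistics
from collections import Counter, defaultdict

# Assumed audit-trail format for the example (not any product's real format):
# <timestamp> user=<id> role=<role> action=<view|create|amend|delete> record=<worker record id>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def _make_lines(spec):
    """Build constructed audit lines from (user, role, action, how_many) tuples."""
    lines, minute = [], 0
    for user, role, action, how_many in spec:
        for i in range(how_many):
            minute += 1
            lines.append(
                f"2002-08-12T{9 + minute // 60:02d}:{minute % 60:02d}:00 "
                f"user={user} role={role} action={action} record=W{i:04d}"
            )
    return "\n".join(lines)


# Constructed sample: four payroll clerks and two HR staff over one morning.
# 'dave' reads far more records than the colleagues in his position.
SAMPLE_AUDIT_LOG = _make_lines([
    ("alice", "payroll", "view", 3),
    ("bob", "payroll", "view", 3),
    ("bob", "payroll", "amend", 1),
    ("carol", "payroll", "view", 3),
    ("dave", "payroll", "view", 12),
    ("erin", "hr", "view", 4),
    ("frank", "hr", "view", 5),
])


def parse_audit_log(text):
    """Turn the raw trail into dicts; refuse lines that do not match the format."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        events.append(m.groupdict())
    return events


def access_counts_by_role(events):
    """role -> Counter of accesses per user (every action counts as an access)."""
    by_role = defaultdict(Counter)
    for e in events:
        by_role[e["role"]][e["user"]] += 1
    return by_role


def find_outliers(events, factor=3.0, min_count=5):
    """Flag users whose access count exceeds `factor` times the median of peers in the same role."""
    flagged = {}
    for role, counts in access_counts_by_role(events).items():
        for user, n in counts.items():
            peers = [c for u, c in counts.items() if u != user]
            if not peers:
                continue            # nobody in a similar position to compare against
            baseline = statistics.median(peers)
            if n >= min_count and n > factor * baseline:
                flagged[user] = {"role": role, "count": n, "peer_median": baseline}
    return flagged


def amendments_by_user(events):
    """Who altered records, and how often: the 'when, how and by whom' the note mentions."""
    return Counter(e["user"] for e in events if e["action"] in ("create", "amend", "delete"))


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("outliers:", find_outliers(evts))
    print("amendments:", dict(amendments_by_user(evts)))
```

Comparing each user only against colleagues in the same role is what keeps the rule aligned with the note: a payroll clerk is expected to open many more records than a line manager, so a single organisation-wide threshold would either miss the payroll outlier or flag every clerk. A hit from this check is a prompt to investigate, not a finding in itself.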

    4. It is important to check the reliability of workers who have access to personal information. They should be made aware of the security regime that surrounds it. Where appropriate, a confidentiality clause should be incorporated into their contracts. Do not overlook workers in management positions as they may pose as great a risk as other workers, or even a greater one, as they may enjoy wider access to information than other workers.

    5. There should be a procedure for taking employment records, whether computerised or in paper files, off-site - if this is allowed at all. This should make clear who, if anyone, is allowed to take information and what information they can take. It should address security risks, eg laptops not to be left unattended in vehicles. Do not overlook senior managers who may think procedures like this do not apply to them.

    6. There are risks with the use of faxes. A confidential fax message may be received on a machine to which many people have access. It can also easily be misdirected, for example, by miskeying the fax number of the intended recipient. Do not use general company email addresses or fax numbers for the transmission of confidential information. An employer must not allow the transmission of confidential worker information by email without taking appropriate security measures. Encryption may protect email in transit but it may still be vulnerable at either end. If a confidential email is "deleted" bear in mind that a copy may nevertheless be retained on the system.

    To secure fax and email systems:

  • Ensure that copies of emails and fax messages containing sensitive information received by managers are held securely and that access to them is restricted.

  • Provide a means by which managers can permanently delete emails from their personal workstations that they receive or send, and make them responsible for doing so.

  • Check whether "deleted" information is still stored on a server. If so, ensure that this too is permanently deleted unless there is an overriding business need to retain it. In any event, restrict access to information about workers held on servers. Don't forget that those providing IT support have access to servers. They may be outside contractors.

  • Draw the attention of all workers to the risks of sending confidential or sensitive personal information by email or fax.

  • Ensure that your information systems security policy properly addresses the risk of transmitting worker information by email.

    Source: The Employment Practices Data Protection Code Part 2: Employment Records.


    SICKNESS AND ACCIDENT RECORDS - the benchmarks

    1. Keep sickness and accident records separately from absence records. Do not use sickness or accident records for a particular purpose when records of absence could be used instead.

    2. Ensure that the holding and use of sickness and accident records satisfies a sensitive data condition.

    3. Only disclose information from sickness or accident records about a worker's illness, medical condition or injury where there is a legal obligation to do so, where it is necessary for legal proceedings or where the worker has given explicit consent to the disclosure.

    4. Do not make the sickness, accident or absence records of individual workers available to other workers, other than to provide managers with information about those who work for them in so far as this is necessary for them to carry out their managerial roles.

    Notes and examples

    1. Do not access information about sickness or injury when information only about the length of absence is needed. For example, when calculating a benefit, it may only be necessary to see the length of absence rather than the nature of the sickness responsible for the absence.

    2. The Act does not prevent employers from keeping sickness and accident records about their workers. Such records are clearly necessary for an employer to review the ability of workers to undertake the work for which they are employed, and for other purposes such as the detection of health and safety hazards at work and the payment of health-related benefits to workers. Where an employer is obliged by law to process sensitive personal data, for example under health and safety or social security legislation, it is easy to satisfy a sensitive data condition. In other cases, particularly involving sickness records, it may be less clear-cut that a sensitive data condition is satisfied. Because of this, some employers have sought to rely on obtaining the worker's explicit consent for the processing. The Commissioner recognises that employers need to keep some sickness records but doubts the validity of consent as a basis for the processing of the health data involved. She takes the view that an employer keeping and using sickness records in a reasonable manner is likely to satisfy one of the other sensitive data conditions. While the Data Protection Act, as it currently stands, does not place this question beyond doubt, she understands the government is considering changes to the law that will do so.

    3. This benchmark does not apply to the disclosure of number of days of absence such as might be involved, for example, in giving a reference.

    4. For example, "league tables" of sickness absences of individual workers should not be published because the intrusion of privacy in doing so would be disproportionate to any managerial benefit. It is permissible for a manager to access the record of an individual's sickness in order to investigate repeated or long-term absence. It is also permissible to publish totals of sickness absence by department or section provided that individual workers are not identifiable.

    Source: The Employment Practices Data Protection Code Part 2: Employment Records.


    EQUAL OPPORTUNITIES MONITORING - the benchmarks

    1. Information about a worker's ethnic origin, disability or religion is sensitive personal data. Ensure that equal opportunities monitoring of these characteristics satisfies a sensitive data condition.

    2. Only use information that identifies individual workers where this is necessary to carry out meaningful equal opportunities monitoring. Where practicable, keep the information collected in an anonymised form.

    3. Ensure questions are designed so that the personal information collected through them is accurate and not excessive.

    Notes and examples

    1. The sensitive data conditions should mean that most equal opportunities monitoring can take place without the need to obtain a worker's consent.

    2. Effective equal opportunities monitoring may mean employers have to keep records about workers' backgrounds and their work history in a form that identifies them. For example, if your organisation wants to track how many people with disabilities are being promoted and to what grades, it is difficult to see how this can be done without keeping records in a form that identifies them. Where tracking of individuals is involved it will not always be possible to use only anonymised information. However, where the employer only wants to monitor the proportion of external candidates with particular characteristics that apply for jobs, this alone will not justify the keeping of information about unsuccessful candidates in a form that identifies them. Although the removal of identifying details, eg name, may assist the protection of privacy, records will not be truly anonymous if they can still be linked back to individual workers, for example by putting serial numbers on "anonymous" questionnaires but keeping a list of which worker was given a particular questionnaire. Do not give workers the impression that information about them is anonymised unless this is truly the case.

    3. Employers should take account of the advice of relevant bodies before designing, distributing, collating and evaluating an equal opportunities monitoring initiative and incorporating it into procedures. Public sector employers will also need to take into account the requirements of the Race Relations Act 1976 (Statutory Duties) Order 2001 and the Race Relations (Amendment) Act 2000. Advice about the forms, procedures and ethnic grouping categories to be used in equal opportunities monitoring are available from bodies such as the Commission for Racial Equality, the Equal Opportunities Commission and the Disability Rights Commission.

    4. For example, do not limit the range of choices of ethnic origin to such an extent that individuals are forced to make a choice that does not properly describe their ethnic origin. Employers should carefully consider precisely what they are trying to monitor and should not collect unnecessarily detailed information about workers' nationality or linguistic group. Again, they should seek advice from bodies such as the Commission for Racial Equality about this. If monitoring involves the employer assigning workers to categories, perhaps in the case of those who decline to assign themselves, the record must make clear, whenever information is extracted, that the categorisation is merely the employer's assumption and is not a matter of fact.

    Source: The Employment Practices Data Protection Code Part 2: Employment Records.


    WORKERS' ACCESS TO INFORMATION ABOUT THEMSELVES - the benchmarks

    1. Establish a system that enables your organisation to recognise a subject access request and to locate all the information about a worker in order to be able to respond promptly, and in any case within 40 calendar days, of receiving a subject access request.

    2. Check the identity of anyone making a subject access request to ensure information is only given to the person entitled to it.

    3. Provide the worker with a hard copy of the information kept, making clear any codes used and the sources of the information.

    4. Make a judgment as to what information it is reasonable to withhold concerning the identities of third parties using the guidelines given later in this Code.

    5. Inform managers and other relevant people in the organisation of the nature of information relating to them that will be released to individuals who make subject access requests.

    6. Ensure that on request, promptly and in any event within 40 calendar days, workers are provided with a statement of how any automated decision-making process, to which they are subject, is used, and how it works.

    7. When purchasing a computerised system ensure that the system enables you to retrieve all the information relating to an individual worker without difficulty. Ensure that the supplier of a system that you will use to take automated decisions about workers provides the information needed to enable you to respond fully to requests for information about how the system works.

    Notes and examples

    1. This is linked closely to the benchmarks in the section on Managing Data Protection. A subject access request need not mention the Data Protection Act. When a worker makes a written request to an employer for access to information about him or her, this should be recognised as a subject access request and handled accordingly. Unless the employer knows what personal data are held about workers and who is responsible for the data, it will be difficult to fully respond to subject access requests. It may be necessary to carry out some form of audit to find out what information about workers is held. There should then be a system for ensuring that all relevant information is located and provided in the event of a request being made. An employer can, however, ask a worker making an access request for information to help it locate the information about the worker, for example by asking "when were you employed by us and in which department?"

    2. In smaller organisations where workers make access requests in person, identity checks may not be necessary, but in large organisations it should not simply be assumed that all requests are genuine. Making a false subject access request is one method that can be used by those trying to get access to information about workers to which they are not entitled. See Disclosure Requests, Benchmark 5, for more information about this.

    3. The employer must provide a copy of the subject access information in a permanent form, unless providing it in that form would involve disproportionate effort. Even if disproportionate effort would be involved in providing a copy, the employer must still give access to the record, perhaps by allowing the worker to inspect it. The Act does not define "disproportionate effort". Matters to be taken into account include the cost, the length of time it would take, the difficulty of providing the information, and also the size of the organisation to which the request has been made. These factors have to be balanced against the impact on the data subject of not providing a copy. Given the significance of employment records, an employer should only rely on the disproportionate effort exemption from providing a copy in exceptional circumstances.

    One area that can cause employers difficulties is access to email. Workers are entitled, under subject access, to copies of emails about them. Employers are not, however, required to search through all email records merely on the off-chance that somewhere there might be a message that relates to the worker who has made the request. For information to fall within the Data Protection Act's subject access provisions, the worker must be the subject of the information. This means, for example, that an email about a worker must be provided. However, an email that merely mentions a worker, perhaps because his or her name appears on the email's address list, need not be provided. Employers should check wherever there is some likelihood that messages might exist, for example in the mailbox of the worker's manager. In doing so they should take into account any details the worker has provided to assist them in locating the information about him or her.

    It is sometimes asked whether an employer will be a data controller for personal email messages held on its system. If it is not a data controller for such messages it does not have to provide access to them. Employers will, however, usually be data controllers for all email messages held on their systems. This is because they will keep at least some control over how and why messages are processed, for example by restricting the purposes for which workers can send personal emails or by retaining or monitoring personal emails to ensure the security of their systems.

    Employers are free to agree alternatives to formal subject access with workers, but no pressure should be put on workers not to make or to withdraw subject access requests. For example, a worker might agree to withdraw a formal request if the employer provides particular information, about which the worker is concerned, free of charge. However if the worker proceeds with a formal request the employer must provide a full response.

    4. Information released to a worker could include information that identifies another person, for example a fellow worker. This other person is referred to as a "third party". Responding fully to a subject access request could lead to the third party's rights under the Act being violated. One example is when a complaint is received about a worker and releasing information on the complaint, in its entirety, would identify the complainant to the worker. In many cases, simply removing the third party's name from the information before it is released to the worker will solve the problem. However, this will not always be the case. Sometimes the worker might be able to work out the third party's identity from the information itself, for example "only X could possibly have written that about me". The employer has to strike a balance between the right of the worker to access and the right of the third party to privacy. Before releasing information to the worker the organisation should follow a clear decision-making process to ensure it gets the balance right.

    5. Managers and others need to be aware of the extent and nature of the information that an individual could gain access to. This should encourage them to record only what is truly relevant and useful.

    6. Such automated systems are most common in recruitment exercises. An example of a decision that is covered is where an individual is shortlisted purely on the basis of answers provided through a touch-tone telephone in response to psychometric questions posed by a computer. Workers have a right, under the Act, to know the logic behind any such automated decision. Either a separate request can be made, for which a fee of £10 can be charged, or, if specifically stated, the request can be included in a general subject access request. Specific benchmarks relating to automated tests can be found in Section 5, Shortlisting, in the Recruitment and Selection part of this Code.

    7. Responsibility for responding fully to a subject access request rests with the employer rather than the systems supplier. An employer cannot blame the shortcomings of the system it uses, or a lack of information provided by the systems supplier, as a defence for its failure to respond properly to a subject access request.

    Source: The Employment Practices Data Protection Code Part 2: Employment Records.


    REFERENCES - the benchmarks

    References given:

    1. Set out a clear company policy stating who can give corporate references, in what circumstances, and the policy that applies to the granting of access to them. Make anyone who is likely to become a referee aware of this policy.

    2. Do not provide confidential references about a worker unless you are sure that this is the worker's wish.

    3. Establish at the time a worker's employment ends, whether or not the worker wishes references to be provided to future employers or to others.

    References received:

    4. When responding to a request from a worker to see his or her own reference, and the reference enables a third party to be identified, make a judgment as to what information it is reasonable to withhold, using the guidelines given later in this Code (see text).

    Notes and examples

    1. It is in the employer's interest to make clear to staff the limits it places on their authority to give corporate references. Good indicators of whether a reference has been given in a corporate capacity are whether it is written on corporate headed notepaper and whether the referee provides his or her job title. If there is no company policy on the giving of corporate/personal references, the assumption should be that, in the absence of evidence to the contrary, references given from the workplace are given on behalf of the organisation.

    Where confidential corporate references are given by the employer, an exemption in the Act allows the employer to deny workers access to these. Employers should decide and make clear to those providing corporate references whether they take advantage of this exemption or whether they adopt a policy of openness. In deciding the approach to take, bear in mind that good data protection practice is to be as open as possible with workers about information which relates to them. Workers should be able to challenge information that they consider to be inaccurate or misleading, particularly when, as in the case of a reference, this may have an adverse impact on them.

    It should be noted that, in any case, this exemption only applies to corporate references given by the employer. It does not cover references provided by one part of the employer's business to another, as might be the case when a worker seeks a transfer between departments. Access to such internal references should be treated in the same way as access to other information the employer keeps about the worker.

    2. The provision of references on workers is common practice but they do contain personal information, often of a private nature. Employers should therefore be sure that the worker is content for a reference to be provided. Requests that are clearly from reputable businesses, and request that the reference is returned to a recognised address, can generally be taken at face value, but if there are any doubts the employer should check with the worker. It is a criminal offence under the Data Protection Act to use deception to obtain personal data, such as might be included in a reference, where the data controller would not have agreed to the disclosure involved.

    3. This should, where it is practicable, help to clarify the expectations of workers who leave. If a worker wants references to be provided in future the employer should still make sure that those requesting references are genuine and are not attempting to obtain information about the worker by deception.

    4. The information released to a worker could include information that identifies another person, for example the author of the reference. This other person is referred to as a "third party". Responding fully to an access request could lead to the third party's rights under the Act being violated.

    Source: The Employment Practices Data Protection Code Part 2: Employment Records.


    DISCLOSURE REQUESTS - the benchmarks

    1. Establish a disclosure policy to tell staff who are likely to receive requests for information about workers how to respond, and to where they should refer requests that fall outside the policy rules.

    2. Ensure that disclosure decisions that are not covered by clear policy rules are only taken by staff who are familiar with the Act and this Code, and who are able to give the decision proper consideration.

    3. Unless you are under a legal obligation to do so, only disclose information about a worker where you conclude that in all the circumstances it is fair to do so. Bear in mind that the duty of fairness is owed primarily to the worker. Where possible take account of the worker's views. Only disclose confidential information if the worker has clearly agreed.

    4. Where a disclosure is requested in an emergency, make a careful decision as to whether to disclose, taking into account the nature of the information being requested and the likely impact on the worker of not providing it.

    5. Make staff aware that those seeking information sometimes use deception to gain access to it. Ensure that they check the legitimacy of any request and the identity and authority of the person making it.

    6. Ensure that if you intend to disclose sensitive personal data, a sensitive data condition is satisfied.

    7. Where the disclosure would involve a transfer of information about a worker to a country outside the European Economic Area, ensure that there is a proper basis for making the transfer.

    8. Inform the worker before, or as soon as is practicable after a request has been received, that a non-regular disclosure is to be made, unless prevented by law from doing so, or unless this would constitute a "tip-off" prejudicing a criminal or tax investigation.

    9. Keep a record of non-regular disclosures. Regularly check and review this record to ensure that the requirements of the Act are being satisfied.

    Notes and examples

    1. Junior or inexperienced staff should not be left to make difficult decisions about disclosure without guidance. A policy should be established. This does not need to be lengthy or complex but should set out some basic rules for staff who are likely to receive requests.

    2. Ensure that unusual requests not covered by the disclosure policy are forwarded to those who have a proper grasp of the legal issues involved.

    3. In some cases you will be under a legal obligation to disclose. Where this is the case you have no choice but to do so. The Data Protection Act does not stand in your way provided you only disclose no more than you are obliged to.

    In some cases you will not be under a legal obligation to disclose but you will be able to rely on an exemption in the Data Protection Act if you choose to do so. This is most likely to arise in the case of criminal or tax investigations or where it is necessary for you to disclose to obtain legal advice or in the course of legal proceedings, such as an employment tribunal. In such cases, provided sensitive data are not involved, it is clear that the Act will not stand in the way of disclosure. You should still take a balanced decision whether to disclose, taking into account the interests of the worker. If the information requested is confidential, for example information about sickness or earnings, only disclose if you have obtained the worker's consent or you are satisfied that the public interest served by disclosure is sufficiently strong to justify the breach of confidence.

    In other cases you risk a breach of the Act if you disclose. Where it is reasonable to do so, inform the worker about the request for disclosure and take account of any objection. If confidential information is involved you should not disclose if there is an objection. If the information is not confidential, for example dates of employment or position employed in, only disclose if, in all the circumstances, you are satisfied that it is fair to do so. This can be a difficult decision, but you should remember that you must mainly consider what is fair to the worker. If it is not reasonable or not possible to contact the worker and they have not indicated their consent to disclosure in any way, you should not disclose confidential information unless it is clearly in the worker's interest that you do so. With non-confidential information, only disclose if, in all the circumstances, including in particular what the worker's view would be likely to be, you are satisfied that it is fair to do so.

    4. Even in emergencies care should be taken to protect the interests of workers whose information might be disclosed. How urgent is the situation? Is it a matter of life and death? In many cases there is, for example, no reason why requests cannot be submitted in writing given the wide availability of fax and email facilities.

    5. Always establish the identity and authority of the person making a request for disclosure before providing any information about workers. Those seeking disclosure, particularly on the telephone, are often persuasive. Approaches to an employer are a favourite route for those trying to get access to information to which they are not entitled, e.g. debt collectors, private investigators, recruitment agencies or journalists. Employers should be aware that people requesting information might use deceit, for example by pretending to be from the Inland Revenue, and should guard against this. They should also be aware that sometimes officials, perhaps from a government department, may not fully understand their own powers to demand information. They may mistakenly tell an employer it is required by law to disclose information about workers when this is not the case. Where practicable, obtain the request in writing. Take particular care with telephone requests, for example by calling back to a known number. In particular:

  • establish the authority, if any, of the person making a request. If this is not clear, seek further information from the person concerned;

  • inform the Commissioner where requests based on deception are detected and there appears to be a reasonable prospect of obtaining evidence as to who is behind the deception;

  • where those requesting information maintain that the employer is under a legal obligation to respond, ensure that the request is received in writing and spells out the basis on which the legal obligation is asserted. Check that any assertion they make is valid and that the law is not being misrepresented.

    6. The processing of sensitive data involved in a disclosure must satisfy a sensitive data condition.

    7. The Act imposes restrictions on the transfer of personal data to countries outside the EEA. Countries in the EEA are the member states of the European Union together with Iceland, Norway and Liechtenstein. The Information Commissioner provides separate detailed guidance on international transfers. The European Commission provides both a model contract that can be used to legitimise a transfer outside the EEA and a list of countries outside the EEA that are deemed to provide adequate protection by virtue of their data protection law. The European Commission has also entered into a special arrangement with the USA known as "the safe harbor".

    8. A non-regular disclosure would be one where a one-off enquiry is received about an individual worker, perhaps from the Inland Revenue or a local authority housing benefits department. It would not include, for example, information on tax deductions supplied regularly to the Inland Revenue on all workers or the regular passing of information to a trade union on subscriptions deducted from pay for its members.

    Where there is a non-regular disclosure, even one required by law, and the information that is to be or has been disclosed might be challenged by the worker, make a copy available to the worker and give the worker an opportunity to check its accuracy. Even if the accuracy of the information is not in doubt, it may well be helpful to the worker to know that a disclosure of information about him or her has been made, for example to the Child Support Agency. There will, however, be cases, for example an enquiry from the Inland Revenue seeking confirmation of tax deducted, where the employer might reasonably conclude that to specifically inform the worker would involve disproportionate effort.

    9. Where non-regular disclosures are made, a record should be kept so that those making the disclosures are accountable for their actions and so that any security breaches can be traced and remedied. The record should include details of the person who made the disclosure, the person who authorised it, the person requesting the disclosure, the reasons for the disclosure, the information disclosed and the date and time. This record can be incorporated into an automated system or be held manually.

    Source: The Employment Practices Data Protection Code Part 2: Employment Records.


    MERGERS AND ACQUISITIONS - the benchmarks

    1. Ensure, wherever practicable, that information handed over to another organisation in connection with a prospective acquisition or merger is anonymised.

    2. Only hand over personal information prior to the final merger or acquisition decision after securing assurances that it will be used solely for the evaluation of assets and liabilities, it will be treated in confidence and will not be disclosed to other parties, and it will be destroyed or returned after use.

    3. Advise workers wherever practicable if their employment records are to be disclosed to another organisation before an acquisition or merger takes place. If the acquisition or merger proceeds, make sure workers are aware of the extent to which their records are to be transferred to the new employer.

    4. Ensure that if you intend to disclose sensitive personal data, a sensitive personal data condition is satisfied.

    5. Where a merger or acquisition involves a transfer of information about a worker to a country outside the European Economic Area (EEA), ensure that there is a proper basis for making the transfer.

    6. New employers should ensure that the records they hold as a result of a merger or acquisition do not include excessive information, and are accurate and relevant.

    Notes and examples

    1. Wherever practicable, information from which individual workers cannot be identified should be used, so details such as names and individual job titles should be omitted. This might be possible where, for example, a company merely wants to know how many workers of a particular type are employed and their average rates of pay. In other cases a company might require detailed information about particular workers in order to appraise a company's human resources assets properly. This might be the case where the expertise or reputation of individual workers has a significant bearing on the value of the company. Similarly, where a company has a significant liability, perhaps as the result of a worker's outstanding legal claim, it may have to disclose information identifying the worker with details of the company's liability.

    In some cases, even the removal of names from the information will not prevent identification, for example where without a name it is still obvious that the information relates to a particular senior manager. Removal of names may nevertheless help protect privacy, even if identification is still possible.

    Remember that handing over sickness records will entail the processing of sensitive personal data (see 4 below).

    2. It is important to gain formal assurances about how the information will be used. Information should be returned or destroyed, by the shredding of paper or the expunging of electronic files, should the merger or acquisition not go ahead. The provision of information is sometimes achieved by the use of a "data room" in which information about the business is made available to prospective purchasers. Strict conditions must be accepted by those granted access to the "data room".

    3. Businesses may not always expect to be involved in mergers or acquisitions and may not therefore have told their workers, at the time they were recruited, what would happen to their personal information in such an event. Reasons of commercial confidentiality and legal duties relating to matters such as "insider trading" may make it difficult to be explicit at the time the merger or acquisition is being considered. In some circumstances the corporate finance exemption in the Act may be relevant and may relieve companies of the obligation to inform workers of the disclosure of their information. This could occur, for example, where providing an explanation to workers could affect the price of a company's shares or other financial instruments.

    One business may also be under a legal obligation to disclose to another. This is likely to be the case where the Transfer of Undertakings (Protection of Employment) Regulations (TUPE) come into play. Where there is a legal obligation to disclose, there is an exemption from some of the provisions of the Act. The employer is relieved of the obligation to inform workers of the disclosure if this would be inconsistent with the disclosure, perhaps because it would breach commercial confidentiality.

    4. The processing of sensitive personal data involved in a disclosure related to an acquisition or merger must satisfy a sensitive data condition. This will not be an obstacle where there is a legal obligation on one business to disclose to another, but may well prevent the disclosure of sensitive personal data in the run-up to a merger or acquisition where there is no such obligation and the worker has not been asked for and given explicit consent.

    5. The Act imposes restrictions on the transfer of personal data to countries outside the EEA. Countries in the EEA are the member states of the European Union together with Iceland, Norway and Liechtenstein. The Information Commissioner provides separate detailed guidance on international transfers. The European Commission provides both a model contract that can be used to legitimise a transfer outside the EEA and a list of countries outside the EEA that are deemed to provide adequate protection by virtue of their data protection law. The European Commission has also entered into a special arrangement with the USA known as "the safe harbor".

    6. It is the new employer who now has a responsibility for the type and extent of personal data retained and who will have liability for them under the Act. The new employer must not assume that the personal data it receives from the original employer are accurate or relevant and not excessive in relation to its purposes. Within a few months of the merger or takeover it should review the records it has acquired, for example by checking the accuracy of a sample of records with the workers concerned, and should make any necessary amendments.

    Source: The Employment Practices Data Protection Code Part 2: Employment Records.


    DISCIPLINE, GRIEVANCE AND DISMISSAL - the benchmarks

    1. Remember that the Data Protection Act applies to personal data processed in relation to discipline, grievance and dismissal proceedings.

    2. Do not access or use information you keep about workers merely because it might have some relevance to a disciplinary or grievance investigation if access or use would be either:

  • incompatible with the purpose(s) you obtained the information for; or

  • disproportionate to the seriousness of the matter under investigation.

    3. Ensure that there are clear procedures on how "spent" disciplinary warnings are handled.

    4. Ensure that, when employment is terminated, the reason for this is accurately recorded, and that the record reflects properly what the worker has been told about the termination.

    Notes and examples

    1. The Act applies to personal data including those held in connection with disciplinary or grievance investigations and proceedings. This means that:

  • subject access rights apply, even when responding to a request might impact on a disciplinary investigation or on forthcoming proceedings. Access rights also apply to opinions expressed about workers and to information indicating the employer's intentions in respect of them. Access need not be provided if doing so would prejudice the investigation of criminal matters;

  • personal data to be used as evidence to support disciplinary proceedings must not be obtained by deception or by misleading those from whom they are obtained as to why they are required or how they will be used;

  • records used in the course of disciplinary and grievance proceedings must be accurate and sufficiently detailed to support any conclusions that are drawn from them;

  • records relating to disciplinary and grievance investigations, proceedings and action must be kept secure. Be particularly careful that such records are only made available to those staff whose duties require that they should have access to them. Where information is to be provided to a worker's representative or legal advisor, check that this person has been authorised by the worker to act on his or her behalf;

  • records of allegations about workers that have been investigated and found to be without substance should not normally be retained once an investigation has been completed. There are some exceptions to this where, for its own protection, the employer has to keep a limited record that an allegation was received and investigated, for example where the allegation relates to abuse and the worker is employed to work with children or other vulnerable individuals. There may also be a case for keeping records of unsubstantiated allegations of bullying or abuse of workers by a colleague, provided that it is made clear in the record what is an unsubstantiated allegation and what has been established as fact.

    2. Information about workers must not be used in a way that is incompatible with the purpose(s) for which the information was obtained. For example, a worker in a business that issues credit cards might also be a holder of one of the business's cards. The business should not access information it obtains about the worker because he or she is a card-holder, for use in connection with disciplinary or grievance investigations arising from his or her employment. Similarly, an employer might store email messages for a limited period to ensure the security of its communications system. It must not access stored, personal messages sent by or to workers for incompatible purposes such as checking whether workers have been making adverse comments about their managers.

    A purpose will not be incompatible if workers have been told in advance that information obtained from them will be used for that purpose. Where the use of information about workers in disciplinary or grievance investigations is not incompatible, it must still be fair. Personal information about workers should not be accessed if the intrusion into workers' privacy would be out of proportion to the seriousness of the matter under investigation.

    For example, an employer storing email messages might suspect that within a group of workers there is someone who has been spending too long conducting personal business in the employer's time. Accessing the content of all messages, including private and personal ones, sent by all members of the group, is unlikely to be justified simply on the basis of tracking down the culprit, even if workers have been told their messages might be accessed in the course of disciplinary investigations. This is because the nature of the offence would not justify the degree and extent of the intrusion, particularly given the availability of other less intrusive means of enforcing any rules the employer might have. On the other hand, accessing the personal emails of one particular worker where there is evidence that the worker has been using email messages to racially or sexually harass another worker might well be justified.

    3. Disciplinary procedures generally provide for warnings to "expire" after a set period of time. Ensure the procedure clarifies what is meant by "expire". For example, is the warning removed from the record or is it simply disregarded in determining a future disciplinary penalty? Put in place arrangements, such as a diary system, to ensure that the procedure is put into practice and that where the procedure provides for warnings to be removed or deleted, that this is actually done.

    4. A breach of the Act's requirement of accuracy could arise, for example, where a worker has been allowed to resign but, because he or she has been left with little choice, the employer has recorded "dismissed". Particular care should be taken in distinguishing resignation from dismissal.

    Source: The Employment Practices Data Protection Code Part 2: Employment Records.


    RETENTION OF RECORDS - the benchmarks

    1. Establish and adhere to standard retention times for categories of information held on the records of workers and former workers. Base the retention times on business need taking into account relevant professional guidelines.

    2. Anonymise any data about workers and former workers where practicable.

    3. If the holding of any information on criminal convictions of workers is justified, ensure that the information is deleted once the conviction is "spent" under the Rehabilitation of Offenders Act.

    4. Ensure that records which are to be disposed of are securely and effectively destroyed.

    Notes and examples

    1. In setting retention times employers must ensure that personal information is not kept for longer than is necessary, but equally that it is not deleted where there is a real business need to retain it. Retention times may therefore vary from one employer to another depending on the use the employer makes of particular types of information. For example, the period for which records need to be retained for health and safety purposes is likely to be different for those working with hazardous substances from that for those working in an office environment.

    2. Base standard retention times on a clearly established business need for retention. Take into account any relevant professional guidelines and observe any statutory requirement to retain records. In particular:

  • bear in mind that information should not be retained simply on the basis that it might come in useful one day without any clear view of when or why;

  • establish how often particular categories of information are actually accessed after, say, two, three, four or five years;

  • adopt a "risk analysis" approach to retention by considering what realistically would be the consequences for your business, for workers and former workers and for others, should information that is accessed only very occasionally be no longer available;

  • base any decision to retain a record on the principle of proportionality. This means, for example, that records about a very large number of workers should not be retained for a lengthy period on the off-chance that one of them might at some point question some aspect of his or her employment;

  • treat items of information individually or in logical groupings. Do not decide to retain all the information in a record simply because there is a need to retain some of it.

    3. Ensure that records are not kept beyond the standard retention time unless there is a business justification for doing so. With a computerised system this might be facilitated by the automated deletion or automatic flagging of information that is due for deletion. With paper files this is likely to involve the occasional "weeding" of expired information, perhaps annually for current workers. As far as possible, structure systems to facilitate the retention policy, for example, by making sure that items of information with significantly different retention periods are not recorded on the same piece of paper.

    4. If records are maintained for management analysis, for example, to check the average period for which various grades of staff remain employed with a company, delete the information which enables particular individuals to be identified.

    5. For example, an employer might have a valid business reason for keeping information about the driving convictions of those who are employed to drive the employer's vehicles. However, it is difficult to see any justification for retaining this information once the convictions become "spent" under the provisions of the Rehabilitation of Offenders Act 1974. In exceptional circumstances which involve jobs covered by the Exceptions Order to this Act there might be a business need that justifies the continued retention of "spent" convictions. An example might be the retention of information about a relevant criminal conviction of a worker who was employed to work with children and was dismissed because of the conviction. This would be held to ensure that the worker is not re-employed in a similar role.

    6. Take particular care to ensure that when computer records are deleted they are actually removed from the system. Copies of such records that might have been retained within the system, perhaps on a separate server, or as paper printouts, should be identified and also removed. Establish secure arrangements for the disposal of paper records containing sensitive or confidential information about workers, for example by having them shredded on-site or by a reputable contractor. Do not sell on computer equipment unless you are certain that any employment records have been completely removed. Simple "deletion" will not necessarily achieve this.

    Source: The Employment Practices Data Protection Code Part 2: Employment Records.


    Data protection and employment practice guidance notes

    (1) Data protection and employment practice (1) A fresh look at the Data Protection Act 1998 in the light of the Information Commissioner's Legal Guidance and various statutory instruments made under the Act. This part considers the key definitions that dictate the scope of the Act and the nature of its requirements and the Data Protection Principles.

    (2) Data protection and employment practice (2) This part covers the rights of data subjects under the Act; the exceptions, exemptions and defences available to data controllers; and the Information Commissioner's powers and duties.

    (3) Data protection and employment practice (3) Introducing the Employment Practices Data Protection Code of Practice, in this feature we examine Part 1: Recruitment and Selection, issued in March 2002, covering the benchmarks, with notes and examples, that help employers comply with their data protection obligations when carrying out their recruitment and selection activities.

    REFERENCES

    1. Available from the Information Commissioner's office or from the website www.informationcommissioner.gov.uk.

    2. Public consultation document: Transfer of Undertakings (Protection of Employment) Regulations 1981; government proposals for reform. This can be found at www.dti.gov.uk/er/tupe/consult.htm.

    3. The detailed background paper can be found at www.dti.gov.uk/er/tupe/longconsult.pdf.

    4. The Data Protection Act 1998: Legal Guidance, available from the Information Commissioner's Office or from the website www.informationcommissioner.gov.uk.