Code of conduct for private data

The long-awaited first part of the Information Commissioner’s Data Protection Code has now been issued, dealing specifically with recruitment and selection. It is intended to help employers comply with the requirements of the Data Protection Act and covers areas such as obtaining information about workers, the retention of their records, access to their records and their disclosure.

The act and the code deal with the handling of personal and sensitive data regarding workers - including job applicants (regardless of whether or not they are successful), employees, agency workers, casual workers and both current and former contractual workers.

Personal data likely to be covered by the act include details of a worker’s salary and bank account, an e-mail about an incident involving a named worker, or a set of completed application forms. In practice, nearly all useable information held about individual workers will be covered by the code.

Sensitive data cover information concerning an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life or the commission of or conviction for any offence.

In particular, the code sets out eight specific sets of recommendations on how the requirements of the Data Protection Act can be met in the areas of recruitment and selection, including the management of data protection, advertising, applications, pre-employment vetting and the retention of recruitment records.

There is also a checklist for each of these sections to assist employers in complying with the act, although completing the checklist is not a requirement of the act or the code.

The code re-affirms the position that individual employees have a right to make a ‘Subject Access Request’, which is the right to see information from any organisation they believe is processing their personal data.

A Subject Access Request must be in writing and an organisation is permitted to charge up to £10 for access. Upon receipt of this fee, the organisation must provide the applicant with the requested information within 40 days. Of course, employers must take care not to identify third parties in any of the released information. This could therefore involve blanking out the names of any third party referred to.

There are some exemptions that allow organisations to withhold information. These exemptions can apply in areas such as criminal investigation, management planning such as promotion and transfer plans, and negotiations. The exemptions, though, are limited in their application even within these areas.

Applications submitted online are also covered by the code. It provides that a secure method of transmission should be used in online recruitment. This would mean using encryption-based software, such as Hypertext Transfer Protocol over Secure Sockets Layer, which is common in e-commerce sites.

The code suggests that, having received electronic applications, the employer should ensure these are saved to a limited access drive or directory, that is, only those involved in the recruitment process should be permitted access to the data.

The aim of the code is to strike a balance between a worker’s legitimate right to respect for his or her private life and an employer’s legitimate need to run its business.

Applying the recommendations in the code should help increase trust in the workplace, encourage good housekeeping, protect employers from legal action and prevent the illicit use of information.

The second part of the code dealing with employment records is expected to be published later this month.

Alan Masson is an employment law partner at MacRoberts, Solicitors.