The Information Commissioner has recently issued the first part of a four-part code which will set out what employers must do to comply with the Data Protection Act 1998 (the "Act") and to establish good practice for handling data in the workplace. The Code sets out the Information Commissioner's recommendations as to how the legal requirements of the Act can be met and is written primarily for businesses where the employment of staff constitutes a significant activity. Failure to comply with the Code is likely to mean that an organisation is in breach of the Act, which could lead to enforcement proceedings by the Information Commissioner and claims by individuals for compensation. In some cases breach of the Act is a criminal offence.
The first part of the Code is on recruitment and selection and is available on the Information Commissioner's website at www.dataprotection.gov.uk. This will be followed by codes on employment records, monitoring at work and medical testing over the coming months.
The Code is concerned with data that employers might collect and keep about current, past and prospective workers. In the context of recruitment and selection, this may include a prospective employee's CV, details of any disabilities to ensure special needs are catered for at interview or selection testing, racial origin to ensure the recruitment process does not discriminate against particular racial groups or any relevant criminal convictions to assess suitability for certain types of employment.
The Code provides a set of benchmarks which are designed to help business to achieve compliance with the Act. These benchmarks are dealt with in detail and are illustrated by further notes and examples.
The first section of the Code looks generally at how a business can manage data protection compliance, before looking at selection and recruitment in further detail. We have included an example of some of the benchmarks in this part of the Code below:
Ensure that an applicant responding to a job advert knows in advance to whom they are sending information. This means unnamed P.O. boxes and answerphone numbers should not be used.
Only seek personal data relevant to the application - so, for example, only ask for bank account details from the successful applicant. Explain in advance any checks that might be undertaken to verify the information provided in the application form, including the nature of any additional sources from which information may be gathered.
Give the applicant an opportunity to make representations should any of the verification checks produce discrepancies.
Inform applicants if an automated short-listing system will be used as the sole basis for making a decision and allow for appeals. Ensure that tests based on the interpretation of scientific evidence, such as psychological tests and handwriting analysis, are only used and interpreted by those who have received appropriate training.
Ensure that personal data retained following interview can be justified as relevant to, and necessary for, the recruitment process itself, or for defending the process against challenge. Remember, the applicant has a right to see these records.
"Vetting" should only be used where there are particular and significant risks to the employer, clients, customers or others, and where there is no less intrusive and reasonably practicable alternative.
Establish and adhere to retention periods for recruitment records that are based on clear business need; ensure that personal data obtained during the recruitment period are securely stored or are destroyed.
The Code also includes further information about (i) processing sensitive personal data (such as health, ethnic origin and trade union membership data) and how the conditions set out by the Act for such processing can be met and (ii) the Criminal Records Bureau which is intended to put the disclosure of information about an individual's criminal history in England and Wales on a statutory footing and to put proper safeguards in place concerning the handling of this information.
Finally, the Code includes a section of frequently asked questions and a checklist section which is intended to assist organisations in implementing the Code.
Employers are not obliged by the Data Protection Act to comply with the Code. However, disregard of the Code is likely to indicate a breach of the Act, which could lead to enforcement action, claims for damages, or prosecution for a criminal offence.
Organisations will need to review their employment practices against the Code. The checklists at the end of the Code will assist here. Organisations are also likely to need to put in place new policies and procedures. Bird & Bird's compliance pack may assist here and this is available by contacting Fiona Sneddon.