The Information Commissioner's Employment Practices Data Protection Code deals with the impact of data protection laws on the employment relationship. It is intended to help employers comply with the Data Protection Act 1998.
The code says there must be a balance between the expectation of workers that their personal information will be handled properly and the interests of employers in deciding how best, within the law, to run their businesses.
It does not impose new legal obligations and employers are not obliged to follow it, but a failure to comply with the code may well be cited by the Information Commissioner in connection with any enforcement action imposed on an employer under the Data Protection Act. The code is split into four sections. The first is called 'Recruitment and Selection' and deals with job applications and vetting. 'Employment Records' is about collecting, storing, disclosing and deleting records. 'Monitoring at Work' looks at monitoring workers' use of telephones, the internet, email systems and vehicles, and 'Information about Workers' Health', is about occupational health and drug and genetic screening.
The code also contains good practice recommendations on managing data protection. It emphasises that data-protection compliance should be seen as an integral part of employment practice and stresses that it is important to develop a culture in which respect for private life, data protection, security and confidentiality of personal information is seen as the norm.
One key recommendation is that a person in the organisation should take responsibility for ensuring that employment policies and practices comply with the Data Protection Act and for ensuring that they continue to do so.
A mechanism should be put in place for checking that procedures are followed in practice. Line managers who process information about workers should understand their responsibility for data-protection compliance.
The code also recommends the monitoring of personal information collection, so that any irrelevant or excessive information is eliminated.
Workers should be made aware that they will be criminally liable if they knowingly or recklessly disclose personal information outside their employers' policies and procedures, and a breach of data-protection rules should be made a disciplinary matter.
- Emma Burrows is a partner and head of the employment group at Trowers & Hamlins solicitors.