THOROGOOD PROFESSIONAL INSIGHTS
A SPECIALLY COMMISSIONED REPORT
DATA PROTECTION LAW FOR EMPLOYERS Susan Singleton
Published by Thorogood
10-12 Rivington Street London EC2A 3DU. t: 020 7749 4748 f: 020 7729 6110 e: [email protected] w: www.thorogood.ws

© Elizabeth Susan Singleton 2003

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without the prior permission of the publisher. This Report is sold subject to the condition that it shall not, by way of trade or otherwise, be lent, re-sold, hired out or otherwise circulated without the publisher’s prior consent in any form of binding or cover other than in which it is published and without a similar condition including this condition being imposed upon the subsequent purchaser. No responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication can be accepted by the author or publisher.

A CIP catalogue record for this Report is available from the British Library. ISBN 1 85418 283 8 Printed in Great Britain by printflow.com

Other Thorogood Professional Insights
Email Legal Issues, Susan Singleton
Applying the Employment Act 2002, Audrey Williams
Reviewing and Changing Contracts of Employment, Annelise Tracy Phillips
Employee Sickness and Fitness for Work, Gillian Howard
Successful Competitive Tendering, Jeff Woodhams
The Internet and E-Commerce, Peter Carey
The Competition Act – Practical Advice and Guidance, Susan Singleton

Special discounts for bulk quantities of Thorogood books are available to corporations, institutions, associations and other organisations. For more information contact Thorogood by telephone on 020 7749 4748, by fax on 020 7729 6110, or e-mail us: [email protected]
To my children Rachel, Rebecca, Benjamin, Samuel and Joseph whose use and abuse of the internet throws up many an interesting data protection issue.
The author
Susan Singleton is a solicitor with her own London firm, Singletons, which specialises in intellectual property law, including trade marks and competition law, internet law and general commercial law. Articled at Nabarro Nathanson, she joined Slaughter and May’s EC/Competition Law Department on qualifying in 1985, moving to Bristows in March 1988, where she remained until founding her own firm in 1994. Since then she has advised over 425 clients. According to the Chambers and Partners Legal Directory she is one of the UK’s leading IT Lawyers. In 2002 she acted for the claimant in the first damages action for breach of the EU competition rules to come before the English courts, Arkin v Borchard and Others. Her clients range from major plcs and institutions to small start-up businesses.

She is the author of over 25 law books on topics such as internet and e-commerce law, competition law, commercial agency law, data protection legislation and intellectual property and writes twenty legal articles a month. She is a frequent speaker in the intellectual property, competition and commercial law fields, both in the UK and abroad. She is on the Committee of the Competition Law Association, is a member of the Licensing Executives Society (and chaired their EC/Laws Committee), serves on the Legal Committee of the Chartered Institute of Purchasing and Supply (CIPS), and is a member of the Society of Computers and Law.

Singletons welcomes clients of any size. Contact:
Susan Singleton
Singletons Solicitors
The Ridge, South View Road, Pinner, Middlesex HA5 3YD, UK
Telephone: 020 8866 1934
Fax: 020 8866 6912
Website: www.singlelaw.com
Email: [email protected]
Contents

Preface

1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS
Introduction
Subject access requests
Compliance
Changing law
The Employment Practices Code
Personal data
Making access requests
Managing Data Protection
Conclusion
Further information

2 RECRUITMENT
General
Advertising
Applications
Verification
Short-listing
Interviews
Pre-employment vetting
Retention of recruitment records
Criminal Records Bureau
Information commissioner’s frequently asked questions
Checklist

3 EMPLOYMENT RECORDS
Managing Data Protection
Collecting and keeping employment records
Security
Sickness and accident records
Pension and insurance schemes
Equal opportunities monitoring
Marketing
Fraud detection
Workers’ access to information about themselves
References
Disclosure requests
Publication and other disclosures
Mergers and acquisitions
Discipline, grievance and dismissal
Outsourcing data processing
Retention of records
Access when information about third parties is involved
Frequently asked questions
Checklist

4 MONITORING
Examples of monitoring
Assessments
Is a worker’s consent needed?
Managing data protection
Monitoring electronic communications
How to notify employees of email rules
Video and audio monitoring
Conclusion
Frequently asked questions

APPENDIX FURTHER INFORMATION
1. Information Commissioner’s Office
2. Advisory, Conciliation and Arbitration Service (ACAS)
3. British Standards Institute (BS7799)
4. Chartered Institute of Personnel and Development
5. Commission for Racial Equality
6. Department of Trade and Industry
7. Confederation of British Industry
8. Criminal Records Bureau
9. Disability Rights Commission
10. The Disclosure Bureau
11. Equal Opportunities Commission
12. Office of the E-envoy
13. Trades Union Congress
14. Legal Advice
Preface
When I was admitted as a solicitor in 1985 the Data Protection Act 1984 was only just coming into force. Almost 20 years later the replacement Act has been in force since 1st March 2000 and is a constant presence, particularly for those who deal with employees and employment matters. The Data Protection Act 1998, the current legislation, has been supplemented by the Information Commissioner’s Employment Practices Code which is the principal subject of this report. This report seeks to summarise the application of the Act to the employment area, in particular by examining parts 1 (recruitment), 2 (records) and 3 (monitoring) of the code. Part 3 was only issued in June 2003 but in time to be included here and Part 4 which is not covered has yet to be issued (on the subject of Medical Records).

By concentrating on the areas covered by the Code the report aims to provide useful and practical guidance for employers, many of whose queries on the legislation are mundane. Basic issues are addressed, such as what consents do we need to obtain from employees? When can we fax their CV to Hong Kong? Do we have to give copies of a reference to an employee? How long must we keep their details? Can we monitor their email and internet use at work?

The IC’s Code in this area simply gives the view of the data protection office on their interpretation of the Act in the field of employment in those areas. The view may be wrong but in practice employment tribunals examining whether a member of staff, for example, has been unfairly dismissed for internet abuse will pay regard to whether an employer followed the code. Thus it is important all employers should seek to follow these rules where they hold personal data about their employees.

The Act is a serious matter. Breach is a criminal offence. It can also be an expensive matter.
Businesses concerned about the cost of complying with data protection law may be interested in the British Chamber of Commerce’s recently published report ‘Do regulators play by the rules?’ The report estimates the total costs to June 2003 of the Data Protection Act 1998 to be close to four million pounds. This cost was the second most expensive of all the measures audited. The data protection questions practising IT lawyers, such as I, receive are many – from companies wrestling with troublemakers making repeated data protection requests for the sake of causing hassle to a school grappling with the question of when a child is old enough to consent to processing. A very big area not covered in this report is direct marketing which is not an employment issue. At the date
of writing the UK is on the verge of implementing the e-privacy directive. New regulations which may be in force from 31st October 2003 will implement the EU directive on Privacy and Electronic Communications 2002/58 into English law. Directive 2002/58 of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications ‘e-privacy directive’ OJ 31.7.02 L201/37), will change the consents firms will need to obtain from those to whom they will market by email. The European Commission is examining the use of CCTV in the workplace in the context of data protection (which may lead to yet more changes in the future) and cases have started coming before the courts in this area. These cases are usually of a high profile nature such as the Court of Appeal decision in 2003 that Naomi Campbell, the supermodel, could not claim damages for breach of the Act when photographs were taken of her leaving a narcotics anonymous meeting without her consent. Conversely Sara Cox, a Radio 1 presenter, was able to use the Human Rights Act 1998 to recover damages when pictures of herself naked on her honeymoon were published by the Sunday People. The case led to a settlement agreed at the high court (6th June 2003) between Ms Cox, the People and Jason Fraser, the photographic agent concerned, under which she would receive £50,000 in damages. The People, Mr Fraser and two photographic agencies with which he was associated, were required to pay legal costs that were expected to be more than £200,000. In a sense there is an abundance of riches. The three parts of the employment code alone amount to over 60,000 words. Few personnel departments or data protection offices will have time to read them. However, it is important to know what is available so that further study can take place. 
For example, there is a separate CCTV Code of Practice about use of CCTV cameras which is on the IC’s web site (www.informationcommissioner.gov.uk). There is a very detailed 200 page Audit Manual on the same site which is available free of charge (written for the IC by Privacy Laws and Business (www.privacylaws.com)) which contains checklists for organisations seeking to check if they do comply with the Act. This report is aimed at those who deal with data protection queries in practice or who advise on them. It is not a substitute for obtaining specific legal advice and it is often more sensible to ask an expert than run up problems for the future by making erroneous conclusions about the law. A welcome development with the June 2003 Part 3 of the Code of Practice is a short summary of its provisions for small and medium-sized companies. The report seeks to summarise the rules and has drawn heavily from the guidance in the Code. To date there
have been virtually no cases of employment law issues under the Data Protection Act since it came into force just over three years ago. Although the Annual Reports of the IC, which are on the IC’s web site, contain some examples of breaches of the legislation it is in general hard to find examples of corporate practices in this area of the law. Finally, the report is up-to-date to 9th August 2003. The latest position should always be checked and independent and specific legal advice sought in cases of doubt. Any errors are my own and should be notified to me at
[email protected] for correction in future editions.

We are grateful to the Information Commissioner for allowing reproduction of extracts from the Code in this report. My thanks go to my many clients, over 425 since I set up my own practice in 1994, whose many IT/data protection, IP, competition and commercial law queries ensure I am always aware that I never know it all and that many issues under the data protection legislation remain a profound mystery even to the so-called experts. In 2003 I spoke at about 50 legal conferences, many including data protection issues, all round the UK. I make a point of saying I think it is impossible to be 100% compliant with the Data Protection Act. All we can do is try our best. I hope this report enables more companies to make a decent stab at compliance.

Susan Singleton
9th August 2003
Chapter 1 Introduction and guidance for employers
‘The Data Protection Act 1998 came into force on 1 March 2000. It regulates the use of personal data and gives effect in UK law to the European Directive on data protection (95/46/EC). The Act covers some manual records, such as those recorded on paper or media such as microfiche, as well as computerised records and is concerned with the processing of ‘personal data’, that is, data relating to identifiable living individuals. It works in two ways:
• giving individuals (data subjects) certain rights
• requiring those who decide how and why personal data are processed (data controllers) to be open about their use of those data and to comply with the data protection principles in their information-handling practices.’
IC’s Code of Practice: Part 1 Recruitment (Employment)
Introduction
The Data Protection Act applies to most employers in the UK. Whether or not they have registered with or notified the Information Commissioner that they hold personal data caught by the Act, they must still comply with eight data protection ‘principles’ and must give individuals access to copies of the personal data held about them by the employer, known in this context as the ‘data controller’.
This report looks at how the Act affects employers rather than describing the Act in all its provisions. Much useful guidance on the Act is contained in the Introduction to the Act published by the IC on the IC’s web site.

The eight data protection principles are that personal data must be:
1. processed fairly and lawfully.
2. processed for limited purposes and not in any manner incompatible with those purposes.
3. adequate, relevant and not excessive.
4. accurate.
5. not kept for longer than is necessary.
6. processed in line with data subjects’ rights.
7. secure.
8. not transferred to countries that don’t protect personal data adequately.
Subject access requests
Employees, just like anyone else whose personal data is held by someone, have a right of ‘subject access’ under section 7 of the Act to see the data held about them. Many employers find it useful to have a form for this purpose. If inaccurate data is held about someone they have a right to have it corrected and even to obtain a court order to force it to be corrected. There are also rights to sue for damages if loss has been suffered by a data subject arising from a breach of the Act.
Lord Ashcroft and the Data Protection Act
Lord Ashcroft took high court action in 2003 under the Data Protection Act 1998. The Labour party allegedly leaked five major slurs of damaging information about him and his business affairs. He applied under s7 of the Act for copies of documents held which referred to him. In response he alleged that he was given information held on computers about him, but was told he could not have information held in manual form as the manual records fell outside the Act as they were not part of a ‘structured set’. Only manual data which is part of a structured set falls within the Act. He said 95% of the information about him which he wanted to see was contained in 56 paper files – 47 in the Foreign Office and 15 with the Department of International Development. He also asked for information about why he was refused a peerage or information relating to that issue. On 5th June 2003 he settled his case when the Government offered an apology and agreed to pay £500,000 of his costs.
Compliance
It is an obligation of the data controller to comply with the Act. This will be a limited company or could be a sole trader or partnership. However, companies act through their employees and directors, and it will be employees who either ensure the company complies or whose conduct results in a breach of the Act. It may be wise to appoint an employee as the data protection compliance officer. For Government bodies the Data Controller is the Secretary of State. For other public organisations, it is usually the organisation itself that is liable.

The IC has an Audit Manual on their web site which helps companies to check if they comply. The IC has powers to take enforcement action if a breach of the Act occurs. Companies can be forced to change their policies or correct or delete records. Breach of the Act is a criminal offence. Offences include failing to register (notify), not keeping a notification up-to-date, unlawfully obtaining personal data and unlawfully selling the data. There are also rights to sue for damages to obtain compensation if the Act has been breached.
Changing law
This report looks at the Data Protection Act 1998. This brought an EU data protection directive into force in the UK. That directive was agreed in 1996 and in 2003 was being re-examined by the European Commission. It is possible it will be altered. In May 2003 the European Commission adopted the first report on the implementation of the Data Protection Directive. The report notes that the directive has broadly achieved its aim of ensuring strong protection for privacy but that late implementation by some member states along with differences in national approaches has prevented the EU from obtaining the full benefit of the Directive. See http://europa.eu.int/comm/internal_market/privacy/lawreport_en.htm.

The Employment Practices Code
This report principally concentrates on the application of the Act in the employment area as the IC construes this through its Employment Practices Code. Three parts of the Code are described here. At the date of writing, Part 4 – Medical Records had not yet been issued. It is therefore crucial to know what the purpose of the Code is.

What is this Code of Practice for?
The Code is intended to assist employers in complying with the Act and to establish good practice for handling personal data in the workplace. The Code covers such issues as the obtaining of information about workers, the retention of records, access to records and disclosure of them.

Who does data protection cover in the workplace?
The Code is concerned with data that employers might collect and keep on any individual who might wish to work, work, or have worked for them. In the Code the term ‘workers’ is used to cover all these individuals. As such it includes:
• Applicants (successful and unsuccessful).
• Former applicants (successful and unsuccessful).
• Employees (current and former).
• Agency workers (current and former).
• Casual workers (current and former).
• Contract workers (current and former).
Some benchmarks will also apply to others in the workplace such as volunteers and those on work experience placements.

What data are covered by the Code?
It is likely that most information about workers that is processed by an organisation will fall within the scope of the Data Protection Act and therefore within the scope of this Code.

Personal data
The Code is concerned with ‘personal data’. That is, information which:
• relates to a living person, and
• identifies an individual either on its own or together with other information that is in the organisation’s possession or that is likely to come into its possession.
All automated and computerised personal data are covered by the Act. It also covers personal data put on paper or microfiche and held in any ‘relevant filing system’. In addition, information recorded with the intention that it will be put in a relevant filing system or held on computer is covered. A relevant filing system essentially means any set of information about workers in which it is easy to find a piece of information about a particular worker.

Processing
The Act applies to personal data that are subject to ‘processing’. For the purposes of the Act, the term ‘processing’ applies to a comprehensive range of activities. It includes the initial obtaining of personal data, their keeping and use, accessing and disclosing them through to their final destruction.
Examples of personal data likely to be covered by the Act
The IC gives the following examples of personal data under the Act. This is a useful list for data controllers to consider when they look at employment issues under the Act:
• Details of a worker’s salary and bank account held on an organisation’s computer system or in a manual filing system.
• An email about an incident involving a named worker.
• A supervisor’s notebook containing sections on several named individuals.
• A supervisor’s notebook containing information on only one individual but where there is an intention to put that information in the worker’s file.
• A set of completed application forms.

Examples of information unlikely to be covered by the Act
• Information on the entire workforce’s salary structure, given by grade, where individuals are not named and are not identifiable.
• A report on the comparative success of different recruitment campaigns where no details regarding individuals are held.
• A report on the results of ‘exit interviews’ where all responses are anonymised and where the results are impossible to trace back to individuals.
• Manual files that contain some information about workers but are not stored in an organised way, such as a pile of papers left in a basement.
In practice, therefore, nearly all useable information held about individual workers will be covered by the Code.
Sensitive personal data
Some particularly important data, such as about people’s sexual inclinations or health, is classed as ‘sensitive personal data’. It must only be processed if explicit consent has been obtained for the processing. Sensitive data is data about:
• racial or ethnic origin,
• political opinions,
• religious beliefs or other beliefs of a similar nature,
• trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
• physical or mental health or condition,
• sexual life,
• commission or alleged commission of any offence, or
• proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

Sensitive data found in a worker’s record might typically be about their:
• physical or mental health – as a part of sickness records,
• disabilities – to facilitate adaptations in the workplace,
• racial origin – to ensure equality of opportunity, and
• trade union membership – to enable deduction of subscriptions from payroll.

The IC says: ‘In the context of recruitment and selection typical circumstances in which sensitive personal data might be held include:
• relevant criminal convictions to assess suitability for certain types of employment.
• disabilities to ensure special needs are catered for at interview or selection testing.
• racial origin to ensure recruitment processes do not discriminate against particular racial groups.’
The Act sets out a series of conditions, at least one of which has to be met before an employer can collect, store, use, disclose or otherwise process sensitive personal data. The conditions include:
• The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
  Note: This condition can have quite wide application in the context of recruitment and selection. Employers’ rights and obligations may be conferred or imposed by statute or common law, which in this context means decisions in relevant legal cases. For example, they will include obligations to:
  1. Ensure the health, safety and welfare at work of workers.
  2. Select safe and competent workers.
  3. Ensure a safe working environment.
  4. Not discriminate on the grounds of race, sex or disability.
  5. Ensure the reliability of workers with access to personal data.
  6. Protect customers’ property or funds in the employer’s possession.
  7. Check immigration status before employment.
  The IC says: ‘Thus an employer may be able to collect information as to an applicant’s criminal record or health in the recruitment process if this can be shown to be necessary to enable the employer to meet its obligations in relation to the safety of its workers or others to whom it owes a duty of care. The collection of sensitive personal data must however be ‘necessary’ for exercising or performing a right or obligation which is conferred or imposed by law. This condition would not, for example, be satisfied if the employer obtains information on the criminal convictions of all applicants in order to protect its staff or customers if the protection could equally be provided by obtaining this information only on the successful applicant prior to confirmation of appointment.’
• The processing:
  1. is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
  2. is necessary for the purpose of obtaining legal advice, or
  3. is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
  Note: The application of this condition in the context of recruitment and selection is quite limited but it might, for example, be relied on to enable a prospective employer to process sensitive personal data to defend him or herself were an applicant to make a claim of unlawful discrimination.
• The processing:
  1. is of information in categories relating to racial or ethnic origin, religious or other beliefs or physical or mental health,
  2. is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment,
  3. there are safeguards for the data subject.
  Note: This condition will be relevant to equal opportunities monitoring related to racial origin, religion and disability. Processing must be ‘necessary’, emphasising that wherever practicable monitoring should be based on anonymous or aggregated information.
• The processing is necessary:
  1. for the exercise of any functions conferred on any person by or under an enactment, or
  2. for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
  Note: This condition is most likely to be relevant to public sector bodies that may have specific legal duties placed on them in relation to the qualifications, attributes, background or probity of their workers. It will also be relevant when a public sector body concludes that in order to discharge its wider statutory functions it is necessary for it to process sensitive personal data such as criminal convictions relating to applicants or, in exceptional cases, their family or close associates. It is likely, for example, to be relevant to the recruitment of police or prison officers.
• The data subject has given explicit consent to the processing:
Note: Employers seeking to rely on this condition must bear in mind that:
– the consent must be explicit. This means the applicant must have been told clearly what personal data are involved and the use that will be made of them. The applicant must have given a positive indication of agreement (e.g. a signature),
– the consent must be freely given. This means the applicant must have a real choice whether or not to consent and there must be no significant detriment that arises from not consenting.
Importantly the Commissioner says: ‘The extent to which consent can be relied upon in the context of employment is limited because of the need for any consent to be freely given. However, in relation to the recruitment and selection of workers this is less of a constraint. Individuals in the open job market will usually have a free choice whether or not to apply for a particular job. If consent to some processing of sensitive data is a condition of an application being considered this does not prevent the consent being freely given. It must of course be clear to the applicant exactly what he or she is consenting to. As recruitment proceeds it becomes less likely that valid consent can be obtained. If, for example, the direct consequence of not consenting is the withdrawal of a job offer the consent is unlikely to be freely given.’
Making access requests
The Act allows for any individual to make a ‘subject access request’ to any organisation that he or she believes is processing his or her personal data. This request must be in writing, for example by letter or email. Once an organisation receives such a request it must respond promptly, or at the most within 40 calendar days. There is similar legislation in the Freedom of Information Act 2000, which by 2003 was still not fully in force. This will allow anyone, companies as well as individual data subjects, to request information held about them from public bodies (not all companies). This requires such requests be made within 20 days. Many public sector bodies therefore want to harmonise their procedures to comply with the DPA and the FOIA and thus provide for a 20 not a 40 day period. Companies in the private sector however, may stick with 40 days under the DPA. The data controller, in response to a request, must produce copies of the information it holds in an intelligible form.
A charge of up to £10 can be made. The 40 day period starts once the organisation has received the fee together with any information it needs to verify the identity of the individual making the request, and to locate the information that the individual seeks. Many companies have a form they ask data subjects to complete when making a request so that the company receives all the identification information it needs. It is wise to have such a form ready. There are some exemptions that allow organisations to withhold information. These exemptions can apply in areas such as criminal investigation, management planning such as promotion and transfer plans, and negotiations. The exemptions, though, are limited in their application even within these areas.
THIRD PARTY DATA
Be careful not to disclose third party data in responding to requests. The IC has Guidance on the IC web site on subject access and third party data to which reference should be made.
Managing Data Protection
Most businesses will need to nominate someone to take charge of data protection in their company. The Information Commissioner suggests standards for managing data protection which are common to all four areas of the employment Code of Practice as follows: ‘Data protection compliance should be seen as an integral part of employment practice. It is important to develop a culture in which respect for private life, data protection, security and confidentiality of personal data are seen as the norm.’
The benchmarks
1. Establish a person within the organisation responsible for ensuring employment practices and procedures comply with the Act and for ensuring that they continue to do so. Put in place a mechanism for checking that procedures are followed in practice.
2. Ensure that business areas and individual line managers that process information about workers understand their own responsibility for data protection compliance and, if necessary, amend their working practices in the light of this.
3. Assess what personal data about workers are in existence and who is responsible for them.
4. Eliminate the collection of personal data that are irrelevant or excessive to the employment relationship. If sensitive data are collected ensure that a sensitive data condition is satisfied.
5. Ensure that workers are aware of the extent to which they can be criminally liable if they knowingly or recklessly disclose personal data outside their employer’s policies and procedures. Make serious breaches of data protection rules a disciplinary offence.
6. Allocate responsibility for checking that your organisation has a valid notification in the register of data controllers that relates to the processing of personal data about workers, unless it is exempt from notification.
7. Consult trade unions or other workers’ representatives, if any, or workers themselves over the development and implementation of employment practices and procedures that involve the processing of workers’ data.
Notes and examples
1. In a small business the responsibility might simply be with the owner of the business. Where there is a management structure responsibility should be allocated to a senior manager in the personnel or human resources function, or someone in a comparable position. Those with overall responsibility must be in a position to feed their knowledge into other areas of the business where information about workers is processed, and to ensure that the organisation has a co-ordinated approach to data protection compliance. Ideally data protection should be seen as an integral part of employment procedures rather than as a stand alone requirement. For example, in the company’s written procedure for dealing with selection, there should be a section on how to follow up on references, which should incorporate the relevant benchmarks in this Code. Procedures are only of value if they are current and adhered to. Review and update procedures as necessary and put a mechanism in place to ensure that they are being followed on the ground. This might involve some form of audit or self-certification by managers.
2. It is important to remember that data protection compliance is a multidisciplinary matter. For example, a company’s IT staff may be primarily responsible for keeping computerised personal data secure, whilst a human resources department may be responsible for ensuring that the information requested on a job application form is not excessive, irrelevant or inadequate. All workers, including line managers, have a part to play in securing compliance, for example by ensuring that waste paper bearing personal data is properly disposed of. An employer is liable to pay compensation for damage suffered by an individual as a result of the actions of a line manager in regards to data protection unless it is clear that the line manager has been acting outside his or her authority. Employers can help protect themselves against claims by training line managers and having clear procedures in place.
3. It may be helpful to assess personal data held on workers using the same categories as are used in the various parts of this Code, i.e. personal data processed in connection with recruitment and selection, employment records, monitoring at work and medical information. Consider who in your organisation will be collecting, using, storing and destroying such information. Only when you have ascertained this will you be able to check that your organisation is complying with the Act.
4. When making your assessment of personal data consider if all the information collected on workers is necessary for the employment relationship. For example, information concerning workers’ lives outside work is unlikely to be necessary. However, it might be legitimate to request information about workers’ other jobs where there is a justifiable need, for example, in connection with Working Time Regulations, or to request information about their children in connection with an application for parental leave. The collection and use of sensitive data must satisfy a sensitive data condition.
5. Workers should be broadly aware of the legal duties that the Act places on employers and their own role as workers in meeting them. In particular, workers should be aware of how data protection compliance impinges in practical terms on the way they perform their work. It is also crucial to make workers aware of the possible consequences of their actions in this area, e.g. disciplinary action or personal criminal liability. It is useful to incorporate such information in the general induction process for new workers and to regularly remind existing workers of their obligations.
6. Failing to notify when required to do so or failing to keep a notification up-to-date is a criminal offence. The person responsible for data protection should ensure that entries concerning workers’ data on the Register of Data Controllers are complete, accurate and up-to-date. This may be a duty that he or she personally undertakes or it may be delegated.
7. Consultation is not in itself a legal requirement. Nevertheless consultation should help ensure processing of personal data is fair to the workers to whom the data relates.
Conclusion
The data protection legislation has wide application in the field of employment and employers need to consider its application from the recruitment stage, addressed in the next chapter, right through to termination of the employment contract and beyond.
Further information
The Information Commissioner’s web site has the following Guidance which is also regularly added to and expanded from time-to-time (this list is current as at 9th August 2003) – all at www.informationcommissioner.gov.uk.
Compliance advice
• Disclosures of personal data required by the Inland Revenue under the Taxes Management Act
• Guide to Data Protection Auditing
• Child Support Agency: use and disclosure of maintenance assessment information
• Small businesses – Data protection and you
• Data controller’s brief guide
• CCTV Checklist
• Council Tax: Secondary use of Personal Data held for the Collection and Administration: Oct 2001
• Credit reference file info: common complaints: Feb 2000
• Crime & Disorder Act 1998: Feb 2000
• Electoral Register – The use of the Electoral Register in light of the ‘Robertson Case’
• FAQ’s – General (Nov 00)
• FAQ’s – Notification (Nov 00)
• FAQ’s – Subject access (Nov 00)
• FAQ’s – Web (Jul 01)
• Health data, use and disclosure of:
– International Transfers Summary: 8th Principle
– Internet: Protection of Privacy – Data Controllers
– Internet: Protection of Privacy – Data Subjects
– Local Authority: elected members, compliance DPA
– Local Authority: elected members, disclosure to
– Local authority: Registration Officer’s right to inspect records
– Local Authority: sharing of data
• Mailing, Telephone and Fax Preference Service
• Secondary Legislation – Comments of the Data Protection Registrar (Jan 2000)
• Schools: exam results, publication
• Small Business Information
• Subject access – education records in England
• Subject access & e-mails
• Subject access & health records
• Subject access & Local authority housing records
• Subject Access & medical records: fees for access
• Subject access to social services records
• Subject access and third party information
• Telecommunications Regulations
• Transborder dataflow – EU ‘approved list’
• Violent warning marker: use in the public sector.
• US Safe Harbour
• International Transfers – Adequacy, Safe Harbor and the Standard Contractual Clauses
Legal guidance
• Data Protection Act 1998: Legal Guidance
• International Transfers
• Model contract clauses: authorisation & guidance on the use of Subject Access and third party information
• Telecoms Guidance
• Undertaking – Thames Water Utilities Ltd
Codes of practice
• CCTV
• Employment
Chapter 2 Recruitment
• General
• Advertising
• Applications
• Verification
• Short-listing
• Interviews
• Pre-employment vetting
• Retention of recruitment records
• Criminal Records Bureau
• Information Commissioner’s frequently asked questions
• Checklist
General
The first stage of any employment process is the recruitment of employees. The employee’s name, almost certainly a CV and often a photograph will be supplied, and application forms will be completed. Most of this information will be ‘personal data’ under the Data Protection Act 1998 and will need to be handled carefully and in accordance with the eight data protection principles which were listed in Chapter 1. The Information Commissioner’s Employment Code of Practice – Part 1 – Recruitment is most relevant in this area and extracts are given in this chapter. A list of frequently asked questions and checklists from the Information Commissioner are given at the end of the chapter. The chapter follows the topics covered by the IC in Part 1 of the guidance and looks first at advertising for an employee. Some data will be sensitive personal data. Chapter 1 examined this and reference should be made to those provisions. Some checks will involve making reference to the Criminal Records Bureau and a section later in this chapter sets out the guidance relating to use of that service.
Advertising
Most jobs are advertised in order to obtain candidates for interview. In this area the Commissioner suggests the following benchmarks:
The benchmarks
1. Inform individuals responding to job advertisements of the name of the organisation to which they will be providing their information and how it will be used unless this is self-evident.
2. Recruitment agencies, used on behalf of an employer, must identify themselves and explain how personal data they receive will be used and disclosed unless this is self-evident.
3. On receiving identifiable particulars of applicants from an agency ensure, as soon as you can, that the applicants are aware of the name of the organisation now holding their information.
Notes and examples
1. Individuals providing personal data, even if only giving their name and address, in response to a job advertisement should be aware of who they are giving their details to. They should be made aware of this before they supply their details. Individuals should not be asked simply to provide their details to a PO Box Number or to an inadequately identified answering machine or website. Provide this explanation:
a. in the advertisement if postal, fax or email responses are sought.
b. in the advertisement or at the start of the telephone call if telephone responses are sought.
c. on the website before personal data are collected via an online application form.
Advertisements for specific jobs need not state how the information supplied will be used, provided that this is self-evident. Only where the link between the information being asked for and its potential use is unclear need an explanation be given. For example, if an advertisement for a specific job simply asks those who are interested to send in personal details and these might also be passed on to a sister company to see if it has any suitable vacancies, this should be explained in the advertisement.
2. Where a recruitment agency places an advertisement on behalf of an employer, the identity of the agency must be given. The agency must also be identified as such, if this is not apparent from its name. The agency should also inform the applicant if it intends to use the information supplied by the applicant for some purpose of which the applicant is unlikely to be aware, for example, where the information will be used to market goods or services to the applicant. If the information supplied in response to a recruitment advertisement is to be retained for use in connection with future vacancies, the advertisement should make this clear.
3. An advertisement placed by a recruitment agency need not show the identity of the employer on whose behalf it is recruiting. The agency may pass information to the employer provided that the applicant understands that his or her details will be passed on. Once the employer receives identifiable particulars it must, as soon as it can, inform the applicant of its identity and of any uses it might make of the information received that are not self-evident. It can arrange for the agency to provide this explanation on its behalf. If, for whatever reason, the employer does not want to be identified to the applicant at an early stage in the recruitment process, it is acceptable for the agency to only send anonymised information about a candidate to the employer, and for the agency or employer to provide information as to the employer’s identity once the employer has expressed interest in receiving personally identifiable information about the applicant.
Applications
Once an advertisement has been placed, employers will next receive data from potential employees either by a written CV, completion of a form on-line or by completion of an application form sent out by the employer. The benchmarks below from Part 1 of the Code address the issues raised in this area.
The benchmarks
1. State, on any application form, to whom the information is being provided and how it will be used if this is not self-evident.
2. Only seek personal data that are relevant to the recruitment decision to be made.
3. Only request information about an applicant’s criminal convictions if that information can be justified in terms of the role offered. If this information is justified, make it clear that spent convictions do not have to be declared, unless the job being filled is covered by the Exceptions Order to the Rehabilitation of Offenders Act 1974.
4. Explain any checks that might be undertaken to verify the information provided in the application form including the nature of additional sources from which information may be gathered. (The verification checks should meet the benchmarks set out in the next section.)
5. If sensitive data are collected ensure a sensitive data condition is satisfied.
6. Provide a secure method for sending applications.
Notes and examples
1. Where an organisation is recruiting for a specific job, it is unnecessary to explain how the information will be used if this is self-evident. For example there is no need to explain that information will be passed from the personnel department to the department where the job is located. However, if an organisation is, for example, conducting an initial trawl of applicants for a range of different jobs, perhaps to keep on file and return to as needed, this should be explained.
Where an applicant makes an unsolicited application for recruitment to an employer, typically by sending a speculative letter or email, the employer need only provide the applicant with an explanation if the application is to be retained, and use made of the information on the application, or the period of retention goes beyond what would be self-evident to the applicant. Any necessary explanation could be included in a letter of acknowledgement sent by the employer, although if there is no unexpected use, then no acknowledgement letter is required. Employers should have a policy on the retention or disposal of unsolicited applications for employment.
2. Information should not be sought from applicants unless it can be justified as being necessary to enable the recruitment decision to be made, or for a related purpose such as equal opportunities monitoring. For example, there is no obvious reason why employers should ask applicants for information about their membership of a trades union. The scope of the information gathered must be proportionate to what the employer is seeking to achieve, for example, the extent and nature of information sought from an applicant for the post of head of security at a bank would be very different from that sought from an applicant for work in the bank’s staff canteen. Employers should also be aware of the difference between the information needed to process an application for employment and that needed to actually administer employment. There is no obvious justification, for example, for an employer to hold information about an applicant’s banking details, although it will normally be legitimate to hold these details for payment purposes once employment starts.
3. The same questions should not necessarily be asked of all prospective workers. For example, an applicant for a purely administrative job with a haulage company should not be asked for details of driving convictions, if these are only relevant to the recruitment of drivers. However, some questions will be clearly relevant to all applicants. It is acceptable to ask all candidates certain core questions, such as whether they are eligible to work in the U.K. Information on criminal convictions should only be sought if it is relevant to the job being filled. Where appropriate questions should be designed to obtain no more than the information actually needed, e.g. ‘Do you have any criminal convictions involving dishonesty?’
Whether by omission of an explanation, or otherwise, applicants should not be led to believe they have to disclose spent convictions if they do not.
4. One example is, if, beyond taking up references you obtain information from other local employers or other companies in your group which the worker may have been employed by or may have applied to previously. Another example is where an applicant’s qualifications are to be verified in the course of the recruitment process – this should be clearly stated in the application form or surrounding documentation.
5. The collection of sensitive data must satisfy a sensitive data condition.
6. The return of applications to a postal address or fax number should be organised so that access to applications is limited. A secure method of transmission should be provided if an employer provides an online application facility. The use of widely available encryption-based software could be used to do this. Once the application has been received, electronically or otherwise, it must be securely stored.
Verification
People lie on their CVs. Any human resources manager reading this report will know that it is always wise to check details. Ask to see original degree certificates. Call the university concerned. Do not take any claims to grades or work experience at face value. However, verification is an inherently intrusive process. Taking up references is also a form of verification. The IC has therefore set out some benchmarks to be followed in this area:
The benchmarks
1. Explain to applicants as early as is reasonably practicable in the recruitment process, the nature of the verification process and the methods used to carry it out.
2. If it is necessary to secure the release of documents or information from a third party, obtain a signed consent form from the applicant unless consent to their release has been indicated in some other way.
3. Give the applicant an opportunity to make representations should any of the checks produce discrepancies.
Notes and examples
1. Applicants may not always give complete and accurate answers to the questions they are asked. Employers are justified in making reasonable efforts to check the truthfulness of the information they are given. The verification process should be open; applicants should be informed of what information will be verified and how this will be done. Where external sources are to be used to check the responses to questions, this should be explained to the applicant. Access to certain records needed for the verification process may only be available to the individual concerned. You should not force applicants to use their subject access right to obtain records from a third party by making it a condition of their appointment. This is known as ‘enforced subject access’. Requiring the supply of certain records in this way, including certain criminal and social security records, will become a criminal offence under the Act when the Criminal Records Bureau starts to issue ‘disclosures’.
2. For example, some organisations will require a signed approval form from an individual before they confirm his or her qualifications to a third party.
3. Where information obtained from a third party differs from that provided by the applicant, it should not simply be assumed that it is the information provided by the applicant that is incorrect or misleading. If necessary, further information should be sought and a reasoned decision taken as to where the truth lies. As part of this process the applicant should be asked to provide an explanation where information he or she has provided is suspected of being incorrect or misleading. This is necessary to ensure that the data held are accurate and processed fairly.
Short-listing
Once a list of candidates has been drawn up decisions have to be taken about who to short-list and perhaps more detailed enquiries then made about the candidates in the running. These are the benchmarks:
The benchmarks
1. Be consistent in the way personal data are used in the process of short-listing candidates for a particular position.
2. Inform applicants if an automated short-listing system will be used as the sole basis for making a decision. Make provisions to consider representations from applicants about this and to take these into account before making the final decision.
3. Ensure that tests based on the interpretation of scientific evidence, such as psychological tests and handwriting analysis, are only used and interpreted by those who have received appropriate training.
Notes and examples
1. It is beyond the scope of the Code to set down general rules as to how short-listing and selection testing should be carried out. This should be primarily a matter of good employment practice, although short-listing and selection testing that leads to unlawful discrimination on the grounds of race, sex or disability is likely to breach the requirement that personal data are processed fairly and lawfully. The Information Commissioner’s concern is more with ensuring that the selection criteria are applied in a way that is consistent and fair to applicants, rather than that the criteria are, in themselves, fair.
2. The Act contains specific provisions on decision-making carried out by solely automated means. To fall within these provisions the decision-making must evaluate matters such as an applicant’s work performance or reliability. A system that automates a simple decision, for example, to reject all applicants who are under 18 years of age, is not covered by the provision.
An example of a decision that is covered, is where an individual is short-listed purely on the basis of answers provided through a touch-tone telephone in response to psychometric questions posed by a computer. The Act requires that where the individual requests it, the logic involved in making such a decision should be explained and, in some circumstances, that the decision should be reconsidered or retaken on a different basis. This right will apply if an applicant is rejected or treated in a way that is significantly different from other applicants solely as a result of the use of an automated process. This right will not apply if the automated process merely provides information, such as the score resulting from a psychometric test, where this is just one of a range of factors taken into account as part of a decision-making process that has an element of human intervention or scrutiny.
3. Only by using qualified people to assess psychometric and other complex tests can short-listing be done fairly. This is normally part of good human resource practice but should also help to meet the data protection requirement that personal data are adequate for the purpose for which they are used.
Interviews
Interviews also raise data protection issues and are used either as the final basis of the decision of who to select, or as part of that decision. Only one benchmark is suggested by the Commissioner:
The benchmarks
1. Ensure that personal data that are recorded and retained following interview can be justified as relevant to, and necessary for, the recruitment process itself, or for defending the process against challenge.
Notes and examples
1. This Code is not concerned with setting out how interviews should be conducted. This should be primarily a matter of good employment practice. However, the collection of personal data at interview, their recording, storage and use are likely to represent processing which falls within the scope of the Act. This means that, for example, applicants will normally be entitled to have access to interview notes about them which are retained as part of the record of the interview.
Pre-employment vetting
The term ‘pre-employment vetting’ means actively making enquiries from third parties about an applicant’s background and circumstances. It goes further than verification and the IC says it should be ‘confined to areas of special risk’. It is, for example, used for some government workers who have access to classified information. ‘In some sectors vetting may be a necessary and accepted practice. Limited vetting may be a legal requirement for some jobs, for example under the Protection of Children Act 1999. The Department of Health is developing a Protection of Vulnerable Adults list, which employers intending to recruit individuals to work with certain vulnerable adults, may be required to consult. The Data Protection Act 1998 does not necessarily prohibit the use of such vetting, but regulates whether and how it may be carried out.’
The benchmarks
1. Only use vetting where there are particular and significant risks to the employer, clients, customers or others, and where there is no less intrusive and reasonably practicable alternative.
2. Only carry out pre-employment vetting on an applicant at an appropriate point in the recruitment process. Comprehensive vetting should only be conducted on a successful applicant.
3. Make it clear early in the recruitment process that vetting will take place and how it will be conducted.
4. Only use vetting as a means of obtaining specific information, not as a means of general intelligence gathering. Ensure that the extent and nature of information sought is justified.
5. Only seek information from sources where it is likely that relevant information will be revealed. Only approach the applicant’s family or close associates in exceptional cases.
6. Do not place reliance on information collected from possibly unreliable sources. Allow the applicant to make representations regarding information that will affect the decision to finally appoint.
7. Where information is collected about a third party, e.g. the applicant’s partner, ensure so far as practicable that the third party is made aware of this.
8. If it is necessary to secure the release of documents or information from a third party, obtain a signed consent form from the applicant.
Notes and examples
1. Checks should be proportionate to the risks faced by an employer and be likely to reveal information that would have a significant bearing on the employment decision. The risks are likely to involve aspects of the security of the employer or of others. They could range from the risk of breaches of national security, or the risk of employing unsuitable individuals to work with children through to the risk of theft or the disclosure of trade secrets or other commercially confidential information.
2. As a general rule:
• do not routinely vet all applicants, and
• do not subject all short-listed applicants to more than basic written checks and the taking up of references, e.g. against the list of persons considered unsuitable to work with children compiled under the Protection of Children Act 1999. Do not require all shortlisted applicants to obtain a ‘disclosure’ from the Criminal Records Bureau.
3. This information could be provided on the initial application form or other recruitment material. Explain to the applicant the nature, extent and range of sources of the information that will be sought. Make clear the extent to which information will be released to third parties.
4. An employer intending to use pre-employment vetting must determine carefully the level of vetting that is proportionate to the risks posed to his or her business. Employers must be very clear as to what the objectives of the vetting process are and must only pursue avenues that are likely to further these objectives. Vetting should be designed in such a way that only information that would have a significant bearing on the employment decision is likely to be obtained.
5. In exceptional cases an employer might be justified in collecting information about members of the family or close associates of the applicant. This is most likely to arise in connection with the recruitment of police or prison officers.
6. Employers should use all reasonable means to ensure that any external sources used as part of the vetting process are reliable. Where the vetting results in the recording of adverse information about an applicant, the applicant should be made aware of this and should be given the opportunity to make representations, either in writing or face to face.
7. Where information about a third party, e.g. the applicant’s partner, is to be recorded, the collection must be fair and lawful in respect of the third party. This will mean informing third parties that information about them has been obtained and informing them as to the purposes for which it will be processed, unless this would not be practicable or would involve disproportionate effort. For example, where the employer does not have contact details for the third party or the information will be kept in an identifiable form for only a very short period. In such cases there is no obligation to act.
8. During the vetting process information might be sought from a third party, e.g. a previous employer that the applicant has not given as a referee. If the information is subject to a duty of confidentiality, the third party will need some basis on which to justify its release. The employer might obtain consent for this from the applicant in order to avoid the need for the third party to contact the applicant to seek consent.
Retention of recruitment records
Chapter 3 looks at records in general in the area of data protection and employment, but records also need to be considered on the recruitment side. One of the most common questions asked is how long applicants’ details should be kept if they have not been given the job. No specific period is given in the Act. It just says that the personal data in a record shall not be kept for longer than is necessary for a particular purpose or purposes. However, any period that is set must be based on business need and should take into account any relevant professional guidelines, the IC says, and it then suggests the following benchmarks.
The benchmarks
1. Establish and adhere to retention periods for recruitment records that are based on a clear business need.
2. Destroy information obtained by a vetting exercise as soon as possible, or in any case within 6 months. A record of the result of vetting or verification can be retained.
3. Consider carefully which information contained on an application form is to be transferred to the worker’s employment record. Delete information irrelevant to on-going employment.
4. Delete information about criminal convictions collected in the course of the recruitment process once it has been verified through a Criminal Records Bureau disclosure, unless in exceptional circumstances the information is clearly relevant to the on-going employment relationship.
5. Advise unsuccessful applicants that there is an intention to keep their names on file for future vacancies (if appropriate) and give them the opportunity to have their details removed from the file.
6. Ensure that personal data obtained during the recruitment process are securely stored or are destroyed.
Notes and examples
1. Employers must consider carefully the justification, if any, for retaining recruitment records once the recruitment process has been completed. Retention of recruitment records may be necessary for the organisation to defend itself against discrimination claims or other legal actions arising from recruitment. However, the possibility that an individual may bring a legal action does not automatically justify the indefinite retention of all records relating to workers. A policy based on risk-analysis principles should be established. Recruitment agencies have some legal obligations to retain records under the Employment Agencies Act 1973. Employers should consider the possibility that some business needs might be satisfied by using anonymised rather than identifiable records. For example, if the organisation wishes to compare the success of various recruitment campaigns, this could be achieved by using anonymised records.
2. This is consistent with the Criminal Records Bureau Code of Conduct. However, where there is a legal obligation to retain specified information for longer than 6 months, this must be respected.
3. Some information is gathered during the recruitment process that may not be relevant to the employment situation. Only retain information that has on-going relevance or is needed as evidence of the recruitment process. For example, consider carefully whether there is a reason to retain information about an applicant’s former salary once he or she has started employment. For practical reasons it may be difficult to delete some information on application forms whilst retaining the rest. Employers should, however, design application forms to facilitate the easy deletion of information which is irrelevant to the on-going employment relationship.
4. A note may be kept showing that a check was completed and the results of the findings.
5. Unless there is a reason to believe that an applicant wishes to be considered again, the assumption should be that he or she has applied only for the vacancy advertised. Application forms or recruitment advertisements can give the applicant the choice as to whether he or she wishes to apply only for the advertised post or would like his or her details to be kept on file in case another position arises.
6. Whether stored manually or electronically, personal data should be kept secure and as far as is practicable access to the data should be limited.
Criminal Records Bureau
Employers will already be aware of the searches they can do at the Criminal Records Bureau before hiring an employee. Information on the CRB is at www.crb.gov.uk. Information on the ‘disclosure’ process is on the disclosure web site of the CRB at http://www.disclosure.gov.uk/. The CRB Information line is 0870 90 90 811. The Information Commissioner suggests the following benchmarks in relation to information disclosed as part of this process.
‘Benchmarks for the handling of information obtained through disclosure:
• Consider carefully whether it is necessary for the protection or conduct of business to request a disclosure. The collection and holding of disclosure information that is excessive will breach the data protection principles.
• Once disclosure information has been obtained and an employment decision made, do not retain the information unless there is an overriding reason for doing so. Usually it will be sufficient to record that the check has been carried out and its result. In any event, do not retain the information for more than 6 months.
• Do not share with other employers the information obtained through a disclosure.
• Do not attempt to obtain information about criminal convictions by enforced subject access or from sources other than the CRB or the applicant. The carrying out of media checks to look for spent convictions for a post that is not eligible for standard or enhanced disclosure is likely to breach the Act. Media checks involve obtaining information from old newspaper articles or similar sources about an individual.’
Most employers want to know if their employees have a criminal record or not. The Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 provides that criminal offences that are ‘spent’ do not normally have to be declared on application forms or in answer to other requests for information about criminal convictions. There are exceptions for certain types of job which are covered in the order. The types of job covered by this Order are:
1. The professions, e.g. medical practitioners, barristers, accountants, vets and opticians
2. Those employed to uphold the law, e.g. judges, constables, prison officers and traffic wardens and those involved in the provision of social services
3. Certain regulated occupations, e.g. firearms dealers, directors of insurance companies and those in charge of certain types of nursing home
Information Commissioner’s frequently asked questions
Is all information about workers now covered by the Act?
No, but in practice most employment records will be. As well as computerised records, manual data held within a ‘relevant filing system’ are now covered by the Act. This is defined as any set of data which is structured either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible. An example of a relevant filing system would be a personnel file with a worker’s name or individual reference number on it, in which it is possible to find information about the worker such as starting date, performance mark at last appraisal, previous employer etc. Less obviously structured records may also be caught, for example, a completed set of job application forms. Unstructured collections of information, such as those warehoused in no particular order, will not be covered.
Do I have to get a person’s consent to keep records about him or her?
Consent to hold personal data relating to workers is not usually required. Indeed, the Commissioner considers it misleading to seek consent from workers if they have no real choice. Employers are more likely to need the consent of workers if they are processing sensitive data rather than non-sensitive data. In this case, the consent must be ‘explicit’. However, even then, sensitive data can be processed without explicit consent in a number of circumstances, for example, where the processing is necessary to enable the employer to comply with any legal obligation. Data about the racial or ethnic origin of workers may therefore be held in order to comply with the law relating to racial discrimination. Similarly, sickness records of workers may be kept in order to enable employers to meet the requirements imposed on them by the law in relation to statutory sick pay.
How can the company be expected to keep accurate records if applicants give us wrong information?
Provided that the employer has taken reasonable steps to ensure the accuracy of the information, the data protection principle that requires personal data to be accurate will not be breached.
How can I check that a candidate isn’t lying on his or her application form – doesn’t the Act stop me doing this?
The Act does not prevent an employer from checking whether a candidate is lying. However, the Act requires that if checks on information are to be carried out the candidate is aware of this. In some cases, for example where a school or college is to be asked to disclose information to verify a candidate’s qualifications, they may want the candidate’s permission before doing so.
If we’re only going to use the information that applicants supply to us on their application forms to process their application, what’s the point of telling them this?
There is no obligation in the Act to tell individuals what is going to happen to information they have provided so long as it is no more than they are likely to expect. If the information is to be used for a purpose that might not be expected, for example where applicants’ details are to be used for direct marketing purposes, they must be advised of this and any objections respected.
We employ staff who work with children – how can we protect these children if the Act prevents us from getting a copy of the applicant’s police record?
There is a provision in the Act that will prohibit ‘enforced subject access’ in connection with employment or recruitment once the Criminal Records Bureau starts to issue ‘disclosures’ listing convictions and certain other information. Once the CRB system is in operation, then this will be the channel that must be used for checking applicants’ police records.
Do we have to show candidates the notes we make when we interview them?
There is no general exemption from the Act’s subject access rights in respect of interview notes about candidates. This means that when an individual makes a request for access to the notes, it must be granted unless the set of notes is so unstructured as to fall outside the Act.
Isn’t there an exemption in the Act for references?
There is no such general exemption from the right of subject access. There is, however, a special exemption from the right of access to a confidential reference when in the hands of the organisation which gave it. This exemption does not apply once the reference is in the hands of the person or organisation to whom the reference has been given. The recipient is, though, entitled to take steps to withhold information that reveals the identity of other individuals such as the author of the reference.
If the Act forces us to delete information, how are we supposed to protect ourselves against allegations that we have discriminated against someone?
The Act doesn’t require that all information is deleted straight away. However, information that is retained for a particular purpose should not be kept for longer than is necessary for that purpose. This does not rule out keeping information to protect against legal action. Employers should, however, consider carefully what information they hold and why they hold it. A ‘risk analysis’ approach to data retention is recommended.
Checklist
The checklist is taken from Part 1 Recruitment of the Information Commissioner’s Code of Practice and is useful for those involved in this field. Completing this checklist is not a requirement of either the Act or the Code but is meant to assist you in implementing the Code. The checklist is aimed at the person in the organisation who is responsible for implementation. Who has responsibility for the various actions will depend on the make-up of your organisation.
1. Managing Data
POSSIBLE ACTION POINTS
1.1 Establish a person within the organisation responsible for ensuring that employment practices and procedures comply with the Act and for ensuring that they continue to do so. Put in place a mechanism for checking that procedures are followed in practice.
ACTION
• Ensure that someone is responsible for delivering compliance.
• Ensure the person responsible reads all relevant parts of the Code.
• Obtain all written employment procedures and note unwritten procedures and practices and check them against the relevant parts of the code.
• Eliminate areas of non-compliance.
• Inform those who need to know why certain procedures have changed.
• Introduce a mechanism for checking that procedures are followed in practice, for example, occasional audits and spot checks and/or a requirement for managers to sign a compliance statement.
1.2 Ensure that business areas and individual line managers that process information about workers understand their own responsibility for data protection compliance and, if necessary, amend their working practices in light of this.
ACTION
• Prepare a briefing to departmental heads and line managers about their responsibilities.
• Distribute or deliver the briefing and be available to answer questions.
1.3 Assess what personal data about workers are in existence and who is responsible for them.
ACTION
• Consider using the checklists produced in conjunction with other parts of the Code to assess all personal data.
• Check with personnel functions as to the types of data that are held.
• Check with Departments as to the types of data that are held.
1.4 Eliminate the collection of personal data that are irrelevant or excessive to the employment relationship. If sensitive data are collected ensure that a sensitive data condition is satisfied.
ACTION
• Consider each type of personal data that are held and determine whether any information could be deleted or not collected in the first place.
• Check that the collection and use of any sensitive personal data satisfies at least one of the sensitive data conditions.
1.5 Ensure that workers are aware of the extent to which they can be criminally liable if they knowingly or recklessly disclose personal data outside their employer’s policies and procedures. Make serious breaches of data protection rules a disciplinary offence.
ACTION
• Prepare a guide explaining to workers the consequences of their actions in this area.
• Make sure that an infringement of data protection procedures is clearly indicated as a disciplinary offence.
• Ensure that the guide is brought to the attention of new staff.
• Ensure that staff can ask questions about the guide.
1.6 Allocate responsibility for checking that your organisation has a valid notification in the register of data controllers that relates to the processing of personal data about workers, unless it is exempt from notification.
ACTION
• Consult the Data Protection Register website: www.dpr.gov.uk to check the status of your organisation regarding notification.
• Check whether your organisation is exempt from notification using the website.
• Check whether all information about workers is described there, if your organisation is not exempt.
• Allocate responsibility for checking and updating this information on a regular basis, for example every 6 months.
1.7 Consult trade unions or other workers’ representatives, if any, or workers themselves over the development and implementation of employment practices and procedures that involve the processing of workers’ data.
ACTION
• On formulating new practices and procedures, assess the impact on processing personal data.
• Consult with workers or workers’ representatives about the processing.
• Take account of their suggestions and concerns.
2. Advertising
POSSIBLE ACTION POINTS
2.1 Inform individuals responding to job advertisements of the name of the organisation to which they will be providing their information and how it will be used unless this is self-evident.
ACTION
• Ensure that the name of your organisation appears in all recruitment advertisements.
• Ensure that your organisation is named on the answerphone message which invites potential applicants to leave details.
• Ensure that your organisation is named on your website before personal data are collected on an online application form.
• Ensure the purpose for which you may use the personal data is described in the advertisement, for example, to market your organisation’s products and services, unless self-evident.
2.2 Recruitment agencies, used on behalf of an employer, must identify themselves and explain how personal data they receive will be used and disclosed unless this is self-evident.
ACTION
• Ensure that the recruitment agency identifies itself in any advertisement, and that it informs applicants if the information requested is to be used for any purpose of which the applicant is unlikely to be aware.
2.3 On receiving identifiable particulars of applicants from an agency ensure, as soon as you can, that the applicants are aware of the name of the organisation holding their information.
ACTION
• Inform the applicant as soon as you can of the employer’s identity and of any uses that the employer might make of the information received that are not self-evident.
OR
• If the employer does not wish to be identified at an early stage in the recruitment process, ensure the agency only sends anonymised information about applicants. Ensure the employer is identified to individuals whose applications are to be pursued further.
3. Applications
POSSIBLE ACTION POINTS
3.1 State, on any application form, to whom the information is being provided and how it will be used if this is not self-evident.
ACTION
• Ensure the name of your organisation is stated on the application form.
• If information from the application form will be used for any other purpose than to recruit for a specific job or passed to anyone else, make sure that this purpose is stated on the application form.
3.2 Only seek personal data that are relevant to the recruitment decision to be made.
ACTION
• Determine whether all questions are relevant for all applicants.
• Consider customising application forms where posts justify the collection of more intrusive personal data.
• Remove or amend any questions which require the applicant to provide information extraneous to the recruitment decision.
• Remove questions that are only relevant to people your organisation goes on to employ (e.g. banking details) but are not relevant to unsuccessful applicants.
3.3 Only request information about an applicant’s criminal convictions if that information can be justified in terms of the role offered. If this information is justified, make it clear that spent convictions do not have to be declared, unless the job being filled is covered by the Exceptions Order to the Rehabilitation of Offenders Act 1974.
ACTION
• Consider whether the collection of information about criminal convictions can be justified.
• Check that it is stated that spent convictions do not have to be declared (unless the job is one covered by the Exceptions Order).
3.4 Explain any checks that might be undertaken to verify the information provided in the application form including the nature of additional sources from which information may be gathered.
ACTION
• Ensure there is a clear statement on the application form or surrounding documents, explaining what information will be sought and from whom.
• Explain the nature of the verification process and the methods used to achieve this.
3.5 If sensitive data are collected ensure a sensitive data condition is satisfied.
ACTION
• Assess whether the collection of sensitive data is relevant to the recruitment process.
• Remove any questions about sensitive data that are not relevant.
• Ensure that the purpose of collecting any relevant sensitive data is explained on the application form or surrounding documentation.
• Ensure the purpose of collection satisfies one of the sensitive data conditions.
3.6 Provide a secure method for sending applications.
ACTION
• Ensure that a secure method of transmission is used for sending applications online (e.g. encryption-based software).
• Ensure that once electronic applications are received, they are saved in a directory or drive which has access limited to those involved in the recruitment process.
• Ensure that postal applications are given directly to the person or people processing the applications and that these are stored in a locked drawer.
• Ensure that faxed applications are given directly to the person or people processing the applications and that these are stored in a locked drawer.
• If applications are processed by line managers, make sure line managers are aware of how to gather and store applications.
4. Verification
POSSIBLE ACTION POINTS
4.1 Explain to applicants as early as is reasonably practicable in the recruitment process the nature of the verification process and the methods used to carry it out.
ACTION
• Ensure that information provided to applicants, for example on an application form or associated documents, explains what information will be verified and how, including in particular any external sources that will be used.
• Ensure that applicants are not forced to use their subject access rights to obtain records from a third party (i.e. by making such a requirement a condition of getting a job).
4.2 If it is necessary to secure the release of documents or information from a third party, obtain a signed consent form from the applicant unless consent to their release has been indicated in some other way.
ACTION
• Ensure applicants provide signed consent if this is required to secure the release of documents from a third party.
4.3 Give the applicant an opportunity to make representations should any of the checks produce discrepancies.
ACTION
• Ensure that those staff who are involved in verification in your organisation are aware what to do should inconsistencies emerge between what the applicant said in the application and what your checks have discovered.
• Make sure that in this situation, staff inform the applicant and allow them the opportunity to provide an explanation of the inconsistencies.
• Ensure this feedback to the applicant is incorporated into any recruitment procedures.
5. Short-listing
POSSIBLE ACTION POINTS
5.1 Be consistent in the way personal data are used in the process of shortlisting candidates for a particular position.
ACTION
• Check shortlist methods with sources of good practice such as the Equal Opportunities Commission or Commission for Racial Equality – see Further information page 137.
5.2 Inform applicants if an automated short-listing system will be used as the sole basis of making a decision. Make provisions to consider representations from applicants about this and to take these into account before making the final decision.
ACTION
• Ensure all the applicants are informed that an automated system is used as the sole basis of short-listing and of how to make representations against any adverse decision.
• Test and keep the results produced by the system under review to ensure they properly and fairly apply your shortlisting criteria to all applicants.
5.3 Ensure that tests based on the interpretation of scientific evidence, such as psychological tests and handwriting analysis, are only used and interpreted by those who have received appropriate training.
ACTION
• Determine which such tests are operated within your organisation.
• Ensure all tests are assessed by properly qualified persons.
6. Interviews
POSSIBLE ACTION POINTS
6.1 Ensure that personal data that are recorded and retained following interview can be justified as relevant to, and necessary for, the recruitment process itself, or for defending the process against challenge.
ACTION
• Ensure that all interviewers are aware that interviewees have a right to request access to their interview notes.
• Ensure that all interviewers are given instructions on how to store interview notes.
• Make provisions for interview notes to be destroyed after a reasonable time, allowing the organisation to protect itself from any potential claims such as those for race or sex discrimination.
• Explain to interviewers or those dealing with applicants, how to deal with a request for access to interview notes.
• If written procedures exist for interviews, ensure that these provisions are built into them.
7. Pre-employment vetting
POSSIBLE ACTION POINTS
7.1 Only use vetting where there are particular and significant risks involved to the employer, clients, customers or others, and where there is no less intrusive and reasonably practicable alternative.
ACTION
• Find out for which jobs, if any, pre-employment vetting takes place.
• Consider whether pre-employment vetting is justified for each of these jobs and whether the information could be obtained in a less intrusive way.
7.2 Only carry out pre-employment vetting on an applicant at an appropriate point in the recruitment process. Comprehensive vetting should only be conducted on a successful applicant.
ACTION
•
Ascertain at which point pre-employment vetting takes place and who is subject to it. Eliminate any comprehensive preemployment vetting that takes place for all short-listed applicants (only the people selected for the job should be submitted to comprehensive pre-employment vetting).
7.3 Make it clear early in the recruitment process that vetting will take place and how it will be conducted.
ACTION
•
Provide information about any vetting that might take place on application forms or other recruitment material. This should explain the nature, extent and range of sources to be used to carry out the vetting.
•
If information is sought from a third party, ensure the third party has some basis to justify its release, such as evidence of the applicant’s consent to the disclosure.
7.4 Only use vetting as a means of obtaining specific information, not as a means of general intelligence gathering. Ensure that the extent and nature of information sought is justified.
ACTION
• Ensure that there are clearly stated objectives in any vetting process.
• Consider the extent and nature of information that is sought against these objectives.
• Eliminate any verification that consists of general intelligence-gathering. Ensure that it is clearly focussed on furthering particular objectives.
7.5 Only seek information from sources where it is likely that relevant information will be revealed. Only approach the applicant’s family or close associates in exceptional cases.
ACTION
• Ensure that those who will seek the information are briefed about which sources to use, ensuring that those sources are likely to produce relevant information.
• Ensure that if family members or close associates are approached it can be justified by the nature of the job.
7.6 Do not place reliance on information collected from possibly unreliable sources. Allow the applicant to make representations regarding information that will affect the decision to finally appoint.
ACTION
• Ensure that information that has been collected from a vetting process is evaluated in the light of the reliability of the sources.
• Ensure that no recruitment decision is made solely on the basis of information obtained from a source that may be unreliable.
• Ensure that if information received will lead to the applicant not being appointed, then this will be made known to the applicant.
• Put in place a mechanism for providing this feedback, allowing the applicant to respond and obliging those involved in the recruitment decision to take this response into account.
• Build these measures into any written recruitment procedure that already exists.
7.7 Where information is collected about a third party, ensure so far as practicable that the third party is made aware of this.
ACTION
• Ensure that those conducting a vetting process are briefed to avoid discovering information about a third party unnecessarily.
• Where substantial personal data have been collected about a third party and are to be retained, ensure there is a process in place to inform the third party of this and of how the data will be used.
• Build these measures into any written recruitment procedure that already exists.
7.8 If it is necessary to secure the release of documents or information from a third party, obtain a signed consent form from the applicant.
ACTION
• Ensure applicants provide signed consent if this is required to secure the release of documents from a third party.
8. Retention of recruitment records
POSSIBLE ACTION POINTS
8.1 Establish and adhere to retention periods for recruitment records that are based on a clear business need.
ACTION
• Assess who in your organisation retains recruitment records (e.g. are they held centrally, at departmental level or in the line).
• Ensure that no recruitment record is held beyond the statutory period in which a claim arising from the recruitment process may be brought unless there is a clear business reason for exceeding this period.
• Consider anonymising any recruitment information that is to be held longer than the period necessary for responding to claims.
8.2 Destroy information obtained by a vetting exercise as soon as possible, or in any case within 6 months. A record of the result of vetting or verification can be retained.
ACTION
• Check who in your organisation retains information from vetting. Ensure that vetting records are destroyed after 6 months. Manual records should be shredded and electronic files permanently deleted from the system.
• Inform those responsible for the destruction of this information that they may keep a record that vetting was carried out, the result and the recruitment decision taken.
• If written procedures on vetting exist, incorporate these measures into them.
8.3 Consider carefully which information contained on an application form is to be transferred to the worker’s employment record. Delete information irrelevant to on-going employment.
ACTION
• Assess how information is transferred from recruitment records to employment records.
• Ensure those responsible for such transfers only move information relevant to on-going employment to employment files.
• Build this in to any written recruitment procedures.
8.4 Delete information about criminal convictions collected in the course of the recruitment process once it has been verified through a Criminal Records Bureau disclosure unless, in exceptional circumstances, the information is clearly relevant to the on-going employment relationship.
ACTION
• Make sure it is only recorded whether a check has yielded a satisfactory or an unsatisfactory result. Delete other information.
8.5 Advise unsuccessful applicants that there is an intention to keep their names on file for future vacancies (if appropriate) and give them the opportunity to have their details removed from the file.
ACTION
• Ensure that application forms or surrounding documentation tell applicants that, should they be unsuccessful, their details will be kept on file unless they specifically request that this should not be the case.
8.6 Ensure that personal data received during the recruitment process are securely stored or are destroyed.
ACTION
• Assess who in your organisation presently processes recruitment information.
• Inform them that manual records should be kept securely, for example in a locked filing cabinet.
• Inform them that electronic files should be kept securely, for example by using passwords and other technical security measures.
Chapter 3 Employment records
Managing Data Protection
Collecting and keeping employment records
Security
Sickness and accident records
Pension and insurance schemes
Equal opportunities monitoring
Marketing
Fraud detection
Workers’ access to information about themselves
References
Disclosure requests
Publication and other disclosures
Mergers and acquisitions
Discipline, grievance and dismissal
Outsourcing data processing
Retention of records
Access when information about third parties is involved
Frequently asked questions
Checklist
Chapter 3 Employment records
A large part of the work of those involved with human resources is managing records of employees. Many of these records contain personal data and also include sensitive personal data. The Data Protection Act should be followed in the handling of employment records and this chapter seeks to summarise the rules which apply in this area. It quotes from Part 2 of the Data Protection Employment Code on Employment Records. The benchmarks suggested in this area by the Information Commissioner are given, but not the Notes which accompany them, which are very lengthy. The Notes are useful in practice, so any reader struggling with the interpretation of a particular benchmark should look at the Notes accompanying it, which are with the Code under Codes of Practice on the Information Commissioner’s web site.
The chapter follows the sixteen records sections of Part 2 of the Code as they are a comprehensive selection of topics relevant in this field. At the end of the chapter are some frequently asked questions and a Checklist from the Information Commissioner’s Guide. A chart is also given on third party data issues.
Nothing in the Act prevents an employer from gathering, holding and using personal data about employees. However, efforts should be made to ensure the principles of the Act are followed in the use of that data.
Managing Data Protection
Earlier chapters looked at the managing of data protection. Someone in the organisation needs to be given responsibility to achieve compliance. Much depends on whether it is a one-man business or a huge plc, but the principles are much the same. The IC says that: ‘Data protection compliance should be seen as an integral part of employment practice. It is important to develop a culture in which respect for private life, data protection, security and confidentiality of personal data are seen as the norm’ and suggests the following benchmarks.
The benchmarks
1. Establish a person within the organisation responsible for ensuring employment practices and procedures comply with the Act and for ensuring that they continue to do so. Put in place a mechanism for checking that procedures are followed in practice.
2. Ensure that business areas and individual line managers that process information about workers understand their own responsibility for data protection compliance and if necessary amend their working practices in light of this.
3. Assess what personal data about workers are in existence and who is responsible for them.
4. Eliminate the collection of personal data that are irrelevant or excessive to the employment relationship. If sensitive data are collected ensure that a sensitive data condition is satisfied.
5. Ensure that workers are aware of the extent to which they can be criminally liable if they knowingly or recklessly disclose personal data outside their employer’s policies and procedures. Make serious breaches of data protection rules a disciplinary offence.
6. Allocate responsibility for checking that your organisation has a valid notification in the register of data controllers that relates to the processing of personal data about workers, unless it is exempt from notification.
7. Consult Trade Unions or other workers’ representatives, if any, or workers themselves over the development and implementation of employment practices and procedures that involve the processing of workers’ data.
Collecting and keeping employment records
Part 2 of the Code examines the collection and retention of employment records. The benchmarks are as follows. As with much of the Code, the emphasis is on ensuring employees know what will happen to them and how their data will be used. Many employers need to add clauses to employment contracts or even have stand-alone data protection policies to ensure that they are fully compliant.
The benchmarks
1. Ensure that newly appointed workers are aware of the nature and source of any information kept about them, how it will be used and who it will be disclosed to.
2. Inform new workers and remind existing workers about their rights under the Act, including their right of access to the information kept about them.
3. Ensure that there is a clear and foreseeable need for any information collected about workers and that the information collected actually meets that need.
4. Provide each worker with a copy of information that may be subject to change, e.g. personal details such as home address, annually or allow workers to view this on-line. Ask workers to check their records for accuracy and ensure any necessary amendments are made to bring records up-to-date.
5. Incorporate accuracy, consistency and validity checks into systems.
Security
An employer may have information on file that an employee, for example, is HIV positive or has had some very embarrassing medical condition. It is crucial that the data is kept secure, otherwise a breach of the Act could occur. As was seen in Chapter one, the data protection principles require that data be kept safe and secure. These are the benchmarks in this area:
The benchmarks
1. Apply security standards that take account of the risks of unauthorised access to, accidental loss or destruction of, or damage to, employment records.
2. Institute a system of secure cabinets, access controls and passwords to ensure that staff can only gain access to employment records where they have a legitimate business need to do so.
3. Use the audit trail capabilities of automated systems to track who accesses and amends personal data.
4. Take steps to ensure the reliability of staff that have access to workers’ records. Remember this is not just a matter of carrying out background checks. It also involves training and ensuring that workers understand their responsibilities for confidential or sensitive information. Place confidentiality clauses in their contracts of employment.
5. Ensure that if employment records are taken off-site, e.g. on laptop computers, this is controlled. Make sure only the necessary information is taken and there are security rules for staff to follow.
6. Take account of the risks of transmitting confidential worker information by fax or e-mail. Only transmit such information between locations if a secure network or comparable arrangement is in place. In the case of e-mail deploy some technical means of ensuring security, such as encryption.
Sickness and accident records
Chapter one described sensitive personal data, and sickness records will inevitably come within this category. Employers are also required to keep an accident record book where injuries at work are recorded. This is also a document often containing sensitive personal data. The other term used in the Guidelines is an ‘absence record’, which describes a record that may give the reason for absence as ‘sickness’ or ‘accident’ but does not include any reference to specific medical conditions. The fourth part of the Code will deal with medical information about workers and will provide further information about occupational health schemes. This has not yet been produced.
The benchmarks
1. Keep sickness and accident records separately from absence records. Do not use sickness or accident records for a particular purpose when records of absence could be used instead.
2. Ensure that the holding and use of sickness and accident records satisfies a sensitive data condition.
3. Only disclose information from sickness or accident records about a worker’s illness, medical condition or injury where there is a legal obligation to do so, where it is necessary for legal proceedings or where the worker has given explicit consent to the disclosure.
4. Do not make the sickness, accident or absence records of individual workers available to other workers, other than to provide managers with information about those who work for them in so far as this is necessary for them to carry out their managerial roles.
Pension and insurance schemes
Personal data may well be handed to a third party such as a pension company and, therefore, the operation of pension and insurance schemes falls to be considered under the DPA. This is an area where regular consideration should be given to changes in the law. The EU equal treatment directive will be implemented in the UK by 2006 and will outlaw age discrimination. Employees will probably not be allowed to be forced to retire if they do not wish to do so, when they reach 65 years of age or state retirement age. In the US it is illegal to ask potential employees their age or specify this on advertisements and it is likely that EU law is moving in the same direction. This is an area which should be kept under review although, at the date of writing, age can be specified as long as it does not amount to sex discrimination (often women are older than men because they often take time out to bring up children, so sex discrimination in age requirements can sometimes be found).
The IC says that: ‘Pension or insurance-based schemes such as those offering private medical care are often used to provide benefits for workers. These schemes are usually controlled by a third party but can be administered in-house. Some employers also insure their business against sickness by key workers’.
The benchmarks
GENERAL
1. Do not access personal data required by a third party to administer a scheme, in order to use it for general employment purposes.
2. Limit your exchange of information with a scheme provider to the minimum necessary for operation of the scheme bearing in mind the scheme’s funding obligations. Make sure that if sensitive data are involved a sensitive data condition is satisfied.
PENSION SCHEMES
3. Do not use information gained from the internal trustees or administrators of pension schemes for general employment purposes.
INSURANCE SCHEMES
4. If your business takes on the role of broker or your staff act as group secretary for a private medical insurance scheme, ensure that personal data gathered are kept to a minimum, limit access to the information and do not use it for general employment purposes.
5. Ensure that when a worker joins a health or insurance scheme it is made clear what, if any, information is to be passed between the scheme controller and the employer and how it will be used.
Equal opportunities monitoring
It is wise for businesses to have some form of equal opportunities monitoring policies in place which will also assist them if later they face a discrimination action. However, they will need to store personal data to do this. Such monitoring is allowed under the DPA but information which identifies workers should be ‘kept to a minimum’. The following guidelines provide assistance:
The benchmarks
1. Information about a worker’s ethnic origin, disability or religion is sensitive personal data. Ensure that equal opportunities monitoring of these characteristics satisfies a sensitive data condition.
2. Only use information that identifies individual workers where this is necessary to carry out meaningful equal opportunities monitoring. Where practicable, keep the information collected in an anonymised form.
3. Ensure questions are designed so that the personal information collected through them is accurate and not excessive.
Marketing
Many employers of large numbers of workers market goods or services to them. Workers can always opt out of this and employers need to comply with the law. Marketing under the DPA is a very substantial topic and reference should be made to general data protection works in this respect. See Tolley’s Data Protection Handbook (2nd ed.).
The benchmarks
1. Inform new workers if your organisation intends to use their personal information to deliver advertising or marketing messages to them. Give workers a clear opportunity to object (an ‘opt-out’) and respect any objections whenever received.
2. Do not disclose workers’ details to other organisations for their marketing unless individual workers have positively and freely indicated their agreement (an ‘opt-in’).
3. If you intend to use details of existing workers for marketing for the first time either in ways that were not explained when they first joined or that they would not expect, do not proceed until individual workers have positively and freely indicated their agreement (an ‘opt-in’).
Fraud detection
Some employers, particularly in the public sector, use workers’ records in the prevention and detection of fraud, for example, in order to check that they are not paying state benefits to those who by virtue of their employment are not entitled to receive them. Such exercises frequently involve data matching – the electronic comparison of data sets held for different purposes in order to identify inconsistencies or discrepancies which may indicate fraud.
The benchmarks
1. Consult Trade Unions or other worker representatives, if any, or workers themselves before starting a data matching exercise. Act on any legitimate concerns raised in consultation before starting the exercise.
2. Inform new workers of the use of payroll or other data in fraud prevention exercises and remind them of this periodically.
3. Do not disclose worker data to other organisations for the prevention or detection of fraud unless:
• you are required by law to make the disclosure, or
• you believe that failure to disclose, in a particular instance, is likely to prejudice the prevention or detection of crime, or
• the disclosure is provided for in workers’ contracts of employment.
Workers’ access to information about themselves
Employees can ask to see information held about them provided they pay £10 – see Chapter one. Responding to a subject access request involves:
• telling the worker if the organisation keeps any personal information about him or her;
• giving the worker a description of the type of information the organisation keeps, the purposes it is used for and the types of organisations which it may be passed on to, if any;
• showing the worker all the information the organisation keeps about him or her, explaining any codes or other unintelligible terms used;
• providing this information in a hard copy or in readily readable, permanent electronic form unless providing it in that way would involve disproportionate effort or the worker agrees to receive it in some other way;
• providing the worker with any additional information the organisation has as to the source of the information kept about him or her.
There are a number of exemptions from the right of subject access which can be relevant in an employment context.
The benchmarks
• Establish a system that enables your organisation to recognise a subject access request and to locate all the information about a worker, in order to be able to respond promptly and in any case within 40 calendar days of receiving a subject access request.
• Check the identity of anyone making a subject access request to ensure information is only given to the person entitled to it.
• Provide the worker with a hard copy of the information kept, making clear any codes used and the sources of the information.
• Make a judgement as to what information it is reasonable to withhold concerning the identities of third parties using the guidelines given later in this Code.
• Inform managers and other relevant people in the organisation of the nature of information relating to them that will be released to individuals who make subject access requests.
• Ensure that on request, promptly and in any event within 40 calendar days, workers are provided with a statement of how any automated decision-making process, to which they are subject, is used, and how it works.
• When purchasing a computerised system ensure that the system enables you to retrieve all the information relating to an individual worker without difficulty. Ensure that the supplier of a system that you will use to take automated decisions about workers provides the information needed to enable you to respond fully to requests for information about how the system works.
References
Employers often give references for employees or provide statements about a worker’s earnings for mortgage application purposes or other similar purposes. Workers do not have the right to gain access to a confidential job reference from the organisation which has given it. However, once the reference is with the organisation to which it was sent, no such specific exemption from the right of access exists. That organisation is, though, entitled to take steps to protect the identity of third parties such as the author of the reference. So the reference may well be seen later.
It is wise to take some legal advice about references. In Pearce v Governing Body of Mayfield Secondary School and related cases (HL: 19.6.03, Times Law Report 20th June 2003) the House of Lords said legal obligations as regards references continue even after a worker has left employment. One of the test cases concerned a Nick Kirker, a chemist who had worked for British Sugar but had extremely poor eyesight and was registered blind. When he was made redundant he claimed discrimination. He failed to get another job after giving British Sugar as a reference. British Sugar at first had the case struck out on the grounds that discrimination protection only applies whilst one is an employee. The HL did not agree. The liability continued.
The benchmarks
References given:
1. Set out a clear company policy stating who can give corporate references, in what circumstances, and the policy that applies to the granting of access to them. Make anyone who is likely to become a referee aware of this policy.
2. Do not provide confidential references about a worker unless you are sure that this is the worker’s wish.
3. Establish at the time a worker’s employment ends, whether or not the worker wishes references to be provided to future employers or to others.
References received:
4. When responding to a request from a worker to see his or her own reference, and the reference enables a third party to be identified, make a judgement as to what information it is reasonable to withhold, using the guidelines given later in this Code.
Disclosure requests
Often third parties ask for information about employees. Sometimes the police do, or lenders and others. Much care needs to be exercised and staff should be warned not simply to agree. Take legal advice in cases of doubt. There are some exemptions from the ‘non-disclosure provisions’ of the Act.
The benchmarks
1. Establish a disclosure policy to tell staff who are likely to receive requests for information about workers how to respond, and to where they should refer requests that fall outside the policy rules.
2. Ensure that disclosure decisions that are not covered by clear policy rules are only taken by staff who are familiar with the Act and this Code, and who are able to give the decision proper consideration.
3. Unless you are under a legal obligation to do so, only disclose information about a worker where you conclude that in all the circumstances it is fair to do so. Bear in mind that the duty of fairness is owed primarily to the worker. Where possible take account of the worker’s views. Only disclose confidential information if the worker has clearly agreed.
4. Where a disclosure is requested in an emergency, make a careful decision as to whether to disclose, taking into account the nature of the information being requested and the likely impact on the worker of not providing it.
5. Make staff aware that those seeking information sometimes use deception to gain access to it. Ensure that they check the legitimacy of any request and the identity and authority of the person making it.
6. Ensure that if you intend to disclose sensitive personal data, a sensitive data condition is satisfied.
7. Where the disclosure would involve a transfer of information about a worker to a country outside the European Economic Area, ensure that there is a proper basis for making the transfer.
8. Inform the worker before or as soon as is practicable after a request has been received, that a non-regular disclosure is to be made, unless prevented by law from doing so, or unless this would constitute a ‘tip off’ prejudicing a criminal or tax investigation.
9. Keep a record of non-regular disclosures. Regularly check and review this record to ensure that the requirements of the Act are being satisfied.
Publication and other disclosures
The Act does not necessarily prohibit the publication of information about workers. There may be areas where an employer decides that as a matter of policy it should publish certain information about workers. In doing so, it must balance the benefits of publishing the information with the reasonable expectations of its workers that their employer will respect the privacy of their personal information.
The benchmarks
1. Only publish information about workers where:
• there is a legal obligation to do so, or
• the information is clearly not intrusive, or
• the worker has consented to disclosure, or
• the information is in a form that does not identify individual workers.
2. Where information about workers is published on the basis of consent, ensure that when the worker gives consent he or she is made aware of the extent of information that will be published, how it will be published and the implications of this.
3. Only supply personal information about workers to a trade union for its recruitment purposes if:
• the trade union is recognised by the employer,
• the information is limited to that necessary to enable a recruitment approach, and
• each worker has been previously told that this will happen and has been given a clear opportunity to object.
4. Where staffing information is supplied to trade unions in the course of collective bargaining, ensure the information is such that individual workers cannot be identified.
Mergers and acquisitions
A very frequent question asked of data protection lawyers is how can someone buying a business do their due diligence, checking out the company, its employees, their pay etc, without disclosing the information in breach of the Act. The IC has the following benchmarks in this area:
The benchmarks
1. Ensure, wherever practicable, that information handed over to another organisation in connection with a prospective acquisition or merger is anonymised.
2. Only hand over personal information prior to the final merger or acquisition decision after securing assurances that it will be used solely for the evaluation of assets and liabilities, it will be treated in confidence and will not be disclosed to other parties, and it will be destroyed or returned after use.
3. Advise workers wherever practicable if their employment records are to be disclosed to another organisation before an acquisition or merger takes place. If the acquisition or merger proceeds make sure workers are aware of the extent to which their records are to be transferred to the new employer.
4. Ensure that if you intend to disclose sensitive personal data a sensitive personal data condition is satisfied.
5. Where a merger or acquisition involves a transfer of information about a worker to a country outside the European Economic Area (EEA) ensure that there is a proper basis for making the transfer.
6. New employers should ensure that the records they hold as a result of a merger or acquisition do not include excessive information, and are accurate and relevant.
Discipline, grievance and dismissal
Few areas are as emotive as disciplining employees and this can, if done badly, lead to claims for unfair dismissal. The IC says that: ‘Workers have the same rights of access to files containing information about disciplinary matters or grievances about themselves as they do to other personal data held, unless this information is associated with a criminal investigation in which case an exemption might apply.’ The Advisory, Conciliation and Arbitration Service (ACAS) and other bodies provide general guidance on this topic.
The benchmarks
1. Remember that the Data Protection Act applies to personal data processed in relation to discipline, grievance and dismissal proceedings.
2. Do not access or use information you keep about workers merely because it might have some relevance to a disciplinary or grievance investigation if access or use would be either:
• incompatible with the purpose(s) you obtained the information for, or
• disproportionate to the seriousness of the matter under investigation.
3. Ensure that there are clear procedures on how ‘spent’ disciplinary warnings are handled.
4. Ensure that when employment is terminated the reason for this is accurately recorded, and that the record reflects properly what the worker has been told about the termination.
Outsourcing data processing
Frequently, organisations do not process all the data they hold on workers themselves but outsource this to other organisations. Organisations which process the data on behalf of other organisations include specialist businesses which run payroll systems, sister companies which manage the centralised computer system on which group worker records are kept, and organisations which provide a secure facility for the storage of archived manual records. Such organisations are termed ‘data processors’ in the Data Protection Act.
The benchmarks
1. Satisfy yourself that any data processor you choose adopts appropriate security measures both in terms of the technology it uses and how it is managed.
2. Have in place a written contract with any data processor you choose that requires it to process personal information only on your instructions, and to maintain appropriate security.
3. Where the use of a data processor would involve a transfer of information about a worker to a country outside the European Economic Area, ensure that there is a proper basis for making the transfer.
Retention of records
How long to keep records is one of the most practical and important issues. It is expensive to store data for long periods. The IC says that: ‘It falls primarily to the employer to set retention periods. No specific period is given in the Act, which merely requires that the personal data in a record shall not be kept for longer than is necessary for a particular purpose or purposes. However, any period that is set must be based on business need and should take into account any professional guidelines. Employers should be aware that the Act does not override any statutory requirement to retain records, for example in relation to income tax or certain aspects of health and safety.’ This is not very helpful as employers often just want to be told what period applies.
The benchmarks
1. Establish and adhere to standard retention times for categories of information held on the records of workers and former workers. Base the retention times on business need taking into account relevant professional guidelines.
2. Anonymise any data about workers and former workers where practicable.
3. If the holding of any information on criminal convictions of workers is justified, ensure that the information is deleted once the conviction is ‘spent’ under the Rehabilitation of Offenders Act.
4. Ensure that records which are to be disposed of are securely and effectively destroyed.
Access when information about third parties is involved
Finally, where third party information is involved the Commission in Part 2 of the Code provides some guidance. The following diagram shows how to deal with subject access requests when the identity of a third party, i.e. a person other than the worker making the request, might be revealed within the personal data being released to the worker.
Figure 1: How to deal with subject access requests
[Flowchart. It asks the questions below in turn, each answered Yes or No, and ends in one of three outcomes: DISCLOSE, DISCLOSE EDITED or WITHHOLD.]
• Do the data contain information relating to another individual (a third party)?
• Would the release of all the information reveal the third party’s identity?
• If the third party has not already agreed to release all the information is it realistic to seek his/her consent? For example, it might be unrealistic if the third party’s whereabouts are unknown.
• Does the third party consent to the release of all the information?
• Is it reasonable in the circumstances to release the information even without the third party’s consent, taking into account the guidance overleaf?
• Can the information be edited so as not to reveal the third party’s identity, for example by removing the third party’s name and address?
Frequently asked questions
Aren’t paper files exempt from the Data Protection Act – are we OK if we don’t computerise our records?
No. Manual data held within a ‘relevant filing system’ are now covered by the Act. This is defined as any set of information which is structured either by reference to individuals or by reference to criteria relating to individuals in such a way that specific information relating to a particular individual is readily accessible. An example of a relevant filing system would be a personnel file with a worker’s name or individual reference number on it, in which it is possible to find information about the worker such as starting date, performance mark at last appraisal, or previous employer.
What about sickness records?
Sickness records will almost certainly contain information about workers’ physical or mental health. They will therefore include sensitive data. Where they are kept in order to enable employers to meet the requirements imposed on them by the law in relation to statutory sick pay it is clear that a sensitive data condition can be satisfied and consent will not be needed. With more general sickness records the position is less clear cut. The Commissioner recognises that employers need to keep some sickness records and it is unsatisfactory should they have to rely on the consent of workers to do so. She takes the view that an employer keeping and using sickness records in a reasonable manner can rely on the condition that the processing is necessary in order to enable the employer to comply with any legal obligation associated with employment. The Data Protection Act, as it currently stands, does not place the question beyond doubt but the Commissioner understands that Government is considering changes to the law that will do so. Even though consent is not needed, employers should of course ensure that workers are aware of what information about them is kept in sickness records and how it is used.
Is a worker entitled to access to all our confidential records, including references?
There is no general exemption from the worker’s right of access to information about him/her simply because the information is ‘confidential’. There is, however, a special exemption from the right of access to a confidential reference when in the hands of the organisation which gave it. This exemption does not apply once the reference is in the hands of the person or organisation to whom the reference has been given. The recipient may though be entitled to take steps to withhold information that reveals the identity of other individuals such as the author of the reference. This would not usually justify withholding the reference in its entirety.
How do I deal with requests by workers for access to information where the information identifies someone else? We get this problem a lot when workers want access to disciplinary files and similar documents.
Such requests require careful handling and there is no simple solution to your problem. Employers should be prepared to disclose information to a worker that identifies work colleagues, provided that the information is about colleagues acting in a business capacity and is not of a particularly private or sensitive nature. However, there are cases where information should be withheld. This might be the case where, for example, giving access would allow a worker accused of bullying to find out the identity of his or her accuser.
How can the company be expected to keep accurate records if workers give us wrong information?
Provided that the employer has taken reasonable steps to ensure the accuracy of the information, the data protection principle that requires personal information to be accurate will not be breached.
If the Act forces us to delete information, how are we supposed to protect ourselves against allegations that we have discriminated against someone?
The Act doesn’t require that all information is deleted straightaway. However, information that is retained for a particular purpose should not be kept for longer than is necessary for that purpose. This does not rule out keeping information to protect against legal action. Employers should, however, consider carefully what information they hold and why they hold it. A ‘risk analysis’ approach to data retention is therefore recommended.
We are looking at centralising our group’s employment records at our headquarters in the USA. Can we do this?
Personal data must not be transferred outside the European Economic Area (EEA) unless adequate protection is provided in the destination country. Some countries provide adequate protection by virtue of their data protection law. The USA is not one of these. In the USA a special arrangement known as the ‘safe harbor’ has been created. If your company is a member of the safe harbor, transfer is allowed. There are also other alternatives such as providing adequate protection through the terms of a contract between your company in the UK and its parent in the USA. Detailed guidance on international transfers of personal data is provided on the Legal Guidance section of the Commissioner’s website.
Can we disclose personal data to prospective purchasers of our business?
The Act doesn’t necessarily prevent this. However, if it is not unduly difficult to do so and the prospective purchasers’ needs can still be met, the information should be anonymised, for example by providing the numbers of workers in each grade rather than their names. If personal information needs to be made available the employer should ensure that the prospective purchaser signs up to conditions on how it will be used. Employers should also ensure that information is returned or destroyed if the sale of the business does not proceed.
Checklist
Completing this checklist is not a requirement of either the Act or the Code but is meant to assist you in implementing the Code. The checklist is aimed at the person in the organisation who is responsible for implementation. Who has responsibility for the various actions will depend on the make-up of your organisation.
1. Managing Data Protection
POSSIBLE ACTION POINTS
See Point 1 on the Checklist at the end of Chapter two.
2. Collecting and keeping general records
POSSIBLE ACTION POINTS
2.1 Ensure that newly appointed workers are aware of the nature and source of any information stored about them, how it will be used and who it will be disclosed to.
ACTION
• Decide on how best to inform new workers about how information about them will be held, used and disclosed. Possible different ways include distribution of a fact-sheet, information given on an intranet or inclusion of relevant material in an induction course.
• Inform HR professionals, department and line managers about this information and how it is to be made available to new workers.
• In large organisations, randomly check with a sample of new workers that they did in fact receive this information. Rectify any communication gaps.
2.2 Inform new workers and remind existing workers about their rights under the Act, including their right of access to the information kept upon them.
ACTION
• Ensure that information given to new workers includes information about their rights under the Act.
• If your organisation has not done so previously, distribute this information to existing workers.
• Set up a system to remind existing workers of the right of information.
2.3 Ensure that there is a clear and foreseeable need for any information collected from workers and that the information collected actually meets that need.
ACTION
• Review all forms where information is requested from workers.
• Remove or amend any questions which require the worker to provide information extraneous to your needs.
• Ensure that questions are constructed in such a way that their answers consist only of the information that is actually required.
2.4 Provide each worker with a copy of information that may be subject to change, e.g. personal details such as home address, annually or allow workers to view this on-line. Ask workers to check their records for accuracy and ensure any necessary amendments are made to bring records up-to-date.
ACTION
• Determine the different types of personal data kept about workers and whether they are likely to be subject to change.
• Decide whether data that change could easily be viewed electronically.
• Make any changes to systems necessary to enable this.
• Ensure that the system restricts access to individuals’ records so that each worker can only get access to his or her own record.
• If it is only possible for workers to view data manually, consider how this can best be done.
• Inform HR, departments and line managers of any new arrangements.
• Make provision to amend any details that are incorrect on individual workers’ files.
2.5 Incorporate accuracy, consistency and validity checks into systems.
ACTION
• Review computerised systems to see if accuracy checks can be easily built in.
• Put in place arrangements to ensure that when systems are updated or new systems purchased they facilitate data protection compliance.
3. Security
POSSIBLE ACTION POINTS
3.1 Apply security standards that take account of the risks of unauthorised access to, accidental loss of, destruction of, or damage to employment records.
ACTION
• Obtain a copy of BS7799 if you do not have one already.
• Compare its recommendations to your own existing procedures.
• Put in place measures to rectify any shortfalls.
3.2 Institute a system of secure cabinets, access controls and passwords to ensure that staff can only gain access to employment records where they have a legitimate business need to do so.
ACTION
• Review who in your organisation has access to personal data.
• Determine whether it is necessary to give access to everyone who currently has it.
• Deny access to those who have unnecessary access to personal information about others.
• Make sure manual files that hold personal data are securely held with locks and only those who should have access retain the key.
• In the case of computerised records, ensure that passwords are set up to limit unauthorised access.
3.3 Use the audit trail capabilities of automated systems to track who accesses and amends personal data.
ACTION
• Check whether computerised systems that retain personal data currently have audit trail capabilities.
• If they do, check that the audit trail is enabled.
• If they do not, see if it would be possible to create audit trails of who accesses and amends personal data.
• If you have a system with audit trails, ensure that regular checks occur to detect unauthorised or suspicious use.
• Set up a procedure to investigate patterns of unusual or unauthorised access of personal data.
3.4 Take steps to ensure the reliability of staff that have access to workers’ records. Remember this is not just a matter of carrying out background checks. It also involves training and ensuring that workers understand their responsibilities for confidential or sensitive information. Place confidentiality clauses in their contracts of employment.
ACTION
• Carry out background checks on staff that will have access to workers’ records, for example by taking up references.
• Review the contracts of workers who deal with personal data.
• Write confidentiality clauses into contracts concerning the disclosure and unauthorised use of personal data.
• Set up induction training for these staff which explains their responsibilities.
• Organise refresher training as and when necessary.
• Ensure that all senior staff are aware of their responsibilities in this area.
3.5 Ensure that if employment records are taken off-site, e.g. on laptop computers, this is controlled. Make sure only the necessary information is taken and there are security rules for staff to follow.
ACTION
• Formulate a procedure for taking laptop computers off-site (or review the existing procedure). Include points regarding the information that may be taken off-site, security of passwords and keeping the laptop in view or secured at all times.
• Inform all workers, including senior staff, of the procedure.
3.6 Take account of the risks of transmitting confidential worker information by fax or e-mail. Only transmit information between locations if a secure network or comparable arrangement is in place. In the case of e-mail deploy some technical means of ensuring security, such as encryption.
ACTION
• Review procedures for sending and receiving personal data via faxes.
• Ensure that all managers use a secure system if personal data are to be transmitted by fax.
• Advise all managers about permanently deleting e-mails that contain personal data from their work-stations.
• Check whether deleted e-mails will still be kept on a server. Wherever possible ensure these too can be permanently deleted. In any case, restrict access to them. Check that your information systems security policy properly addresses the risk of transmitting worker information by e-mail.
4. Sickness and Accident Records
POSSIBLE ACTION POINTS
4.1 Keep sickness and accident records separately from absence records. Do not use sickness records for a particular purpose when records of absence could be used instead.
ACTION
• Review how sickness and accident records are currently kept.
• If necessary, change the way information on sickness and accidents is kept so that information on workers’ health is not accessed when only information on absence is needed.
• Inform those accessing both sickness/accident and absence records of when it is and is not necessary to access the full sickness or accident records.
4.2 Ensure that the holding and use of sickness and accident records satisfies a sensitive data condition.
ACTION
• Check current practices on the use of sickness records against the sensitive data conditions in the Code.
• Take any remedial action necessary.
• Inform those handling sickness records of any changes in procedures or practices.
4.3 Only disclose information from sickness or accident records about a worker’s illness, medical condition or injury where there is a legal obligation to do so, where it is necessary for legal proceedings or where the worker has given explicit consent to the disclosure.
ACTION
• Ensure that all those who deal with workers’ sickness records are aware in which circumstances there may be a legal obligation to disclose.
• Ensure that, when appropriate, written consent is obtained from the worker.
4.4 Do not make the sickness, accident or absence records of individual workers available to other workers, other than to provide managers with information about those who work for them in so far as this is necessary for them to carry out their managerial roles.
ACTION
• Review current procedures for use of sickness records.
• Ensure no ‘league tables’ of individual records are published.
• Ensure that managers are aware of the sensitive nature of sickness records.
5. Pension and insurance schemes
POSSIBLE ACTION POINTS
5.1 Do not access personal data required by a third party to administer a scheme, in order to use it for general employment purposes.
ACTION
• Identify and review schemes currently in operation in your business.
• Identify where information could possibly ‘leak’ from a scheme to an employment context.
• Identify ways of stopping this occurring, for example by passing information in sealed envelopes.
5.2 Limit your exchange of information with a scheme provider to the minimum necessary for operation of the scheme bearing in mind the scheme’s funding obligations. Make sure that if sensitive data are involved a sensitive data condition is satisfied.
ACTION
• Review the exchange of information with any scheme providers.
• Identify and eliminate any personal information passed to you by the scheme provider that is not essential to the operation of the scheme.
5.3 Do not use information gained from the internal trustees or administrators of pension schemes for general employment purposes.
ACTION
• Inform trustees and administrators of their general data protection responsibilities. In particular make sure they know they must not use personal information acquired in their capacity as trustee or administrator in their capacity as employer.
5.4 If your business takes on the role of broker or your staff act as group secretary for a private medical insurance scheme, ensure that personal data gathered is kept to a minimum, limit access to the information and do not use it for general employment purposes.
ACTION
• Consider carefully what information is needed to administer the scheme.
• Limit access to personal data arising from the administration of the scheme.
• Ensure that information gathered in this context is not used for any other purpose.
5.5 Ensure that when a worker joins a health or insurance scheme it is made clear what, if any, information is passed between the scheme controller and the employer, and how it will be used.
ACTION
• Assess the information given to workers when they join a health or insurance scheme.
• If no specific mention is made about the transfer of information, amend the documentation about the scheme accordingly.
6. Equal opportunities monitoring
POSSIBLE ACTION POINTS
6.1 Information about a worker’s ethnic origin, disability or religion is sensitive personal data. Ensure that equal opportunities monitoring of these characteristics satisfies a sensitive data condition.
ACTION
• Check your organisation’s current equal opportunities monitoring against the sensitive data conditions in the Code.
• Make any necessary changes to the monitoring procedure in light of these.
6.2 Only use information that identifies individual workers where this is necessary to carry out meaningful equal opportunities monitoring. Where practicable, keep the information collected in an anonymised form.
ACTION
• Review current practices. Check whether any monitoring form gives the impression that information is anonymous when, in fact, it can be traced back to individuals.
• If identifiable information is held but it can be anonymised, do this.
• When there is no reasonable alternative but to be able to identify individuals, check whether the monitoring form states this and explains how the data are to be used.
• Make any necessary changes to procedures and ensure that HR staff involved in monitoring understand why these changes have been made.
6.3 Ensure questions are designed so that the personal information collected through them is accurate and not excessive.
ACTION
• Check that questions allow people to identify themselves accurately. For example, in ethnic origin monitoring, do not limit the range of choices given so that workers are forced to make a choice that does not properly describe them.
• If you assign workers to categories ensure the record is clear that it is your assumption and not a matter of fact.
7. Marketing
POSSIBLE ACTION POINTS
7.1 Inform new workers if your organisation intends to use their personal information to deliver advertising or marketing messages to them. Give workers a clear opportunity to object (an ‘opt-out’) and respect any objections whenever received.
ACTION
• Review whether your business markets its, or anyone else’s, products or services to current or former workers.
• Ensure that any new worker who will receive marketing information from your company has been informed that this will happen.
• Ensure that a clear procedure for ‘opting-out’ is made known to all workers.
7.2 Do not disclose workers’ details to other organisations for their marketing unless individual workers have positively and freely indicated their agreement (an ‘opt-in’).
ACTION
• Review whether your business discloses workers’ details. If so, put in place a procedure to ensure that a worker’s details are not passed on until you have received a positive indication of agreement from him or her.
7.3 If you intend to use details of existing workers for marketing for the first time, either in ways that were not explained when they first joined or that they would not expect, do not proceed until individual workers have positively and freely indicated their agreement (an ‘opt-in’).
ACTION
• When considering this type of campaign, construct an approval form to send to workers.
• Distribute the form to every worker to be targeted.
• Only conduct the campaign to those workers who have given a positive indication of agreement.
8. Fraud detection
POSSIBLE ACTION POINTS
8.1 Consult trade unions or other worker representatives, if any, or workers themselves before starting a data matching exercise. Act on any legitimate concerns raised in consultation before starting the exercise.
ACTION
• Inform trade unions and other workers’ representatives of any proposed data matching exercise.
• Discuss with workers how the plan will work in detail.
• Listen to and take account of legitimate concerns raised.
8.2 Inform new workers of the use of payroll or other data in fraud prevention exercises and remind them of this periodically.
ACTION
• Explain how fraud prevention exercises operate to new workers as part of information given about data protection. (See 2.2)
• Set up regular reminders to workers on how the data matching exercise works – e.g. every 6 months.
8.3 Do not disclose worker data to other organisations for the prevention or detection of fraud unless:
• you are required by law to make the disclosure, or
• you believe that failure to disclose, in a particular instance, is likely to prejudice the prevention or detection of crime, or
• the disclosure is provided for in workers’ contracts of employment.
ACTION
• Ensure staff who would be approached by outside agencies for this type of information understand the rules of disclosure.
9. Workers’ access to information about themselves
POSSIBLE ACTION POINTS
9.1 Establish a system that enables your organisation to recognise a subject access request and to locate all the information about a worker in order to be able to respond promptly and in any case within 40 calendar days of receiving a request.
ACTION
• Assess all personal data held on workers (See 1.3).
• Ensure that the information is accessible.
• Establish who in the organisation is responsible for responding to subject access requests.
• Ensure that all workers who are likely to receive subject access requests can recognise them and know who to pass them to.
• Have a checklist in place listing all places where personal data might be held that should be checked.
• Use the checklist to gather all personal data in time to enable a response within 40 days.
• If your organisation plans to charge a £10 fee, set up an administration system for handling this.
9.2 Check the identity of anyone making a subject access request to ensure information is only given to the person entitled to it.
ACTION
• Brief anyone responsible for responding to a subject access request to check the identity of the person making it.
9.3 Provide the worker with a hard copy of the information kept, making clear any codes used and the sources of the information.
ACTION
• In the checklist used to gather all personal data include a check to ensure that the information supplied is intelligible, that it includes sources and that if at all possible it is in hard copy form.
• Ensure that everyone involved in responding to subject access requests is aware of these requirements.
9.4 Make a judgement as to what information it is reasonable to withhold concerning the identities of third parties using the guidelines given later in this Code.
ACTION
• Brief those handling subject access requests on how to make decisions concerning third party information.
• Include the guidelines on this as part of the checklist.
9.5 Inform managers and other relevant people in the organisation of the nature of information that will be released to individuals who make subject access requests.
ACTION
• Brief managers as to what type of information about them may be released.
• Make sure this information is re-circulated from time-to-time.
9.6 Ensure that on request, promptly and in any event within 40 calendar days, workers are provided with a statement of how any automated decision-making process, to which they are subject, is used, and how it works.
ACTION
• Determine whether your organisation has any automated systems which are used as the sole basis for decision-making, for example during short-listing.
• If so, document how the system works and the basis of its decisions.
• Distribute this information to those who are responsible for responding to requests about the process.
• Make sure those responding to such requests are aware of the requirement to respond within 40 calendar days.
• If your organisation plans to charge a £10 fee, make sure that those responding to requests are aware of this and that there is a suitable administration system in place.
9.7 When purchasing a computerised system ensure that the system enables you to retrieve all the information relating to an individual worker without difficulty. Ensure that the supplier of a system that you will use to take automated decisions about workers provides the information needed to enable you to respond fully to requests for information about how the system works.
ACTION
• If you are unsure of how the system works, obtain the relevant information from the system supplier.
• Put in place arrangements to ensure that when systems are updated or new systems purchased they facilitate responses to subject access requests.
10. References
POSSIBLE ACTION POINTS
10.1 Set out a clear company policy stating who can give corporate references, in what circumstances, and the policy that applies to the granting of access to them. Make anyone who is likely to become a referee aware of this policy.
ACTION
• Determine who is allowed to give corporate references; this may, for example, be done by grade. Check whether your organisation distinguishes between corporate and personal references. If not, consider doing so.
• Draw up a policy explaining how reference requests should be handled, outlining the types of information that can be provided and the extent to which workers are given access. Ensure the policy is brought to the attention of anyone who is likely to receive a reference request.
10.2 Do not provide confidential references about a worker unless you are sure that this is the worker’s wish.
ACTION
• As part of the policy, issue a requirement that all referees must be satisfied that the subject wishes the reference to be provided.
10.3 Establish at the time a worker’s employment ends, whether or not the worker wishes references to be provided to future employers or to others.
ACTION
• As part of an Exit Policy, include on file a record of whether the worker wishes references to be provided.
10.4 When responding to a request from a worker to see his or her own reference and the reference enables a third party to be identified, make a judgement as to what information it is reasonable to withhold, using the guidelines given later in this Code.
ACTION
• Brief those responsible for responding to requests for access to references received on how to make decisions concerning third party information.
• Provide them with the guidelines on this.
11. Disclosure requests
POSSIBLE ACTION POINTS
11.1 Establish a disclosure policy to tell staff who are likely to receive requests for information about workers how to respond, and to where they should refer requests that fall outside the policy rules.
ACTION
• Distribute information, based on this Code, on how to handle disclosure requests.
• Ensure that all those likely to handle disclosure requests receive the information.
• Give examples of situations where a member of staff might need to refer a request to a higher authority within the organisation.
• Provide contact details of whom staff should contact, should they be unsure of how to deal with a disclosure request.
11.2 Ensure that disclosure decisions that are not covered by clear policy rules are only taken by staff who are familiar with the Act and this Code, and who are able to give the decision proper consideration.
ACTION
• Determine who will be responsible for dealing with disclosure requests not covered by the policy.
• Organise any necessary training for those who will take on this role.
11.3 Unless you are under a legal obligation to do so, only disclose information about a worker where you conclude that in all the circumstances it is fair to do so. Bear in mind that the duty of fairness is owed primarily to the worker. Where possible take account of the worker’s views. Only disclose confidential information if the worker has clearly agreed.
ACTION
• Ensure that those responsible for dealing with disclosure requests not covered by clear policy rules or where there is no legal obligation to disclose give them proper consideration.
• Make sure that they take full account of what is fair to workers.
11.4 Where a disclosure is requested in an emergency, make a careful decision as to whether to disclose, considering the nature of the information being requested and the likely impact on the individual of not providing it.
ACTION
• Make sure staff who are likely to receive such requests know whether they can handle them themselves or if not, who to refer them to. If they handle them themselves make them aware of their responsibility to assess the nature of the emergency and determine whether the request could be submitted in writing.
11.5 Make staff aware that those seeking information sometimes use deception to gain access to it. Ensure that they check the legitimacy of any request and the identity and authority of the person making it.
ACTION
• As part of the disclosure policy, make it a requirement that staff check the identity of any person making a request, the authority of the individual concerned and the basis for the request.
• Ensure that when a request is made on the basis of a stated legal obligation, it is received in writing, spelling out the legal obligation on which it is based. If the legal basis is relied upon, have in place an arrangement to check it against the law.
11.6 Ensure that if you intend to disclose sensitive personal data, a sensitive data condition is satisfied.
ACTION
• Ensure that those who respond to disclosure requests are familiar with the sensitive data conditions as set out in this Code.
11.7 Where the disclosure would involve a transfer of information about a worker to a country outside the European Economic Area, ensure there is a proper basis for making the transfer.
ACTION
• Review the Information Commissioner’s guidance at: www.informationcommissioner.gov.uk
Guidance and other publications:
• Legal Guidance: International transfers if you intend to pass workers’ information outside the EEA.
• Determine the basis for making the transfer.
11.8 Inform the worker before or as soon as is practicable after a request has been received that a non-regular disclosure is to be made, unless prevented by law from doing so, or unless this would constitute a ‘tip off’ prejudicing a criminal or tax investigation.
ACTION
• For each non-regular disclosure, make a judgment as to whether the worker can be informed and whether a copy of the information can be provided to him or her. (A reminder of this could be placed in any system for handling non-regular disclosures.)
• In cases where it can be provided, do this as soon as possible.
11.9 Keep a record of non-regular disclosures. Regularly check and review this record to ensure that the requirements of the Act are being satisfied.
ACTION
• Set up a system for non-regular disclosures recording the details of the person who made the disclosure, the person who authorised it, the person requesting the disclosure, the reasons for the disclosure, the information disclosed and the date and time.
• Also set up a system to regularly check and review this record.
12. Publication and other disclosures
POSSIBLE ACTION POINTS
12.1 Only publish information about workers where:
• there is a legal obligation to do so, or
• the information is clearly not intrusive, or
• the worker has consented to disclosure, or
• the information is in a form that does not identify individual workers.
ACTION
• Assess the current information published about named workers i.e. in annual reports or on the website or in other publications.
• Assess whether there is a legal obligation to name the worker.
• Assess whether workers would expect to be named in the context of the publication.
• Determine whether it is necessary to obtain consent from workers who are named.
• If so, set up an arrangement for obtaining consent from workers who are named in publications in the future.
12.2 Where information about workers is published on the basis of consent, ensure that when the worker gives consent he or she is made aware of the extent of information that will be published, how it will be published and the implications of this.
ACTION
• In any arrangement for obtaining consent for the publication of information on named workers, ensure that the worker is made aware of the full extent of any information to be published and where it is to be published. This is particularly important if information is to be published on the internet.
12.3 Only supply personal information about workers to a trade union for its recruitment purposes if:
• the trade union is recognised by the employer,
• the information is limited to that necessary to enable a recruitment approach, and
• each worker has been previously told that this will happen and has been given a clear opportunity to object.
ACTION
• If your organisation has a recognised trade union that is requesting personal information about workers for a recruitment drive, inform all workers and give them an opportunity to object if they so wish.
12.4 Where staffing information is supplied to trade unions in the course of collective bargaining, ensure the information is such that individual workers cannot be identified.
ACTION
• Review your arrangements for the supply of information in connection with collective bargaining.
• Ensure in future all information on workers is supplied in an anonymised way.
13. Mergers and acquisitions
POSSIBLE ACTION POINTS
13.1 Ensure, wherever practicable, that information handed over to another organisation in connection with a prospective acquisition or merger is anonymised.
ACTION
• Ensure that in any merger situation those responsible for negotiation are aware of the Code.
• Assess any request from the other organisation. If at all possible, limit the information given to anonymised details.
• Ensure that those entrusted with negotiations are aware of and comply with the sensitive data conditions in the Code.
13.2 Only hand over personal information prior to the final merger or acquisition decision after securing assurances that it will be used solely for the evaluation of assets and liabilities, it will be treated in confidence and will not be disclosed to other parties, and it will be destroyed or returned after use.
ACTION
• Remind those negotiating that they must receive strict assurances about how personal data will be used and what will happen to them should discussions end.
• Consider setting up a ‘data room’ with accompanying rules of access.
13.3 Advise workers wherever practicable if their employment records are to be disclosed to another organisation before an acquisition or merger takes place. If the acquisition or merger proceeds make sure workers are aware of the extent to which their records are to be transferred to the new employer.
ACTION
• Inform workers if their employment records are to be disclosed unless it is not practicable to do so, or an exemption in the Act applies.
13.4 Ensure that if you intend to disclose sensitive personal data a sensitive personal data condition is satisfied.
ACTION
• Ensure that those who are responsible for disclosing information about workers are familiar with the sensitive data conditions as set out in this Code.
13.5 Where a merger or acquisition involves a transfer of information about a worker to a country outside the European Economic Area (EEA) ensure that there is a proper basis for making the transfer.
ACTION
• Review the Information Commissioner guidance at: www.informationcommissioner.gov.uk
Guidance and other publications:
• Legal Guidance: International transfers if you intend to pass workers’ information outside the EEA.
• Determine the basis for making the transfer.
13.6 New employers should ensure that the records they hold as a result of a merger or acquisition do not include excessive information, and are accurate and relevant.
ACTION
• When taking over an organisation assess personal data you now hold as outlined in 1.3 and 1.4.
14. Discipline, grievance and dismissal
POSSIBLE ACTION POINTS
14.1 Remember that the Data Protection Act applies to personal data processed in relation to discipline, grievance and dismissal proceedings.
ACTION
• Assess your organisation’s disciplinary procedures and grievance procedures. Consider whether they need to be amended in the light of the Code.
• Ensure that managers are aware that subject access rights apply even if responding to a request might impact on a disciplinary or grievance investigation, or on forthcoming proceedings, unless responding would be likely to prejudice a criminal investigation.
• Ensure that those involved in investigating disciplinary matters or grievances are aware that they must not gather information by deception.
• Ensure that records used in the course of proceedings are of good enough quality to support any conclusion drawn from them.
• Ensure that all records are kept securely.
• Check that unsubstantiated allegations have been removed unless there are exceptional reasons for retaining some record.
14.2 Do not access or use information you keep about workers merely because it might have some relevance to a disciplinary or grievance investigation if access or use would be either:
• incompatible with the purpose(s) you obtained the information for, or
• disproportionate to the seriousness of the matter under investigation.
ACTION
• Make those in the organisation who are likely to carry out investigations aware that they do not have an unrestricted right of access to all information held about workers under investigation.
• Put in place a system to ensure that decisions on whether access is justified take into account the provisions of this Code and the Act.
14.3 Ensure that there are clear procedures on how ‘spent’ disciplinary warnings are handled.
ACTION
• Determine what is meant by a ‘spent’ warning in your organisation. Assess the disciplinary procedure and decide whether it needs to be amended to clarify what happens once a warning period has expired.
• Set up a diary system, either manual or computerised, to remove spent warnings from individuals’ records, if this is a requirement of your procedure.
14.4 Ensure that when employment is terminated the reason for this is accurately recorded, and that the record reflects properly what the worker has been told about the termination.
ACTION
• Ensure that if a worker has resigned, even if asked to do so, this is recorded on his or her record as ‘resigned’ rather than ‘dismissed’.
15. Outsourcing data processing
POSSIBLE ACTION POINTS
15.1 Satisfy yourself that any data processor you choose adopts appropriate security measures both in terms of the technology it uses and how it is managed.
ACTION
• Check whether the data processor has in place appropriate security measures. Is it, for example, certified to BS7799?
• Check that the processor actually puts their security measures into practice.
15.2 Have in place a written contract with any data processor you choose that requires it to process personal information only on your instructions, and to maintain appropriate security.
ACTION
• Check that any contract you have with a data processor includes clauses ensuring proper data security measures.
• If there is no contract, put one in place.
15.3 Where the use of a data processor would involve a transfer of information about a worker to a country outside the European Economic Area, ensure that there is a proper basis for making the transfer.
ACTION
• Review the Information Commissioner guidelines at: www.informationcommissioner.gov.uk
Guidance and other Publications:
• Legal Guidance: International transfers if you intend to pass workers’ information outside the EEA.
• Determine the basis for making the transfer.
16. Retention of records
POSSIBLE ACTION POINTS
16.1 Establish and adhere to standard retention times for the various categories of information to be held on the records of workers and former workers. Base the retention times on business need taking into account relevant professional guidelines.
ACTION
• Decide on standard retention times for categories of information held in employment records. Consider basing these on a risk analysis approach.
• Only retain information on records that is still needed; eliminate personal data that is no longer of any relevance, once the employment relationship has ended.
• Assess who in your organisation retains employment records (see 1.3). Make sure no one retains information beyond the standard retention times unless there is a sound business reason for doing so.
• If possible, set up a computerised system which flags data retained for more than a certain time as due for deletion.
16.2 Anonymise any data about workers and former workers where practicable.
ACTION
• Where statistical information only is required, anonymise details.
16.3 If the holding of any information on criminal convictions of workers is justified, ensure that the information is deleted once the conviction is ‘spent’ under the Rehabilitation of Offenders Act.
ACTION
• Use a computerised or manual system to ensure spent convictions are deleted from the system.
• Identify when your organisation may need to make exceptions to this, for example convictions in connection with workers who work with children.
16.4 Ensure that records which are to be disposed of are securely and effectively destroyed.
ACTION
• Review arrangements for dealing with old records to ensure they are securely disposed of.
• Advise anyone holding employment records of these arrangements for disposal.
• Check that computer records which are to be deleted are in practice removed completely from the system.
• Make sure that computer equipment that has held employment records is never sold on unless you are sure the records have been fully removed.
Chapter 4 Monitoring
• Examples of monitoring
• Assessments
• Is a worker’s consent needed?
• Managing data protection
• Monitoring electronic communications
• How to notify employees of email rules
• Video and audio monitoring
• Conclusion
• Frequently asked questions
Employers monitor employees in a number of different ways. This final chapter looks at the data protection implications of monitoring in the workplace.
Examples of monitoring
The IC gives the following examples of monitoring:
• Gathering information through point of sale terminals, to check the efficiency of individual supermarket check-out operators.
• Recording the activities of workers by means of CCTV cameras, either so that the recordings can be viewed routinely to ensure that health and safety rules are being complied with, or so that they are available to check on workers in the event of a health and safety breach coming to light.
• Randomly opening up individual workers’ e-mails or listening to their voice-mails to look for evidence of malpractice.
• Using automated checking software to collect information about workers, for example to find out whether particular workers are sending or receiving inappropriate e-mails.
• Examining logs of websites visited to check that individual workers are not downloading pornography.
• Keeping recordings of telephone calls made to or from a call centre, either to listen to as part of workers’ training, or simply to have a record to refer to in the event of a customer complaint about a worker.
• Systematically checking logs of telephone numbers called to detect use of premium-rate lines.
• Videoing workers outside the workplace, to collect evidence that they are not in fact sick.
• Obtaining information through credit reference agencies to check that workers are not in financial difficulties.
Assessments
The Data Protection Act does not prevent monitoring. Indeed, in some cases monitoring might be necessary to satisfy its requirements. However, any adverse impact of monitoring on individuals must be justified by the benefits to the employer and others. The IC suggests that ‘impact assessments’ be carried out. In all but the most straightforward cases, employers are likely to find it helpful to carry out a formal or informal ‘impact assessment’ to decide if and how to carry out monitoring.
Adverse impact
Identifying any likely adverse impact means taking into account the consequences of monitoring, not only for workers, but also for others who might be affected by it, such as customers. Consider:
• what intrusion, if any, will there be into the private lives of workers and others, or interference with their private e-mails, telephone calls or other correspondence? Bear in mind that the private lives of workers can, and usually will, extend into the workplace.
• to what extent will workers and others know when either they, or information about them, are being monitored and then be in a position to act to limit any intrusion or other adverse impact on themselves?
• whether information that is confidential, private or otherwise sensitive will be seen by those who do not have a business need to know, e.g. IT workers involved in monitoring e-mail content.
• what impact, if any, will there be on the relationship of mutual trust and confidence that should exist between workers and their employer?
• what impact, if any, will there be on other legitimate relationships, e.g. between trades union members and their representatives?
• what impact, if any, will there be on individuals with professional obligations of confidentiality or secrecy, e.g. solicitors or doctors?
• whether the monitoring will be oppressive or demeaning?
Obligations
Taking into account the obligations that arise from monitoring means considering such matters as:
• whether and how workers will be notified about the monitoring arrangements.
• how information about workers collected through monitoring will be kept securely and handled in accordance with the Act.
Is a worker’s consent needed?
The IC says: ‘There are limitations as to how far consent can be relied on in the employment context to justify the processing of personal data. To be valid, for the purposes of the Data Protection Act, consent must be ‘freely given’, which may not be the case in the employment environment. Once given, consent can be withdrawn. In any case, employers who can justify monitoring on the basis of an impact assessment will not generally need the consent of individual workers.’
Some employers have a document separate from an employment contract for the worker to sign to give data protection consents, so that the employee is not effectively forced to give the consent in order to have the job which might be the case if the consents are part of the employment contract itself.
Electronic communications?
Electronic communications are telephone calls, fax messages, e-mails and internet access. Monitoring can involve the ‘interception’ of such communications. The Regulation of Investigatory Powers Act, and the Lawful Business Practice Regulations made under it, set out when interception can take place despite the general rule that interception without consent is against the law. It should be remembered that – whilst the Regulations deal only with interception – the Data Protection Act is concerned more generally with the processing of personal information. Therefore, when monitoring involves an interception which results in the recording of personal information an employer will need to satisfy both the Regulations and the requirements of the Data Protection Act. The Supporting Guidance on page 28 of the IC deals with this in a bit more detail.
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 came into force on 24th October 2000. The regulations are made under the Regulation of Investigatory Powers Act 2000. The regulations authorise businesses to monitor or record communications on their telecoms systems without consent for the following purposes. However, people must be notified of the surveillance and this includes both employees and third parties sending emails to a business. Interception without consent is permitted:
• to establish the existence of facts relevant to the business e.g. keeping records of transactions and other communications in cases where it is necessary or desirable to know the specific facts of the conversation.
• to ascertain compliance with regulatory or self regulatory practices or procedures relevant to the business e.g. monitoring as a means to check that the business is complying with regulatory or self regulatory rules or guidelines.
• to ascertain or demonstrate standards which are, or ought to be, achieved by persons using the telecoms system e.g. monitoring for purposes of quality control or staff training.
• to prevent or detect crime e.g. monitoring or recording to detect fraud or corruption.
• to investigate or detect the unauthorised use of their telecoms systems e.g. monitoring to ensure that employees do not breach company rules regarding use of the telecoms system.
• to ensure the effective operation of the system e.g. monitoring for viruses or other threats to the system; automated processes such as caching or load distribution.
The Regulations also authorise businesses to monitor (but not record) without consent in the following cases:
• for the purpose of determining whether or not they are communications relevant to the business e.g. checking email accounts to access business communications in staff absence.
• in the case of communications to a confidential anonymous counselling or support helpline e.g. monitoring calls to confidential, welfare helplines in order to protect or support helpline staff.
Staff whose communications may be intercepted without their consent should be told, the DTI says: ‘e.g. Businesses could place a note in staff contracts or in other readily available literature informing staff that interceptions may take place. The persons who use a system are the people who make direct use of it. Someone who calls from outside, or who receives a call outside, using another system is not a user of the system on which the interception is made.’
Some interceptions will be outside the scope of the regulations. In those cases businesses must obtain the consent of the sender and recipient. Examples given by the DTI are:
• Interceptions for purposes such as marketing or market research;
• Interceptions for any other purposes that fall outside the list in Section 3 described above.
The types of steps businesses can take to gain consent of staff and others are:
• the business could insert a clause in staff contracts by which employees consent to calls being monitored or recorded;
• the call operator could ask outsiders at the start of a call whether they consented to their call being monitored or recorded;
• the business could begin calls with a recorded message stating that calls might be monitored or recorded unless outsiders requested otherwise.
The DTI believes that, as a minimum, a business would need to give outsiders a clear opportunity to refuse consent to interception and to be able to continue with the call.
In addition, consideration should be given to the Data Protection Act 1998. If the interception involves obtaining, recording or otherwise processing personal data by means of automated equipment (for example, recording calls or filtering emails) it also falls within the scope of the Data Protection Act 1998. So too does the holding or processing of personal data after the interception has taken place, the DTI says.
For more information about The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 see the DTI website at http://www.dti.gov.uk/cii/regulation.html. A copy of the final regulations is on that site. Compliance with these regulations on its own is not enough. The regulations should be read with the Code of Practice part 3 as well, which is described below.
The Code Part 3
There are seven sub-sections in this section of the Code:
1. Managing data protection.
2. The general approach to monitoring.
3. Monitoring electronic communications.
4. Video and audio monitoring.
5. Covert monitoring.
6. In-vehicle monitoring.
7. Monitoring through information from third parties.
There is also very detailed supporting guidance given as well as a short summary of the rules on employee monitoring for small and medium-sized enterprises. These are available separately on the IC’s web site.
Managing data protection
As with Parts 1 and 2 of the Code in Chapters two and three, Part 3 of the code suggests that having someone in charge of monitoring and supervision is necessary. ‘Data protection compliance should be seen as an integral part of employment practice. It is important to develop a culture in which respect for private life, data protection, security and confidentiality of personal information is seen as the norm.’
Core principles of monitoring
• It will usually be intrusive to monitor your workers.
• Workers have legitimate expectations that they can keep their personal lives private and that they are also entitled to a degree of privacy in the work environment.
• If employers wish to monitor their workers, they should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered.
• Workers should be aware of the nature, extent and reasons for any monitoring, unless (exceptionally) covert monitoring is justified.
• In any event, workers’ awareness will influence their expectations.
Much more guidance on when and who to monitor is provided in the guidance itself.
Monitoring electronic communications
One issue employers need guidance on is when they can monitor email and internet and telephone calls. The Guidance says that employers should have a policy on this and communicate it to their workers.
Key points and possible actions
• If your organisation does not have a policy on the use of electronic communications, decide whether you should establish one.
• Review any existing policy to ensure that it reflects data protection principles.
• Review any existing policies and actual practices to ensure that they are not out of line, e.g. whether private calls are banned in the policy but generally accepted in practice.
• Check that workers are aware of the policy and if not, bring it to their attention.
Policy for the use of electronic communications
Policies are available in a number of e-commerce and internet law books or can be commissioned from solicitors. The IC suggests that employers should consider integrating the following data protection features into a policy for the use of electronic communications:
• Set out clearly to workers the circumstances in which they may or may not use the employer’s telephone systems (including mobile phones), the e-mail system and internet access for private communications.
• Make clear the extent and type of private use that is allowed, for example restrictions on overseas phone calls or limits on the size and/or type of e-mail attachments that they can send or receive.
• In the case of internet access, specify clearly any restrictions on material that can be viewed or copied. A simple ban on ‘offensive material’ is unlikely to be sufficiently clear for people to know what is and is not allowed. Employers may wish to consider giving examples of the sort of material that is considered offensive, for example material containing racist terminology or nudity.
• Advise workers about the general need to exercise care, about any relevant rules and about what personal information they are allowed to include in particular types of communication.
• Make clear what alternatives can be used, e.g. the confidentiality of communications with the company doctor can only be ensured if they are sent by internal post, rather than by e-mail, and are suitably marked.
• Lay down clear rules for private use of the employer’s communication equipment when used from home or away from the workplace, e.g. the use of facilities that enable external dialling into company networks.
• Explain the purposes for which any monitoring is conducted, the extent of the monitoring and the means used.
• Outline how the policy is enforced and penalties which exist for a breach of policy.
There may, of course, be other matters that an employer also wants to address in its policy. Ensure that where monitoring involves the interception of a communication it is not outlawed by the Regulation of Investigatory Powers Act 2000 as described above. Consider whether any monitoring of electronic communications can be limited to that necessary to ensure the security of the system, and whether it can be automated. An impact assessment can be used for this purpose. Tell employees what will happen as regards monitoring unless it is obvious. The IC also says that workers must be told what information the employer receives about the use of telephone lines in their homes, or mobile phones provided for their personal use, for which the business pays: ‘Do not make use of information about private calls for monitoring, unless they reveal activity that no employer could reasonably be expected to ignore’.
‘If e-mails and/or internet access are, or are likely to be, monitored, consider, preferably using an impact assessment, whether the benefits justify the adverse impact. If so, inform workers about the nature and extent of all e-mail and internet access monitoring.’ IC’s Guidance
Avoid wherever possible opening e-mails, particularly those which look as if they are private or personal. It is crucial that workers are told they are being monitored (unless covert monitoring is justified, which is a separate issue addressed in the Guidance). If it is necessary to check the e-mail accounts of workers in their absence, make sure that they are aware that this will happen. Inform workers of the extent to which information about their internet access and e-mails is retained in the system and for how long.
The Supplementary Guidance with Part 3 of the Code goes into all these issues in more detail. In relation to people calling the company’s business it says: ‘Although this Code of Practice is primarily concerned with information about workers rather than external callers, employers should bear in mind that monitoring workers will often involve collecting information about those people who make calls to, or receive calls from, the organisation as well as about workers themselves. Where monitoring goes beyond simply listening-in in real time on calls without recording them, and so involves the processing of personal data, these people should also be told that monitoring is taking place and why. Unless it is self-evident that monitoring is taking place and why, provide this information, where reasonably practicable, through the use of recorded messages on telephone systems. Don’t forget that those who might be making personal calls to workers are less likely to expect that their calls may be monitored, or to understand why, than, for example, customers who might expect some recording to take place. If there is no better way of providing information, instruct workers to inform callers that their calls may be recorded and to explain why this is the case.’
This is important advice. Many readers will be familiar with calling banks and other institutions where a recorded message tells them that their calls are being recorded for various purposes.
Some businesses put on their email footers that people other than the sender may well read the reply.
Questions to ask when preparing an impact assessment on email and internet monitoring
The following questions were devised by the IC in their Supplementary Guidance. In an impact assessment of e-mail monitoring you should consider the following:
• Can analysis of e-mail traffic rather than monitoring the content of messages be used? If the traffic record alone is not sufficient, can the traffic record be used to narrow the scope of content monitoring, for example to restrict any examination of the content of messages to those that are being sent to a rival organisation?
• Is it feasible to use an automated monitoring and detection process that, for example, detects malicious codes such as viruses or Trojans, or limits the size of attachments that can be received?
• Is there a risk that monitoring the content of messages will breach a duty of confidence owed to workers or customers?
• Are there secure lines of communication, for example for the transmission of sensitive information from the worker to an occupational health advisor or for trade union communications that will not be subject to monitoring? Some systems can be set up so that messages to and from particular individuals or sections of the organisation are not subject to monitoring or are monitored differently to others.
• Is there a system that allows workers to mark personal communications as such?
• What would be the implications of making adjustments to the system, for example to provide facilities that allow messages to be sent that do not bear the employer’s ‘official’ heading? The provision of such facilities should reduce the risk of employers’ liabilities in respect of personal e-mails sent using the employer’s equipment.
• Can any monitoring be confined to external rather than internal e-mail messages? In some cases monitoring of internal messages might be more intrusive for workers, whereas the benefits of monitoring might come mainly from external messages.
• Can e-mails that are marked personal, or which there are other grounds to believe are personal, be excluded from monitoring or treated differently? Apart from automated monitoring which rejects or returns unacceptable messages for security reasons, messages that are personal should only be opened in exceptional circumstances, for example where a worker is suspected of using e-mail to harass other employees.
• Is there a ban on personal use of the e-mail system or a restriction on the types of messages that can be sent? Such a ban or restriction does not in itself justify the employer knowingly opening messages that are clearly personal. However, an employer designing monitoring is entitled to work on the assumption that messages in the system are either all likely to be business ones or, if personal, are only likely to be of a particular type. If personal use is prohibited it may be possible to detect personal messages from the header or address information, and to take action against the sender or recipient without opening them.
• Are workers provided with a separate e-mail account or an encryption capability? Are they allowed access to web-based mail services for personal use?
• Are systems for recording information about e-mail use reliable? Employers should bear in mind that e-mails and associated records can be misleading or even falsified, and if cited in court could be challenged.
In an impact assessment of internet access monitoring you should consider the following:
• Can monitoring that prevents rather than detects misuse be used, for example by blocking access to inappropriate sites or material by using web-filtering software? Consider the capabilities of the latest technology, for example, products are available that, it is claimed, can undertake complex analysis of images and thereby prevent the display of sexually explicit material without disrupting normal business activity.
• Is it possible to prevent misuse of systems by recording the time spent accessing the internet rather than by monitoring the sites visited or the contents viewed?
• Is it possible to limit the use of the information collected? For example, if the issue is that a worker has been spending too much time on the internet for purposes that are not work-related, is it necessary for the worker’s manager to be told exactly what sites have been visited?
• Can private internet access be separated from business access, perhaps by having a different log-on for private use and then limiting the collection of information on private use to the length and time of the session?
• Can monitoring be done on an aggregated basis, for example examining logs of which sites have been accessed from which departments and only focussing on specific workers if it is apparent there is a problem?
Many employers worry about whether they will read personal emails of employees and breach either the DPA or the Human Rights Act, or even the common law of confidentiality. The Supplementary Guidance says: ‘Employers may wish to encourage the use of a marking system to help protect personal communications when the intended recipient is absent. Only in exceptional circumstances should e-mails that are clearly personal be opened, for example if the worker is suspected of using the employer’s communication system to engage in criminal activity’.
How to notify employees of email rules
There are a variety of ways in which workers can be told about the retention of information about their e-mail or internet usage. The IC says: ‘This might be done by giving them an information pack addressing this when they are given access to the office’s internet or e-mail systems, or by displaying on-line information on their computer. It is important to ensure that workers are aware of retention periods and, in particular, that they are not misled into believing that information will be either deleted or retained when this is not the case’.
A chance to explain
Web sites can be visited unwittingly through unintended responses of search engines, unclear hypertext links, misleading banner advertising or miskeying. Workers should have the opportunity of explaining or challenging any information before action is taken against them. This is particularly important from an employment law perspective because many dismissals which might otherwise be fair for email abuse are rendered unfair because proper procedures are not followed. It is best to take advice from an employment lawyer before sacking or disciplining anyone.
Video and audio monitoring
Lots of workplaces have CCTV cameras for security reasons. Others record telephone calls routinely. There is a separate Code of Practice of the IC on CCTV. As with email and internet monitoring, the IC recommends that companies use an impact assessment first to see if the benefits justify the adverse impact. Continuous video or audio monitoring of particular individuals is only likely to be justified in rare circumstances. There may be people working with very expensive precious metals, for example, where continuous TV coverage may be needed. Workers must be told (unless covert monitoring is justified). Ensure that people other than workers, such as visitors or customers, who may inadvertently be caught by monitoring, are made aware of its operation and why it is being carried out.
Covert monitoring
Sometimes monitoring people in secret is necessary. Senior management should normally authorise any covert monitoring, the IC says. They should satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice, and that notifying individuals about the monitoring would prejudice its prevention or detection. Ensure that any covert monitoring is strictly targeted at obtaining evidence within a set timeframe and that the covert monitoring does not continue after the investigation is complete. Do not use covert audio or video monitoring in areas which workers would genuinely and reasonably expect to be private, in lavatories or changing rooms for example. If a private investigator is employed to collect information on workers covertly, make sure there is a contract in place that requires the private investigator to only collect information in a way that satisfies the employer’s obligations under the Act.
The IC advises that businesses should ‘ensure that information obtained through covert monitoring is used only for the prevention or detection of criminal activity or equivalent malpractice. Disregard and, where feasible, delete other information collected in the course of monitoring unless it reveals information that no employer could reasonably be expected to ignore.’
In-vehicle monitoring
Devices can record or transmit information such as the location of a vehicle, the distance it has covered and information about the user’s driving habits. Monitoring of vehicle movements, where the vehicle is allocated to a specific driver, and information about the performance of the vehicle can therefore be linked to a specific individual, will fall within the scope of the Data Protection Act.
The draft Privacy and Electronic Communications (EC Directive) Regulations 2003 will implement the Directive probably by 31st October 2003. They also revoke Telecommunications Regulations of 1999 (regulations dealing with issues such as marketing by fax). The e-privacy directive provides that individuals must be told and give express consent if they will be subject to tracking by location data, and be given a right to opt out of this at any time. The consultation document on these regulations and the draft regulations is at: http://www.dti.gov.uk/cii/regulatory/telecomms/telecommsregulations/comms_dpd.shtml#consult
If in-vehicle monitoring is or will be used, consider – preferably using an impact assessment – whether the benefits justify the adverse impact. Employers should tell employees what private use of cars is allowed.
Monitoring through information from third parties
Employers need to take special care when wishing to make use of information held by third parties, such as credit reference or electoral roll information. This section also applies to information held by employers in a non-employment capacity, such as when a bank monitors its workers’ bank accounts. Where an employer wishes to obtain information about a worker’s criminal convictions, a disclosure must be obtained through the Criminal Records Bureau. Part 3 of the Code gives more detail on this. Workers should be told who will be consulted about them.
• Set up a system to tell workers the nature and extent of any monitoring which uses information from third parties. (This could be via a workers handbook, notice board or on-line.)
• Where a specific check is to be carried out, the workers should be directly informed, unless to do so would be likely to prejudice the prevention or detection of crime.
The IC says: ‘Ensure that, if workers are monitored through the use of information held by a credit reference agency, the agency is aware of the use to which the information is put. Do not use a facility provided to conduct credit checks on customers to monitor or vet workers.’ Particular care should be taken of information about workers which the employer has as a result of a non-employment relationship with them. The Guidance says that: ‘Unless there is a legal or regulatory obligation check that information is not normally retained for more than six months.’
Conclusion
The rules for the monitoring of employees provide a useful guide for employers in ensuring they comply with that aspect of the Data Protection Act in their employment policies. The other guidance for those involved with recruitment and handling of records will also be helpful in practice. When the Guidance on Medical Records is produced, employers and human resources managers will have a comprehensive set of procedures and guidance to enable them to seek to be compliant with the DPA in the employment area.
Frequently asked questions
Monitoring of employees
1. WE OWN THE EQUIPMENT WORKERS USE FOR COMMUNICATIONS AND THEY’VE BEEN TOLD WE ARE GOING TO MONITOR THEM. ISN’T THAT ENOUGH?
You may well own the equipment, but the rules of data protection still apply to personal information processed on it. Telling workers about the monitoring is important, but telling them about it in general terms is unlikely to be sufficient. Workers should be told about the specific circumstances in which messages they send or receive may be seen by others. Even if workers have been told about monitoring, the other rules of data protection still apply. This means, for example, that the information obtained through monitoring mustn’t be irrelevant or excessive. The benefits monitoring brings should be sufficient to justify carrying it out. The Code recommends the use of an impact assessment to check whether monitoring is justified.
2. BUT WHAT IF WE COMPLETELY BAN PRIVATE E-MAIL USE AND INTERNET ACCESS?
A ban can be an important factor but is not necessarily an over-riding one. A ban on private use doesn’t in itself allow the employer to access messages that are clearly private. The intrusion involved in accessing such messages must still be justified by the benefits gained. It might, for example, be possible to identify an e-mail as private from its header and take action against its sender or recipient for breach of the rule without reading the message’s content. In any case there might well be genuine business messages, for example ones sent by a worker to his or her occupational health advisor that a worker has legitimate grounds for wishing to keep private.
3. IS IT RIGHT THAT WE CAN NEVER OPEN PRIVATE E-MAILS IN THE COURSE OF MONITORING?
There is no absolute ban on an employer accessing the content of private e-mails, but any such access ought to be carefully considered. Much depends on the reasons for access, any rules the employer might have for private use of the system, what workers have been told about monitoring and what steps are taken to keep the intrusion to a minimum. There is, for example, likely to be little to prevent an employer who suspects a worker of engaging in criminal activity in the workplace and who reasonably believes that this may involve the sending or receipt of e-mails from accessing the contents of his or her messages. The opening of e-mails that are clearly private should not be undertaken lightly though.
It is unlikely that opening private messages merely on the off chance that evidence of wrong-doing will be found will be justified if this involves revealing their contents to an individual other than the sender or intended recipient.
4. THE LAWFUL BUSINESS PRACTICE REGULATIONS ALLOW A WIDE RANGE OF MONITORING. DON’T THEY OVERRIDE THE DATA PROTECTION ACT?
No. When carrying out monitoring both pieces of legislation must be complied with, one doesn’t override the other. The Lawful Business Practice Regulations deal with the interception of electronic communications. Not all monitoring involves interception. Even where it does, the Regulations work in tandem with the Data Protection Act. An interception, if it is not done with the consent of the parties to the communication, must satisfy one of the conditions in the Lawful Business Practice Regulations. In so far as it then involves the recording and use of personal information it must also comply with the Data Protection Act. Although the conditions in the Lawful Business Practice Regulations allow for interception of business related communications in a range of circumstances, monitoring that involves interception and is targeted on the contents of personal communications that are not business related is not permitted.
5. HOW DOES THE ACT AFFECT VIRUS CHECKING?
The Act does not prevent employers monitoring their systems to check for viruses or other forms of malicious code. In fact the Act requires those handling personal information to use technical means to safeguard their systems. Virus checking should be conducted in the least intrusive way possible consistent with achieving good security. It is preferable, for example, from a privacy viewpoint, for suspect messages to be rejected or quarantined for collection by the intended recipient rather than be opened and read by a systems administrator.
6. DOES THE CODE REALLY REQUIRE US TO PROVIDE OUR WORKERS WITH SEPARATE E-MAIL ACCOUNTS FOR PRIVATE MESSAGES?
No, this is a misunderstanding. The Code says that if an employer chooses to provide a separate facility for private messages, this will be an important factor in deciding what monitoring of the business related account is justified. If a separate account is provided for private messages this will help limit any intrusion that results from monitoring the business account.
7. WE HAVE TO PREVENT SEXUAL AND RACIAL HARASSMENT OF WORKERS. ARE WE JUSTIFIED IN CHECKING E-MAIL AND INTERNET ACCESS TO DO SO?
Employers have legal obligations on them that require them to take active steps to prevent racial or sexual harassment in the workplace. Nevertheless, it is hard to see a justification for randomly or routinely accessing the content of e-mail messages, particularly private ones, sent to or from workers, or checking which web sites they have visited in the course of private internet use on the off-chance that evidence of harassment will be found. Where there are grounds to suspect that a particular worker or workers are using e-mail to harass others or are downloading inappropriate material from the internet, then targeting monitoring at those workers’ e-mail or internet use may well be justified.
8. WE UNDERTAKE WORK AS A CONTRACTOR FOR A BANK AND THEY INSIST WE MONITOR OUR WORKERS’ CREDITWORTHINESS. IF THEY REQUIRE US TO DO THIS DOES THIS MEAN WE CAN DO IT REGARDLESS OF WHAT THE DATA PROTECTION ACT SAYS?
No. As you are monitoring the creditworthiness of your workers you must be satisfied that the intrusion they face is justified by the benefits the monitoring brings to you and the bank. You are obviously entitled to take the bank’s circumstances into account in assessing what monitoring is justified, but the assessment should be yours. You are also entitled to take into account the extent to which workers genuinely have a free choice of whether or not to subject themselves to the monitoring, i.e. are they able to choose not to work on the bank’s contract without suffering any detriment? Incidentally, you must not use a facility provided to you by a credit reference agency to check your workers without the agency’s knowledge and agreement.
9. IS IT ACCEPTABLE FOR US TO INSTALL HIDDEN VIDEO CAMERAS? WE TOLD ALL WORKERS SOME MONTHS AGO THAT WE MIGHT DO THIS.
Video cameras are particularly intrusive. The notice you have given to workers will not be sufficient unless it is the case that providing more specific information would be likely to prejudice the prevention or detection of crime or equivalent malpractice, for example because the camera has been set up to monitor a worker you suspect of theft. Because video cameras are intrusive, workers should generally be aware of exactly where they are located and what they are being used to detect.
10. WE COLLECT A LOT OF INFORMATION ABOUT WORKERS THROUGH MONITORING E-MAILS AND INTERNET ACCESS. WHAT DO WE HAVE TO DO WHEN ONE OF THEM MAKES A SUBJECT ACCESS REQUEST?
If a worker makes a subject access request he or she is entitled to access to all the information of which he or she is the subject. This will include internet access logs and e-mail records. Remember though that a worker will not be the subject of a message simply because he or she is its sender or recipient. Clearly the more information that is amassed about workers through monitoring, the more onerous employers may find it to respond to subject access requests. Systems that are designed with subject access in mind are thought likely to reduce the burden considerably.
Appendix Further information
Information Commissioner’s Office
Advisory, Conciliation and Arbitration Service (ACAS)
British Standards Institute (BS7799)
Chartered Institute of Personnel and Development
Commission for Racial Equality
Department of Trade and Industry
Confederation of British Industry
Criminal Records Bureau
Disability Rights Commission
The Disclosure Bureau
Equal Opportunities Commission
Office of the E-envoy
Trades Union Congress
Legal Advice
1. Information Commissioner’s Office
Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Telephone: 01625 545745 (for information and other parts of the Code) or 01625 545740 (for notification)
Fax: 01625 524 510
E-mail: [email protected] (for information and requests for other parts of the Code) or [email protected]
Websites: www.informationcommissioner.gov.uk (for information and to download other parts of the Code) or www.dpr.gov.uk (for notification and to view the register)
2. Advisory, Conciliation and Arbitration Service (ACAS)
Brandon House 180 Borough High Street London SE1 1LW
Telephone: 020 7396 5100
Website: www.acas.org.uk/contact_us.html (contact details of offices throughout the UK)
3. British Standards Institute (BS7799)
BSI-DISC 389 Chiswick High Road London W4 4AL
Telephone: 020 8995 7799
Fax: 020 8996 6411
E-mail: [email protected]
Website: www.bsi.org.uk
4. Chartered Institute of Personnel and Development
CIPD House Camp Road London SW19 4UX
Telephone: 020 8971 9000
Fax: 020 8263 3333
Website: www.cipd.co.uk
5. Commission for Racial Equality
Elliot House 10-12 Allington Street London SW1E 5EH
Telephone: 020 7828 7022
Fax: 020 7630 7605
E-mail: [email protected]
Website: www.cre.gov.uk
6. Department of Trade and Industry
Communication and Information Industries Directorate 151 Buckingham Palace Road London SW1W 9SS
Telephone: 0207 215 5000
Website: www.dti.gov.uk/cii
7. Confederation of British Industry
Centre Point 103 New Oxford Street London WC1A 1DU
Telephone: 0207 395 8247
Website: www.cbi.org.uk
8. Criminal Records Bureau
PO Box 91 Liverpool L69 2UH
Telephone: 0870 9090811
Website: www.crb.gov.uk
9. Disability Rights Commission
DRC Helpline Freepost MID 02164 Stratford-upon-Avon CV37 9BR
Telephone: 08457 622 633
Fax: 08457 778 878
Textphone: 08457 622 644
E-mail: [email protected]
Website: www.drc-gb.org
10. The Disclosure Bureau
The Scottish Criminal Record Office 1 Pacific Quay Glasgow Scotland G51 1EA
Telephone: 0141 585 8495
Website: www.disclosurescotland.co.uk.
11. Equal Opportunities Commission
Customer Contact Point Arndale House Arndale Centre Manchester M4 3EQ
Telephone: 0161 833 9244
Fax: 0161 838 8312
E-mail: [email protected]
Website: www.eoc.org.uk
12. Office of the E-envoy
Stockley House 130 Wilton Road London SW1V 1LQ
Telephone: 020 727 63208
Fax: 020 727 63292
E-mail: [email protected]
Website: www.e-envoy.gov.uk
13. Trades Union Congress
Congress House Great Russell Street London WC1B 3LS
Telephone: 020 7636 4030
Fax: 020 7636 0632
Website: www.tuc.org.uk
14. Legal Advice
Solicitors specialising in data protection legislation include the writer:
Susan Singleton
Singletons Solicitors
The Ridge South View Road Pinner Middlesex HA5 3YD
Telephone: 020 8866 1934
Fax: 020 8866 6912
Email: [email protected]
Website: www.singlelaw.com
Other solicitors specialising in this area are listed at: www.chambersandpartners.com under UK Legal Directory ‘IT’ heading.
Data protection law for employers SUSAN SINGLETON
£125
There is growing evidence that the organisations that ‘get it right’ reap dividends in corporate energy and enhanced performance.
1 85418 283 8 • May 2003 The new four-part Code of Practice under the Data Protection Act 1998 on employment and data protection places a further burden of responsibility on employers and their advisers. The Data Protection Act also applies to manual data, not just computer data, and a new tough enforcement policy was announced in October 2002.
MARK THOMAS
£69.00
1 85418 270 6 • 2001 Practical advice on how to attract and keep the best.
Successfully defending employment tribunal cases
1 85418 008 8 • 1997
This report will help you to understand the key practical and legal issues, achieve consensus and involvement at all levels, understand and implement TUPE regulations and identify the documentation that needs to be drafted or reviewed.
New ways of working STEPHEN JUPP
DENNIS HUNT
£95.00
Why do so many mergers and acquisitions end in tears and reduced shareholder value?
Successful graduate recruitment JEAN BRADING
Mergers and acquisitions – confronting the organisation and people issues
£99.00
£95 1 85418 169 6 • 2000
1 85418 267 6 • 2003 Fully up to date with all the Employment Act 2002 changes. 165,000 claims were made last year and the numbers are rising. What will you do when one comes your way?
t +44 (0)20 7749 4748
e
[email protected]
New ways of working examines the nature of the work done in an organisation and seeks to optimise the working practices and the whole context in which the work takes place.
w www.thorogood.ws
Knowledge management SUE BRELADE, CHRISTOPHER HARMAN
• changes to internal disciplinary and grievance procedures
• significant changes to unfair dismissal legislation
• new rights for those employed on fixed-term contracts
• the introduction of new rights for learning representatives from an employer’s trade union
£95.00
1 85418 230 7 • 2001 Managing knowledge in companies is nothing new. However, the development of a separate discipline called ‘knowledge management’ is new – the introduction of recognised techniques and approaches for effectively managing the knowledge resources of an organisation. This report will provide you with these techniques.
Reviewing and changing contracts of employment ANNELISE PHILLIPS, TOM PLAYER and PAULA ROME
This specially commissioned new report examines each of the key developments where the Act changes existing provisions or introduces new rights. Each chapter deals with a discrete area.
Email – legal issues £125
SUSAN SINGLETON
£95.00
1 85418 215 3 • 2001
1 85418 296 X • 2003 The Employment Act 2002 has raised the stakes. Imperfect understanding of the law and poor drafting will now be very costly.
360,000 email messages are sent in the UK every second (The Guardian). What are the chances of either you or your employees breaking the law? The report explains clearly:
This new report will:
• Ensure that you have a total grip on what should be in a contract and what should not
• Explain step by step how to achieve changes in the contract of employment without causing problems
• Enable you to protect clients’ sensitive business information
• Enhance your understanding of potential conflict areas and your ability to manage disputes effectively.
Applying the Employment Act 2002 – crucial developments for employers and employees AUDREY WILLIAMS
• How to establish a sensible policy and whether or not you are entitled to insist on it as binding
• The degree to which you may lawfully monitor your employees’ e-mail and Internet use
• The implications of the Regulation of Investigatory Powers Act 2000 and the Electronic Communications Act 2000
• How the Data Protection Act 1998 affects the degree to which you can monitor your staff
• What you need to watch for in the Human Rights Act 1998
• TUC guidelines
• Example of an e-mail and Internet policy document.
£125
1 85418 253 6 • May 2003 The Act represents a major shift in the commercial environment, with far-reaching changes for employers and employees. The majority of the new rights under the family friendly section take effect from April 2003 with most of the other provisions later in the year. The consequences of getting it wrong, for both employer and employee, will be considerable – financial and otherwise. The Act affects nearly every aspect of the work place, including:
• flexible working
• family rights (adoption, paternity and improved maternity leave)
SALES, MARKETING AND PR
Implementing an integrated marketing communications strategy
Tendering and negotiating for MoD contracts
NORMAN HART
TIM BOYCE
£99.00
£125.00
1 85418 120 3 • 1999
1 85418 276 5 • 2002
Just what is meant by marketing communications, or ‘marcom’? How does it fit in with other corporate functions, and in particular how does it relate to business and marketing objectives?
This specially commissioned report aims to draw out the main principles, processes and procedures involved in tendering and negotiating MoD contracts.
Defending your reputation Strategic customer planning ALAN MELKMAN AND PROFESSOR KEN SIMMONDS
SIMON TAYLOR £95.00
1 85418 255 2 • 2001 This is very much a ‘how to’ Report. After reading those parts that are relevant to your business, you will be able to compile a plan that will work within your particular organisation for you, a powerful customer plan that you can implement immediately. Charts, checklists and diagrams throughout.
1 85418 251 • 2001 ‘Buildings can be rebuilt, IT systems replaced. People can be recruited, but a reputation lost can never be regained…’ ‘The media will publish a story – you may as well ensure it is your story’ Simon Taylor ‘News is whatever someone, somewhere, does not want published’ William Randolph Hearst When a major crisis does suddenly break, how ready will you be to defend your reputation?
Selling skills for professionals KIM TASSO
£65.00
1 85418 179 3 • 2000 Many professionals still feel awkward about really selling their professional services. They are not usually trained in selling. This is a much-needed report which addresses the unique concerns of professionals who wish to sell their services successfully and to feel comfortable doing so. ‘Comprehensive, well written and very readable… this is a super book, go and buy it as it is well worth the money’ Professional Marketing International
Insights into understanding the financial media – an insider’s view SIMON SCOTT
This practical briefing will help you understand the way the financial print and broadcast media works in the UK.
European lobbying guide £129.00
1 85418 144 0 • 2000
Corporate community investment £75.00
Understand how the EU works and how to get your message across effectively to the right people.
1 85418 192 0 • 1999 Supporting good causes is big business – and good business. Corporate community investment (CCI) is the general term for companies’ support of good causes, and is a very fast growing area of PR and marketing.
£99.00
1 85418 083 5 • 1998
BRYAN CASSIDY
CHRIS GENASI
£95.00
Lobbying and the media: working with politicians and journalists
Managing corporate reputation – the new currency
MICHAEL BURRELL
SUSAN CROFT and JOHN DALTON
£95.00
1 85418 240 4 • 2001
1 85418 272 2 • June 2003
Lobbying is an art form rather than a science, so there is inevitably an element of judgement in what line to take. This expert report explains the knowledge and techniques required.
ENRON, WORLDCOM… who next?
Strategic planning in public relations KIERAN KNIGHTS
£69.00
At a time when trust in corporations has plumbed new depths, knowing how to manage corporate reputation professionally and effectively has never been more crucial.
Surviving a corporate crisis – 100 things you need to know
1 85418 225 0 • 2001
PAUL BATCHELOR
Tips and techniques to aid you in a new approach to campaign planning.
1 85418 208 0 • April 2003
Strategic planning is a fresh approach to PR. An approach that is fact-based and scientific, clearly presenting the arguments for a campaign proposal backed with evidence.
£125
£125
Seven out of ten organisations that experience a corporate crisis go out of business within 18 months. This very timely report not only covers remedial action after the event but offers expert advice on preparing every department and every key player of the organisation so that, should a crisis occur, damage of every kind is limited as far as possible.
FINANCE
Tax aspects of buying and selling companies MARTYN INGLES
Practical techniques for effective project investment appraisal £99.00
RALPH TIFFIN
£99.00
1 85418 189 0 • 2001
1 85418 099 1 • 1999
This report takes you through the buying and selling process from the tax angle. It uses straightforward case studies to highlight the issues and more important strategies that are likely to have a significant impact on the taxation position.
How to ensure you have a reliable system in place. Spending money on projects automatically necessitates an effective appraisal system – a way of deciding whether the correct decisions on investment have been made.
Tax planning opportunities for family businesses in the new regime CHRISTOPHER JONES
£49.00
1 85418 154 8 • 2000 Following recent legislative and case law changes, the whole area of tax planning for family businesses requires very careful and thorough attention in order to avoid the many pitfalls.
MANAGEMENT AND PERSONAL DEVELOPMENT
Strategy implementation through project management TONY GRUNDY
£95.00
1 85418 250 1 • 2001 The gap Far too few managers know how to apply project management techniques to their strategic planning. The result is often strategy that is poorly thought out and executed. The answer Strategic project management is a new and powerful process designed to manage complex projects by combining traditional business analysis with project management techniques.