The much-heralded Employment Practices Data Protection Code – which provides guidance to employers when processing data in line with the Data Protection Act 1998 – has finally been issued by the Information Commissioner. What are it's likely impacts so far as the security companies are concerned? Jonathan Exten-Wright and Mary Walsh investigate.
At long last, the Information Commissioner has published the Employment Practices Data Protection Code – and managing directors, supervisors and line managers at the UK's many and varied manned security companies had better take note.

Although the Code doesn't enjoy the status of primary legislation, security companies will ignore its contents at their peril – the Information Commissioner will consider compliance with the Code in any enforcement proceedings under the terms of the Data Protection Act.

In essence, the Employment Practices Data Protection Code offers guidance to all employers (including in-house security managers) who, when recruiting and then employing staff, are involved with processing personal data under the terms and conditions of the Data Protection Act 1998. Non-compliance with the Code will be evidence of a breach of the Act, and penalties will range from basic compensation for individuals through to criminal sanctions for persistent breaches by companies and organisations.

It's not just employees who are covered by the Code. Applicants and former applicants (both successful and unsuccessful), as well as employees, agency workers, casual workers and contract workers (in all cases both current and former) are all protected.

As stated, the Code covers the processing of both personal and sensitive data. The former is any form of data which identifies a living person. It can include the bank details of a worker, or perhaps more mundane information such as address, contact details and next of kin details. Sensitive data, on the other hand, comprises information relating to an individual's life (eg racial or ethnic origin, political opinion, religious beliefs, trade union memberships, physical or mental health and/or condition or the committal – or alleged committal – of any offence).

Salient examples of sensitive data may include sickness records, records of disabilities used to facilitate adaptations to the workplace and records of racial origin (thereby ensuring equality of opportunities). At all times these data MUST be processed in line with the terms of the Data Protection Act 1998.

Managing data protection
To comply with this benchmark security companies must establish internal mechanisms that will ensure compliance with the Act. Responsibility for compliance should be allocated to a senior manager in the Human Resources Department.

All and any employment procedures must comply with the Act, while all staff must be trained in its interpretation. In a similar vein, any breach of the Data Protection Act must be made a disciplinary offence.

Security companies must also notify the Information Commissioner that employee records are processed, and keep their own register up-to-date. Importantly, bosses must also audit the extent to which personal data are processed within the company, and delete any data that are no longer relevant.

What do you do when advertising for security staff? This could take in newspapers, local radio, television and the Internet. Either way, the new Code lays down several guidelines for when you do come to advertise.

To begin with, prospective applicants should always be informed of the name of the company to which they will provide their own details, and how that information might be used (unless it is self-evident). In addition, recruitment agencies used to hire officers or supervisors must clearly identify the name of the agency on the advert. If the information supplied in response to a recruitment advertisement is retained for future use, the advert should make this clear.

In addition, although any advertisement placed by a recruitment agency need not show the identity of the employer on whose behalf it is recruiting, the agency may pass the information to the employer provided that the applicant is informed that his/her details will be passed on. That said, the employer can arrange for the agency to provide this explanation on its behalf.

Applications, of course, include written responses to specific job advertisements, whether made on paper or online. The Code also covers CVs sent 'on spec'. In each case, there are several benchmarks that employers must follow in order that they be 'Data Protection Act-compliant'.

First, state on ALL application forms exactly to whom the information submitted is being provided, and how that information will be used if this is not self-evident. Second, if the organisation is conducting an initial trawl of applicants for a range of different jobs (perhaps to keep on file and return to as and when needed), this should be explained to each and every prospective applicant.

Third, wherever a security company receives unsolicited applications by way of e-mail or letter, the company need only provide the applicant with an explanation where the application is to be retained, and the use made of the information on the application or the period of retention goes beyond what would be self-evident to the applicant.

Verification and shortlisting
Verification involves checking that details supplied by applicants are both accurate and complete. The process could include confirmation of qualifications and financial information if this is justified to meet the requirements of the position involved.

There is no specific period for the retention of recruitment records under the Data Protection Act, although personal data contained should not be kept for longer than is necessary. Any period of retention must be based on a business need, such as the pos

Applicants should be told as soon as possible in the recruitment process that any details provided will be verified.

It may be necessary for security managers to obtain the consent of third parties in order to verify details provided by an applicant. In such a case, the employer should always strive to obtain signed consent from the individual concerned.

Short-listing includes selecting applicants who will go on to a further stage in the recruitment process – usually an interview. It can be conducted through evaluating applications and/or by conducting tests. Again, the Code sets out certain benchmarks that security companies and in-house managers must adhere to when shortlisting applicants.

Employers should always be consistent in the way personal data are used in the process of shortlisting candidates for a given job.

Applicants should be informed if an automated shortlisting system is to be used as the sole basis for making a decision. Where the shortlisting process is carried out solely by computerised means, and where no human element is involved, applicants have the right of access to the logic of the decision-making process explained to them. Wherever a human element is involved such an explanation is not necessary. Also, ensure that any tests used in shortlisting such as psychological tests and handwriting analyses are only used by those who have received appropriate training.

There are no detailed benchmarks on the interviewing process, but personal data recorded and retained following an interview should be necessary for the recruitment process itself or for defending the process against any potential legal challenge.

Applicants will also be entitled to have access to interview notes about them which are retained as part of the record of the interview. This is not a new right, but part of the general right of subject access to processed data under the terms of the Data Protection Act.

Pre-employment vetting procedures
Pre-employment vetting, of course, involves actively making enquiries from third parties about an applicant's background and circumstances ('Vetting in a new security world' and 'The nemesis of manned guarding', SMT, April 2002, pp54-55). It goes way beyond verification, and is particularly intrusive.

The Code suggests that vetting should be confined to areas of specific risk, including those that involve working with children and vulnerable adults. While security companies are not mentioned directly in the Code, it's reasonable that a prospective employer of security staff would want to ensure that such people do indeed have an appropriate background.

Not all security staff may need vetting. The Code suggests that vetting should only be carried out where staff will actually have access to high risk/sensitive information rather than providing many concrete guidelines for the security industry. It's likely that vetting should only take place where the type of goods/information to be guarded on a given site is particularly sensitive.

Vetting and the risk factor
The Code doesn't necessarily prohibit the use of such vetting, but regulates whether and how it may be carried out – confining it to areas of specific risk. These are as follows:

  • where there are significant risks to the security of the employer or others;
  • comprehensive vetting should only be conducted on a successful applicant, and not on all applicants;
  • make clear early in the recruitment process that vetting will take place, and how it will be conducted;
  • allow the applicant to make representations regarding information that will affect the decision to finally appoint someone.

There is no specific period for the retention of recruitment records under the Data Protection Act, although personal data contained should not be kept for longer than is necessary. Any period of retention must be based on a business need, such as the possible defence of a discrimination action. However, the possibility that an individual may bring a legal action doesn't justify the indefinite retention of all records relating to workers.

Employers must recognise that any record of the results of a vetting or verification exercise should be kept for no longer than six months. Companies will need to use discretion in deciding exactly at what point data should no longer be retained.

There are other practical steps that can be taken to minimise exposure to the law. For example (and as stated previously), employers should appoint a senior person within the company to be responsible for data protection compliance. They should ensure the training of key people, draft procedures in line with the Data Protection Act and the Code, audit the retention of current data and make any breach of data protection a disciplinary offence.

In essence, the Employment Practices Data Protection Code aims to strike a balance between the rights of an employer to carry on a business and the rights of a workforce to respect for privacy.

Efficient and effective recruitment: the essentials

The cost of undertaking a recruitment assignment is calculated by many employers only by the hard cash expended through advertising, writes Peter French. Many times, the unseen costs are forgotten. Management is integral to the trading process. We all have variable value, but our time is never replaceable. Typically, the middle management overhead can be valued at £1,000 per day per manager. The application of a trading profit easily doubles that figure. What about valuing the loss of profit sustained through an unfilled position? This is a barometer rarely used when calculating the unseen costs of the recruitment process. In the drive for increased profitability, organisations should reduce their recruitment cycle and qualify for a quick win. Non-specific industry recruitment consultants who rely on advertising can be wasteful. They have to wait for the right day. Adding anything up to 30 days to the recruitment cycle can result in a final cost – for a middle management position – of between £67,000 and £120,000. In truth, specialist recruitment consultancies should be in a position to meet the time frames of all clients. Indeed, management positions should always be filled within four weeks. Using interactive self-selection When recruiting personnel who provide support personnel functions, the increased use of interactive self-selection telephone systems can have a dramatic effect in reducing the recruitment cycle. No less than 2,500 candidates may be profiled each day. Recruitment cycles from three days include screening, vetting and the appointment of an employee within seven days. The cost of any failure for many end user organisations – or the loss of a contract by a service vendor due to staffing shortages – is calculable in millions of pounds. Many employers use human resources profiling tools for management appointments if it is viewed as a critical post, but in a job market in which we increasingly need to develop the skills of our people. Assessment Centre selection can be a vital business tool when assessing self-development potential and reducing personnel attrition rates. At a time of depressed corporate profits, it’s efficiencies in the recruitment function which will add 20-30% in profits as the achievable gains flow directly to the bottom line. Peter French is managing director of SSR Personnel, the security recruitment specialist

Source

SMT

Postscript

  • Jonathan Exten-Wright is a partner in the Employment Department of City law firm DLA
  • Mary Walsh is a qualified solicitor at DLA