Very much in common with those parts of the Code already released – 'Recruitment and Selection' ('Code of ethics', SMT, June 2002, pp26-28) and 'Monitoring at Work' – this latest segment is structured to form a complete and individual guidance document designed to stand alone from the other parts of the legislation. Unique to each section are the 'benchmarks' against which employers are encouraged to assess their existing (and future) practices – thereby ensuring full compliance with the Data Protection Act 1998.
The second instalment of the Code demonstrates to employers how they should collect, store and use information within the principles of the Act. Although it's not necessary for security managers and their Human Resources teams to seek an employee's express consent to retain employment records – employers merely need to make their employees aware that this will be done – employee consent is needed to process sensitive data unless the Act specifically authorises otherwise.
The Code suggests that employers consider the use of factsheets to advise new and existing workers as to how employment information is kept and used by the organisation. It also suggests that members of security teams are regularly provided with copies of information held by the organisation which may be subject to change (for example, address details) and asked to check and/or update this data – whether by use of a regular mailing to workers or, if suitable, by prompting workers to check and amend data by automatic means.
All employers in the corporate sector must give due regard to the security of stored personal data as it relates to members of the workforce. Examples of security measures would of course include lockable cabinets, the adoption of computer passwords and audit trails to track those individuals who have been accessing personal data. Members of staff – be they Human Resources professionals, security managers or third parties – who are entrusted to process personal data must be assessed for their reliability. Confidentiality clauses will also have to be built-in to their contracts with appropriate sanctions put in place should any confidentiality be breached.
If personal data is taken off site (eg if personal files are spirited away by managers) then the risk of unauthorised access must be assessed in advance and any necessary protections provided. In short, staff who deal with personal data must be made aware of the need for caution at all times.
Sickness and absenteeism records
Such records are rightly recognised as being a necessity for the proper management of the working relationship. However, employees should be aware that these records will clearly include sensitive data. Consequently, information contained within them may only be disclosed if there is either a legal obligation to do so or the employee has given consent.
Where information is provided to third parties for pension and insurance schemes, information gathered by the employer cannot be used for any purpose other than that which may be necessary in respect of the proper funding and/or arrangements of the schemes.
Wherever possible, the managers of security companies and/or in-house teams should put in place mechanisms to enable workers to provide information in private (for example, allowing members of staff to supply information in private direct to the service provider, or retaining copies of such evidence in sealed envelopes within the file).
Equal Opportunities information monitoring will centre on sensitive data. Any information identifying workers must only be used where this is necessary for meaningful equal opportunities monitoring to take place. Information collected must be accurate and not excessive. Wherever possible, such information is to be kept and used in an anonymous format.
Should any of your security staff's details be intended for marketing use, this must be clearly explained to employees before it's collected. An opportunity must also be provided for employees to say 'no' to their data being used. Similarly, members of staff must be made aware of – and regularly reminded about – any data matching exercises which might be implemented by an employer to prevent and/or detect fraud. Any data retrieved must not be disclosed to third parties without cause.
Subject access request entitlements
A member of the security staff is entitled to make a data subject access request which will include access to their personal file. To meet the 40-day timescale permitted to produce these details, employers are encouraged to establish systems which will enable them to do so in advance, and to make everyone who might be involved in such requests aware of their individual responsibilities.
The right to access should be borne in mind when purchasing any new computer systems to ensure that this will enable employers to comply with the requirements of the Data Protection Act.
Before releasing any details, employers must check that the data subject is entitled to the information to be provided and, when preparing the information for them, they must make a value judgement as to exactly what it is reasonable to withhold concerning the identities of third parties. For example, while workers are entitled to copies of all e-mails about them, this shouldn't necessitate a full search of all e-mails held. An e-mail that merely mentions a worker – perhaps because their name appears on the list of recipients – need not be provided.
All employers are encouraged to establish a clear policy concerning the provision of corporate references. If a person wishes to see their own reference on file which identifies a third party, employers are advised to make a judgement on what information it may be reasonable to withhold.
In addition, security company managers and in-house practitioners alike should establish a disclosure policy and ensure that decisions taken on disclosure are made by a suitably qualified and senior individual. Unless they're under a legal obligation, employers should disclose information only where it is fair to do so, and must bear in mind that the duty of fairness is owed primarily to the worker. Consequently, their views on disclosure should be taken wherever possible.
Security companies and corporate concerns alike should not automatically assume that the person requesting disclosure has the authority to do so, and must always be looking to check the legitimacy of any such request. If sensitive data is to be disclosed then the employee's consent is needed at the outset. Otherwise, ensure that one of the other conditions relating to sensitive data is satisfied.
Finally, unless it would amount to a tip-off, always advise the employee that a disclosure has been made and record the details of any disclosure given.
Publication and other disclosures
The general rule is that information which amounts to personal data should be published only where there's a legal obligation to do so, it is not intrusive, there has been informed consent or the published information doesn't identify individuals. Information should only be supplied to a Trade Union for recruitment purposes if the Trade Union is recognised by the employer.
Any information provided must be limited to that which is necessary to enable recruitment. Members of staff must be advised in advance that their employer proposes to release their details, and should be offered an opportunity to object.
Wherever practicable, information provided in the event of a merger/acquisition should be anonymised. Personal information should be given only if assurances are received that it will be used solely for the evaluation of assets and liabilities, will be treated in confidence, will not be disclosed to any other parties and will be destroyed/returned after use. Again, wherever possible members of staff should be made aware of the fact that their details are being provided to third parties in this way.
Following the transfer of ownership of a given security company or corporate operation, new employers would do well to ensure that the employment records which they inherit are assessed to make certain that they don't include excessive information (and that the information contained therein is both accurate and relevant).
Discipline, grievance and dismissal
The terms and conditions of the Data Protection Act 1998 clearly apply to records of disciplinary and grievance procedures, as well as the dismissal of given employees. Employers must ensure that their record keeping procedures reflect this fact, both in terms of the investigation process which precedes formal proceedings and in respect of any hearing and final outcome.
Where an organisation outsources the processing of personal data, it must ensure that appropriate safeguards are put in place such that all third parties comply with the same obligations as if the processing were being carried out by the organisation itself. The contractual arrangements with third parties should reflect this and, as far as possible, checks introduced to assess compliance with the Act.
The complete Employment Practices Data Protection Code document issued by the Information Commissioner may be downloaded from the Internet at: www.dataprotection.gov.uk/dpr/dpdoc.nsf
Security managers should note that the web site also contains useful checklists aimed at helping employers to meet their obligations as specified under the benchmarks summarised in this article.
Source
SMT
Postscript
Kate Hodgkiss is a solicitor with the international law firm DLA