The Employment practices data protection code: part 3 (monitoring at work)
Part 3
Monitoring At Work
Section 1: About The Code
Our aim:
This Code is intended to help employers comply with the Data Protection Act and to encourage them to adopt good practice. The Code aims to strike a balance between the legitimate expectations of workers that personal information about them will be handled properly and the legitimate interests of employers in deciding how best, within the law, to run their own businesses. It does not impose new legal obligations.
Who is the Code for?
The Employment Practices Data Protection Code deals with the impact of data protection laws on the employment relationship. It covers such issues as the obtaining of information about workers, the retention of records, access to records and disclosure of them. Not every aspect of the Code will be relevant to every organisation - this will vary according to size and the nature of its business. Some of the issues addressed may arise only rarely - particularly for small businesses. Here the Code is intended to serve as a reference document to be called on when necessary.
This part of the Code recommends how your organisation can meet the requirements of the Data Protection Act through the adoption of good practice where you wish to monitor the activities of your workers.
increase trust in the workplace - there will be transparency about information held on individuals, thus helping to create an open atmosphere where workers have trust and confidence in employment practices.
encourage good housekeeping - following the Code encourages organisations to dispose of out-of-date information, freeing up both physical and computerised filing systems and making valuable information easier to find.
protect organisations from legal action – adhering to the Code will help employers to protect themselves from challenges against their data protection practices.
encourage workers to treat customers’ personal data with respect - following the Code will create a general level of awareness of personal data issues, helping to ensure that information about customers is treated properly.
help organisations to meet other legal requirements - the Code is intended to be consistent with other legislation such as the Human Rights Act 1998 and the Regulation of Investigatory Powers Act 2000 (RIPA).
assist global businesses to adopt policies and practices which are consistent with similar legislation in other countries - the Code is produced in the light of EC Directive 95/46/EC and ought to be in line with data protection law in other European Union member states.
help to prevent the illicit use of information by workers - informing them of the principles of data protection, and the consequences of not complying with the Act, should discourage them from misusing information held by the organisation.
What is the legal status of the Code?
The Code has been issued by the Information Commissioner under section 51 of the Data Protection Act. This requires him to promote the following of good practice, including compliance with the Act’s requirements, by data controllers and empowers him, after consultation, to prepare Codes of Practice giving guidance on good practice.
The basic legal requirement on each employer is to comply with the Act itself. The Code is designed to help. It sets out the Information Commissioner’s recommendations as to how the legal requirements of the Act can be met. Employers may have alternative ways of meeting these requirements but if they do nothing they risk breaking the law.
Any enforcement action would be based on a failure to meet the requirements of the Act itself. However, relevant parts of the Code are likely to be cited by the Commissioner in connection with any enforcement action that arises in relation to the processing of personal information in the employment context.
Who does data protection cover in the workplace?
The Code is concerned with information that employers might collect and keep on any individual who might wish to work, work, or have worked for them. In the Code the term ‘worker’ includes:
applicants (successful and unsuccessful);
former applicants (successful and unsuccessful);
employees (current and former);
agency staff (current and former);
casual staff (current and former);
contract staff (current and former).
Some of this Code will also apply to others in the workplace, such as volunteers and those on work experience placements.
What information is covered by the Code?
It is likely that most information about individuals that is processed by an organisation in the employment context will fall within the scope of the Data Protection Act and therefore within the scope of this Code.
The Code is concerned with 'personal information'. That is, information which:
relates to a living person, and
identifies an individual, whether by itself, or together with other information in the organisation’s possession or that is likely to come into its possession.
All automated and computerised personal information is covered by the Act. It also covers personal information put on paper or microfiche and held in any 'relevant filing system'. In addition, information recorded with the intention that it will be put in a relevant filing system or held on computer is covered. A relevant filing system essentially means any set of information about workers in which it is easy to find a piece of information about a particular individual.
[Note: At the date of publication the case of Durant v the Financial Services Authority is still before the courts. The explanation of ‘relevant filing system’ is based on the Information Commissioner’s previously published advice. This may need to be amended as the case law develops.]
Processing
The Act applies to personal information that is subject to ‘processing’. For the purposes of the Act, the term ‘processing’ applies to a comprehensive range of activities. It includes the initial obtaining of personal information, the retention and use of it, access and disclosure and final disposal.
Examples of personal information likely to be covered by the Act include:
details of a worker’s salary and bank account held on an organisation’s computer system or in a manual filing system;
an e-mail about an incident involving a named worker;
a supervisor’s notebook containing sections on several named workers;
a supervisor’s notebook containing information on only one individual but where there is an intention to put that information in that person’s file;
a set of completed application forms.
Examples of information unlikely to be covered by the Act include:
information on the entire workforce’s salary structure, given by grade, where individuals are not named and are not identifiable;
a report on the comparative success of different recruitment campaigns where no details regarding individuals are held;
a report on the results of “exit interviews” where all responses are anonymised and where the results are impossible to trace back to individuals;
manual files that contain some information about workers but are not stored in an organised way, such as a pile of papers left in a basement.
In practice, therefore, nearly all employment-related useable information held about individuals will be covered by the Code.
What are sensitive data?
Sensitive data are information concerning an individual’s:
racial or ethnic origin;
political opinions;
religious beliefs or other beliefs of a similar nature;
trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
physical or mental health or condition;
sexual life;
commission or alleged commission of any offence; or
proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.
Sensitive data found in a worker’s record might typically be about their:
physical or mental health - as a part of sickness records;
disabilities - to facilitate adaptations in the workplace;
racial origin - to ensure equality of opportunity;
trade union membership - to enable deduction of subscriptions from payroll.
In the context of monitoring, typical circumstances in which sensitive personal information might be held include:
health information in e-mails sent by a worker to his or her manager, a personnel department or an occupational health advisor;
trade union membership revealed by internet access logs which show that a worker routinely accesses a particular trade union website;
information about a worker’s political opinions or religious beliefs obtained by intercepting and recording a private conversation.
The Act sets out a series of conditions, at least one of which has to apply before an employer can collect, store, use, disclose or otherwise process sensitive data.
What responsibilities do workers have under the Act?
Workers - as well as employers - have responsibilities for data protection under the Act. Line managers have responsibility for the type of personal information they collect and how they use it. No-one at any level should disclose personal information outside the organisation's procedures, or use personal information held on others for their own purposes. Anyone disclosing personal information without the authority of the organisation may commit a criminal offence, unless there is some other legal justification, for example under ‘whistle-blowing’ legislation.
Of course, applicants for jobs ought to provide accurate information and may breach other laws if they do not. However, the Act does not create any new legal obligation for them to do so.
Managing Data Protection Page 21 explains more about allocating responsibility.
Other Parts of the Code:
The Employment Practices Data Protection Code has three additional parts:
recruitment and selection – is about job applications and pre-employment vetting;
employment records – is about collecting, storing, disclosing and deleting records;
medical information – is about occupational health, medical testing, drug and genetic screening.
Each part of the Code has been designed to stand alone. Which parts of the Code you choose to use will depend on the relevance to your organisation of each area covered.