Part of the role of the Information Commissioner's Office (ICO) is to publish guidance for businesses and their stakeholders on privacy and data protection. Some of these guides apply specifically to the protection of employee data.
Sharing personal information
The ICO's Framework Code of Practice provides guidance to organisations on how they can operate so as to protect and assure the privacy and confidentiality of all individuals, including staff.
The code can be applied to all types of business in the UK, including companies limited by guarantee and unincorporated organisations.
The Code of Practice advises that data should be:
- only shared for necessary purposes
- relevant to the request and not excessive
- processed fairly - employees must be made aware what personal information is being shared and for what purpose it will be used
- appropriate in scope
- accurate
- deleted when it is no longer required
- kept securely
- accessible to the person to whom it relates
Additionally, transfers of personal data outside the European Economic Area should not be made unless the destination country has suitable data protection measures in place.
The Employment Practices Code
The ICO has also issued a related document called The Employment Practices Code ("EPC"). This is more specific to employees and other individuals working for an organisation, and covers:
- job applicants, whether or not they were eventually hired
- employees (full time, part time and casual)
- contractors and agency staff
The Code recommends that a specific person within the business, typically a senior manager or director, is given responsibility for making sure that the organisation complies with the Data Protection Act. Note that under the Act the "data controller" is the organisation itself (the employer), which determines the purposes and manner of processing; the nominated individual is the person accountable for compliance within it, not the data controller in the legal sense.
Breaches of business rules regarding employee data should be treated as a serious disciplinary matter.
Employees and trade unions should be consulted when employment policy documents are created or put in place.
What the Employment Practices Code covers
There are four sections of the EPC.
The first section covers recruitment. The key points are:
- applicants should be made aware of all parties in the recruitment process, including agencies and the employer
- only questions relevant to employment should be asked, and only information relevant to the employment decision should be recorded
The second part of the Code covers personal records of workers. The following topics are covered:
- general record-keeping and retention
- employment references
- outsourcing data processing
- marketing
- detection of fraud
- workers’ rights to see their own records
- security
- sickness and injury
- pensions and insurance
- equal opportunities
- disclosure and publication
- business reorganisation
- discipline
The third part of the Code covers how workers may be monitored in the workplace and the degree of privacy they can reasonably expect there.
It emphasises that employers should be aware of the issues monitoring creates, and that they should assess the impact of any measures in place to monitor workers' activity before and after introducing them. If the adverse impact on workers outweighs the benefit to the business, the employer should consider less intrusive alternatives.
Workers' privacy should be considered. For example, monitoring should only take place where it is justified by a real risk to the business or is otherwise necessary, and workers should be told what monitoring is carried out and why.
The last section explains the rules for handling information about workers' health, including routine health checks, drug and alcohol testing and similar information.