Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

UK Commissioner seeks views on employee data [2000] PLBIRp 50; (2000) 56 Privacy Laws and Business International Report 10

UK Commissioner seeks views on employee data

A CODE OF PRACTICE will soon regulate UK employers' use of human resources data. As the code will apply to paper records as well as automated data, practically all HR data are included under its scope.

The draft Code of Practice on the Use of Personal Data in Employer/ Employee relationships was developed to meet the need for guidance in this area. The Commissioner's office constantly receives requests for advice on employment matters. As the 1998 Act extends data protection to manual records, human resources records are now caught by the legislation. In addition, the development of new technologies, especially those to monitor employees, requires attention, as well as public concern over issues such as genetic and drug testing.

The Data Protection Commissioner released the draft code for comment on 6th October. It was presented to the participants at the Privacy Laws & Business consultation meeting in London, on October 17th, with a view to getting a first hand reaction from employers.

THE CODE APPLIES TO ORGANISATIONS OF ALL SIZES

The draft code's principal author, Assistant Commissioner David Smith explained its main provisions. He stressed that the draft code covers not only those currently employed, but also job seekers and former employees.

The draft code goes beyond the Data Protection Act 1998. Under the new law, the Commissioner has a legal duty not only to enforce the law, but also to promote good practice. The draft code distinguishes legal requirements from recommendations. However, David Smith emphasised that this is not a rigid boundary, and what is seen as good practice today, may, in the future, be seen as a requirement.

CAUTIOUS INITIAL REACTION FROM BUSINESS

Participants at the PL&B consultation meeting discussed some of the issues that employers may find too burdensome. There was some confusion over when it is necessary to seek employees' consent.

David Smith explained that consent is not the only condition an employer can rely on when processing employee data. The grounds for legitimate processing of non-sensitive data include situations where processing is necessary to comply with a legal requirement. However, when the data in question is sensitive, such as information on health or trade union membership, an explicit consent is required. He also said that as sickness records include sensitive data, their processing would require employees' explicit consent. This point raised some opposing views. Also queried was how detailed the notice about data collection should be. Is it possible to inform employees about their data protection rights only when joining the organisation, and does a consent obtained then last throughout the employment? David Smith explained that in cases of collecting sensitive data, it is possible to obtain consent at the beginning, and this would last. However, the fair processing requirement obliges organisations to inform employees if their data will be processed for new purposes. Therefore, it would be good to remind people from time to time how their data is being used.

The Chairman of the Data Protection Working Group of the Confederation of British Industries, Vivian Bowern, had a list of initial concerns about the draft code. He told the audience that the CBI will be discussing the issues in detail, and will submit a formal response to the Commissioner.

Following the October 17th meeting, Privacy Laws & Business drafted a memorandum reflecting the views of the participants which will be submitted to David Smith by the end of this year.

The draft code is available on the Internet at http://www. dataprotection.gov.uk. Responses to the consultation should be sent to David Smith by 5th January 2001 at dsmith@dpexecutive.demon.co.uk.