top stories

Share

A Draft Code of Practice issued by the Data Protection Commission

The code is available from the Commission's web site at http://www.dataprotection.gov.uk

Comments from the Association of Chartered Certified Accountants
December 2000

Executive Summary

The Association of Chartered Certified Accountants is pleased to have the opportunity to submit its comments on the draft Code of Practice issued by the Data Protection Commission.

We welcome the proposed publication of a Code on this matter. We believe that it will be helpful as a benchmark of good practice in an area which is currently subject to a range of new and potentially confusing influences. Employers and employees, not to mention employment tribunals, should find it a useful source of reference.

In a number of respects, we believe that the Draft is too ambitious in attempting to codify good practice in the use of workplace information. We see no reason why a Code of this nature needs to encompass, for example, matters such as financial control and the processing of candidates for short-listing.
For ease of application, the actual Standards in the Code should be framed as concisely as possible.

Standards should not extend to more than two sentences; if they are too long, their effect will be diluted. Also, in a number of cases, the Draft uses phrases such as 'It is difficult to see' when discussing the possible implications of particular measures. We do not think that users of the Draft will find advice framed in such terms helpful. Wherever possible, the Code should be written in clear and unambiguous terms.

Specific comments

Our comments on specific sections of the Draft are set out in the following paragraphs.

Managing Data Protection: Line Management (Part 1.4)

1 Given that personal data, e.g. details of applications/CV's, salary, medical details etc, will very often be held by line managers, we suggest that the Standard under this heading needs to be strengthened. The present wording is unlikely to prevent managers from 'recklessly disclosing personal data…,' albeit unwittingly, particularly given the frequent lack of knowledge/understanding amongst this group of the potential implications of data protection issues.

Recruitment: Advertising (Part 2.1)

2 With regard to the second Standard under this heading, it would be helpful if the Draft could expand upon 'uses that go beyond despatching and keeping a short term record of the despatch of these details.'

3 In the third Standard, the recommendation to include 'any explanation that is needed' in advertisements is vague. Compliance with this recommendation could also be extremely costly given current advertising rates and may deter employers from including such information.

4 In the fourth Standard, the recommendation that '… no personal data are passed from the agency to the employer' is neither practical nor helpful for recruitment purposes. In any case, on receipt of applications, agencies are likely to discuss the employer with those candidates who match the short-listing criteria prior to submitting details to employers. It would be preferable for the passage to read: '…no personal data are passed from the agency to the employer without the applicant's consent'.

5 As drafted, the recommendation would seem to be more appropriate for a recruitment advertising agency than a recruitment agency. If this is the case, Standards 1-3 would be preventative measures for the protection of such data, although it could be argued that some of the onus should be on applicants responding to this type of 'anonymous' advertising.

Recruitment: Verification (Part 2.3)

6 The passage states that employers should avoid asking questions and checking the responses for no other reason than to test the applicant's honesty. The Standard adds that verification of personal information for the purposes of testing honesty should not take place unless the requirement for honesty is a particular feature of the job. In our view, employers should always be entitled to take steps to ensure that those whom they employ are likely to be honest. It is, moreover, misleading to infer that honesty is a criterion which is only applicable to certain types of job: if employers are justified in dismissing staff because of false information provided at the recruitment stage, they should be entitled to take appropriate steps before appointment to check that the information provided to them is accurate. We do not consider that verification of personal information in order to check a candidate's honesty is likely to breach the requirement of the Data Protection Act that personal data should not be processed in a way which is irrelevant or excessive. We suggest, therefore, that the passage is re-worded so as to recognise an employer's right to take reasonable steps, where this is considered appropriate, to verify information provided by a candidate, or by an agency on behalf of a candidate, for employment.

Recruitment: Shortlising (Part 2.4)

7 The first Standard under this heading requires employers to 'ensure that shortlisting is carried out in a way that produces results that are objective, consistent and fair to applicants ….' There is no obvious data protection-related reason for including this recommendation. We question whether the Commission needs to set new standards where these are already sufficiently and more appropriately covered under anti-discrimination legislation.

Recruitment: Interviews (Part 2.6)

8 The second Standard calls for employers to limit their recording of responses to questions posed at the interview to those which are relevant to and not excessive for making a recruitment decision. We do not consider that it is appropriate to place restrictions on employers in this way. The purpose of the interview is to give the employer the opportunity to ascertain the prospective employee's suitability for the vacant job. The employer will not have an interest in recording any information other than that which will help him to make a decision on whether to appoint the interviewee. It would be sufficient, we believe, for the Code to limit itself to a reminder that the information recorded should be relevant and not excessive.

Recruitment: Retention of Recruitment Records (Part 2.8)

9 The passage suggests that information which identifies individuals should be deleted from records. In practical terms, this would be a very time consuming exercise, particularly for organisations with small HR departments (or none at all).

Employment Records: Review/Appraisal (Part 3.9)

10 We suggest that the Draft acknowledges that records relating to individuals' employment history, including salary details, may be required for dealing with discrimination claims. This is particularly relevant given the likely changes to the rules on burden of proof in discrimination cases.

Fraud Prevention/Detection (Part 3.11)

11 Data matching is increasingly being used within public sector organisations for the purpose of combatting fraud, which is now, in financial terms, the second most serious crime in the UK. We consider that data matching can be a useful weapon in the fight against fraud. The Code should avoid placing restrictions which could result in an unreasonable impediment to the effectiveness of the exercise.

Financial Control (Part 3.12)

12 The second Standard provides that contracts of employment should state that employees are not permitted to have significant debts to the employer and that checks will be carried out to monitor compliance with this. While we do not disagree with such a provision in itself, we consider that this is an issue which should be left to the employer to decide and should not appear in a Code of Practice on use of personal data.

References (Part 4.3)

13 It is proposed to include in the Code a basic right of access by employees to confidential references about them given by their employers. We agree that good data protection practice is to be as open as possible with employees about information which relates to them. We have reservations, however, about whether this should extend to documents which are intended, justifiably, to be confidential. We do not think, in any case, that it should be standard, and thereby enforceable, practice to require employers to allow access to references, at least without the consent of both referee and recipient.

Monitoring Communications (Part 6.3)

14 We note that this section is to be re-drafted so as to take into account the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. We would appreciate the opportunity to comment on the revised passage in due course.

15 One aspect of the current Draft on which we feel bound to comment, however, relates to the third Standard under 6.3.1 (Telephone Monitoring). It is suggested here that employers should be required to provide special telephone lines for the purpose of allowing employees to make private calls. We are aware that this reflects tribunal precedent but it appears to be us to be excessive when presented as a standard requirement for all employers in all circumstances. It would be a particular burden on small firms. We suggest that the Draft is toned down so as to make it clear that it is good practice to make private lines available but that it should not be seen as a right available to employees in all circumstances.

Internet Access Monitoring (Part 6.3.3)

16 The passage states that, in company policy statements, a simple ban on access to pornography by employees is not sufficiently clear. It argues further that, if employers wish to ban employees from accessing sexually explicit material, they should be more specific about what categories of material they are not prepared for employees to view and copy. This infers a degree of familiarity with pornography on the part of employers which we do not consider is justified. We do not regard it as a realistic proposition for employers to be required go into further detail on this matter. The widely-adopted restriction on access to internet pornography is, we suggest, well understood by employees, employers and tribunals alike. We would dispute, in any case, the Draft's implication that employers should be prepared to tolerate the access by their employees to certain types of pornographic material in the workplace.

Back to top