rss feed

Data Protection and recruiting staff

22 October 2003 by
Data Protection and recruiting staff

The long-awaited Employment Practices Data Protection Code has finally been issued by the Information Commissioner. The code provides guidance to employers on how they should process data to comply with the Data Protection Act 1998 when recruiting and employing staff.<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /?>

What constitutes processing data?
Processing has a wide definition and includes gathering, accessing, transmitting, disclosing and even the final destruction of any data.

Are there any enforcement procedures? Both individuals and the Information Commissioner can start proceedings and not complying with the code will be evidence of a breach of the Data Protection Act. Penalties range from compensation for individuals to criminal sanctions for persistent breaches by companies.

Who is covered by the code?
It is not just employees who are covered. The following are also protected:

  • applicants
  • former applicants
  • employees
  • agency workers
  • casual workers
  • contract workers

What data is covered?
The code covers the processing of both personal and sensitive data. Personal data is any form of data that identifies a living person. Sensitive data is information relating to an individual's life, such as: racial or ethnic origin; political opinion; religious beliefs or similar; trade union membership; physical or mental health or condition; sexual life; whether they have committed or are alleged to have committed any offence.

What are the key areas covered? There are seven key areas:

1.Managing data protection To comply with this benchmark, companies should set up internal mechanisms to make sure they comply with the Data Protection Act:

  • allocate responsibility for compliance to a senior manager in human resources;
  • ensure that any employment procedures comply with the act;
  • provide Data Protection Act training to all staff;
  • make any breach of the act a disciplinary offence;
  • notify the Information Commissioner that employee records are processed and keep the register up to date;
  • audit the extent to which personal data is processed within the company and delete any data that is no longer relevant.

2. Advertising
Advertising includes any message used to notify potential applicants of a specific job vacancy and includes newspapers, radio, television and the Internet. The code sets out the following guidelines in advertising for staff:

  • prospective applicants should be informed of the name of the company to which they will provide their details and how this information will be used, unless this is self-evident;
  • recruitment agencies used to hire staff must clearly identify the name of the agency on the advertisement. If the information supplied in response to a recruitment advertisement is retained for future use, the advertisement should make this clear;
  • although any advertisement placed by a recruitment agency need not show the identity of the employer on whose behalf it is recruiting, the agency may pass the information to the employer provided that the applicant is informed that his or her details will be passed on.

3. Applications Applications include written responses to specific job advertisements, whether made on paper or online. The code also covers CVs sent "on spec".

The code sets out the following benchmarks for complying with the Data Protection Act:

  • state on an application form to whom the information is being provided and how that information will be used if this is not self-evident
  • if the organisation is conducting an initial trawl of applicants for a range of different jobs, perhaps to keep on file and return to as needed, this should be explained to any prospective applicant
  • where a company receives unsolicited applications by way of e-mail or letter the company need only provide the applicant with an explanation where the application is to be retained and the use made of the information on the application or the period of retention goes beyond what would be self-evident to the applicant.

5. Verification Verification involves checking that details supplied by applicants are accurate and complete. The process could include confirmation of qualifications and financial information if this is justified to meet the requirements of the position involved. Applicants should be told as soon as possible in the recruitment process that any details provided will be verified and what methods will be used.

6. Shortlisting Shortlisting includes selecting applicants who will go on to a further stage in the recruitment process, usually an interview. It can be conducted through evaluating applications and/or by conducting tests. The code again sets out certain benchmarks when shortlisting applicants:

  • employers should be consistent in the way personal data is used in the process of shortlisting candidates for a particular position
  • applicants should be informed if an automated shortlisting system will be used as the sole basis for making a decision. Where the shortlisting process is carried out solely by computerised means and where no human element is involved, applicants have the right to have the logic of the decision-making process explained to them. Where a human element is involved, such an explanation is not necessary
  • ensure that any tests used in shortlisting, such as psychological tests and handwriting analysis, are only used by those who have received appropriate training

6. Interviews There are no detailed benchmarks on the interview process but personal data recorded and retained following an interview should be necessary for the recruitment process itself or for defending the process against legal challenge. Applicants will also be entitled to have access to interview notes about them that are retained as part of the record of the interview.

7. Retention of recruitment records
There is no specific period for the retention of recruitment records under the Data Protection Act, although personal data contained should not be kept for longer than is necessary. Any period of retention must be based on a business need, such as the possible defence of a discrimination action. The possibility that an individual may bring a legal action does not, however, justify the indefinite retention of all records relating to workers. A record of the results of a vetting or verification exercise should be kept no longer than six months. Companies will need to use discretion in deciding at what point data should no longer be retained.

by Jonathan Exten-Wright and Mary Walsh Jonathan Exten-Wright is a partner in the employment department of law firm DLA and Mary Walsh is a solicitor at DLA.

Disclaimer

Recommended Articles

Archive

Pelican boosts profits during ‘fabulous' half-year

Archive

Caterer and Hotelkeeper – 30490

Archive

TEMPLES OF STYLE

Archive

Simplicity and style

The Caterer Breakfast Briefing Email

Start the working day with The Caterer’s free breakfast briefing email

Sign Up and manage your preferences below

Details given will be used in accordance with our Privacy Policy
Check mark icon
Thank you

You have successfully signed up for the Caterer Breakfast Briefing Email and will hear from us soon!

Jacobs Media is honoured to be the recipient of the 2020 Queen's Award for Enterprise.

The highest official awards for UK businesses since being established by royal warrant in 1965. Read more.

© {{year}} All rights reserved. Jacobs Media Group Limited is a company registered in England and Wales, company number 08713328. 3rd Floor, 52 Grosvenor Gardens, London SW1W 0AU.

close

Ad Blocker detected

We have noticed you are using an adblocker and – although we support freedom of choice – we would like to ask you to enable ads on our site. They are an important revenue source which supports free access of our website's content, especially during the COVID-19 crisis.

trade tracker pixel tracking