The Data Protection Act 1998

Original draft of the code of practice concerning the use of personal data in employer/employee relationships.

Prepared on behalf of the UK Information Commissioner’s Office by Robin Chater, director of the Personnel Policy Research Unit, in April 1999.

1. Status, purpose and scope

1: This code of practice (the code) has been prepared under Section 51 (3) (b) of the Data Protection Act 1998 (the Act).

2: All references in the code will be to the processing of personal data in the employment relationship.

3: The purpose of the code is to set out clearly those requirements of the Act which are relevant to the employment relationship and to indicate areas of good practice.

4: The code applies to all personal data which is processed within the United Kingdom by, or on behalf of, employers.

5: Where other appropriate statutory or common law rights, guidelines and codes of practice exist it is the intention of the code to complement them and enhance their application. This applies, in particular, to the International Labour Office’s Code of Practice on the Protection of Workers’ Personal Data 1997, Article 8 of the Human Rights Act 1998 and the Freedom of Information Act 2000. References to particular Acts, codes and guidelines shall be to versions of those provisions which are in force at any particular time.

6: No element of the code shall exclude any party in the employment relationship from their rights and/or obligations under employment law. In particular, the code should not be used as a pretext for non-compliance with statutory disclosure in respect to collective bargaining, collective redundancies, the transfer of undertakings and the insolvency of an employer.

7: It is assumed for the purposes of the code that the Data Protection Act 1998 has been fully implemented.

2. Definitions

8: For the purposes of the code:

- “Personal data” means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

- “Processing” means any operation or set of operations performed upon personal data, whether or not by automatic means. These include collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. This definition incorporates a) automated data (including word processed documents and files); b) manual data (including expressions of opinion about, and an employer’s intentions towards, an individual) and c) other recorded data (photographic film, video and/or sound material).

- “Consent” means any freely given specific and informed indication of an individual’s wishes by which he/she signifies agreement to personal data relating to him/her being processed. Consent has therefore not been given if it arises from a) any significant pressure being placed upon an employee, b) a lack of information or c) misinformation.

- “Employee” means an individual who is subject to personal data in the employment relationship. For the purpose of this code it applies to any current, past or prospective individual who has entered into, or intends to enter into, a contract of employment, service or apprenticeship with an employer. This includes contractors operating on an employer’s premises, certain agency staff, students undergoing work experience and other individuals for whom an employer may be vicariously liable.

All other terms used in the code are those defined in the Act. Where a particular definition is not present in the Act, reference should be made to those definitions provided in relevant UK employment legislation.

3. General provisions

9: Employers should respect their employees’ privacy and human dignity and no intrusive action should be taken unless it may be readily justified as wholly reasonable in the circumstances.

10: All personal data should be obtained, as far as possible, from the individual worker and processed on the basis of informed consent. All requests for consent should be in plain language, specific to the employee (or employees) being addressed and clearly state the purposes for which the data is being obtained.

11: Practical steps should be taken to inform current employees about their legal rights under the Act. Where appropriate, it would be good practice for this to involve detailed consultation with employee representatives.

12: A complete inventory should be made of all personal data processed in any form by managers, first line supervisors, health and safety officers, medical staff and all other individuals with a legitimate reason for processing such data. This inventory should be updated on at least an annual basis.

13: Employers should ensure that:

- they have made a valid, accurate and timely statutory notification to the Office of the Information Commissioner,
- the notification is up to date, and
- the personal data is processed only in accordance with the strict terms of that notification.

4. The data protection principles in an employment context

14: Personal data may not be obtained by any means which mislead or deceive either current or prospective employees and it should be processed fairly and lawfully. Moreover, increased protection is provided in respect to a special category of sensitive personal data (see section 8 below).

15: Employers may only collect personal data for justified reasons and specified purposes. These should normally be communicated, in advance, to the employees concerned. Examples include data which is necessary:

- for compliance with employment law and the administration of an individual’s employment contract,
- to establish an employee’s training and/or development requirements,
- to assess an employee’s qualifications for a particular job, or task,
- to gather further evidence where there is a prima facie case for disciplinary action,
- for remuneration policy and payroll administration,
- to establish a contact point in the case of an emergency (next of kin).

16: The obtaining of personal data for vague or generalised purposes is not legitimate. No further use should be made of any personal data if that use is incompatible with the purpose for which it was collected. This includes the matching of two or more sets of data when any of the personal data being matched has been collected for a different purpose, except where sanctioned by law. Information collected on behalf of a third party, such as a government department for security purposes, should be clearly marked as such and should be kept separate from information collected by the employer for their own use.

17: Every effort should be made by employers to ensure that employee data is processed in an accurate and valid way and neither significantly exceeds, nor falls short of, that which is necessary to satisfy their requirements. Once those requirements have been satisfied the data should be deleted in a secure manner.

18: The security of employee data should be comprehensively protected through the adoption of BS 7799, or an equivalent standard. Such data should not be vulnerable to unauthorised access, improper use, accidental loss, destruction and/or damage.

19: Employers should normally transmit personal data about their current employees to any country outside the European Union, Norway, Iceland and Liechtenstein only after obtaining the consent of the employees concerned to the transfer. Any other transfer should be strictly limited to contractual relations where an employer can show that it was either essential to the performance of a contract, entering into a contract or in the interests of employees subject to a contract and that the employer had reasonably considered all practicable alternatives.

20: It would be ‘good practice’ within the spirit of the Act to ensure that any country to which data is being transmitted operates data protection safeguards which at least conform to one of the following – the 1980 OECD recommendation concerning and guidelines governing the protection of privacy and transborder flows of personal data or the 1981 Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data – or adheres to ‘Safe Harbour’ principles approved by the European Commission. In all cases employers should:

- not transmit non-encrypted e-mails containing personal data via the Internet
- not use another country as a staging post for transfers to any third country
- ensure that data protection laws are subject to an official supervisory authority with the power to investigate complaints.

5. Recruitment

21: No decision about the recruitment of an individual for a particular job should be based exclusively upon the results of an analysis carried out by automated means. The prior, informed consent of prospective employees and internal candidates should be sought before their applications are subjected to automated short-listing or selection. At this point they should be given an opportunity to have their application evaluated by a manager, or professional recruiter, on a no penalty basis. Those who choose to accept the processing of their application by automated means should have access to an independent appeals process if their application is turned down.

22: Applicants for employment should be informed in advance that the details they provide may be subject to verification. In order that this may take place an employer, or an agency acting for them, will require the applicant’s written consent both to contact those parties who would be able to confirm the facts contained in the application and for the parties concerned to reveal appropriate personal data about the applicant to the employer, or the agency concerned. Employment agencies should state in writing which personal details are being passed on to the prospective employer.

23: An employee has no right to gain access from their current employer to a reference given, in confidence, by that employer. They do, however, have a right to see references given about them by a third party (including their previous employer) and held on their current employer’s files – but only if that third party individual is not identified, or is not identifiable, within the reference itself.

24: Employment agencies should operate with all due regard to the data protection principles set out in the Act (see section 4 above). In particular, they should ensure that those individuals being placed by their agency have given them informed and explicit consent to hold personal data, that it is accurate and kept up to date, kept for no longer than is necessary and not subject to unauthorised and unlawful processing. Appropriate guidance on respect for candidates’ confidentiality is given in the Federation of Recruitment and Employment Services’ Code of Professional Standards.

6. The management of personal data about employees

25: Access to human resource records by management should be strictly controlled, at all times, on a formal ‘need to know’ basis.

26: Employees should be informed on a periodic basis (at least annually) that personal data relating to them is being held by their employer, the nature of that data and the use(s), or intended use(s), of the data. In particular, they should be given details about:

- the sources of personal data,
- the types, or categories, of data,
- the parties who have access to that data,
- the precise purpose(s) for holding the data,
- if they are the subject of automated decisions,
- their individual rights to access files and rectify, erase or block data which is incomplete or inaccurate.

27: Employees have the right (at reasonable intervals) to gain a copy of all personal data about themselves which is held by their employer. The request must be clearly stated in writing and may involve payment of a fee of up to £10.00. An access request should be satisfied within forty days from an employer’s receipt of details about the personal data being sought and any required fee. An employer has the right to remove personal data about any third party and/or to seek the consent of the third party before complying with the access request. Where the supply of certain data would involve disproportionate effort an employer has the right to withhold it. An example would be the provision of manual payroll information contained in a remote archive and held solely for statutory purposes.

28: If an employee would be unlikely to comprehend the meaning of any information held on the files which they have requested, a written explanation must be provided of the relevant terms. If an employee is the subject of automated decisions relating to matters such as performance at work, reliability or conduct they should be informed by their employer about the logic involved in that decision-taking – unless such additional information constitutes a trade secret.

29: Where an employee’s request for a copy of personal data about themselves is subject to a legal exemption under the Act (see section 14 below), they will still have the right to gain access to that data if it is for the purpose of obtaining legal advice or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

30: The disclosure of all personal data to third parties should either be on the basis of a statutory right – such as the collection of tax, duty or any imposition of a similar nature – or after obtaining the prior, explicit consent of the employee concerned. No personal data should be released to a third party until their identity has been carefully verified and all such disclosures should be logged by reference to the party making the request, the time and date when the request was satisfied. Where an employer becomes aware that disclosure requests may involve imposture or other fraudulent behaviour the employee concerned should be informed and encouraged to contact the police.

31: Where an employer seeks to determine the knowledge, intelligence, skill or ability of an employee through the use of a test or practical exercise it shall not be necessary to comply with a personal data access request made before the day when the results are published or made available / communicated to the employee making the request until:

- five months after the date when the request was made, or
- forty days after the date of the announcement

whichever is the earlier. The original personal data, together with any amendments which have been made (or are intended to be made), should be included in the material provided to employees making such a request. An employee does not have a right to obtain personal data recorded on the scripts of any test, or examination, they have completed – only the results of such an exercise.

32: If personal data is processed by a third party on behalf of an employer the relationship between the employer and the third party concerned should be subject to a written contract. This should clearly state that the third party must process that data only within the terms of the instructions issued by the employer and also comply with all relevant obligations under the Act.

7. Special safeguards

33: Employers must not require or encourage a current, past or prospective employee to supply them with copies of, or material from, records about their past employment, health or any other relevant matter (either directly or via a third party) by utilising their individual data access rights, unless the employer has a statutory right or duty to do so.

34: No decision about an employee’s work performance, remuneration, grading, job evaluation, career potential, reliability, conduct, suitability for promotion, transfer or redeployment should be based exclusively upon the results of an analysis carried out by automated means:

- unless the effect of that decision is to grant a request made by the employee, or
- the outcome of that decision is subject to a formal grievance procedure.

35: No personal data should be processed in any form which may give rise to substantial damage, distress or detriment to any employee – or any other individual identified by that data. An example of this situation might be the presence of an employee’s details on a ‘blacklist’. Such a case may also contravene the special safeguards relating to ‘sensitive data’ (see section 8 below) and the protection provided under the Employment Relations Act 1999. If a notice in writing is made by an employee to prevent such processing, an employer must respond within twenty-one days stating:

- how he intends to comply with the notice, or
- the reasons why full compliance would not be justified.

If refused, the employee may subsequently seek legal redress through the courts.

36: Performance monitoring should only take place on the basis of the prior, informed consent of the employees concerned. Employees (and / or their representatives) subject to performance monitoring should be given the opportunity to review the method(s) used and comment on the validity of the results obtained.

37: In the event of a potential, intended or actual transfer of an undertaking employers should take all reasonable steps to limit disclosure of personal data about employees to any of the third parties concerned by, for instance, the omission of names or other identifying particulars. The new entity shall cease to be a third party on the date of the formal transfer, except in respect to personal data concerning certain rights and obligations – such as those relating to supplementary pensions – not acquired under the Transfer of Undertakings (Protection of Employment) Regulations 1981 (as amended by the Trade Union Reform and Employment Rights Act 1993).

8. Sensitive personal data

38: A special category of sensitive personal data is subject under the Act to a number of particularly tight restrictions. This category embraces data relating to racial or ethnic origin; political opinions; religious or other belief systems; membership of a trade union; physical or mental health or condition; sexual life and data relating to offences, criminal convictions or security measures. Such data may only be processed if the employee has either given their explicit consent, or the processing is necessary:

- For the purposes of carrying out the obligations and specific rights of an employer in the field of employment law, or
- In connection with any legal proceedings or for the purpose of obtaining legal advice, or
- For the administration of justice, for the exercise of functions conferred by statute or for the exercise of any functions of the crown, or
- For medical purposes by a health professional (see section 9 below), or
- For the purposes of racial or ethnic monitoring (see section 10 below).

From the outset, employers should record in writing the purposes for which all sensitive data is held.

39: Sensitive health data includes any genetic susceptibility to physical or mental ill health.

40: The requirement for explicit consent applies to the disclosure of personal data to, and processing by, any occupational pension scheme which has a distinct legal status and identity which sets it apart from that of an individual’s employer.

41: The special safeguards for sensitive data could provide the basis for both employers and employee representatives to enter into a dialogue about the type of data which is held on human resource records and the uses to which such data is put.

9. The management of health and safety

42: Employee health information is classified as ‘sensitive data’ under the Act and should be handled in accordance with the Faculty of Occupational Medicine’s Guidance on Ethics for Occupational Physicians. The only types of data which should normally be processed on general human resource record systems are a brief ‘fitness for work’ statement, days absent attributed to sickness, maternity and/or industrial injury and details in compliance with the Disability Discrimination Act 1995. Applications and claims in respect to permanent health insurance schemes should be returned by employees directly to insurance companies in a sealed envelope. In the case of private medical insurance where a claim for a group scheme potentially involves a discretionary payment, no permanent record of any consequent communications should be held by the employer on the employee’s file.

43: Employers may take those actions necessary to comply with the provisions of the Health and Safety at Work etc Act 1974, the Management of Health and Safety at Work Regulations 1992, relevant statutory codes of practice and specific regulations in this field.

10. Equal opportunities

44: Employers must not process data about individual employees’ membership of a trade union without the consent of each employee concerned. This includes the practice of recording union membership on corporate payroll systems for the purpose of deducting regular subscriptions. This limitation in no way exempts an employer from any obligations under section 137 of the Trade Union and Labour Relations (Consolidation) Act 1992, which makes it unlawful to discriminate in making offers of employment on the grounds of trade union membership, non-membership or willingness to become a trade union member.

45: Employers may process data in order to fulfil their obligations under section 8 of the Asylum and Immigration Act 1996 provided they do not prejudice prospective employees’ rights under the Race Relations Act 1976.

46: Data about any of the sensitive categories may be processed on an aggregated statistical basis for the purpose of monitoring the effectiveness of an employer’s equal opportunities policy. Monitoring should be based upon both voluntary participation by employees and the self-assessment of such factors as ethnic origin, disability, religion or sexual orientation. The right to process equal opportunities data for statistical purposes includes statutory compliance under the Fair Employment (Northern Ireland) Act 1989.

11. Criminal records

47: Employers shall not process any personal data concerning the alleged commission of any offence, any proceedings for any offence committed or alleged to have been committed by any employee unless they have a right to do so conferred or imposed by employment law, or the data is necessary for the purpose of, or in connection with, any actual or potential legal proceedings.

48: Employers have the right to request and process data about an employee’s criminal record in accordance with the terms of the Police Act 1997, providing that it does not involve the infringement of an individual’s rights under the Rehabilitation of Offenders Act 1974.

49: Data held about particular convictions on an employee’s criminal record should be automatically removed from an employer’s files as soon as the conviction is legally ‘spent’, unless the employee concerned is in an exempt occupation under the Rehabilitation of Offenders Act 1974 (Exemptions) Order 1975. Personal data relating to an employee’s criminal record should not be passed on to any third party without the prior, explicit consent of the employee concerned.

50: Employers must not require or encourage an individual to supply them with copies of, or material from, their criminal records (either directly or via a third party) by utilising their individual data access rights, unless the employer has a statutory right or duty to do so.

12. Employee testing

51: Employers should not require employees to undergo genetic testing (or other tests identifying susceptibility to disease) unless it can be objectively justified on either strong public, or employee, health and safety grounds. Such tests may only be carried out with the prior consent of the employee concerned and if the results are interpreted by a qualified health professional who has completed higher specialist training in clinical genetics under the Royal College of Physicians, or an equivalent overseas body.

52: There can rarely be any justification for the testing of employees in respect to HIV / AIDS and other blood borne diseases, except in the health service where the appropriate procedures are covered by established codes of professional conduct.

53: Alcohol and drugs testing in the workplace must be carried out with the prior informed consent of the employees concerned, be a clear element in their individual employment contracts and form part of an explicit health information, education and rehabilitation policy.

54: All aptitude, psychometric or other tests of knowledge, mental capacity or disposition should be conducted by those with at least an appropriate British Psychological Society (or equivalent) Certificate of Competence in Occupational Testing. No decisions significantly affecting an employee should be based exclusively upon the automated conduct and / or analysis of one or more such tests. Test users should always provide employees with feedback on their test scores.

13. Surveillance at work

55: Automated systems for measuring time, attendance, quality, productivity and other aspects of an individual’s or a group’s behaviour in the workplace should not be used as the only substantive basis for making decisions which affect the reward, discipline, employment or other treatment of an employee by their employer. All current employees should be notified, in advance, before such systems are brought into operation.

56: Surveillance equipment should be installed and used only for the purpose of detecting and observing intruders, granting access to restricted areas, tracking visitors who may pose a security threat, reducing pilferage and other workplace crime, countering fraud and the misuse of corporate resources, dealing with cases of suspected harassment and providing evidence in appropriate cases before the courts. It should normally be confined to visual detection and observation and not be used for any purpose other than that strictly justifiable on security grounds.

57: It would be good practice to seek agreement with employees and / or employee representatives about surveillance policy and practice through a workplace consultative forum. Where such a forum has been established, it should decide on the positioning of surveillance equipment in toilets, locker rooms and other areas which may invade an employee’s privacy. The forum should also agree a framework for the use of covert surveillance in the workplace and have the right to audit past usage once a particular exercise has been completed – provided that this does not infringe the rights of any individual under the Act.

58: The recordings made by surveillance equipment and material compiled during security investigations must be stored, transported and utilised in a secure, tamper-free environment. They should not be disclosed to any party except the individual (or individuals) who are the subject of the recordings, corporate management, the police, qualified legal representatives, authorised security personnel and the courts. All recordings should be retained for as long as necessary in order to protect the interests of employers and/ or employees and particularly in cases where the material has been accepted as evidence, or is likely to be accepted as evidence, for forthcoming court proceedings – or any other formal disciplinary action. The security procedures used by employers must be capable of being subject to a rigorous audit trail.

59: Covert forms of work surveillance, involving the processing of personal data, which result in employees being misled or deceived could be construed as unfair and/or illegal if such an activity was not clearly specified as the right of their employer within an individual’s employment contract.

60: Employers should refrain from carrying out surveillance activities which are based upon either the random selection of employees, or poor levels of prima facie evidence and involve a significant intrusion into an employee’s workplace activities and/or personal life. In particular, this should not lead to the covert surveillance of meetings, e-mails, Internet or Intranet access logs, telephone or face-to-face conversations, faxed or paged communications and messaging systems. No personal data which imputes any suspicions about an employee’s honesty, integrity, competence or reputation should be placed onto a human resource record if it could, in any reasonable way, be construed as a false statement which discredits the employee concerned.

14. Exemptions

61: Exemptions are made under certain sections of the Act in respect to:

- National security
- Crime and taxation
- Health, education and social work
- Regulatory authority
- Journalism, literature and art
- Research, history and statistics
- Information available to the public by or under enactment
- Disclosures required by law or made in connection with legal proceedings
- Domestic purposes

The exemption for ‘crime and taxation’ does not provide a general licence for employers to carry out wide-scale surveillance of employees. It relieves an employer from the obligation to satisfy a data access request, or comply with a non-disclosure rule, when such an action would be likely to prejudice the prevention or detection of crime, apprehension or prosecution of offenders.

62: The Act specifically excludes any document indicating an employer’s intentions towards an employee – such as a written ‘career plan’ – where the provision of information to an employee would be likely to prejudice the conduct of that business or activity. It also excludes information concerning ‘negotiating intentions’ prior to the conduct of any negotiations with an employee.

15. Enforcement and compensation

63: The Information Commissioner (the Commissioner) has the power to issue a notice of ‘preliminary assessment’ to any employer on receiving notification of their intended processing activities if he/she believes such processing is particularly likely to cause substantial damage or distress to any individual. During the assessment (prior checking) period no further processing shall take place within the scope of the notification.

64: An employee (or their representative) may make a request, at any time, to the Commissioner for an assessment to be made if they believe that their employer is not carrying out processing in compliance with the Act. If the Commissioner believes there may be grounds for concern he/she may issue an ‘information notice’ to the employer. Where this request is in respect to the potentially spurious use of exclusions under the Act for journalistic, literary or artistic purposes he/she may issue a ‘special information notice’. The employer will have a right to appeal against either notice.

65: If the Commissioner is satisfied that an employer has contravened, or is contravening, any of the data protection principles he/she may serve them with an enforcement notice.

66: An employer who fails to comply with an enforcement notice, information notice or special information notice will be guilty of an offence. It will be a defence for the employer to prove that they acted with all due diligence to comply with the notice. However, if an offence takes place in an incorporated body (or Scottish partnership) and it can be proven that it was committed with the consent, connivance or due to the neglect of a director (Scottish partner or anyone acting in the capacity of a director) they may be individually liable for the offence in addition to the corporate body.

67: If an employee suffers ‘damage’ because their employer contravenes the Act they are entitled to compensation from the employer. This compensation may be increased if contravention also causes ‘distress’ to the employee concerned. It will be a defence for the employer to prove that they acted reasonably within the circumstances of the case.

16. Miscellaneous provisions

68: An employer’s grievance procedures should be modified to handle disputes concerning the application of the Act.

69: Employers should provide suitable training for managers, human resource practitioners and employee representatives in order to ensure full compliance with the Act and an informed approach to the application of this code.

70: The rights to confidence and the protection of data relating to an individual recognised under Section 182 (c) and (d) of the Trade Union and Labour Relations (Consolidation) Act (TULR(C)A 1992) are extended and elaborated by the Act in relation to the disclosure of information for collective bargaining purposes and good industrial relations practice. This further prohibition is effective through Section 182 (b) of TULR(C)A 1992.

71: An employer may collate, process and disseminate statistics based on an aggregation of data held on their human resource records, provided that data relating to any individual employee may not be identified from the resulting analysis.

72: Further information about the Act and this Code may be obtained from the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK.