Tag: 上海夜生活ZUI

Records management… at a glance

first_imgRecords management… at a glanceOn 24 Sep 2002 in Personnel Today Comments are closed. The Information Commissioner has published part two of the EmploymentPractices Data Protection Code and its requirements are effective immediately.Warren Wayne explains the code and what you need to do to comply with itPart two of the Employment Practices Data Protection Code guides employersover the handling and retention of various types of employee records. Although,strictly speaking, still within the second transitional period (which expireson 23 October 2007) under the Data Protection Act 1998, the Act is now fullyeffective in relation to the rights of data subjects and the maintenance ofemployee records. Whose records are covered? In the context of the employment relationship, the code applies to records kepton the following people: – Current job applicants (whether successful or not) – Previous job applicants (whether successful or not) – Current employees – Former employees – Agency workers (both current and former) – Casual workers (both current and former) – Contract workers and freelancers (both current and former) What does the code demand of these records? The code applies the eight data protection principles to these categories ofstaff. The most relevant of these are the third, fourth and fifth principles,which require employee records to be: – Relevant – Not excessive in relation to the purposes for which they are used andstored – Accurate – Kept up-to-date where necessary – Not kept for longer than is necessary What is the legal status of this code? Although the code is not legally binding, it sets standards of goodpractice. According to the commissioner, this includes both compliance with theletter of the law and the spirit of the legislation. Naturally, there is somedisquiet among employers over this approach, as it suggests the commissionerwill enforce higher standards than those strictly required by the legislation. What do employers need to do in order to comply? The code contains numerous recommendations and benchmarks and employers willneed to look through all of these. The code can be downloaded from theInformation Commissioner’s website (see links). However, the mainrecommendations include: – Workers should be provided with a copy of their basic employment recordannually. This should either be a paper record, or supplied in anothereasily-intelligible, permanent form. – Personal data which is irrelevant or excessive should be eliminated fromfiles. This is an awkward task for HR departments, as it will require files tobe individually reviewed. – Staff should be informed that if they knowingly or recklessly disclosepersonal data about other workers, they could be committing a criminal offenceand be personally liable. The best approach here is to incorporate this intodisciplinary procedures and to ensure staff are warned of their data protectionobligations during the induction process. – It is recommended that employees’ contracts contain confidentialityclauses that ensure the security of staff data. – There should be established procedures and security rules for removingstaff records from the workplace, including those on laptops or palmtops. – A distinction should be drawn between ‘sickness records’, which includedetails of the illness, and ‘absence records’, which do not refer to anyparticular medical condition, but may give the absence reason as ‘sickness’.This is because the details of a particular illness will constitute ‘sensitivepersonal data’ under the Act, making them a restricted form of record. – As a result of the above, it is recommended that sickness records andabsence records should be kept separately and used in different contexts. Forexample, when company sick pay is being calculated, the payroll department willonly need to refer to the length of the absence and will not need details ofthe illness itself. – Taking this further, managers should be permitted to have access tosickness records, so they can investigate persistent short-term illness orlong-term illness absence issues. This information should only be available tothose who reasonably require it as part of their duties (including HRdepartments). – Although staff are not entitled to have access to references written bytheir current employer, the commissioner regards it as good data protectionpractice to allow staff to see these references so they can challengeinformation which they believe is inaccurate or misleading. This recommendationplaces the code at odds with the strict legal position. – In relation to general record keeping, information should not be kept justbecause ‘it might be useful one day’. – The commissioner requires that employers conduct a risk analysis, bybalancing the risks to workers of data being kept, against the consequences ofkeeping information that is only rarely used. No specific guidelines are givenas to how long records should be kept, but it is difficult to see how thecommissioner can object to records being kept for up to a year aftertermination, in case they are needed as evidence in employment-relatedlitigation. What can the Information Commissioner do to enforce these rules? The Commissioner has a variety of enforcement powers, although they haverarely (if ever) been used in the employment context. The powers are: – Enforcement action. The commissioner can revoke the employer’snotification, which effectively prevents all further data processing in theorganisation. Continued breaches after this will be a criminal offence. – Prosecution. This is likely to occur where personal data has beenunlawfully obtained or unlawfully sold. – Assessment. The commissioner has powers to investigate and assess acompany’s use of personal data. The commissioner must investigate if asked todo so by an individual who makes a legitimate complaint. She has widediscretion over the way in which the investigation is conducted and has thepower to serve an information notice. Staff also have the right to claim compensation in the civil courts, butonly if they have suffered both damage and distress. It is unlikely that manyemployees will be able to prove that they have suffered financial damage as aresult of any breach of data protection, although it is possible in somecircumstances. Is this code really necessary? This part of the code is helpful to employers, in as much as it gives muchneeded clarity in an area which has previously been beset by confusion. Dataprotection practices will no doubt continue to evolve as employers adjust tothese guidelines. Warren Wayne is a partner in the Employment Group at Boodle Hatfield – www.boodlehatfield.co.ukLinksEmployment Practices Data Protection Code Part 2: Employment recordscan be found at www.dataprotection.gov.ukunder Codes of practice, our responses & other papers Related posts:No related photos. Previous Article Next Articlelast_img read more