Data protection issues that employers need to be aware of
Employers’ data protection obligations are wide ranging and apply to job applicants, employees, agency, contract and other casual workers, volunteers and others in the workplace; e.g individuals on work experience.
The law governing data protection is found in the Data Protection Act 1998 (DPA). The DPA governs the processing of personal data and sensitive personal data by data controllers in accordance with the 8 data protection principles. Failure to comply with the DPA can amount to a criminal offence and can attract financial sanctions up to £50,000.
Alongside the DPA is the Employment Practices Code (EPC) introduced by the Information Commissioner in 2005. While the EPC is not legally enforceable, its acts in the same way as the Acas code of practice. Failure to comply with the EPC can be construed as a breach of the data protection legislation as a whole.
Pre-employment checks trigger data protection considerations when prospective employers seek to obtain personal and sensitive personal data from applicants in the course of the recruitment process. As with any exercise involving the gathering of personal data and sensitive personal data, it is important that prospective employers tell individuals why it is being collected, what they intend to do with it and how long it will be held for.
Employers should only request information about criminal convictions if they may be relevant to the role being filled and questions should be designed to illicit no more that the necessary information.
An employer should not seek to collect more information about an employee’s health than is necessary. For example, pre-employment medical reports should focus solely on the employee’s fitness for employment in the job for which they have applied and should not include more medication information than is relevant to that question. Employees should not be medically examined or tested unless there is a real likelihood that they will be appointed.
Although not mandatory, employers often carry out equalities monitoring in relation to their workforce and, specifically, large public sector employers carry out equalities monitoring in order to comply with their public sector equality duty under the Equality Act 2010. Conducting equalities monitoring helps to identify workplace inequality, determines problems and reduces the risk of discrimination challenges.
Unless it would hinder meaningful monitoring, all information gathered for these purposes should be anonymised, at which point it will cease to be personal data as the data subject can no longer be identified. There may be instances where this is not possible, for example, where the employer is monitoring how many employees in a particular group are being promoted and to what grades. Using serial or payroll numbers instead of names will not necessarily render data “anonymous” for these purposes.
There should be a clear and foreseeable need for any personal data collected about employees and the data collected should be only that which is required to meet that need.