Ian Bourne, Strategic Policy Manager at the Office of
the Information Commissioner, gives valuable insight into the
preparation and contents of the Information Commissioner's Code of
Practice on personal information in the workplace.
The vast majority of us are workers of one sort or
another. Whether we are professionals or blue-collar workers, our
employers keep a variety of records about us. A typical personnel file
will contain a wide range of information - sickness and disciplinary
records, annual appraisals, reports and comments made by managers and
others. Clearly, such information can be sensitive and will need
careful handling.
It is easy to imagine how detrimental to an
individual's career an inaccurate or misleading entry on a file can
be, or how much damage could ensue where the contents of an
individual's sickness record are improperly disclosed. The Information
Commissioner's Code of Practice ('the Code') is intended to help human
resources professionals and others with responsibility for keeping
records to ensure that those records are kept in compliance with the
Data Protection Act 1998 ('the Act') and that good information
handling practices are adopted.
It is relatively easy to calculate how much money a
business loses through a worker's misuse of the office telephone
system, or through his or her impairment at work through alcohol or
drug abuse. However, it can be difficult to put a value on privacy.
Perhaps in assessing the Code, we should consider just how intrusive
and unpleasant the experience of working could become if standards for
carrying out surveillance of workers and for keeping records about
them are not put in place. Is it acceptable to film workers in the
toilet or to monitor or record the conversations they hold in the
staff-room? The technologies of surveillance certainly develop fast.
Cameras have become smaller, cheaper and more powerful, facilitating
the type of covert surveillance that was once confined to the
espionage novel.
Techniques for monitoring workers' keyboard usage and
the amount of time they spend away from their work-stations become
more prevalent. Email and Internet usage can easily be monitored.
Software is available that can supposedly distinguish between
pornography and 'tasteful' fashion shots. It is possible to buy kits
for carrying out drug-tests for a few dollars on the Internet.
A whole industry is developing around drug-testing and counter-testing
techniques. One company even specialises in the supply of synthetic
'body fluids' to those drug-users seeking to avoid detection. We know
from the world of professional sport just how complex the issues
surrounding drug-testing can be. Is genetic testing of workers round
the corner?
Striking a Balance
Although it is not the purpose of the Data Protection
Act to prevent employers from taking effective measures to check what
their workers are doing and to protect their businesses, the Act does
set down standards as to how this may be done. We have endeavoured
throughout the Code to strike a balance between the employer's need to
protect his or her business on the one hand, and the worker's right to
respect for his or her private life on the other.
During the
consultation exercise that we held earlier in the year, some employers
thought that we had struck that balance inappropriately. We have
considered the comments of those who took part in the consultation
exercise carefully and consequently various changes are being made to
the Code. However, the general approach taken in the finished Code
will be generally similar to that taken in the draft. The Data
Protection Act is primarily concerned with individuals' rights, and
the Directive on which the Act is based is concerned in particular
with the right to privacy.
In my view, some people who took part in
the consultation objected to the Act itself rather than to the Code.
I
am afraid that the Information Commissioner cannot, nor would she wish
to, deviate from the Act's primary purpose and central principles: the
protection of individuals with regard to the processing of personal
information about them.
Paper Records
Apart from the fact that most of us are the subject
of a personnel file, and that the keeping of such a record has a
significant impact on our lives, the other main driver for producing
the code at this time is that a whole range of records that formerly
fell outside the scope of data protection legislation have now been
brought within it. Although personnel files are generally kept on
paper for historic reasons, in some cases those records may not have
been computerised in order to escape the clutches of the Data
Protection Act, and in particular its access rights. However, that
loophole in the legislation has now been closed.
Access rights now apply to manual personnel records
and all the standards of data protection - accuracy, adequacy,
security etc. will eventually also apply. This will have significant
implications for human resources professionals. It is no longer the
case that a manager can keep an inadequate or inaccurate record in a
filing cabinet, safe in the knowledge that the person to whom it
relates will be unable to see it or to exercise any rights over it.
This issue is certainly something that some human resources staff have
expressed their reservations about, saying that the application of the
Data Protection Act to personnel files will prevent effective
management and will lead to anodyne records that are devoid of content
being kept. The Information Commissioner rejects this view, but
recognises that the application of the Act to workers' records may
mean that more care has to be taken in their preparation and handling.
However, if the application of the Act leads to a better standard of
record keeping, this must be good news for workers and managers alike.
What's in The Code?
The Code is intended to cover the whole range of
employment practices, in so far as those practices involve the
processing of personal information. The Code covers everything from
the handling of information during the recruitment and selection of
workers, through general record keeping, monitoring and testing, to
the final disposal of records about former workers. It has been put to
us that it is not the Information Commissioner's business to issue
advice about such issues as the medical testing of workers, this going
beyond the scope of the Commissioner's duties.
We recognise that in some cases, for example in
relation to the retention of workers' records, it is appropriate for
the employer to follow the relevant professional guidance with there
being no need for the Commissioner to issue additional guidance.
However, in so far as the carrying out of monitoring or testing
results in records about identifiable individuals being compiled,
those activities will fall full square within the scope of the Data
Protection Act. Indeed, where the processing is being done by
automated equipment, a record need not even be made for the processing
to be covered by the Act.
It would not make sense to seek to provide
good practice guidance about handling personal information without
addressing the information gathering practices, for example the
surveillance activities that lead to personal information being
obtained in the first place. As anyone with an interest in data
protection will know, rules relating to the obtaining of personal
information lie at the heart of the legislation. It is not enough,
therefore, for the Code merely to address good practice in respect of
the handling of information that has already been obtained; the Code
must also set standards for its initial obtaining.
How is The Task being Approached?
The Act places a duty on the Commissioner to promote
the following of good practice by data controllers, typically
employers in this case. Crucial to the purposes of the Act, 'good
practice' includes, but is not limited to, compliance with the Act.
When we carried out the consultation exercise referred to above, it
became clear that the distinction in the Code between the legally
enforceable requirements of the Act and good practice guidance was
problematic.
Some people thought that the Code, as it was drafted,
did not make the distinction sufficiently clear, and that its
readership would find it confusing or even misleading. For our own
part, in drafting certain parts of the Code we found it extremely
difficult to draw a hard and fast distinction between strict legal
requirement and good practice. This difficulty is partly because the
requirements of the data protection principles - the enforceable rules
of good practice that form the backbone to the Act - are couched in
very broad terms.
In order to solve the good practice versus legal
requirement problem we have decided to present the Code purely as
good practice guidance rather than draw a distinction in this area.
We
have been careful in redrafting the Code to ensure that this is made
clear, and that those using the code are not misled into believing
that they are legally required to implement a provision in the Code
when this is not the case. We have attempted to explain that whilst
some of the standards in the Code clearly go beyond the requirements
of the Act (for example the advice that workers should be given an
annual print-out of their personnel record), in other cases it is
difficult to envisage how the Act can be complied with unless a
particular standard is met (for example the standard that the
application form should state who is requesting the information and
how it will be used).
The Consent Issue
One issue that almost all of those who took part in
the consultation exercise commented on, and were critical of, was the
emphasis placed in the draft Code on the importance of obtaining
workers' consent as the basis for legitimising the processing of
personal information about them, particularly in the context of
sensitive personal information. The draft Code implied that employers
would not be able to keep sickness records unless they have the
workers' consent to do so.
In the light of the comments we received during the
consultation exercise, we have looked again at the 'consent issue' and
it is fair to say that our view has evolved. Taking into account the
wide range of statutory, common law and fiduciary duties placed on
employers, it is clear that they can generally perform the processing
of some sensitive personal data because the processing is necessary
for exercising or performing rights or obligations conferred or
imposed on them by employment law. This means that, in general, it is
not necessary to obtain consent, explicit or otherwise, in order to
keep sickness records about workers.
In any event, we have considerable doubts as to how
freely given consent can be within a worker-employer relationship,
and therefore we doubt how valid consent can be as a basis for
legitimising the processing of personal data within such a
relationship.
What Happens Next?
The Code is currently being redrafted.
An external consultant is helping us to make it clearer and more
user-friendly. The Code will be issued in four parts dealing with
recruitment, general record keeping, monitoring, and medical testing.
The first two parts should be available early in the New Year with the
others following soon after. As soon as the redrafted sections are
available, they will appear on the Commissioner's website at
www.dataprotection.gov.uk
Ian Bourne, Strategic Policy Manager
Office of the Information Commissioner