The next few days will see the launch of the new Code of Conduct for
Employers in the field of Data Protection. There was widespread criticism
of the October 2000 draft code. The Information Commissioner’s Office held
back on the originally intended publication date (March 2001) and has now
determined to publish the Code in 4 tranches commencing mid-March 2002.
The Code will cover the data protection requirements for Employers handling
employees’ personal data over the period pre-recruitment to many years after
termination of employment. The first tranche of the code will deal with
recruitment and record keeping and later sections will deal with monitoring
employees and medical records.
The draft Code met with complaints from business and the trades unions. It
was alleged to be too complex and unworkable. At a June 2001 conference
hosted by the Information Commissioner in Manchester one critic described
compliance as being like a game of snakes and ladders.
Critics felt at the time that the draft code, which contained over 200
requirements for employers, was badly drafted, too long and complex. The
draft Code, it was felt, failed to recognise the pressures on employers and
did not adequately balance the risks for employers of the use of email with
employees’ rights to privacy. One of the severest criticisms was that it
was “totally unrealistic”.
Some critics felt that the Code contradicted other regulations, notably the
Lawful Business Practices Regulations, with regard to interception of
employees’ emails. The Information Commissioner’s Office took the view
that although something could be permissible under the Lawful Business
Practices Regulations it might yet be unlawful under the Code and the Data
Protection Act.
On the employees’ side of the fence it was felt that the code needed to be
realistic and fair. Recognition had to be made of the rights employees had
under the European Convention on Human Rights.
For the Information Commissioner the point was made that the Code imposed no
new obligations; the code of practice merely reflected the obligations
Employers had under the existing law. Following the criticisms and the
formal consultation period the Information Commissioner agreed to look at
the draft again.
It remains to be seen whether the new version achieves clarity and
widespread acceptance. Employers feeling that they are drowning in a
welter of regulations may not welcome the code, however drafted. It is
clear, however, that they must take steps to ensure that it is followed and
that managers are aware of the Code’s requirements.
The Code is likely to be just as all-encompassing as the draft; much of the
draft Code was the Information Commissioner’s view of the law; the balance
was her interpretation of what was “good practice”. Failing to adhere to
the Information Commissioner’s notions of “good practice” might mean that
the Information Commissioner considered it “unfair” processing, which would
itself be a breach of the Act, and an Employer could face enforcement action
in the Courts.
The Code is aimed at medium-sized organisations, though the requirements of
the Act and the Code will apply to all employers, whatever their size.
There is likely to be supplementary information published for the benefit of
smaller organisations and for employees.