EPC_Employment Practice Code

  • Data protection
    The employment practices code
  • The following information has not been updated since the Data Protection Act 2018 became law. Although there may be some subtle differences between the guidance on this page and guidance reflecting the new law – we still consider the information useful to those in the media.
  • About the code
    • Aim is to help employers comply with the Data Protection Act and encourage adoption of good practice
    • Strikes a balance between legitimate expectations of workers and legitimate interests of employers
    • Does not impose new legal obligations
  • Who the code is for
    • Applicants (successful and unsuccessful)
    • Former applicants (successful and unsuccessful)
    • Employees (current and former)
    • Agency staff (current and former)
    • Casual staff (current and former)
    • Contract staff (current and former)
  • Personal information
    Information which is about a living person and affects that person's privacy, and identifies a person
  • Processing
    Includes the initial obtaining of personal information, the retention and use of it, access and disclosure and final disposal
  • Sensitive personal information
    Information concerning an individual's racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, commission or alleged commission of any offence
  • Workers, as well as employers, have responsibilities for data protection under the Act
  • Parts of the code
    • Recruitment and selection
    • Employment records
    • Monitoring at work
    • Workers' health
  • Responsibility for data protection compliance
    Departmental heads and individual line managers who process information about workers understand their own responsibility for data protection compliance and if necessary amend their working practices in the light of this
  • Briefing
    Prepare a briefing to departmental heads and line managers about their responsibilities
  • Assessing personal information about workers
    1. Assess what personal information about workers is in existence and who is responsible for it
    2. Use the various parts of this code as the framework to assess what personal information your organisation keeps and where responsibility for it lies
    3. Remember that personal information may be held in different departments as well as within the personnel/human resource function
  • Eliminating irrelevant or excessive personal information
    1. Consider each type of personal information that is held and decide whether any information could be deleted or not collected in the first place
    2. Check that the collection and use of any sensitive personal data satisfies at least one of the sensitive data conditions
  • Worker liability for data protection breaches
    Workers can be criminally liable if they knowingly or recklessly disclose personal information outside their employer's policies and procedures
  • Making data protection breaches a disciplinary matter
    1. Make serious breaches of data protection rules a disciplinary matter
    2. Prepare a guide explaining to workers the consequences of their actions in this area
    3. Make sure that the serious infringement of data protection rules is clearly indicated as a disciplinary matter
    4. Ensure that the guide is brought to the attention of new workers
    5. Ensure that workers can ask questions about the guide
  • Notification of data controller status
    1. Consult the ICO website to check the notification status of your organisation
    2. Check whether your organisation is exempt from notification using the website
    3. Check whether all your processing of information about workers is correctly described there - unless your organisation is exempt
    4. Allocate responsibility for checking and updating this information on a regular basis, for example every 6 months
  • Consulting workers about employment practices
    1. Consultation is only mandatory under employment law in limited circumstances and for larger employers, but it should nevertheless help to ensure that processing of personal information is fair
    2. When formulating new employment practices and procedures, assess the impact on collection and use of personal information
  • The recruitment and selection process necessarily involves an employer in collecting and using information about workers. Much of this information is personal in nature and can affect a worker's privacy. The Act does not prevent an employer from carrying out an effective recruitment exercise but helps to strike a balance between the employer's needs and the applicant's right to respect for his or her private life.
  • Verification
    Checking that details supplied by applicants (e.g. qualifications) are accurate and complete, including taking up references provided by the applicant
  • Vetting
    The employer actively making its own enquiries from third parties about an applicant's background and circumstances
  • Vetting is particularly intrusive and should be confined to areas of special risk. It is for example used for some government workers who have regular access to highly classified information.
  • Limited vetting may be a legal requirement for some jobs, for example, child care jobs under the Protection of Children Act 1999. The Department of Health has developed a Protection of Vulnerable Adults list which employers intending to recruit certain types of care workers are required to consult. Such vetting usually takes place through the Criminal Records Bureau.
  • Advertising
    Any method used to notify potential applicants of job vacancies, using such media as notices, newspapers, radio, television and the internet
  • Informing applicants about use of personal information in advertising
    1. Ensure that the name of your organisation appears in all recruitment advertisements
    2. Ensure that your organisation is named on the answerphone message which invites potential applicants to leave details
    3. Ensure that your organisation is named on your website before personal information is collected on an online application form
    4. To the extent that it is not self-evident, describe in the advertisement the purposes for which you may use personal information, for example, to market your organisation's products and services
  • Recruitment agency responsibilities
    If you use a recruitment agency, check that it identifies itself in any advertisement, and that it informs applicants if the information requested is to be used for any purpose of which the applicant is unlikely to be aware
  • Informing applicants about employer identity
    1. Inform the applicant as soon as you can of the employer's identity and of any uses that the employer might make of the information received that are not self-evident
    2. If the employer does not wish to be identified at an early stage in the recruitment process, ensure the agency only sends anonymised information about applicants. Ensure the employer is identified to individuals whose applications are to be pursued further
  • Application forms
    1. Ensure the name of your organisation is stated on the application form
    2. If information from the application form will be used for any other purpose than to recruit for a specific job or passed to anyone else, make sure that this purpose is stated on the application form
  • Collecting only relevant personal information
    1. Determine whether all questions are relevant for all applicants
    2. Consider customising application forms where posts justify the collection of more intrusive personal information
    3. Remove or amend any questions which require the applicant to provide information extraneous to the recruitment decision
    4. Remove questions that are only relevant to people your organisation goes on to employ (e.g. banking details) but are not relevant to unsuccessful applicants
  • Collecting information about criminal convictions
    1. Consider whether the collection of information about criminal convictions can be justified for each job for which it is sought
    2. Check that it is stated that spent convictions do not have to be declared (unless the job is one covered by the Exceptions Order)
    3. In any case limit the collection of information to offences that have a direct bearing on suitability for the job in question
  • Explaining information sources
    Ensure there is a clear statement on the application form or surrounding documents, explaining what information will be sought and from whom
  • Collecting sensitive data
    1. Assess whether the collection of sensitive data is relevant to the recruitment process
    2. Remove any questions about sensitive data that do not have to be asked at the initial application stage
    3. Ensure that the purpose of collecting any relevant sensitive data is explained on the application form or surrounding documentation
    4. Ensure the purpose of collection satisfies one of the sensitive data conditions
    5. If health information is to be collected, refer to Part 4 of the code: Information About Workers' Health
  • Secure transmission of applications
    1. Ensure that a secure method of transmission is used for sending applications online (e.g. encryption-based software)
    2. Ensure that once electronic applications are received, they are saved in a directory or drive which has access limited to those involved in the recruitment process
    3. Ensure that postal applications are given directly to the person or people processing the applications and that these are stored in a locked drawer
    4. Ensure that faxed applications are given directly to the person or people processing the applications and that these are stored in a locked drawer
    5. If applications are processed by line managers, make sure line managers are aware of how to gather and store applications
  • Explaining verification process
    1. Ensure that information provided to applicants, for example on an application form or associated documents, explains what information will be verified and how, including in particular any external sources that will be used
    2. Do not force applicants to use their subject access rights to obtain records from another organisation (i.e. by making such a requirement a condition of getting a job)
  • Obtaining criminal record checks
    1. Do not attempt to obtain information about criminal convictions by forcing an applicant to use his/her subject access right or from sources other than the CRB, Disclosure Scotland or the applicant
    2. Confine the obtaining of a disclosure, as far as practicable, to an applicant it is intended to appoint. Avoid requiring all short-listed applicants to obtain a disclosure
    3. Do not share with other employers the information obtained through a "disclosure"
    4. Abide by the CRB or Disclosure Scotland's Code of Practice in obtaining and handling disclosure information
  • Obtaining consent for information release
    Ensure applicants provide signed consent if this is required to secure the release of documents to you from another organisation or person
  • Allowing applicant representations on verification discrepancies
    1. Ensure that those staff who are involved in verification in your organisation are aware of what to do should inconsistencies emerge between what the applicant said in the application and what your checks have discovered
    2. Make sure that in this situation, staff inform the applicant and allow them the opportunity to provide an explanation of the inconsistencies
    3. Ensure this feedback to the applicant is incorporated into any recruitment procedures
  • Consistent use of personal information in shortlisting
    Check shortlist methods with sources of good practice such as the Equality and Human Rights Commission
  • Informing applicants about automated shortlisting
    1. Ensure all the applicants are informed that an automated system is used as the sole basis of short-listing and of how to make representations against any adverse decision
    2. Test and keep the results produced by the system under review to ensure they properly and fairly apply your short-listing criteria to all applicants
  • Use of psychometric and other scientific tests
    1. Determine which such tests are used within your organisation
    2. Ensure all tests are assessed by properly qualified persons
  • Retaining interview records
    1. Ensure that all interviewers are aware that interviewees may have a right to request access to their interview notes
    2. Ensure that all interviewers are given instructions on how to store interview notes
    3. Make provisions for interview notes to be destroyed after a reasonable time, allowing the organisation to protect itself from any potential claims such as unfair dismissal