DPA personal data: Policies for employee information privacy

Many organisations don't realise that DPA regulations on personal data privacy apply just as much to prospective employees as to recruited ones.

The Data Protection Act applies to information about living, identifiable people, and any organisation that has employees must comply with it. The act doesn’t prevent businesses from collecting, maintaining and using employment records, but it does make them legally responsible for ensuring the data is used appropriately and is kept secure.

What employers often overlook, though, is the fact that DPA personal data strictures apply to job applicants and their information, even if they don’t end up getting the job. You can’t just throw their application forms in the bin. All application forms and CVs that companies receive, even those sent in on spec, contain personal information and require protection under the act. To remain compliant with the DPA in this regard, the organisation's recruitment procedures need to follow some basic employee information privacy principles.

Your job ads should identify your organisation or the recruitment agency working on your behalf, as applicants need to know who they are sending their information to and how it will be used. If you want to use their contact details for any purpose other than assessing them for the vacancy, such as notifying them of future openings, you must make this clear. Your application form should not ask for personal information that is irrelevant or excessive for the particular vacancy, so don’t rely on a single standard application form for every role. Certain information may only be necessary for a particular type of job; for example, asking for details of motoring offences could be acceptable for a delivery job, but not for a receptionist position.

If you are going to verify the information applicants provide, make sure they know how this will be done and what information will be checked. Senior positions, or roles that require privileged access to systems and data, will naturally call for more thorough checks, and applicants must be told in advance what those checks will be. Carrying out background checks covertly is not acceptable.

When it comes to checking for criminal convictions, only do so through the Criminal Records Bureau, carefully following CRB procedures. (Don’t ask about spent convictions unless the job is covered by the Exceptions Order to the Rehabilitation of Offenders Act 1974.) Applicants must be told if you intend to carry out a CRB check as part of the recruitment process. Where possible, don’t retain the detailed disclosure itself: dispose of it securely and keep only a record that a check was made and whether its result was satisfactory or unsatisfactory.

Everyone involved in the recruitment process, which may extend beyond the HR department when members of the hiring team or department take part in selection, must understand their role in ensuring personal information is handled appropriately. All forms and personal information the organisation receives must be kept secure; leaving applicants’ forms piled on a desk while you pop out for lunch is not acceptable. Paper-based documents should be filed in a locked cabinet, while digital data should be encrypted or held under tightly controlled access. Only staff with the proper authorisation and the necessary training should be given access. Once the company has recruited a candidate, the information obtained from the unsuccessful applicants should be kept only for as long as there is a clear business need, and then securely disposed of.

When it comes to employees, the organisation doesn't need their consent to keep records about them, but it should make clear how the company will use those records. For example, employees know you are legally obliged to tell the Inland Revenue about payments you make to them. You must, however, obtain their informed consent if you intend to pass their details to another organisation, such as a third-party pension or healthcare provider. The fact that employees know your company uses the third party’s services is not, on its own, enough.

Sensitive information, such as employees’ disabilities, race or sexual orientation, that is collected to monitor the organisation’s commitment to equal opportunities can only be used for the purpose stated when it was collected. It is good practice to keep sensitive information of this kind separate from other, less sensitive information, with its own, narrower access controls. For example, an employee’s medical condition shouldn’t be stored alongside his or her absence record.

You must ensure employee records don’t contain information that is irrelevant, excessive or out of date. It’s a good idea to let employees periodically check their own records so that mistakes or misleading entries can be corrected, while your own periodic reviews should confirm there is a legal duty or a genuine business need for every item of information you hold. Any information no longer required must be securely disposed of, by shredding paper records and securely erasing digital copies from all storage media, including backup tapes.

Companies should, of course, be careful when responding to reference requests from other employers. There is always a chance that someone asking for information is not who they claim to be, so verify the request through contact details obtained independently rather than those supplied in the request itself. Always check with the person concerned that they consent to you providing a reference and to whom it should be sent. Do not disclose more information than is required.

The Data Protection Act does provide for situations in which businesses can share personal information without the individual’s direct consent. These exceptions mainly apply where some form of legal process is under way, such as a criminal or tax investigation. In genuine life-or-death situations, you may also share an individual’s personal information when doing so is in their vital interests.

The Data Protection Act’s eight principles set out how information about your employees may be collected, handled and used. Because the act also gives employees the right to access this information and to claim compensation if it is not handled correctly, you cannot ignore your responsibilities. It is in your organisation’s best interests to make sure records are well managed and used responsibly.
