Record keeping
[ch 7: pages 70-72] The ICO Employment Practices Code also contains guidance on record keeping. It explains that the Data Protection Act 1998 (DPA) does not prevent employers collecting information about staff and job applicants, but that the Code aims to strike a balance between the employer’s need for information and an individual’s right to respect for their private life. Here is some of the key guidance taken from the Code:
• employers do not need consent to keep records for employment-related purposes, but individuals must know what the information is to be used for, and it should be used only for that purpose;
• anyone with access to employment records must understand that data protection rules apply and that personal information must be handled with respect;
• employers should check that those asking for information are who they claim to be, and that they are entitled to access;
• when deciding whether to disclose information about a worker, fairness to the worker should be the first consideration. Data protection law will not prevent disclosures that employers are legally obliged to make, for example to HM Revenue and Customs, but employers must be careful not to disclose more information than is required;
• a confidential reference or similar information should not be supplied without a worker’s consent;
• workers should be allowed to check their own records periodically to ensure mistakes can be corrected and information kept up to date;
• employment records must be kept secure, with paper records under lock and key and computerised records protected by passwords. Only staff with proper authorisation and the necessary training should have access to them;
• where possible, sickness records containing information about a worker’s illness or medical condition should be kept separate from other, less sensitive information, for example a simple record of absence. Except with the worker’s express consent, information about a worker’s condition should only be shared with others, for example a line manager, where the information is genuinely needed in order to carry out the job, and as far as possible in collaboration with the worker concerned; and
• when employers no longer have a business need or legal requirement to keep a worker’s employment record, it should be securely disposed of, for example by shredding.
The DPA 98 does not set a specific maximum period for which records may be kept, stating only that personal data should not be kept for longer than is necessary for the purposes for which they are being processed. Employers can set their own retention periods, as long as these are based on business need and take into account any professional guidelines.
As well as statutory obligations under the DPA, employers must not act negligently when dealing with workers’ personal information, or breach the implied contractual duty of trust and confidence owed to all employees.
https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf