How often do you clear out your files? If the answer is "rarely" or "never", you could be breaching the Data Protection Act (DPA). The DPA governs how you should deal with all the personal information you hold, such as information about employees and job candidates, and sensitive personal information such as details of someone's religious belief, health or sex life.
If you breach the DPA you could face compensation claims from individuals whose information you hold, and possibly a fine. A code of practice called the Employment Practices Data Protection Code aims to help organisations comply. It sets out best practice in four areas: recruitment; employment records; employee monitoring; and information about employees' health.
On your application forms, the code suggests you:
Request only personal information relevant to the recruitment decision (a relationship status is not relevant)
Remove questions which are not relevant to unsuccessful candidates, such as bank details
When requesting information about a candidate's criminal convictions, make it clear that spent convictions do not have to be declared.
If you want to verify information provided by a candidate (such as their qualifications) explain what information will be verified and how. Obtain signed consent from the candidate (unless the person you are contacting is a referee the candidate has given).
Individuals are entitled to see copies of personal information you hold about them (subject to certain exceptions). This would include notes you take at interview, so be careful what you write. Keep interview notes for about six months.
Although you don't generally need an employee's consent to keep records, employees should know what you are keeping and why. You could achieve this with an appropriate statement in their employment contract.
The code also recommends you:
Keep personal information secure
Information about an employee's ethnic origin, disability, religion or sexual orientation, for equal opportunities monitoring, should be obtained and kept only with the employee's consent, and should usually be made anonymous
After an employee leaves you should retain their records for only as long as you need (for example, appraisals could be deleted after a year, but you would need to keep tax records for longer).
If someone requests copies of their personal information, you are required to provide this within 40 days.
There are many types of monitoring, from hidden cameras to CCTV. The code suggests:
Before introducing monitoring, consider why it's needed, the impact on employees and whether there is any alternative
Monitor only as far as is necessary (for example, install CCTV only in the areas you really need it)
Tell staff what monitoring you are carrying out and why, unless you can justify covert monitoring
Avoid monitoring in areas where employees would expect privacy, such as toilets, unless serious crime is suspected.
Information about an employee's health is sensitive personal information, so more stringent rules apply. The code recommends you collect only that health information you really need. If you use a pre-employment medical questionnaire, make sure the questions are relevant to the employee's ability to do the job.
In some situations, you might want an employee to undergo a medical examination. As well as obtaining the employee's consent, the code recommends you consider whether the examination is genuinely necessary and why, for example, because you need to assess when an employee may be fit to return to work, or to find out what changes you may need to make to his or her job to accommodate a disability.
Any health information you hold should be kept securely, and the code suggests you:
Separate it from other personnel
Limit the people who have access to it
Ensure anyone who sees it sees only the parts they need to.
You can find out more about the DPA, and get a copy of the code, on the Information Commissioner's website at www.ico.gov.uk.Anna Anna West is an employment lawyer with solicitors Travers Smith