The next few days will see the launch of the new Code of Conduct for Employers in the field of Data Protection. There was widespread criticism of the October 2000 draft code. The Information Commissioner’s Office held back on the originally intended publication date (March 2001) and has now determined to publish the Code in 4 tranches commencing Mid March 2002.
The Code will cover the data protection requirements for Employers handling employees’ personal data over the period pre recruitment to many years after termination of employment. The first tranche of the code will deal with recruitment and record keeping and later sections will deal with monitoring employees and medical records.
The Draft code met with complaints from business and the trades unions. It was alleged to be too complex and unworkable. At a June 2001 conference hosted by the Information Commissioner in Manchester one critic described compliance as being like a game of snakes and ladders.
Critics felt at the time that the draft code, which contained over 200 requirements for employers, was badly drafted, too long and complex. The draft Code, it was felt, failed to recognise the pressures on employers and did not adequately balance the risks for employers of the use of email with employees’ rights to privacy. One of the severest criticisms was that it was “totally unrealistic”.
Some critics felt that the Code contradicted other regulations, notably the Lawful Business Practices Regulations, with regard to interception of employee’s emails. The Information Commissioner’s office took the view that although something could be permissible under the Lawful Business Practices Regulations it might yet be unlawful under the Code and the Data Protection Act.
On the employees’ side of the fence it was felt that the code needed to be realistic and fair. Recognition had to be made of the rights employees had under the European Convention on Human Rights.
For the Information Commissioner the point was made that the Code imposed no new obligations; the code of practice merely reflected the obligations Employers had under the existing law. Following the criticisms and the formal consultation period the Information Commissioner agreed to look at the draft again.
It remains to be seen whether the new version achieves clarity and widespread acceptance. Employers feeling that they are drowning in a welter of regulations may not welcome the code, however drafted. It is clear however, that they must take steps to ensure that it is followed and that managers are aware of the Code’s requirements.
The Code is likely to be just as all-encompassing as the draft; much of the draft Code was the Information Commissioner’s view of the law, the balance was her interpretation of what was “good practice”. Failing to adhere to the Information Commissioner’s notions of “good practice” might mean that the Information Commissioner considered it “unfair” processing; which would itself be a breach of the Act and an Employer could face enforcement action in the Courts.
The Code is aimed at medium sized organisations, though the requirements of the Act and the Code will apply to all employers, whatever their size. There is likely to be supplementary information published for the benefit of smaller organisations and for employees.