Data Protection and Managing Staff Records at the Recruitment Stage
The Data Protection Act 1998 (“DPA”) establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of an organisation to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details.
The Information Commissioner has issued guidance to employers in the form of an Employment Practices Code, and employers should follow data protection rules when handling information on job applicants.
Anyone processing personal data must formally notify the Information Commissioner that they are doing so, unless they fall within one of the exemptions under the DPA.
Employment Records and Retention
The DPA does not require a data controller employer to retain employment records (or any personal data) for any specified period. On the contrary, under the DPA the emphasis is on deletion of personal data once it is no longer needed, so employment records amounting to personal data should not be kept for longer than is necessary. In the case of recruitment, this means that information should only be kept for as long as you have a clear business need for it, and should be disposed of securely afterwards (e.g. by shredding). Therefore, if an applicant is unsuccessful, their data should be irretrievably deleted once the post has been filled.
What is Personal Data?
Personal data is information that relates to an identifiable living individual. Only information that qualifies as personal data is subject to protection. Under the DPA, very broadly, ‘data’ is information that is either held electronically or as part of a relevant filing system or with the intention that it should form part of a relevant filing system. The definition of relevant filing system is intended to capture hardcopy records such as paper files, letters, rolodex index cards, microfiches, faxes and general notes.
Sensitive Personal Data
Some types of data about individuals are viewed as particularly sensitive and are afforded greater protection under the DPA. These types of information are termed “sensitive personal data” and are defined in Section 2 of the DPA as including information about such things as a person's race, political and religious beliefs, trade union membership, health, sexual life and criminal record.
Lawful Processing and the Data Protection Principles
Personal data must be processed in compliance with the DPA. The primary obligation of a data controller or processor is to process personal data in accordance with the eight data protection principles set out in the DPA. In summary, these principles are that personal data must be:
- processed fairly and lawfully, and only when certain conditions are met
- obtained and processed only for specified and lawful purposes
- adequate, relevant and not excessive
- accurate and kept up to date
- not kept longer than necessary
- processed in accordance with the data subject's rights
- kept secure
- kept within the European Economic Area and only transferred outside that area to countries with an adequate level of protection
Disclaimer: This article does not contain a full statement of the law and it does not constitute legal advice. Please contact the Employment Law Team on 020 3743 0600 if you have any questions about the information set out above.