The Data Protection Act (1998) governs the personal information you hold and includes requirements to keep records up-to-date, and only to keep the details you need.

Personal information means any information relating to a living person, including opinion. If you hold sensitive personal information, stricter rules apply to your handling of this.

If you breach the DPA you could face compensation claims from individuals, and possibly a fine. A code of practice, called the Employment Practices Data Protection Code, aims to help organisations comply with the DPA in relation to their employees, ex-employees and job candidates.

The Code sets out best practice in four areas: recruitment; employment records; employee monitoring; and information about employees’ health.

On your application forms, the Code suggests that you:

• only request personal information relevant to the recruitment decision

• remove questions which are only relevant to people you employ but not to unsuccessful candidates

• when requesting information about a candidate’s criminal convictions, make it clear that spent convictions do not have to be declared.

If you want to verify information provided by a candidate you should:

• explain what information will be verified and how

• obtain signed consent from the candidate.

Individuals are entitled to see copies of personal information you are holding about them. This would include notes you take at interview. If the candidate is unsuccessful, you should still keep the interview notes as they may be relevant if the candidate subsequently brings a claim against you.

Although you do not generally need an employee’s consent to keep records, your employees should know what you are keeping and why.

The Code’s recommendations include:

• keep personal information secure, and make sure it can only be accessed by someone who has a legitimate reason to see it

• information about an employee’s ethnic origin, disability, religion or sexual orientation should only be obtained and kept with the employee’s consent, and should usually be anonymous

• delete personal information which is no longer relevant - in particular, after an employee leaves you should retain their records for only as long as you need.

If someone requests copies of their personal information, you are required to provide it within 40 days.

There are many different types of monitoring, for example, installing a hidden camera to catch a thief, CCTV cameras to see if staff are meeting health and safety requirements, or regular checking of websites visited by employees.

The Code suggests that you:

• consider, before introducing monitoring, why it is needed, the impact on employees, and whether there is any alternative

• only monitor as far as is necessary

• tell your employees what monitoring you are carrying out and why, unless you can justify covert monitoring

• avoid monitoring in areas where employees would expect privacy, such as toilets, unless you suspect serious crime

• if you monitor phones, e-mail or internet access, make sure you also have a clear policy specifying permitted and prohibited use of your systems.

The Code recommends that you only collect health information that you really need. If you use a pre-employment medical questionnaire, make sure the questions are clearly relevant to the employee’s ability to do the job.

Any health information you hold should be kept securely, and the Code suggests you:

• ideally, separate it from other personnel information

• limit the people who have access

• ensure that anyone who does see it only sees the parts they need to.

Anna West is an employment lawyer with City solicitors, Travers Smith.