Employment codes of practice and guidance – Data Protection Act 1998


The Guide to Data Protection:

This Guide explains the purpose and effect of each principle, and gives practical examples to illustrate how the principles apply in practice. We hope that, by answering many frequently asked questions about data protection, the Guide will prove a useful source of practical advice to those who have day-to-day responsibility for data protection.

A Brief Guide to Data Protection for Small Businesses

This is a guide to following the requirements of the Data Protection Act 1998 (the Act).

The Employment Practices Code

This code is intended to help employers comply with the Data Protection Act and to encourage them to adopt good practice. The code aims to strike a balance between the legitimate expectations of workers that personal information about them will be handled properly and the legitimate interests of employers in deciding how best, within the law, to run their own businesses. It does not impose new legal obligations.

Quick Guide to the Employment Practices Code

This guidance has been produced with the needs of small businesses in mind. It is designed to help them comply with the Data Protection Act when recruiting and employing workers. It is based on the Information Commissioner’s ‘Employment practices code’. The code itself contains, in full, the Information Commissioner’s recommendations on how to meet the legal requirements of the Act.

The Employment Practices Code Supplementary Guidance

Supplements the Information Commissioner’s Employment Practices Code.

Subject Access Code of Practice

This code of practice explains the rights of individuals to access their personal data. It also clarifies what an employer must do to comply with its duties as a data controller. These rights and duties are set out in Sections 7–9A of the Data Protection Act 1998 (DPA) and are often referred to as ‘the right of subject access’, a phrase this code also uses. The code refers to a request made under section 7 of the DPA as a ‘subject access request’ (SAR). The DPA’s sixth data protection principle requires employers to process personal data in accordance with the rights the Act gives to individuals. Subject access is one of those rights. The code is intended to help employers provide subject access in accordance with the law and good practice. It aims to do this by explaining how to recognise a subject access request and by offering practical advice about how to deal with, and respond to, such a request. It provides guidance on the limited circumstances in which personal data is exempt from subject access. The code also explains how the right of subject access can be enforced when things go wrong.

Disclosure of Employee Information under TUPE

This guidance explains what organisations need to do to comply with the Data Protection Act 1998 when providing information about their employees under the Transfer of Undertakings (Protection of Employment) Regulations 2006 as amended by the Collective Redundancies and Transfer of Undertakings (Protection of Employment) (Amendment) Regulations 2014 (known as TUPE).

Determining what is Personal DataThis guidance explains how to determine whether information is ‘personal data’ for the purposes of the DPA. It is designed to help you decide whether data falls within the definition of personal data in circumstances where this is not obvious.
Outsourcing: A guide for small and medium-sized businesses

This guidance explains the factors to be considered when an employer chooses to use another organisation (whether inside or outside the EEA) to process personal data on its behalf.

Bring your own device (BYOD)

Bring your own device is a term which refers to when employees use their personal computing devices (typically smart phones and tablets) in the workplace. Permitting devices which an employer does not have sufficient control over to connect to the corporate IT systems can introduce a range of security vulnerabilities and other data protection concerns if not correctly managed. This guidance explores what employers need to consider if permitting the use of personal devices to process personal data for which that employer is responsible.

Guidance on the use of cloud computing

This guidance explains what an employer should consider prior to a move to cloud computing for the processing of personal data.

CCTV Code of Practice

This code provides good practice advice for those involved in operating CCTV and other surveillance camera devices that view or record individuals, and covers other information that relates to individuals, for example vehicle registration marks captured by ANPR equipment. This code uses the terms ‘surveillance system(s)’, ‘CCTV’ and ‘information’ throughout for ease of reference. Information held by organisations that is about individuals is covered by the DPA and the guidance in this code will help organisations comply with these legal obligations. The DPA not only creates obligations for organisations, it also gives individuals rights, such as the right to access their personal information, and to claim compensation when they suffer damage.

Case Study

The possibility of losing your job whether through dismissal, redundancy or sickness is something that doesn't bear thinking about for…The Disciplinary Hearing: Understanding the Process, and Surviving it
Business, Finance & Law