Keeping secrets

Employers' surveillance of their workers and the collection of information about them have tended to be seen by the law as a matter for unregulated management prerogative. The Data Protection Act 1984 had a limited impact, perhaps because it was restricted to automatically processed data. Its successor, the Data Protection Act 1998 (DPA), will have a much greater effect.
Introduced to comply with a European Directive (95/46) with the protection of privacy at its heart, the DPA applies to 'personal data' processed automatically or recorded in paper filing systems. Any use of the data – or even simply keeping the data – must comply with the eight data protection principles in Schedule 1. These requirements state that data is processed fairly, is processed only for certain purposes, and is adequate, relevant and not excessive.
Particularly strict rules apply to the processing of 'sensitive personal data', which includes matters such as health, sex life or political opinions. Forms of surveillance that infringe the right to private life in Article 8 of the European Convention on Human Rights – an example is interception of workers' phone or email communications without sound justification – will almost certainly infringe the DPA.
The Information Commissioner Elizabeth France has taken a keen interest in the processing of data about workers. In October 2000, her office published a Draft Code Practice on 'The Use of Personal Data in the Employer/Employee Relationship'. Leaving few areas of management practice untouched, the code applies to recruitment, employment records – including sickness records – covert monitoring, monitoring of phones and emails, video monitoring, and drug and alcohol testing.
As the recently published Code of Practice on Recruitment and Selection states: “It is likely that most information about workers that is processed by an organisation will fall within the scope of the DPA.”
As well as illustrating the wide scope of the DPA, the draft code also wants to ensure that workers' interests, including their right to privacy, are properly protected. In relation to monitoring, the code states that “an employee's right to expect a degree of trust from his/her employer, and be given reasonable freedom to determine his/her own actions without constantly being watched or asked to explain must… be respected”. The code adds that covert monitoring should be used only if specific criminal activity is identified and informing employees would prejudice its purpose.
In the same vein, the code states that drug testing is justified only for reasons of voluntary treatment or safety, and any information revealed which has no significant bearing on an individual's ability to do the job, should be discarded.
Following lengthy consultation, the draft code is to be replaced with four individual codes dealing with recruitment and selection, record keeping, monitoring at work and medical testing. Only the first has been published, although consultation has taken place in relation to the others.
It is unlikely that the individual codes will depart significantly from the approach of the earlier draft code, much of which was driven by a proper understanding of the DPA itself. The Code on Recruitment and Selection exhibits the same concerns about openness and fairness as the earlier code. It states that information about criminal convictions should be requested only if it can be justified by the nature of the role; that the process of checking information should be explained to applicants; that psychological tests should be performed only by those with appropriate training; and that vetting should be used only where there are particular and significant risks to the employer or third parties.
It is unlikely that this tightened regulation of management practice can be loosened by the device of a worker or applicant's 'agreement', whether in a contract or otherwise. True, consent is one of the permissible conditions for processing of both personal data and sensitive personal data, but the meaning of consent can be analysed in the European Directive which led to the DPA, and in accordance with which the DPA must be interpreted. The European Working Party, established under the directive, said: “Reliance on consent should be confined to cases where the worker has a genuine free choice and is subsequently able to withdraw consent without detriment.” The Information Commissioner's Code of Practice on Recruitment similarly takes the view that “it is misleading to seek consent from workers if they have no real choice”.
The result is that employers should scrutinise all of their methods of surveillance and information collection and ensure that the purposes for which they have been adopted are clear and that the practices draw a fair balance between the ends pursued and the effect on employees.
There have been predictable objections to this inroad into what the law hitherto saw as matters for management prerogative. But new techniques of information collection and exchange present new threats to individuals' rights to privacy and other interests. The rhetoric of Human Resources, with its talk of employee “empowerment” and the like, can disguise this darker side of management techniques. All the DPA requires is that these processes are fair – a necessary and minimum condition for dignity at work.
Michael Ford is a barrister at Old Square Chambers