Data protection code lays down law for IT staff

IT staff have some surprising new responsibilities according to the first Data Protection code of practice, and job applicants have some unexpected rights.

IT staff have new responsibilities for ensuring compliance with the Data Protection Act 1998, which came into full force last autumn, according to a code of practice to be published next week.

The code, which details best practices for compliance with the law when recruiting staff, says IT managers should consider themselves equally responsible with HR managers for ensuring that out-of-date personnel records are deleted from computers.

The code is the first of four parts of the Employment Practices Data Protection Code that is being drawn up by the Information Commission. The Data Protection Act, which the codes address, was drawn up mainly to protect personal data held on computers, but also relates to data stored on paper or microfiche and held in any "relevant filing system", which means, according to the commission, any set of information about workers in which it is easy to find a piece of information about a particular worker. In addition, information collected with the intention that it be put in a relevant filing system is covered.

"It is important to remember that data protection compliance is a multi-disciplinary matter," says a draft copy of the code. "For example, a company's IT staff may be primarily responsible for keeping computerised personal information secure, whilst a human resources department may be responsible for ensuring that the information requested on a job application form is not excessive, irrelevant or inadequate."

All workers, including line managers, have a part to play in securing compliance, "even if only to ensure that waste paper bearing personal information is properly disposed of."

The code also addresses selection processes by automated means, and warns that job applicants may have a right to see the logic involved in making decisions based on automated procedures.

An example of a decision that is covered is where an individual is shortlisted purely on the basis of answers provided through a touch-tone telephone in response to psychometric questions posed by a computer. Any applicant who is rejected or treated in a way that is significantly different from other applicants solely as a result of the use of an automated process will have the right to see how the decision was made.

The code will be published next week on the Information Commission's Web site. Later this year, the Commission expects to publish codes of practice for keeping employment records, monitoring employees at work, and medical testing.

