The publication is the first of four parts of The Employment
Practices Data Protection Code and it covers the areas of
recruitment and selection. The Code is not legally binding in
itself, but because it indicates how the Information Commissioner
will interpret the wording of the Data Protection Act 1998,
which is legally binding, employers should follow it.
It gives guidance on when it is and is not appropriate to store
certain data on employees, such as membership of trade unions and a
checklist for procedures to follow in advertising jobs, handling
applications and interviewing. It also addresses the destruction of
personal data contained in applications.
Among the recommendations of the checklist, employers are told to
“provide a secure method for sending applications.” It explains
that employers should, “Ensure that a secure method of transmission
is used for sending applications on-line (e.g. encryption-based
software).”
No further guidance is given on the level of security required
or the nature of the encryption. Struan Robertson, editor of
OUT-LAW.COM, commented:
“It is likely that a business could comply
with this by hosting on-line recruitment forms on a secure system.
One way of doing this could be to use HTTPS (Hypertext Transfer
Protocol over Secure Socket Layer, or HTTP over SSL) to protect the
information in the web pages. An alternative would be for
recruiters to offer a public key which the applicant can use to
encrypt his transmission.”
“The latter approach may be less attractive
although it can offer a greater level of security. The problem for
many businesses is that use of public/private key cryptography is
still in its infancy and a lack of understanding may scare away
potential applicants.”
HTTPS systems are common in e-commerce sites. The page on which
credit card numbers are entered will usually have a URL which
begins with https:// instead of http://. When the customer has
entered his card details and clicked the “submit” button on the
page, his browser’s HTTPS layer encrypts the information. The
acknowledgement returned by the seller’s server will also travel in
encrypted form, arrive with an https:// URL, and be decrypted for
the customer by his browser.
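As an added illustration of the “hosting on-line recruitment forms on a secure system” option (example code, not from the article, the Code or OUT-LAW.COM), the following Python function shows how a server can refuse to accept application data over plain HTTP and push every request onto HTTPS, so the encryption the paragraph describes is applied to the form rather than left to the applicant. The host name `recruitment.example`, the form path `/apply` and the sample requests are constructed placeholders.

```python
import io
from urllib.parse import urlunsplit

# Assumed path of the on-line application form (placeholder).
FORM_PATH = "/apply"


def handle_application(environ):
    """Return (status, headers, body) for a WSGI-style request environ.

    Plain-HTTP requests never reach the form handler: they are answered
    with a redirect to the https:// URL and their body is never read, so
    the server accepts no application data in the clear.
    """
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST", "recruitment.example")  # placeholder host
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    method = environ.get("REQUEST_METHOD", "GET")

    if scheme != "https":
        # Send the browser to the same page over HTTPS. A body POSTed over
        # HTTP is not processed: the applicant is shown the form again and
        # resubmits over the encrypted connection.
        location = urlunsplit(("https", host, path, query, ""))
        return ("301 Moved Permanently", [("Location", location)], b"")

    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        # HSTS: tell the browser to use https:// for this host from now on.
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ]
    if path == FORM_PATH and method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length)
        # The real handler would now save the application to the restricted
        # recruitment directory; here we only report what arrived.
        return ("200 OK", headers, b"received %d bytes" % len(body))
    return ("200 OK", headers, b"application form")


def make_environ(scheme, method, path, data=b""):
    """Build a minimal constructed WSGI environ for the examples below."""
    return {
        "wsgi.url_scheme": scheme,
        "HTTP_HOST": "recruitment.example",
        "PATH_INFO": path,
        "QUERY_STRING": "",
        "REQUEST_METHOD": method,
        "CONTENT_LENGTH": str(len(data)),
        "wsgi.input": io.BytesIO(data),
    }


if __name__ == "__main__":
    # Constructed sample: a form POST over plain HTTP and the same over HTTPS.
    print(handle_application(make_environ("http", "POST", FORM_PATH, b"cv=x")))
    print(handle_application(make_environ("https", "POST", FORM_PATH, b"cv=x")))
```

The redirect is issued before the request body is touched, and the HSTS header is only ever sent on HTTPS responses, which is what browsers require for it to take effect.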
The Code’s Checklist also states that once electronic
applications are received, the employer must ensure that “they are
saved in a directory or drive which has access limited to those
involved in the recruitment process.”
The Checklist goes on to advise employers to assess who in the
organisation possesses the recruitment information and to “inform
them that electronic files should be kept securely, for example by
using passwords and other technical security measures.”
The second part of the Code, dealing with employment records,
will be published in April. The third part (monitoring at work) and
fourth (medical information) are due to follow at monthly intervals
thereafter.
The Code and additional notes can be downloaded from the
Information Commissioner’s web site.