Getting the Recruitment Paperwork Right

Getting the Recruitment Paperwork Right

 

 

You really haven’t been concentrating for the last few years, have you?  ‘Data’, for the purposes of the Data Protection Act 1998 (‘the Act’), includes any paper data held in a filing system, or which is to be filed or put onto computer.  So no, it’s not just about computers, and yes, you do have to think very carefully about what you do with staff data.  Incidentally, whilst I’ll be talking about paperwork, you should be aware that the Code also applies to handling staff via websites or automated telephone systems.

 

Not any more.  The Act lays down some detailed (if difficult to understand) requirements about what you must, can, and cannot do with data.  If you get it wrong, the Information Commissioner – who replaced the Data Protection Registrar – can require you to comply.  If you don’t, it’s a criminal offence.  Also, the Courts can award compensation to any individual for any damage caused to them by a failure to comply, and also for any distress caused to them.  So it’s got teeth.

 

 

You need to get hold of a copy of the Employment Practices Data Protection Code.  You can download this from http://www.ico.gov.uk/documentUploads/ICO_EmpPracCode.pdf

but make sure first that you have plenty of paper in the printer!  The Code is an interesting approach to legislation.  It doesn’t have any statutory force, and the Courts will have to use the Act itself, but the Code represents the Commissioner’s view of how the legal requirements of the Act can be met, with benchmarks set to ensure compliance.  As the introduction to the Code says, you may find alternative ways of meeting the Act’s requirements, but the risk of non-compliance is yours.  You can bet that the Courts will take the Code as being best practice.

 

 

It’s in four parts.  Part 1 is recruitment and selection, and that’s what I want you to concentrate on today.  Then it goes on in Part 2 to employment records generally.  Part 3, relating to the monitoring of use by the staff of telephones, e-mails and cars, is in the process of being revised, and Part 4, on medical records, hasn’t been issued yet.

 

 

No, you certainly can’t.  You and your partners are what the Act calls the ‘data controller’, and you need to appoint someone suitably senior to take the responsibility for compliance, and to establish a system within which that compliance can be achieved.  It’ll probably end up being you, as usual.  It’ll be your job to find out what personal data is held about staff anywhere in the firm, to ensure the systems for handling that are acceptable, and to train all those handling the data so that there is no doubt they are aware of their responsibilities.  And, by the way, you should also make sure your registration details are up-to-date and correct.

 

 

No, I’m afraid it starts to apply right from the beginning of the recruitment process, when you place an advert.  Those whose data you handle are called ‘data subjects’, and that includes any applicants, even if unsuccessful.  Anyone who responds to an advert must be told what the organisation is, and (unless it’s obvious from the advert) how their data will be handled.  If you’re using an agency, you have to make sure they do this for you.

 

 

There is a way round it, but it’s clumsy.  You’d have to use an agency, and ask them to supply applicants’ data to you without giving the names or other identifying details to you.  You can then do your shortlisting, and so any you cut out at that stage need never know who you were.  If you happen to shortlist someone local however, and ask the agency for details, then you or they will have to tell everyone on the shortlist who the firm is.  Incidentally, you can’t get round it by using a box number.  The initial advert in those circumstances has to give the identity of the advertiser – yes, I know that defeats the object of the exercise!

 

 

No, you don’t.  I would suggest you do, as they can help to reduce your risk in other areas as well, like the chance of discrimination claims, but it’s up to you.  There are provisions however which cover any form of application paperwork, whether it’s your application form, or a letter or CV sent in response to an advert.  Where you can, you should ensure that you only ask for details which are really important to the recruitment process.  Don’t for instance, ask everyone at this stage for information you’re only really going to want for the successful candidate, such as their bank account details.  Try to avoid collecting ‘sensitive data’ (e.g. data relating to health, disabilities, race, trade union membership, political or religious opinions, or criminal offences) because if you do collect this you will have to comply with extra conditions as to the necessity of processing the data, obtaining explicit consent, and providing safeguards for the data subjects.   By the way, even a CV has been sent by someone to you ‘on spec’, these provisions can apply, unless you have a policy that such applications will be neither acknowledged nor retained, and of course it’s generally reckoned to be at least a courtesy to send an acknowledgment.  Any applications sent must be securely stored, e.g. in a locked filing cabinet.

 

 

Provided you go abut it the right way, yes.  If you need to verify anything by contacting a third party, or to obtain any copy documents, you should get the consent of the applicant, and explain what steps you are going to take.  If your enquiries throw up any problems, you shouldn’t assume the applicant has been lying, so you should give them a chance to explain the position.  You’re unlikely to get into the realm of much more active vetting, but be aware that there are additional requirements if you do.  Similarly, if for some special reason it is necessary for you to ask candidates to obtain a basic disclosure from the Criminal Records Bureau, as to any ‘unspent’ convictions, you should have a clear policy as to the storage and use of such information.

 

 

Not really, so long as you’re consistent in the way you handle the data when you’re preparing the shortlist.  Again, demonstrable consistency is vital for employment law purposes anyway, to protect yourself against discrimination claims.  If you use any sort of scientific testing, such as handwriting analysis or psychometric testing, you have to make sure that whoever analyses the results is suitably qualified.

 

 

Wrong.  Unless you rely entirely on your memory, you’ll be making notes, won’t you?  The Code applies to those notes.  You have to store and use those notes securely and fairly.  Perhaps most important of all, you need to be aware that the interviewee can make what’s called a ‘subject access request’ and demand that you show them your notes.  So be careful not to get too carried away with what you write down!

 

 

Yes, I’m afraid you do.  One the reference is passed on to you, there is no exemption, and the applicant can make a subject access request.  The theory is that you’re allowed to withhold the identity of other individuals who are involved, such as the author of the reference, but since the applicant is the one who will, in the first place, have given you the details of who to apply to, he won’t need to be a genius to work out where its come from.  (You might, incidentally, like to keep this in mind when you yourself are asked to give references to other firms.)

 

 

There’s nothing in the Code to say you have to keep papers.  You are however well advised to keep them for a while, in order to be able to defend any claim which may subsequently be brought against you for discrimination etc.  It’s generally thought to be good practice to be able to respond to any request from an unsuccessful candidate to be told why they didn’t get the job, and you might need the papers for that.  You may want to keep the details of unsuccessful candidates on file in case another vacancy crops up.  That’s acceptable, provided you tell them you are going to do so, and give them the chance to ask that their details are taken out of the system.  Your best bet is to establish a policy as to the length of time you will securely and confidentially hold records, which is enough for your protection, and then destroy them.  Incidentally, any criminal records disclosure information must be destroyed after six months at most.

 

 

No, sorry.  You should remove any data which is not relevant to the continuing employment relationship.  An example the Code gives is of previous salary levels.  Any irrelevant information as to a criminal record should go as well.  What you may want to do is to design your application form, if you’re using one, so that the information you need to keep is all on one page, or in one section, and you can simply ditch the rest at the same time you destroy everything relating to the other candidates.

 

 

I can understand the problem.  There is however a helpful checklist in section 5 of the Code, which you should hang on to, and use as a frame of reference.  And don’t say you’ll never remember where you put it, because you’re going to be handling all your paperwork much more carefully from now on, aren’t you?  To help you, part 2 of the Code goes on to deal with staff paperwork generally – but that’s for another day.