New technology has helped to streamline many personnel processes, but it has also created extra legal hurdles and headaches. Olga Aikin discusses how to keep e-HR within the law
HR Software Show 2002 - show guide, 26 Jun 2002
HR practitioners must be viewing the advent of e-HR and the development of electronic communications with mixed feelings. On the plus side, these new tools can simplify record-keeping and give immediate access to information. But issues of privacy, use and security, particularly under the Lawful Business Practice Regulations 2000, the Data Protection Act 1998 (DPA) and the Human Rights Act 1998, can limit the use of these tools and create new headaches for HR.
The four-part Code on Employment Practices, currently being issued by the Information Commission, does give useful guidance, but in some ways extends the statutory duties in its advice on best practice. Part one of the code, on recruitment, is available on the commission’s web site and part two, on records, should be available soon. Part three, on surveillance, has aroused considerable controversy, particularly in its recommendation that covert monitoring should take place only in respect of criminal activity and normally after informing the police. This has not yet been issued. The final part will be on health.
As far as HR systems are concerned, few would question the advantages of a computerised system. As well as the obvious advantages, it can also make it easier to meet some of the new requirements of the DPA and the best practices advised by the Information Commission. One requirement is that a person properly accessing a file should not be able to see confidential information that is not relevant to their enquiry. This means that certain information – health, disciplinary record, grievances, etc – should not be available to everyone. Blocking and password-protecting this information is relatively simple in computerised systems, but far more difficult to achieve in a manual one.
The DPA and the code also insist that information should not be retained for longer than is needed and that employers should decide when different types of information should be removed. Once the retention period has been decided – not an easy task – the software can be programmed to do the job automatically. But this is where the problems start.
In particular, sickness or disciplinary material may need to be retained. If it is impossible to have an entirely automatic deletion system then human intervention is still required.
Nor is e-mail communication without its difficulties. Because it is not a secure system the commission recommends that CVs, references, health information and other confidential data should not be sent by e-mail unless security such as encryption is in place. There is also the increased security risk of employees taking work, including confidential information, home. This is easily done – some simply e-mail the material to their home PC, while others take it by disk.
A currently intractable problem relates to health records. Health information is clearly sensitive data and can be held only with “explicit” consent unless one of the exceptions apply. But no exception covers a general holding of health records, only holding in particular instances such as sick certificates and accidents at work.
Another problem is controlling employees’ use of the system. A policy, with disciplinary action as the sanction, is advisable and will be recommended by the commission.
But what should go into the policy? Obviously it should deal with the extent to which the employee can make personal use of e-mail and access the internet. HR will want to ensure that this use is not exceeded.
The commission insists that the least intrusive method of monitoring should be undertaken and that the employee, and their correspondents, should be alerted to this. Covert monitoring is to be avoided. Traffic data may be sufficient, with no need to access the communication itself. Software can be used to weed out offensive communications and unsuitable sites can be blocked. But the commission does not favour banning the downloading of pornography or offensive material because that is ambiguous.
The employee will also need to be aware when e-mails will be accessed, for example during absence. And the policy should deal with the risks to the employer of viruses, communication of confidential information and that defamation and harassment claims can result from inappropriate e-mails. It should be clear that breach will be a disciplinary matter.
Of course, the employer may be tempted to avoid this by simply banning use. But this is easier said than done. If, despite the ban, use continues, consent may be implied. Simply failing to discipline employees breaching the policy could be enough to imply consent.
HR’s use of electronic systems can only grow, but it is not entirely a bed of roses.
Olga Aikin is an employment law specialist at the Aikin Driver Partnership
Measured response By dramatically reducing the time and money spent on managing human capital, the latest HR software systems are freeing up more time for strategic thinking
