Iain Bourne of the Information Commission explains how its code of practice for the Data Protection Act can help firms

IT Week: Why is the government's Information Commission publishing guidelines for the Data Protection Act?

Iain Bourne: To make firms aware of their obligations, and to give clear, practical advice on how to meet those obligations. For example, we encourage firms to ask if it is necessary to subject staff to audio and video surveillance, medical testing, vehicle-tracking, email monitoring, and so on. In some circumstances very intrusive techniques may be justified, but this is not normally the case. The code, particularly through its risk assessment approach, helps firms assess the information-processing techniques that are acceptable in particular circumstances.

What impact will the DPA have on firms?

It can be difficult to assess the impact that law has on business. It's true, though, that the DPA will have the least impact on businesses that have already adopted transparent information handling practices and take information standards and security seriously. However, there may well be businesses that don't address any of those issues properly and for whom data protection compliance may be a difficult, onerous and expensive business.

How will the code of practice help?

We hope the code will make compliance easier. It doesn't place any additional burdens on business and doesn't contain any advice we wouldn't provide to individual employers had they asked us to. Issuing the code will allow us to pre-empt some of the many questions employers wish to ask us.

How did you choose the areas to cover?

We tried to structure the code so it would make sense to human resources staff. As well as general information about data protection, the code includes a section on recruitment, job advertisements and so forth, and general record keeping. The code finishes off by dealing with the specialised and potentially difficult areas of monitoring and surveillance and handling medical information about workers, including carrying out drug-tests.

Did you make compromises in the code?

We developed it in the light of comments we received on its drafts. Hopefully this is reflected in its realistic and practical approach. The form the code takes is primarily determined by the contents of the DPA. This means that we're fairly constrained in terms of the code's key concepts such as access to information, security and transparency in information-processing operations.

How has industry reacted to the code?

There has been some opposition to the code from some employers. A few object to such key data protection concepts as restricting covert information-gathering and giving workers access to information about them. However, Parliament has given us the law and employers, like everybody else, must comply with it - we hope the code will help them to do so.

Have your say: contact IT Week

About Iain Bourne

• Iain Bourne is the Information Commission's strategic policy manager.
• He has worked for the Information Commission since 1996.
• Bourne deals with the employment code of practice, as well as e-commerce, Internet and legal issues.