The UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) set out the basic legal rules on protecting data belonging to private individuals. These data protection laws exist to protect individuals and to prevent the misuse of their personal data.
In this blog, we cover how employers need to make sure that they comply with these rules when they process (eg collect, use or store) personal data belonging to their employees.
What is personal data?
Personal data is any information that relates to an individual who can be personally identified from the data. This includes:
- contact details (including addresses, phone numbers and email addresses)
- dates of birth
- job titles and National Insurance numbers
This type of personal data can be kept by employers without the employee’s express permission, where the employer can rely on other grounds for processing (eg to perform the employment contract).
Personal data can also take the form of ‘special category sensitive data’, which is awarded greater protection than non-sensitive data. Examples of special category personal data include information about:
- racial or ethnic origin
- religious or similar beliefs
- trade union membership
- physical health or mental health or health condition
Information about criminal convictions is treated separately and subject to more stringent controls.
Special category sensitive data cannot be kept without the employee’s consent. If it is processed, employers need to make sure that this type of data is kept more securely than other types of data.
Find out more about personal data and data protection.
What obligations does an employer have?
Employers must protect the personal data of their employees, and only use employee data for lawful purposes. Employers processing personal data need to comply with strict rules known as the ‘data protection principles’. Under these data protection principles, employers must ensure that information is:
- processed fairly, lawfully and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- accurate and kept up to date
- kept in a form that enables identification of data subjects for no longer than is necessary
- processed in a way that ensures it is appropriately secure
- not transferred outside the UK without adequate protection
Employees have a right to be told:
- what records of personal data employers are keeping
- how the personal data is used
- the confidentiality of the records
- how these records can help with their training and development at work
If an employee asks to find out what personal data is kept on them, the employer generally has 30 days to provide a copy of the information.
For more information, read Data protection.
What steps should an employer take?
When it comes to processing employee personal data, openness is key. Employers should inform employees of the types of data they might collect about them, detailing how the employer collects, uses, retains and discloses such personal information. This is typically set out in an Employee privacy notice.
Where the processing of personal data is likely to result in a “high risk” to the employees, employers must conduct a data protection impact assessment (DPIA). Personal data processing may be “high risk” if, for example, it involves the large-scale processing of special categories of data or personal data relating to criminal convictions.
Employers should consider putting in place a Data protection and data security policy, setting out the policies and procedures a business will comply with when dealing with personal information and personal data. Having such a policy in place can ensure that employers follow a set process that gives confidence to employees and helps avoid any potential claims.
Read Data protection and employees for more information.
What tricky areas should employers be aware of?
When recruiting new employees, employers should be open about the data collection and recruitment process, taking care not to collect more information than necessary at each stage of the recruitment process. Care should also be taken not to retain personal data for longer than necessary.
Special category sensitive data
When handling employee personal data, handling special category sensitive data is essentially unavoidable (eg when managing employee sickness absences) and care should be taken that such sensitive data is awarded the necessary protection.
As special category sensitive data can usually only be processed with explicit and freely-given consent (eg to safeguard health and safety or avoid disability discrimination), employers need to make sure that their employees give such consent. For more information, read Consent for GDPR.
Monitoring employees at work
Many employers monitor emails and other IT use or have workplace CCTV. This is generally permitted as long as employers can justify doing so (eg the use of CCTV to ensure staff safety or security by preventing theft).
Where employers monitor employees, they should tell staff that such monitoring procedures are in place and consider alternative and less intrusive ways to achieve the same goal. Employers should also take care not to review obviously personal materials. Accessing an employer’s computer material or personal account without their consent should generally be avoided, as it may be considered hacking and is a criminal offence that can have serious legal implications. However, certain exceptions do exist (eg to prevent or detect crime or investigate or detect any unauthorized or misuse of the telecommunications system).
Employers should consider putting in place a Communications and equipment policy to maintain transparency when it comes to monitoring communications and IT equipment and resources. Covert surveillance is especially intrusive and can only be used in extreme cases and on a limited basis.
International data transfer
The transfer of data outside the UK (including to group companies) requires special safeguards to be in place. Such safeguards include international transfer on the basis of standard data protection clauses approved by the UK or certification (ie where the organisation outside the UK has been formally recognised and certified as complying with UK data protection laws).
For more information, read International transfer of personal data.
What if an employer fails to adequately protect employee data?
If an employer fails to adequately protect employee data and/or breaches data protection rights, this could result in the employer automatically breaching other duties they owe to the employees. For example, a serious breach of data protection and privacy rights could amount to breach of contract as a result of failure in the duty to maintain trust and confidence, or it could constitute constructive dismissal (ie the employee resigns directly as a result of a significant breach of their employment contract by their employer).
If a data breach occurs, this may need to be reported to the Information Commissioner’s Office (ICO) within 72 hours of the employer becoming aware of the breach. A personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Personal data breaches can include:
- access by an unauthorised third party
- devices being lost or stolen that contained personal data (eg laptops and mobile phones)
- alteration of personal data without permission
For more information, read Data breach reporting.
If you need more advice on data protection you can Ask a lawyer.