Dashboard
Dashboard Make a document Ask a lawyer Get guidance Home
Account
Profile information Account settings
Logout
Help
Help Contact us
Explore
Make documents Ask a lawyer Get guidance About us
Account
Sign up Log in
Help
Help Contact us
Make documents
Easily make legal documents
See all documents
Popular business documents
Popular employment documents
Popular property documents
Popular family documents
Terms and conditions Privacy policy Non disclosure agreement Shareholders' agreement
Employment contract Health and safety policy Environmental policy Consultancy agreement
Tenancy agreement Lodger agreement Eviction notice Declaration of trust
Affidavit Prenuptial agreement Last will and testament Power of attorney
Ask a lawyer
Get quick legal advice from a lawyer
Ask your question
Popular legal topics
COVID-19: Business legal help Brexit for businesses Startup legal help Run an online business
Hire employees Manage employees Discipline employees Dismiss employees
Rent residential property Rent commercial property Manage rented property Evict tenants
Get divorced Apply for probate Make a lasting power of attorney Bespoke legal drafting
Get guidance
Get reliable legal guidance
Read legal guides
Popular business guides
Popular employment guides
Popular property guides
Popular family guides
COVID-19: Business legal help COVID-19: Individual legal help Types of shares Ending a contract
Overpayment of wages Notice periods Summary dismissal Implied employment terms
Declaration of trusts Legal interests in property Section 21 notices Security of tenure
Affidavits Executing a will Changing your name Getting married
About us
Learn more about Rocket Lawyer
Contact us
Get more information
Pricing
Help
About us
Careers
  1. /gb/en
  2. Legal guides
  3. Data protection and employees

Data protection and employees

Because of the close relationship between employer and employees and the special duties owed, particular data protection issues arise in the employment context.
Make your Data protection policy
Get started
Answer a few questions. We'll take care of the rest

The basic legal rules on protecting employment data are set out in the Data Protection Act 2018 - the main legislation governing the collection, processing and distribution of personal data in the UK. These are set out in our Quick Guide on Data Protection, however, bear in mind that breaching data protection rights of staff could also automatically breach other duties you owe them (eg serious breach of data protection and privacy rights could amount to breach of contract as a result of failure in the duty to maintain trust and confidence, or it could even be constructive dismissal).

Openness is key; you should tell employees the types of data you might collect about them and what you do with it in a Data Protection Privacy Notice/'Fair Processing Statement' - a statement describing how you collect, use, retain and disclose personal information. For information on creating a Data Protection Privacy Notice, Ask a lawyer. A good tool for handling tricky data protection issues is to do a privacy impact assessment (PIA). Where intrusive action is unavoidable, think of ways to manage and reduce the impact and provide written instructions to those involved, as a record of the steps taken.

Putting a data protection and data security policy in place in your organisation can ensure that you follow a set process which gives confidence to employees and clients alike and helps avoid any potential claims.

Recruitment processes and pre-employment checks can be intrusive; be open about your processes, don’t collect more information than you need at each stage of recruitment and don’t retain information longer than necessary. Comply with rules about criminal convictions.

You will unavoidably handle data coming within the 'special' categories of personal data, i.e. sensitive personal data (eg when you manage sickness absence or administer employee benefits); this can usually only be done with explicit and freely-given consent, to safeguard health and safety or avoid disability discrimination.

Many employers monitor emails and other IT use or have workplace CCTV. This is permitted if justified and you have a legal basis to do so (eg a legal obligation), but you should tell staff you do this, target your monitoring, consider less intrusive ways to achieve the same goal and take steps to avoid reviewing obviously personal materials. Accessing an employee’s computer material or personal account without their consent is considered hacking and is a criminal offence which can have serious legal implications. Consider introducing a Communications and equipment policy to maintain transparency when it comes to monitoring communications and IT equipment and resources. Covert surveillance is especially intrusive and can only be used in extreme cases and on a limited basis. For more information read Employees' use of IT.

All health information is, in principle, private and there should be a clear basis for collecting or processing it. Health information must be kept particularly secure. Transfer of data outside the European Economic Area (including to group companies) requires special safeguards to be in place. For more information, read International transfer of personal data. Drug or alcohol testing will usually only be permissible for clear health and safety reasons.

Using information from employees’ personal social media usage to take employment decisions raises difficult issues of discrimination, privacy and data protection. It’s worth protecting the interests of yourself and your employees with a Social media policy. For further information, read Employees and social media.

Make your Data protection policy
Get started
Answer a few questions. We'll take care of the rest

Follow us

We use cookies to provide the best experience