The basic legal rules on protecting employment data are set out in the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (the DPA). The DPA governs the processing (eg collection and distribution) of personal data (eg names, addresses and sensitive personal data, such as information about mental and physical health) in the UK.
If you breach your staff’s data protection rights, this could automatically breach other duties you owe them. For example, a serious breach of data protection and privacy rights could amount to a breach of contract as a result of a failure to meet the duty to maintain trust and confidence. A breach could even amount to constructive dismissal.
Openness is key. You should tell employees the types of data you might collect about them and what you do with it in an Employee privacy notice, also known as a 'fair processing statement'. This statement details how you collect, use, retain and disclose personal information. Similarly, if you engage consultants, you should create a Consultant privacy notice.
Where data processing is likely to result in a high risk to individuals (eg they risk being denied work opportunities), you must conduct a Data protection impact assessment (DPIA). Where intrusive action is unavoidable, think of ways to manage and reduce the impact. Provide written instructions to those involved, as a record of the steps taken.
Putting a Data protection and data security policy in place in your organisation helps ensure that you follow a set process that gives confidence to employees and clients alike and helps avoid any potential claims.