The basic legal rules on protecting employment data are set out in the Data Protection Act 2018 (the DPA), which sits alongside and supplements the GDPR (retained in UK law as the UK GDPR). Together they govern the collection, processing and disclosure of personal data in the UK.
If you breach the data protection rights of your staff, you may also be in breach of other duties you owe them. For example, a serious breach of data protection and privacy rights could amount to a breach of contract through failure to maintain the implied duty of trust and confidence, or could even found a claim for constructive dismissal. For more information, read Data protection.
Openness is key; you should tell employees the types of data you might collect about them and what you do with it in a Fair Processing Statement, also known as a Privacy Notice. This is a statement detailing how you collect, use, retain and disclose personal information. For information on creating a Privacy Notice, Ask a lawyer.
You must conduct a data protection impact assessment (DPIA, formerly known as a privacy impact assessment or PIA) where processing is likely to result in a high risk to individuals; employee monitoring is a common trigger. Where intrusive action is unavoidable, think of ways to manage and reduce the impact, and provide written instructions to those involved as a record of the steps taken. If the DPIA shows a high risk that you cannot reduce, you must consult the Information Commissioner's Office before starting the processing.
Putting a Data protection and data security policy in place in your organisation can ensure that you follow a set process which gives confidence to employees and clients alike and helps avoid any potential claims.