Commonly asked questions on the legal issues relating to data protection, surveillance and privacy in the workplace
Data protection issues have an impact on most HR activities, from handling recruitment and employer references to employee record-keeping and performance monitoring. So it's crucial that employers have a solid grasp of data protection principles and law, understanding how to manage data responsibly while keeping up-to-date with legal developments.
This factsheet outlines the Data Protection Act which currently governs data protection in the UK, as well as the legal obligations of employers and individual rights surrounding access to information. It provides guidance on following good data protection practices at work and offers a practical action plan for organisations. This covers various elements, from appointing a data protection officer and auditing information systems to issuing guidelines for managers on how to gather, store and retrieve data.
It’s important that employers understand their responsibilities and potential liabilities under data protection law. Organisations that ignore their legal obligations risk reputational damage and potential prosecution in the courts.
However, our research shows that, where employees feel they are under excessive monitoring or surveillance, they have more negative attitudes to their employer and are more likely to suffer from stress. Employers should therefore develop policies that take a compliant, but balanced, approach. They should ensure that employees understand their own rights and obligations under data protection law. We recommend that HR professionals:
- Read the guidance issued by the Information Commissioner’s Office (ICO).
- Follow 'The employment practices code' issued by the ICO.
- Prepare for the 2018 EU General Data Protection Regulation (GDPR) changes to data protection rules.
What is data protection?
Data protection laws are intended to protect individuals from the misuse and abuse of information held on them.
Data protection issues have an impact on most HR activities, from handling recruitment and employer references to employee record-keeping and performance monitoring. Therefore, it's crucial that employers have a sound knowledge of data protection principles and law, understand how to manage data responsibly and keep up to date with new legal requirements.
The legal position
Data protection is a global issue for employers because data is easily transferred across geographical boundaries, which makes the legal position complicated. International developments inevitably affect data protection matters. For example, in 2015 a European court ruling in the Schrems case significantly changed the legal position for the majority of data transfers from the EU to the US.
GDPR - The EU General Data Protection Regulation
This EU regulation, coming into force on 25 May 2018, is an overhaul of data protection law designed to produce a single set of data protection rules for the entire EU.
Although the regulation comes into force nine months before the UK is scheduled to leave the EU, UK businesses need to prepare for compliance with the GDPR. The UK government has committed to implementing the GDPR irrespective of Brexit and has a new Data Protection Bill currently progressing through Parliament which will amend the UK’s existing Data Protection Act 1998 (DPA) in line with the new rules, as well as introducing a few additional changes.. Employers must ensure they are data protection compliant and may need to designate a data protection officer, which could involve training and developing existing staff.
For more on what Brexit could mean for employment law, visit our Brexit hub.
The Data Protection Act 1998 (DPA)
The main UK legislation governing data protection is the Data Protection Act 1998 (DPA) which came into force on 1 March 2000, although further amendments will be needed before May 2018 to comply with the GDPR. A new Data Protection Bill was announced in the 2017 Queen’s speech.
The ICO promotes and enforces the DPA (as well as the Freedom of Information Act 2000). The ICO is independent from government and encourages openness by public bodies and data privacy for individuals. It provides a self-assessment tool to help small and medium-sized organisations assess their compliance with the DPA. It also provides guidance and takes appropriate action where the law is broken. More about the role and work of the ICO, as well as its guidance on data protection, can be found on the ICO website.
The DPA, and the EU Directive it implements, give individuals rights concerning the processing of personal data. The DPA applies to personal data in a computerised format as part of an accessible record, or held manually as part of a relevant filing system. For public authorities, the DPA is extended to all personal recorded information.
In essence, the law means that those who decide how and why personal data are processed (data controllers), must comply with certain data protection principles. Those about whom data are processed (data subjects) have a number of rights, for example in relation to accessing that data. In an employment context, employers will generally be data controllers and employees, workers and applicants will be data subjects.
Personal data means data which relate to an identifiable living individual and includes any expression of opinion about that individual. So personnel records, including sickness absence, performance appraisals, recruitment notes etc are personal data. The DPA also gives extra protection to certain types of personal data called sensitive personal data which includes information about the data subject's race, ethnicity, politics, religion, trade union status, health, sex life or criminal record (see below). Such data should be treated with particular care. In addition, the ICO considers that financial data, although not technically defined as ‘sensitive personal data’ under the DPA should be treated in the same way.
Processing information or data, means obtaining, recording or holding it or carrying out any operation on it, including its retrieval, consultation or use.
The DPA has eight principles which specify that data must be:
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- not kept for longer than is necessary
- processed in line with an individual’s rights
- not transferred to countries outside the European Economic Area (EEA) without adequate protection.
It's against the law if a data controller, for example an employer, doesn't follow these principles, and substantial penalties may be imposed. The Information Commissioner can issue 'undertakings', enforcement notices, and for serious breaches, civil monetary penalties of up to £500,000 for a breach of one or more of the principles.
CIPD members should see the more detailed information on the above and the 2018 changes expected as a result of the GDPR in our Data protection law Q&As.
The Telecommunications (Lawful Business Practice) Regulations 2000
These UK regulations were issued under the Regulation of Investigatory Powers Act 2000 to comply with the EU’s Telecommunications Data Protection Directive. They cover all types of telecommunications (telephone, email, fax, etc) on public and private systems. Employers may intercept these with the parties’ consent.
Employers can also intercept telecommunications without consent:
- to establish facts
- to find out if a communication is for business or private purpose
- for quality control or training
- to comply with regulatory or self-regulatory procedures
- for system maintenance
- to detect unauthorised use
- to prevent or detect crime
- for national security purposes.
If employers don't have consent, they'll have to show that they've taken reasonable steps to inform every user that there may be interception.
The Investigatory Powers Act 2016
This controversial Act replaced the Data Retention and Investigatory Powers Act 2014. It is not primarily directed at the employer/employee relationship but at the communications industry. However, it potentially affects many types of business, for example an online market place or website provider providing a telecommunications service to its users and customers. The Act imposes powers to enable the police, government and other authorities to gather and retain data about people.
Access to information
If information falls within the DPA, a data subject can request a copy from the relevant data controller. The request must be in writing with sufficient detail to enable the controller to identify the data requested, and carries a £10 fee. Unless a relevant exemption applies, the information must be supplied within 40 days. The 40-day time limit won’t start until it’s clear exactly what’s being requested.
Under the DPA, it’s an offence for an individual to knowingly or recklessly obtain, disclose or procure personal data without the consent of the data controller. This could be of real concern to HR professionals because employees or others working for an employer who misuse data (for example, selling personal data on or disclosing personal data to others where they have no right to see it) might fall foul of this section. In this case the onus would be on an employer to report them to the Information Commissioner or the police as well as taking them through internal disciplinary/ dismissal proceedings.
Section 56 of the DPA means that it is a criminal offence for an employer to require people to use their subject access rights under the DPA to provide certain information, including criminal records, as a condition of employment. The ICO has issued specific guidance on subject access.
Data protection at work
The employment practices code, issued with supplementary guidance by the ICO, is an important source of information and all employers should follow it carefully. The code covers:
- Recruitment and selection
- Employment records
- Monitoring at work
- Information about workers' health.
Most personnel and employment files and records will be covered by the DPA. Find out more in our factsheet on retaining HR records.
Together with information on race, religion or belief, union membership, sexual life and crimes, health information is legally classed as 'sensitive information'. It should be held with the explicit consent of the individual, which can create problems for employers holding health records. For new employees, consent may be included in their employment contract. Existing employees may be asked to give their consent.
Unless a relevant exemption applies, data subjects have the right to request and be given a copy of their reference. However, what action is taken by an employer depends on whether the request is made of the organisation providing the reference (usually the previous or current employer) or the organisation requesting the reference (the new or prospective employer). The recipient of a confidential reference can only disclose the reference by complying with the DPA's confidentiality rules. The referee who has provided a confidential reference for employment, self-employment or educational purposes can withhold the reference from disclosure, though this only applies where the reference is given in confidence.
CIPD members should see the more detailed information in our References law Q&As.
Email and the internet
Many legal issues arise concerning employees' potential abuses of email and the internet. As a starting point, all organisations should devise and implement a comprehensive Internet, social media and communications policy. As far as data protection is concerned, merely looking at someone's information on a website is not a breach of data protection law, although the ICO has investigated certain networking sites and voiced concerns about the fact that it's difficult to remove all personal information from some of the sites.
Supplying staff with their own smart phones, laptops, tablets, or even USB devices, can raise important data protection issues, as can allowing staff to use their own devices. An effective Internet, social media and communications policy must cover the permissible use of employees' own devices for working purposes, and the permissible use of (and return of) devices supplied by the employer. A survey by ICO has revealed that many employers appear to have an overly relaxed attitude to allowing staff to use their personal laptop, tablet or smart phone for email, editing documents and other work business, which may be placing personal information at risk if it’s not subject to adequate security measures.
The terms of the DPA differ in several respects from the Telecommunications (Lawful Business Practice) Regulations concerning the form of consent required from the data subject before an employer can access information. The ICO recommends that an employer should have a policy setting out permitted use and that monitoring should be as unintrusive as possible, for example using traffic data (such as information about the routing, duration or timing of a message) rather than accessing the content of an email.
Sending information abroad
Information about individuals may be sent to any country within the EEA but it may only be sent to a country outside the EEA if adequately protected. The ICO’s Guide to data protection gives more information but employers should seek specific advice when transferring data outside the EEA.
Action plan for employers
- Appoint a data protection officer to be in charge of all aspects of information including compliance with the Data Protection Act 1998, and Freedom of Information Act for public authorities.
- Audit information systems to find out who holds what data, and why.
- Consider why information is collected and how it is used, and issue guidelines for managers about how to gather, store and retrieve data.
- Ensure that all information collected complies with the DPA.
- Check the security of the information stored.
- Check the transfer of data outside the EEA.
- Check the organisation’s use of automated decision making.
- Review policy and practice in respect of references.
- Review or introduce a policy for the private use of telephones, email and post.
- Take steps now to prepare for the GDPR which will be in force from May 2018.
The employment practices code contains additional good practice recommendations.
Useful contacts and further reading
Information Commissioner’s Office Tel: 01625 545745 (information line)
BYGRAVE, L.A. (2014) Data privacy law: an international perspective. Oxford: Oxford University Press.
CAREY, P. (2015) Data protection: a practical guide to UK and EU law. 4th rev ed. Oxford: OUP.
WRIGHT HASSALL. (2016) What is data protection: your questions answered.
FOSTER, S. (2017) Get ready for 2018’s changes to data protection laws. PM Daily, 27 Mar.
HANNAH, D.R. and ROBERTSON, K. (2015) Why and how do employees break and bend confidential information protection rules? Journal of Management Studies. Vol 52, No 3, May. pp381-413
HARTLEY, A. (2013) Protecting confidential information in the digital workplace. Employers' Law. February. pp14-15.
KIRTON, H. (2017)What does HR need to know about GDPR?PM Daily. 23 August
MOREY, T., FORBATH, T. and SCHOOP, A. (2015) Customer data : designing for transparency and trust. Harvard Business Review. Vol 93, No 5, May. pp97-105.
WEBSTER, M. (2014) Data protection compliance. Company Secretary's Review. Vol 37, No 21, 29 January. pp168, 167.
CIPD members can use our online journals to find articles from over 300 journal titles relevant to HR.
Members and People Management subscribers can see articles on the People Management website.
This factsheet was last updated by Lisa Ayling, solicitor and employment law specialist, and by Rachel Suff.
Rachel Suff: Employee Relations Adviser
Rachel joined the CIPD as a policy adviser in 2014 to increase the CIPD’s public policy profile and engage with politicians, civil servants, policy-makers and commentators to champion better work and working lives. An important part of her role is to ensure that the views of the profession inform CIPD policy thinking in ER areas such as health and well-being, employee engagement and employment relations.
As well as developing policy on UK employment issues, she helps guide the CIPD’s thinking in relation to European developments affecting the world of work. Rachel is a qualified HR practitioner and researcher; her prior roles include working as a researcher/editor for XpertHR and as a senior policy adviser at Acas.
Explore our related content
Episode 51: What can your people data tell you about your organisation? This podcast discusses how human capital analytics has evolved and how it can drive value in your business.
Information to help employers comply with the Data Protection Act