Commonly asked questions on the legal issues relating to data protection, surveillance and privacy in the workplace
Data protection issues have an impact on most HR activities, from handling recruitment and employer references to employee record-keeping and performance monitoring. So, it's crucial that employers have a solid grasp of data protection principles and law, understanding how to manage data responsibly while keeping up-to-date with legal developments.
This factsheet outlines the new Data Protection Act 2018, which currently governs data protection in the UK, as well as the General Data Protection Regulation (GDPR) and other laws affecting how organisations gather, store and use data about individuals, and individuals’ rights over access to information. It offers guidance on following good data protection practices at work and a practical action plan for organisations.
What is data protection?
Data protection laws protect individuals from the misuse of information about them. The rapid spread of the internet and the widespread ownership of electronic devices have made it easier to collect data, so modernised legal provisions are needed to limit the spread of data to those who need to know.
Information is easily transferred nationally and internationally, making data protection a complex global issue. For example, HR systems can be cloud-based, with servers in other countries. Any worldwide company, for example one based in the US or Russia, can hold data on UK and other European citizens.
Data protection affects most HR activities, from recruitment and references to employee record-keeping and performance monitoring. Data must be managed responsibly with sound current knowledge of all data protection principles.
The legal position
The main UK legislation governing data protection is the Data Protection Act 2018 (DPA), in force from 25 May 2018 (replacing the 1998 version). The DPA reflects the General Data Protection Regulation (GDPR), the mutually-agreed framework governing organisations who hold data on EU citizens. The GDPR must be read and understood together with the DPA.
The DPA 2018 contains other rules, covering, for example, data for immigration purposes and criminal law enforcement. Other data legislation is summarised below.
The Information Commissioner’s Office (ICO)
The ICO promotes and enforces legislation including the DPA and is independent from government. It provides tools and guidance to aid DPA compliance and takes action where needed. There's more about its role and guidance on the ICO website.
The General Data Protection Regulation (GDPR)
The GDPR gives people rights to access information held about them. In addition, there are obligations for better data management and a regime of fines.
The UK government committed to implementing the GDPR irrespective of Brexit. Employers must ensure they are data protection compliant.
The Data Protection Act 2018 (DPA)
The DPA and GDPR contain rights concerning the processing of personal data which is held in either a computerised format as part of a database or manual records forming part of a relevant filing system.
In essence, the law means that those who decide how and why personal data is processed (data controllers) must comply with certain principles. Those whose data is held or processed (data subjects) have rights, for example in relation to accessing that data. In an employment context, employers will generally be data controllers and employees, workers, ex-employees and applicants will be data subjects. Most HR and employment files and records are covered by the DPA.
Personal and sensitive data
Personal data relates to someone who can be identified, directly or indirectly, by an ‘identifier’ such as their name, an identification number or their location. It also includes people who can be identified by various factors in online data. HR records, including sickness absence, performance appraisals, recruitment notes etc., are personal data.
Sensitive personal data includes information about an individual’s race, ethnicity, politics, religion or beliefs, trade union status, health, sex life, sexual orientation or crimes. Genetic or biometric data (for example, fingerprint images for security or payment systems) are included. It is legitimate to process ‘sensitive personal data’ where necessary to carry out an obligation under an employment contract or collective agreement.
Criminal records are sensitive data. Checks are permissible for roles that involve working with children or vulnerable adults but cannot be carried out routinely.
Health information should only be held with explicit consent. Processing medical records may be permissible for preventative steps, assessing working capacity or confirming diagnoses.
When handling personal data, organisations must have safeguards on confidentiality. Employers must tell employees why the organisation is collecting the information, what will happen to it and who will see it.
Processing data includes obtaining, holding, retrieving, consulting and using data by carrying out any operation on it. There are six key principles which specify for example that data must be limited, processed fairly and collected for specified and legitimate purposes.
Data subjects have eight individual rights including the right to be informed about the processing of personal data and to be forgotten by having data deleted where there’s no compelling reason for it to be processed.
The full list of these rights on the ICO website is accompanied by useful lists for checking compliance.
Substantial penalties may be imposed if an employer doesn’t follow the data protection principles. There are enforcement sanctions and monetary penalties for serious breaches. The maximum fines are just under £17.5m, or 4% of global annual turnover, whichever is the greater. The ICO has said it will operate in a similar vein to before, which means fines are likely to be a last resort.
CIPD members should see the more detailed information on enforcement of the DPA and the GDPR in our Data protection law Q&As.
The Freedom of Information Act 2000
This well-known law affects public sector employers providing public access to information held by public authorities and requires them to publish certain information about their activities.
The Telecommunications (Lawful Business Practice) Regulations 2000
These cover all telecommunications (telephone, email, fax, etc). Employers may intercept these with the parties’ consent.
Employers can also intercept telecommunications without consent:
- to establish facts
- to find out if a communication is for business or private purpose
- for quality control or training
- to comply with regulatory or self-regulatory procedures
- for system maintenance
- to detect unauthorised use
- to prevent or detect crime
- for national security purposes.
If employers can’t demonstrate consent, they’ll need to show they took reasonable steps to inform every user that there may be interception.
The Investigatory Powers Act 2016
This controversial law is not primarily directed at the employer/employee relationship but at the communications industry. However, it affects many types of business, for example online market places or website providers providing a telecommunications service. It imposes powers to enable the police, government and other authorities to gather and retain data about people.
Privacy and Electronic Communications Regulations 2003 (amended 2004-2016)
Data protection at work
All employers should read and follow the guide to the GDPR issued by the ICO. A fuller combined guide covering both the GDPR and DPA is due to be published in due course.
The ICO guidance covers matters such as what personal data is, lawfulness of processing, fairness and transparency. Data minimisation is also covered plus the right to be informed, rights of access, rectification and erasure. The right to restrict processing and data portability is covered too. The following are some key areas employers should be aware of.
Organisations must demonstrate that employees were:
- informed of the purpose and use of their personal data, and
- given a clear explanation of how it will be treated.
Employees must consent freely to the specific use, purpose or processing of their data. Employees’ silence or lack of complaint about the processing, or consent incorporated as a standard employment contract term or in a data protection policy, does not meet the required standard.
Employers must record the grounds on which they will be processing each separate category of employee data.
Organisations may process personal information lawfully for six reasons including complying with an employment contract or legal obligation, and protecting the legitimate interests of the employer or a third party.
Unless a relevant exemption applies, data subjects can request and be given a copy of their reference. The obligation depends on whether the request is made of the organisation providing the reference (usually the previous employer) or the organisation that obtained the reference (the prospective employer).
CIPD members should see the more detailed information in our References law Q&As.
Email and internet
Data protection issues often surround email and internet use. Organisations need a comprehensive internet, social media and communications policy governing permitted data use.
Staff with smartphones, laptops, tablets or USB devices can raise data issues, as can work use of employees’ own devices. An effective policy must cover permissible work use of all devices. ICO guidance suggests employers underestimate the risks of personal devices being used for work. Information may be at risk if security measures are inadequate.
Monitoring should not be intrusive, for example using traffic data (about the routing, duration or timing of messages) rather than accessing email content. Both the DPA and Telecommunications Regulations must be complied with.
Employers must demonstrate data protection compliance by training, auditing and documenting processing activities, and reviewing HR policies, as well as:
- appointing a data protection officer (DPO) where appropriate – see below
- only collecting personal data that is adequate, relevant and necessary
- removing names from data (anonymisation) or using encryption to conceal identities while allowing them to be recovered (pseudonymisation)
- being open with employees about data processing and allowing them to monitor it
- improving data security features
- identifying and limiting any detrimental effects on individual privacy.
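The list above distinguishes anonymisation (identifiers removed, no way back) from pseudonymisation (identifiers replaced by a token that the key-holder can reverse). The following Python is an added illustration of that distinction, not code from the CIPD or the ICO; the HR records, the field names and the HMAC-based tokenisation scheme are all constructed assumptions for the example. The point it demonstrates is that a pseudonymised dataset can still be analysed per person, but only the separately held lookup table (or the key) turns a token back into a name, so that table needs the same access restrictions as the original personal data.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample HR records for the example (hypothetical people, not real data).
SAMPLE_RECORDS = [
    {"employee_id": "E1001", "name": "Alice Example", "department": "Finance", "absence_days": 3},
    {"employee_id": "E1002", "name": "Bob Example", "department": "IT", "absence_days": 0},
    {"employee_id": "E1003", "name": "Carol Example", "department": "Finance", "absence_days": 7},
]

# Fields that directly identify a person (assumed for this example).
DIRECT_IDENTIFIERS = ("employee_id", "name")


def anonymise(records: List[dict]) -> List[dict]:
    """Irreversibly strip direct identifiers.

    Nothing is retained that maps a row back to a person, so the rows can
    no longer be joined per individual. Note that other fields (a small
    department with one member, say) can still be identifying on their own;
    that residual risk is outside what this function handles.
    """
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Replace direct identifiers with a keyed token (HMAC-SHA256 of employee_id).

    The token is stable for a given key, so analysts can still group rows by
    person, but without the key they cannot recompute it and without the
    lookup table they cannot reverse it. The lookup table is returned
    separately so it can be stored under its own access controls.
    """
    pseudonymised = []
    lookup: Dict[str, dict] = {}
    for r in records:
        token = hmac.new(key, r["employee_id"].encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_token"] = token
        pseudonymised.append(row)
    return pseudonymised, lookup


def reidentify(token: str, lookup: Dict[str, dict]) -> dict:
    """Reverse a pseudonym using the separately held lookup table."""
    return lookup[token]


def absence_by_token(pseudonymised: List[dict]) -> Dict[str, int]:
    """Example of analysis that still works on pseudonymised data."""
    totals: Dict[str, int] = {}
    for row in pseudonymised:
        totals[row["subject_token"]] = totals.get(row["subject_token"], 0) + row["absence_days"]
    return totals


if __name__ == "__main__":
    # In practice the key would come from a secrets store; this value is constructed.
    demo_key = b"constructed-demo-key-do-not-reuse"
    rows, table = pseudonymise(SAMPLE_RECORDS, demo_key)
    print("pseudonymised:", rows)
    print("anonymised:", anonymise(SAMPLE_RECORDS))
    print("per-person absence:", absence_by_token(rows))
    print("reidentified first row:", reidentify(rows[0]["subject_token"], table))
```

The choice of a keyed HMAC rather than a plain hash matters: an unkeyed hash of a short, structured identifier such as an employee number can be reversed by simply hashing every plausible number, which would make the "pseudonymisation" little better than leaving the identifier in place.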
Data protection officers (DPOs)
Any organisation can appoint a DPO, but organisations must appoint one if they:
- are a public authority
- carry out large scale systematic monitoring of individuals
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
DPOs report to the highest management level (usually the board). They must be given adequate resources, have a degree of independence, and protection from dismissal or detrimental treatment in connection with performing their duties.
Subject access requests (SARs)
SARs are written requests for information from individuals under the DPA. Organisations must respond for free and without ‘undue delay’, which means within a month. The number of SARs that can be made is unrestricted although some unspecific SARs or those made for non-data protection purposes can be refused.
SARs may be used to obtain preliminary information before a tribunal claim, although normal tribunal disclosure requirements entitle employees to more information than SARs. Organisations must comply if SARs arise during disciplinary processes too. Organisations should:
- identify who is responsible for responding to SARs and provide sufficient training
- make managers and HR aware of the DPA rules governing requests
- deal with SARs efficiently.
When organisations receive SARs, they should:
- check its scope
- identify onerous requests or those made for non-data protection purposes
- set clear deadlines for responding
- follow a response procedure.
The ICO has a useful checklist. Breaching the SAR rules attracts fines.
Sharing and transferring personal data
Third parties, such as payroll providers, external HR and recruitment agencies process employee data. The employer must ensure the third party is data protection compliant and:
- clarify the information needed and why, and what the receiving organisation will do with it
- only share essential data
- anonymise or pseudonymise the data
- check contract terms with third parties are GDPR compliant
- check the relevant requirements for overseas transfers of data.
It may be possible to avoid sending personal data, or there may be a legitimate processing ground (thereby avoiding issues of employee consent).
Data security must be appropriate to the processing risks. The size of the organisation, the nature of information processed, and the potential harm from security breaches are all relevant.
In addition to clear policies covering security incidents, organisations should:
- carry out risk assessments of data systems and act on the results
- maintain up-to-date security systems (for example, using firewalls and encryption technology)
- restrict access to personal data to those who need it
- train staff on data security
- review data security regularly.
Record-keeping and correction
Organisations with over 250 employees must keep clear, accessible records of all their data processing activities. Smaller organisations only need to record any data processing they do regularly, or any processing of personal data which is sensitive, or could be harmful to, or intrude on the personal life of, the person concerned. The ICO can inspect records at any time. Data should only be kept for as long as needed to fulfil the purpose. Organisations should:
- think about the purpose of data retention
- consider any legal requirement to keep the data for a period of time (tax records, for example)
- decide whether the data is needed to defend a potential claim (such as information about a job applicant who now alleges discrimination)
- be able to justify retaining the data
- respond to correction requests within the timeframe.
Find out more on UK statutory and recommended time periods for keeping HR records.
Action plan for employers
- Appoint a data protection officer to cover all aspects of information including DPA and Freedom of Information Act compliance.
- Audit information systems to find out who holds what data, and why.
- Consider how data is used, and issue guidelines for managers about how to manage data.
- Ensure that all information collected complies with the DPA and GDPR.
- Check the security of information stored.
- Check the transfer of data internationally.
- Check the organisation’s use of automated decision making.
- Review policies and practice, for example for references and the private use of telephones, email and post.
- Monitor data compliance from May 2018 onwards.
Useful contacts and further reading
Information Commissioner’s Office Tel: 01625 545745 (information line)
Books and reports
BYGRAVE, L.A. (2014) Data privacy law: an international perspective. Oxford: Oxford University Press.
CAREY, P. (2015) Data protection: a practical guide to UK and EU law. 4th rev ed. Oxford: OUP.
VOIGT, P. and von dem BUSSCHE, A. (2017) The EU General Data Protection Regulation (GDPR): a practical guide. Springer.
GDPR: what employers need to know – 1. (2018) IDS Employment Law Brief. No 1091, April. pp10-19.
GDPR: what employers need to know – 2. (2018) IDS Employment Law Brief. No 1092, May. pp15-19.
HANNAH, D.R. and ROBERTSON, K. (2015) Why and how do employees break and bend confidential information protection rules? Journal of Management Studies. Vol 52, No 3, May. pp381-413.
THOMPSON, S. (2018) What to do after the GDPR. People Management website. 18 May.
TREVELYAN, L. (2018) The GDPR: everything you know about data protection is changing. People Management website. 22 February.
CIPD members can use our online journals to find articles from over 300 journal titles relevant to HR.
Members and People Management subscribers can see articles on the People Management website.
This factsheet was last updated by Lisa Ayling and Rachel Suff.
Lisa Ayling: solicitor and employment law specialist
Lisa is a lawyer with many years’ experience of contentious and non‐contentious employment law. During her career she has advised companies and individuals on diverse legal issues including contractual disputes, restrictive covenants, TUPE, redundancy, unfair dismissal and discrimination. Her practical experience includes all stages of claims in the employment tribunal, High Court and Appeal courts and many negotiated settlement agreements.
As well as writing and editing employment law content for the CIPD, Lisa lectures extensively on employment law, including years as a senior lecturer and leader of the employment team at BPP University and on the LLM programme at Kingston University. She has delivered numerous professional development courses for other members of the law profession, as well as assessing trainees on their advocacy, research and drafting skills.
Rachel Suff: Employee Relations Adviser