Data protection issues have an impact on most HR activities, from handling recruitment to employee record-keeping, performance monitoring and references. It's crucial that employers understand their responsibilities and liabilities under data protection law. They must manage data responsibly and keep up-to-date with data protection principles and legal developments.

This factsheet outlines the Data Protection Act 2018 which currently governs data protection in the UK, as well as the General Data Protection Regulation (GDPR) and other related legislation. These laws affect how organisations gather, store and use data and individual rights over access to information. The factsheet offers guidance on following good data protection practices at work and a practical action plan for organisations.

Data protection laws protect individuals from the misuse of information about them. Updated laws give individuals more control over their personal data as the digital age develops and evolves.

Employers should develop policies that take a compliant, but balanced, approach. They should also ensure that employees understand their own rights and obligations under data protection law.

Information is easily transferred nationally and internationally, making data protection a complex global issue. Any worldwide organisation can hold data on UK and other European citizens.

Data protection law is a highly technical area, so employers should seek appropriate legal advice if unsure of any aspect. Organisations that ignore their legal obligations risk reputational damage, potential prosecution in the courts and heavy penalties.

Data protection issues that may arise include:

  • Sharing health information - Employers may have to manage data about employees’ coronavirus vaccination status, their Covid status certificates on the NHS app or information about actual infection and what can be disclosed to colleagues, public health professionals or authorities. Employers have responsibilities to care for their workforce’s health and safety, and data rules do not prevent staff being informed about actual infections. There’s no need to name individuals or volunteer more information than necessary. If disclosure to the authorities is required, employers may be covered by existing public health provisions contained in the Data Protection Act 2018 (DPA). Other provisions allow processing of special category data, and data for health and safety purposes.

  • Homeworking - Whenever an organisation creates new ways of working (including home working and new systems on returning to the workplace) it puts data, including sensitive data, at greater risk. Employers should adapt data protection policies if needed, address security risks and data compliance, establish strict access rights, and encrypt or pseudonymise data. Data protection and cyber security expertise may provide guidance on how to protect and process data correctly.

Other issues may especially affect health and care sector employers who need to share data. Generally, exemptions in the DPA allow data sharing if it’s necessary and proportionate.

The Information Commissioner’s Office’s Data protection and coronavirus information hub explains its approach: while employers’ time and resources are diverted away from usual data compliance, the ICO will not unduly penalise organisations.

The main UK legislation governing data protection is the Data Protection Act 2018 (DPA) which replaced the 1998 version. The DPA reflects the General Data Protection Regulation (GDPR). This framework governs organisations that conduct business within the EU and hold data on EU citizens. Any major international corporation that wishes to offer goods or services to EU-based customers should have a compliant data protection strategy.

The Information Commissioner’s Office (ICO)

The ICO promotes and enforces data protection legislation and is independent from government. It provides tools and guidance to aid DPA compliance and takes action where needed. There's more about its role and guidance on the ICO website.

The General Data Protection Regulation (GDPR)

The GDPR gives people rights to access information held about them. In addition, there are obligations for better data management and a regime of fines.

The Data Protection Act 2018 (DPA)

The DPA and GDPR contain rights concerning the processing of personal data which is held in either a computerised format as part of a database or manual records forming part of a relevant filing system.

In essence, the law means that those who decide how and why personal data is processed (data controllers) must comply with certain principles. Those whose data is held or processed (data subjects) have rights, for example in relation to accessing that data. In an employment context, employers will generally be data controllers and employees, workers, ex-employees and applicants will be data subjects. Most HR and employment files and records are covered by the DPA.

Personal and sensitive data

Personal data relates to someone who can be identified, directly or indirectly, by an ‘identifier’ such as their name, or an identification number, or by location. It also includes online data which identifies an individual. For example, HR records, including sickness absence, performance appraisals and recruitment notes are personal data.

Sensitive personal data includes information about an individual’s race, ethnicity, politics, religion or beliefs, trade union status, health, sex life, sexual orientation or crimes. Genetic or biometric data (for example, fingerprint images for security or payment systems) are included. It's legitimate to process ‘sensitive personal data’ where necessary to carry out an obligation under an employment contract or collective agreement.

Criminal records are also sensitive data. Employers can carry out criminal record checks for roles that involve working with children or vulnerable adults but not on a routine basis.

Health information should only be held with explicit consent from the individual. Processing medical records may be permissible in certain circumstances, for example assessing working capacity or confirming diagnoses.

When handling personal data, organisations must have confidentiality safeguards. Employers must tell employees why the organisation is collecting the information, what will happen to it and who will see it.

Processing data

Processing data includes obtaining, holding, retrieving, consulting and using data by carrying out any operation on it. There are seven key principles which require, for example, that data must be limited, processed fairly, and collected for specified and legitimate purposes.

Individual rights

Data subjects have individual rights including the right to be informed about the processing of personal data and to be forgotten by having data deleted where there’s no compelling reason for it to be processed.

The full list of these rights is on the ICO website, accompanied by useful lists for checking compliance.


Substantial penalties may be imposed if an employer doesn’t follow the data protection principles and fails to remedy issues in an enforcement notice or to co-operate with an inspection. There are enforcement sanctions and monetary penalties for serious breaches. The fines are linked to turnover with maximums of just under £17.5m, or 4% of global annual turnover, whichever is the greater. Fines of this level are extremely rare and would reflect material contraventions that threaten life or have significant adverse impact on the UK economy.

CIPD members should see the more detailed information on enforcement of the DPA and the GDPR in our Data protection law Q&As.

All employers should read and follow the ICO guide on the DPA and the GDPR as it applies in the UK. It covers matters such as what personal data is, lawfulness of processing, fairness and transparency, as well as the right to be informed, rights of access, data rectification and erasure. The right to restrict processing and data portability is also covered.

While the guide is aimed at data protection officers and others with responsibility for data protection, primarily in small and medium-sized organisations, it may help larger organisations too.

There are some key themes that employers should be aware of.


Organisations must demonstrate that employees were:

  • informed of the purpose and use of their personal data, and
  • given a clear explanation of how it will be treated.

Employees must consent freely to specific use, purpose, or processing of data. Employees’ silence or lack of complaint about the processing, or consent incorporated as a standard employment contract term or in data protection policies does not meet the standard required.

Employers must record the grounds on which they will be processing each separate category of employee data.

Lawful processing

Organisations may process personal information lawfully for six reasons including complying with an employment contract or legal obligation, and protecting the legitimate interests of the employer or a third party.

Job references

Unless a relevant exemption applies, data subjects can request and be given a copy of their reference. The obligation depends on whether the request is made of the organisation providing the reference (usually the previous employer) or the organisation that obtained the reference (the prospective employer).

CIPD members should see the more detailed information in our References law Q&As.

Email and internet

Organisations need a comprehensive internet, social media and communications policy governing permitted data use including email and internet issues.

Providing staff with smart phones, laptops, tablets or USB devices has data protection implications, as can working from home including use of employees’ own devices. ICO guidance suggests employers underestimate the risks associated with use of personal devices for work. Information may be at risk if there are inadequate security measures. An effective policy must cover permissible work use of all devices.

Monitoring should not be intrusive, for example using traffic data (about the routing, duration or timing of messages) rather than accessing email content. Both the DPA and Telecommunications Regulations (see below) must be complied with.


Employers must demonstrate data protection compliance by training, auditing and documenting processing activities, and reviewing HR policies. They should also:

  • Appoint a data protection officer (DPO) where appropriate – see below.
  • Only collect personal data that is adequate, relevant and necessary.
  • Remove names from data (anonymisation) or use encryption to pseudonymise it (pseudonymisation conceals identities but allows them to be recovered).
  • Be open with employees about data processing and allow them to monitor it.
  • Identify and limit any detrimental effects on individual privacy.

Data protection officers (DPOs)

Any organisation can appoint a DPO, but organisations must appoint one if they:

  • Are a public authority.
  • Carry out large scale systematic monitoring of individuals.
  • Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

DPOs report to the highest management level (usually the board). They must be given adequate resources, have a degree of independence, and protection from dismissal or detrimental treatment in connection with performing their duties.

Subject access requests (SARs)

SARs are written requests from individuals for information covered by the DPA. Organisations must respond for free and without ‘undue delay’, which means within a month. The number of SARs that can be made is unrestricted although some unspecific SARs or those made for non-data protection purposes can be refused.

SARs may be used to obtain preliminary information before an employment tribunal claim, although normal tribunal disclosure requirements entitle employees to more information than SARs. Organisations must comply if SARs arise during disciplinary processes.

Employers should:

  • Identify who is responsible for responding to SARs and provide sufficient training.
  • Make managers and HR aware of the DPA rules governing requests.
  • Deal with SARs efficiently.

When organisations receive SARs, they should:

  • Check the scope of each request.
  • Identify onerous requests or those made for non-data protection purposes.
  • Set clear deadlines for responding.
  • Follow a response procedure.

The ICO has a useful checklist. Breaching the SAR rules attracts fines.

Sharing and transferring personal data

Third parties, such as payroll providers, external HR and recruitment agencies, process employee data. The employer must ensure the third party is data protection compliant and:

  • Clarify the information needed and why, and what the receiving organisation will do with it.
  • Only share essential data.
  • Anonymise or pseudonymise the data.
  • Check contract terms with third parties are GDPR compliant.
  • Check the relevant requirements for overseas transfers of data.

It may be possible to avoid sending personal data, or there may be a legitimate processing reason which avoids the need for employee consent.

Data security

Data security must be appropriate to the processing risks. The organisation’s size, the nature of information processed, and the potential harm from security breaches are all relevant.

In addition to clear policies covering security incidents, organisations should:

  • Carry out risk assessments of data systems and act on the results.
  • Maintain up-to-date security systems (for example, using firewalls and encryption technology).
  • Restrict access to personal data to those who need it.
  • Train staff on data security.
  • Review data security regularly.

Record keeping and correction

Organisations with over 250 employees must keep clear, accessible records of all their data processing activities. Smaller organisations only need to record any data processing they do regularly, or any processing of personal data which is sensitive, or could be harmful to, or intrude on the personal life of, the individual. The ICO can inspect records at any time. Data should only be kept for as long as needed to fulfil the purpose.

Organisations should:

  • Think about the purpose of data retention.
  • Consider any legal requirement to keep the data for a period of time (tax records, for example).
  • Decide whether the data is needed to defend a potential claim (such as information about a job applicant who now alleges discrimination).
  • Be able to justify retaining the data.
  • Respond to correction requests within the timeframe.

Find out more on UK statutory and recommended time periods for keeping HR records.

Organisations should:

  • Appoint a data protection officer to cover all aspects of information including DPA and Freedom of Information Act compliance.
  • Audit information systems to find out who holds what data, and why.
  • Consider how data is used, and issue guidelines for managers about how to manage data.
  • Ensure that all information collected complies with the DPA and GDPR.
  • Check the security of information stored.
  • Check the transfer of data internationally.
  • Check the organisation’s use of automated decision making.
  • Review policies and practice, for example on references and the private use of telephones, email and post.
  • Monitor data compliance on an ongoing basis.

The Freedom of Information Act 2000

This law affects public sector employers: it provides public access to information held by public authorities and requires them to publish certain information about their activities.

The Telecommunications (Lawful Business Practice) Regulations 2000

These rules cover all telecommunications (telephone, email, fax, etc.). Employers may intercept these with the parties’ consent. If employers can’t demonstrate consent, they’ll need to show they took reasonable steps to inform every user that there may be interception.

Employers can also intercept telecommunications without consent, for example:

  • To find out if a communication is for business or private purpose.
  • For quality control or training.
  • To comply with regulatory or self-regulatory procedures.
  • For system maintenance.
  • To detect unauthorised use.
  • To prevent or detect crime.
  • For national security purposes.

The Investigatory Powers Act 2016

This law is primarily directed at the communications industry, not the employer/employee relationship. However, it affects many types of business, for example online marketplaces or website providers providing a telecommunications service. It imposes powers to enable the police, government and other authorities to gather and retain data about people.

Privacy and Electronic Communications Regulations 2003 (amended 2004-2018)

These rules regulate direct marketing activities by telephone, email or other electronic methods. They ban companies from sending unsolicited electronic communications to consumers for direct marketing, unless the individual has given their consent or the sender can demonstrate an existing commercial relationship with the recipient. They also regulate security of communications, use of cookies and 'spyware'. They govern emergency alert texts and require those making marketing calls to display their number. They complement the DPA regarding personal data safeguards.


Information Commissioner’s Office Tel: 01625 545745 (information line)

Information Commissioner’s Office – for organisations

GOV.UK - data protection

GOV.UK - personal data an employer can keep about an employee

CIPD members can use our online journals to find articles from over 300 journal titles relevant to HR.

Members and People Management subscribers can see articles on the People Management website.

This factsheet was last updated by Lisa Ayling and Rachel Suff.

Lisa Ayling: solicitor and employment law specialist

Lisa is a lawyer with many years’ experience of contentious and non‐contentious employment law. During her career she has advised companies and individuals on diverse legal issues including contractual disputes, restrictive covenants, TUPE, redundancy, unfair dismissal and discrimination. Her practical experience includes all stages of claims in the employment tribunal, High Court and Appeal courts and many negotiated settlement agreements.

As well as writing and editing employment law content for the CIPD, Lisa lectures extensively on employment law, including years as a senior lecturer and leader of the employment team at BPP University and on the LLM programme at Kingston University. She has delivered numerous professional development courses for other members of the law profession, as well as assessing trainees on their advocacy, research and drafting skills.

Rachel Suff: Senior Employee Relations Adviser, CIPD

Rachel informs CIPD policy thinking on health and wellbeing as well as employment relations. She has over 20 years’ experience in the employment and HR arena.