Data protection and GDPR in the workplace
Introduces the legal position on data protection in the UK, the obligations of employers, and individual rights surrounding access to information
Commonly asked questions on the legal issues relating to data protection, surveillance and privacy in the workplace
The main legislation governing data protection is the Data Protection Act 1998 (DPA) and the Investigatory Powers Act 2016 (IPA), and a full list of applicable legislation is given at the end of these Q&As.
The current DPA implements the EU Data Protection Directive, and both aim to give individuals rights in connection with the processing of manual and computerised personal data about them.
Data protection law must adapt frequently, because technology, and organisations’ ability to process data, continues to develop at high speed. In 2015 the EU, including the UK, reached agreement on the General Data Protection Regulation (GDPR).
The UK is exempt from parts of the GDPR, but new rules will be adopted in a new Data Protection Bill which has been published. Subject to any further changes this will replace the DPA from 25 May 2018. The government has confirmed that the departure from the EU will not affect implementing the GDPR.
Many of the core principles are similar to the current rules, but there are some significant changes which will affect how all employers deal with personal data. Processors of personal data will need to be more accountable, individuals will have stronger rights, and there are significantly tougher sanctions and criminal penalties for breaches of the rules relating to the processing of personal data.
The Information Commissioner’s Office (ICO) Guide to the General Data Protection Regulation (GDPR) will help employers keep abreast of the changes. As well as detailed guidance, there is a helpline for small businesses and a ‘12 steps to take now’ (PDF) checklist.
Data protection means that data controllers (those who decide how and why personal data are processed) must comply with the eight data protection principles:
It is against the law if a data controller, for example an employer, does not keep to these principles.
Data subjects (those about whom data are processed) are also provided with rights allowing them to access certain information, and in some cases they also have control over the way it is processed.
The Information Commissioner’s Office urges organisations not to hide behind the DPA unnecessarily and to take a common sense approach to all data protection matters. It is also worth emphasising that the principles have given rise to many common misunderstandings (for example, the DPA does not stop parents from taking photos in schools for the family album, although the DPA may apply to photos taken for official use by schools if the images are stored with personal details, like names).
Reporting directly to the UK Parliament, the Information Commissioner’s Office (ICO) is an independent supervisory authority which ensures that organisations which process data comply with the DPA, Freedom of Information Act 2000 (the FOI), the Privacy and Electronic Communications Regulations 2003 and the Environmental Information Regulations 2004. Among other responsibilities, the ICO:
Significant changes will come into force as a result of the General Data Protection Regulation (GDPR). This major overhaul of data protection law will apply to all EU member states from 25 May 2018. The UK government has confirmed that it will implement the GDPR, and all businesses must become compliant by that date.
The new Data Protection Bill (which will become the Data Protection Act 2018) applies before and after the UK’s departure from the EU. It incorporates both the GDPR’s provisions, and replicates and updates the Data Protection Act 1998 (DPA). Many of the GDPR’s core principles are similar to the current DPA, but there are some differences.
Several key areas will have an impact on employers.
Public authorities, and organisations where data processing is a core activity of the business or done on a large scale, will need to appoint a data protection officer with expert knowledge of data protection. This can be an employee or an outside consultant.
Several organisations can share the same DPO, provided there is no conflict of interests.
Organisations have previously been able to rely on implied consent to data processing. The GDPR requires a higher standard of consent. Individuals must clearly and positively establish specific agreement to their personal data being processed, such as by a written statement. Employers relying on consent to process personal data should review their procedures to ensure that any consent obtained clearly indicates agreement (the example used in the GDPR is that ticking a blank box is sufficient, but failing to un-tick a pre-ticked box is not valid consent). Individuals can withdraw their consent at any time.
Individuals can ask organisations to delete their personal data if that data is no longer needed for the reason it was collected, or if they decide to withdraw their consent.
Individuals are entitled to a copy of their personal data in a commonly used, machine-readable format and have the right to transfer that data to another organisation.
Organisations must notify the ICO (Information Commissioner's Office) of all data breaches without undue delay and, where possible, within 72 hours.
Employees often use SARs under the current Data Protection Act to request information in support of an employment tribunal claim. The key changes to SARs under the GDPR include removing the ability to charge fees, unless the request is excessive. The time limits for responding to requests have also been shortened from 40 days to one month. (For further information on these changes, see Q 'What is the procedure for a subject access request?')
The penalties for non-compliance with data protection rules are increasing. Under the current Data Protection Act 1998, the maximum penalty is £500,000 (see Q 'What penalties do employers face for breaching the DPA?'). Once the new Act is in force, the maximum penalty will be €20 million or 4% of global annual turnover. Administrative breaches of the Act will attract a lower fine.
Keeping an eye on the ICO’s Guide to the General Data Protection Regulation will help organisations stay abreast of changes as they happen as they prepare for compliance with the GDPR. Following its 12-step guide is advisable.
The Information Commissioner’s Office is the most comprehensive source of current good practice guidance.
Some of the codes of practice and guidance are designed specifically to deal with employment issues, but others are designed to help individuals, businesses, employers or public sector bodies.
The main codes of practice are statutory codes. This means that they have been approved by Parliament and although some of the provisions are not strictly legally enforceable, any breach or disregarding of the principles supplied may be relied on by the ICO in any enforcement action.
An example of a key statutory code is the Employment practices code, dealing with important matters such as recruitment and selection, employment records, monitoring at work and information about workers’ health.
There is also important guidance for SMEs, including information on keeping IT systems safe and secure, cloud data processing risks, how to comply with the DPA, and a self-assessment tool to help assess compliance with the DPA.
Many employers will have their own communications and data protection policy, which takes into account the guidance and explains how employees’ personal data is processed.
The distinction between data controllers and data processors is important because the extent of an organisation’s obligations in dealing with data depends on it. Note that the same organisation can be both a data controller and data processor.
A data controller is any person who determines why personal data is, or has been, processed and the way in which it is dealt with. Control of the data is the key factor and many employers will be data controllers.
All data controllers must provide a notification to the Information Commissioner’s Office and be included on the register of data controllers. There is a two-tier notification fee structure, depending on the data controller’s turnover and number of staff.
Data controllers must also comply with other legal requirements. They must, for example, follow the data protection principles, such as processing data fairly and lawfully, and use it for legitimate purposes only.
A data processor is anyone who processes personal data on behalf of a data controller. For example, if data is stored on a third party’s server, or processed by an external payroll service, then that organisation is a data processor.
Data processors are currently subject to fewer legal obligations than data controllers but all data processors will face additional obligations under the new Data Protection Bill (in force from May 2018). To avoid heavy fines, processors must familiarise themselves with the new rules. They will, for example, have to:
No, the Employment practices code refers to ‘workers.’ This means that employers must be careful with data relating to current employees and many others, for example, previous employees, job applicants, agency workers, contractors, volunteers and those on work placements.
The DPA must be complied with when an employer provides information about the transfer of a business under the Transfer of Undertakings (Protection of Employment) Regulations (TUPE). TUPE requires that certain information is provided to the new employer before the transfer takes place, including details of pay, hours, holiday entitlement and any details of disciplinary/grievance action. Both parties must consider their data protection obligations early in the transfer process and exchange only accurate, current and secure information required by the new employer.
The DPA can apply to many sorts of data, including computerised and manual records, photographs, CCTV footage, mainframes, laptops, tablets, organisers, palm pilots, audio and video systems, telephone logging/surveillance systems, microfiche and microfilm. Whether the DPA applies depends both on what the information is and how it is processed. Employers should look at each subject access request individually.
Personal data generally means data from which a living individual is identified, or is identifiable.
Anonymous data is where it is impossible to establish the identity of individuals whose details are in a database. It is not subject to the DPA.
Pseudonymous data is data from which the directly identifying details have been removed and held separately (for example, names replaced with unique number codes), so that the records are not attributed to a named individual. Because a second set of details exists elsewhere, the identities of individuals can still be established by cross-referencing. This remains personal data under the DPA because it is capable of identifying an individual, but if used properly it may help meet obligations to ensure the security of data.
The definition of data falling within the DPA is complex. It includes information which:
The individual must be identified from the data (or from the data and other information which is in the possession of the data controller). Personal data will include that which is obviously about an individual or clearly linked to them.
The data must also be:
There has been considerable confusion and litigation over what types of information and filing systems fall within the definition of data. Whether the DPA applies to manual filing systems can be particularly difficult to understand, although the Court of Appeal (CA) gave guidance in a leading data protection case, Durant v Financial Services Authority (2003). See also ‘Are manual personnel and other manual files likely to be covered by the DPA?’
Every document merely mentioning an individual’s name does not have to be disclosed. Personal data will include that which is obviously about an individual or clearly linked to them, in other cases it may be necessary to consider if the data:
For example, data will be included even if it merely records an individual’s whereabouts at a particular time or involvement in an event. An attendee in the minutes of a meeting does have biographical significance because the minutes record the individual’s whereabouts at a specific time. The need to disclose may be restricted to the list of attendees, depending on the meeting.
Personal data includes information related to an individual’s:
More general information, for example about a house or a car, could also be personal data because that information is directly linked to an individual, as are marketing lists containing a name together with contact details such as street and email addresses and telephone numbers.
For more information, see the Data protection in the workplace factsheet.
Much of the information held in personnel files is likely to be covered by the DPA. The DPA applies to personal data which is both suitably biographical and contained in a sufficiently accessible filing system.
As the DPA applies to both information held on computer and manual information, the key question is if manual data is organised into a ‘relevant filing system’.
The leading case of Durant v Financial Services Authority (2003) gave guidance on what falls within the DPA, and though it did not expressly deal with personnel records it implied that they are covered depending on the filing system used. It would be unwise for employers to disregard the DPA without specific legal advice.
After the guidance issued by courts and the Information Commissioner, manual personnel files (and other manual files) which:
are likely to be held in a ‘relevant filing system’ for the purposes of the DPA.
A relevant filing system does not cover a manual filing system which requires a person to search through files to find information qualifying as personal data.
The system must also indicate at the outset whether specific information capable of being personal data is held within the system and, if so, in which file or files it is held.
The DPA is often misunderstood and ex-employees may attempt to use the DPA to obtain information which they are not entitled to if the law is applied strictly. Employers may voluntarily disclose information held in a manual form if the confidentiality of other employees is not compromised.
DPA protection is for the privacy of personal data only, not documents as such. Only manual filing systems that are broadly equivalent to computerised systems fall within the DPA.
A subject access request (SAR) is a request for personal information an employer (or any other organisation) holds about an individual. The request must be in writing. The information requested can include an HR file, depending on the nature of the information and the way it’s held.
The individual is entitled to be told:
They are also entitled to be given:
Employers must not make any alterations to data so as to make it more acceptable to the data subject. If the employer has any adverse comments in relation to performance, for example, the employee has a right to see them.
Under the new Data Protection Bill, in force from May 2018, the procedure for making a SAR is changing. (For further details, see Q ‘How should employers respond to subject access requests (SARs)?’)
Before a prospective employer asks a person about their criminal convictions or police record, it must ensure that it is entitled to ask that person to reveal their conviction history. This is a very complex issue.
Disclosure and Barring Service (DBS) checks (criminal background checks, still sometimes referred to as CRB checks) may be needed for certain jobs or voluntary work, for example working with children and vulnerable adults or in healthcare.
The DPA makes it a criminal offence to force others to make subject access requests about themselves and then reveal the results to a third party. This is a practice known as ‘enforced subject access requests’. Employers must not avoid the complexities of the DBS checking process by demanding that prospective employees use their rights under the DPA to see information held about them.
Provisions of the DPA make it a criminal offence to force individuals, such as employees, to make subject access requests and then reveal the results. This is a practice known as ‘enforced subject access’ and is punishable by a fine.
For example the DPA prevents:
This does not stop employers getting access to criminal records completely, as in some jobs these checks can be undertaken.
Sensitive personal data is personal data relating to the data subject’s:
The DPA gives additional protection to sensitive personal data over and above that given to other personal data.
To lawfully process sensitive personal data, at least one of the conditions contained in Schedule 3 of the DPA must be met. The main ones are that the:
Data relating to the medical condition of an employee amounts to sensitive personal data for the purposes of the DPA, so care needs to be taken with using and storing the data.
The Employment practices data protection code (Part 4: information about workers’ health) addresses the collation and use of information about a worker’s physical or mental health. It does not impose legal obligations.
The code covers sickness and injury records, occupational health schemes, information from medical examination and testing, drug and alcohol testing and genetic testing. As this information is sensitive, employers should collect health information only where it is necessary for health and safety reasons, or to prevent discrimination, or to satisfy other legal obligations, or if each worker has freely given explicit consent.
The Information Commissioner recommends that absence and sickness records be kept separately.
For more detailed information on statutory and recommended retention periods, see our factsheet on Retention of HR records.
The fifth data protection principle provides that ‘personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’ Neither the DPA nor the Employment practices code (Part 2: employment records) sets a specific time period that is appropriate for the retention of workers’ records. It is therefore the responsibility of the employer to decide on retention periods. Most employers will set up a personnel records system and many have an express policy dealing with data retention.
All organisations need to keep certain records on current employees, for instance records of hours worked or rates of pay, to check compliance with the Working Time Regulations or the Minimum Wage Act.
The termination of an employment relationship does not mean that all records should be deleted:
If information is needed for possible litigation, the overall time limit for bringing any civil legal action is six years (five years in Scotland).
With some matters, for example disciplinary issues and warnings, employers cannot use all records for all purposes six years later. For example, many employers will have a discipline and grievance policy which states that oral warnings expire after six months and written warnings after no longer than 12 months (as recommended by Acas). Employers may be able to rely on expired warnings only if their disciplinary procedure states that the underlying conduct leading to an expired warning may still be taken into account by the employer.
An employee can complain to the ICO and ask for an assessment as to whether processing of personal data is being carried out in accordance with DPA principles.
Information notices
The Commissioner can serve an information notice requiring certain details from the employer, and can obtain a warrant to enter and inspect premises where there are reasonable grounds for suspecting that the data protection principles have been, or are being, contravened.
Enforcement notices
If a breach of the data protection principles has occurred, the Commissioner may serve an enforcement notice on the employer. This requires the employer to take specified remedial steps, for example to stop processing the data altogether, to correct inaccurate data, or to erase certain items of data. Employers can appeal against an enforcement notice within 28 days of the date on which it was served, unless exceptional circumstances apply.
Monetary penalties
Where there is a serious contravention of the data protection principles, the Information Commissioner can serve a monetary penalty notice requiring a sum to be paid before a set deadline. The Commissioner must be satisfied that the contravention was deliberate, or that the data controller knew (or should have known) of the risk, and that substantial damage or distress would be caused. The Commissioner allows written representations before the actual penalty notice is served.
The maximum monetary penalty under the DPA is £500,000 for serious breaches. For example, a monetary penalty of £100,000 was issued in 2017 to Onecom Ltd for sending spam texts about mobile phone upgrades without obtaining the proper consents for marketing using text messages.
Compensation
The individual affected may also seek compensation under the DPA. For example, if a conditional offer of employment is withdrawn as a result of an inaccurate reference, compensation may be claimed in addition to other claims (such as discrimination). Other applications may be made to rectify, remove or destroy personal data.
Criminal offences
Breaches of the DPA concerning the disclosure of certain personal information may also be a criminal offence, with a maximum penalty of two years’ or 12 months’ imprisonment, depending on the type of conviction.
Since March 2014 the Ministry of Justice and the EU have been reviewing the sanctions available for breaches of the DPA so a decision can be made on whether some penalties should be increased (see Are there any future developments expected in the area of data protection, surveillance and privacy at work?).
This question is extremely complex and legal advice should be taken. Monitoring by video recording and/or tapping a public telephone system is illegal unless expressly permitted by the law.
The basic position is that an employer can monitor employees’ communications only if there is a legitimate business reason and the employer does not go any further than necessary. Employers who undertake monitoring are likely to be processing personal data, which will trigger obligations under the DPA and may be breaching an employee’s human rights too.
The law does not allow employees’ communications via company systems to be monitored or intercepted solely in order to check whether employees are breaching company policies on the use of email in the workplace.
The Home Office has published guidance under the thrilling title A code of practice for covert surveillance, while the ICO has gone with the less glamorous sounding Employment practices code (Part 3: monitoring at work).
All employers must have their own detailed communications, internet, social media and data protection policy in place which should be clearly communicated to employees, for example, on the company intranet, in employee handbooks and during staff inductions.
If policies are used effectively employers may:
If you decide that monitoring personal communications on business accounts is the only option available, then employees’ expectation of privacy must be managed carefully.
Employees must know the extent to which they can send personal communications on company systems, whether outside or during work time, and know how often their communications will be monitored and why this is necessary.
The policy should be linked to disciplinary and dismissal proceedings making it clear that failure to comply with the policy could result in disciplinary proceedings, up to and including dismissal.
Workers have a legitimate expectation of keeping their personal lives private at work, and are entitled to a degree of privacy in the workplace. The Employment practices code (Part 3: monitoring at work) contains detailed guidance on monitoring of communications. Any monitoring should be justified by the benefits it delivers, and the code recommends employers undertaking impact assessments beforehand.
If an employer intends to monitor its workers, it should:
Under separate legislation, employers may be able to monitor without the employee’s specific consent first being obtained for:
Employers should still take reasonable steps to inform employees that their communications might be intercepted and should always consider whether there are less intrusive ways of monitoring correspondence. For example, automated monitoring that blocks emails containing obscene language may be preferable to monitoring by a line manager who can see every email sent by their direct reports.
The TUC has referred to the UK’s Facebook users as “3.5 million HR accidents waiting to happen.” Employers must have an internet and communications policy which specifies internet use that is, and is not, acceptable.
Many employers have adopted a complete ban on social networking sites at work because of time wasting concerns. However, employers who trust their staff may wish to allow responsible personal use of the internet during break times, as long as this does not interfere with work or damage the employer’s reputation.
Employers have a number of options:
If restrictions are placed on social media use this must be clearly covered in the internet and communications policy. Both the policy and contracts of employment should specify what social media use is gross misconduct and sufficiently serious to justify summary dismissal. Disciplinary policies must co-ordinate with the social media policies.
Employees must be warned in advance of the monitoring which will take place and why.
Acas has published guidance on social networking and social media.
Many cases have arisen concerning the use of social networking sites by employees, including:
If email systems and the internet are misused claims for the following could arise:
Race discrimination
Walker v Charles Russell (2002) demonstrated the dangers of email comments and the liability they can attract. A black woman, who was a secretary in a law firm, resigned from her role and a solicitor colleague sent an email asking that her replacement be a ‘fit busty blonde’. The secretary read the email and sued the firm for race discrimination; the case was settled out of court for an undisclosed amount.
Human rights
In Halford v UK (1997) the European Court of Human Rights decided that monitoring personal telephone calls made by an employee from work was a breach of the employee’s human rights. A significant factor was that the monitored phone was provided specifically for personal use, giving the employee a ‘reasonable expectation of privacy.’ This case demonstrates the need for all employers to have a detailed communications, internet and data protection policy and/or to inform employees of possible monitoring or interception of communications.
Breach of contract
A senior manager at a football club used his work email account to send pornographic images to several people, including a junior female colleague. About five years later, the club found out about the emails and summarily dismissed him for gross misconduct.
The manager claimed damages for wrongful termination of contract. A week before his dismissal, he had been given notice of redundancy. Had he not been summarily dismissed, his contract would have allowed him a 12-month notice period during which he would have received his salary and some other benefits. Although the judge found that the club had deliberately searched for reasons to dismiss the manager without notice, presumably to avoid the financial cost of what he would otherwise have been entitled to under the termination terms of his contract, the fact that it found what it was looking for did not make the manager’s dismissal unlawful (Williams v Leeds United FC (2015)).
Unfair dismissal
In Crisp v Apple Retail (UK) Ltd (2011), an Apple employee posted derogatory remarks about his employer and its products on Facebook. Apple had a clear social media policy prohibiting employees from doing anything to damage its image, reinforced by specific training relating to social networking sites. The conduct was a breach of the policies in place, and the dismissal was fair.
Likewise, a pub manager who swore and made derogatory comments about a customer on Facebook was dismissed. The social media policy explicitly stated that employees were prohibited from making comments in blogs, including Facebook, which may lower the reputation of the company or its customers. The dismissal was a reasonable response and deemed fair (Preece v J D Wetherspoons plc (2011)).
Supplying staff with their own smartphones, laptops, tablets or even USB devices can raise important data protection issues, as can allowing staff to use their own devices. An Information Commissioner’s Office (ICO) survey revealed that many employers appear to have an overly relaxed attitude to allowing staff to use personal laptops, tablets or smartphones for email and other work business, which may be placing personal information at risk.
The physical security of equipment is important as there are risks of data breaches and cyber theft. Many data breaches arise from the theft or loss of a device.
An effective internet, social media and communications policy must cover the permissible use of employees’ own devices for working purposes, and the permissible use and return of employer-owned devices. Staff should be trained so that they are fully aware of their data protection responsibilities on any devices supplied to them.
The ICO has published Bring your own device (BYOD), explaining some of the risks under the DPA and other risks organisations must consider when allowing personal devices to be used to process work-related personal information.
Particular risks employers should consider include public cloud-based sharing services and the types of personal data that can be processed on personal devices. Some mobile devices have a remote disable or wipe facility, which means a signal can be sent to a lost or stolen device to securely delete all data.
The Employment practices code published by the ICO offers clear guidance on the obligations of employers and employees on the separation of personal and corporate data to ensure compliance with the DPA. The ICO has also published a guide for small businesses on IT security.
The overriding guidance to deal with such cases is that employers should have in place clear and detailed policies. These will be scrutinised by courts and tribunals, and will often be one of the determining factors in employment proceedings.
In Barbulescu v Romania [2016] ECHR the employer asked an employee to set up a Yahoo Messenger account to communicate with customers. The employee used the account for personal messages, in breach of an internal policy prohibiting the use of company computers for personal use.
The employee claimed human rights breaches because the employer had read his personal emails and used them as a reason to dismiss him. The employer won as the court said that the human right to respect for private and family life had not been infringed. It was reasonable for the company to check if employees were completing their professional tasks during working hours. The employer only used transcripts of the employee’s communications where necessary to prove breach of company policy. The employer initially had viewed the employee’s account looking for client-related communications.
Employers do not have blanket permission to ‘snoop’ on employees’ personal accounts and must justify an intrusion into an employee’s personal life. In this case, although this was a Yahoo account, it was set up for work purposes and was not a personal account. The employer had a clear policy prohibiting personal use of all of its resources.
Data protection law is frequently in need of change, primarily because it needs to adapt as new technologies become available, and also because trust in data flows is fundamental to engagement in the digital economy.
Significant UK and EU changes are proposed which will affect how employers (and other institutions) deal with personal data. A major overhaul of EU data protection law has been in progress for some time, with an important new Regulation – the GDPR – due to come into force on 25 May 2018. As this will be in force before the UK leaves the EU and is likely to be in force after Brexit, businesses must take steps to ensure they comply with it.
The new Data Protection Bill (which will become the Data Protection Act 2018) applies before and after the UK’s departure from the EU. It incorporates both the GDPR’s provisions, and replicates and updates the Data Protection Act 1998 (DPA). Many of the GDPR’s core principles are similar to the current DPA, but there are some differences (see Q What are the key changes under the GDPR?).
In May 2017 the ICO published a five-year plan, setting out its mission to increase the confidence in data use in government, public bodies and the private sector.
The plan commits the ICO to leading implementation of the GDPR and other data protection reforms.
A new Data Protection Regulatory Action Policy will be prepared as part of the ICO’s preparations for the GDPR and will be laid before Parliament in 2018.
A review of public sector information by YouGov founder Stephan Shakespeare called for a national data strategy, which was followed by the Information Economy Strategy and the Open Government Partnership National Action Plan. The UK has developed three action plans, most recently 2016-18.
In July 2015 the government announced a cross-party Commission on Freedom of Information to look into the Act. The commission was dissolved in March 2016, but its reports are still available.
For information on what Brexit may mean for employment law, read the blog by our Public Policy Advisor (Employer Relations) and visit our resource hub.