Introduces the legal position on data protection in the UK, the obligations of employers, and individual rights surrounding access to information
Data protection is about safeguarding important information and making sure it is used properly and legally. In the UK, the Data Protection Act 2018 implements the General Data Protection Regulation (GDPR) which came into force in May 2018. It replaces the previous Data Protection Act 1998. All employers need to be aware of their duties under the law as the penalties for breaching the rules can be severe. Here we provide resources on the law governing data protection and GDPR, surveillance and privacy at work.
Data protection principles
Data protection law requires data controllers (those who decide how and why personal data is processed) to comply with the seven data protection principles:
- Lawfulness, fairness and transparency – in the way data is processed
- Purpose limitation – data must only be processed for specific, limited purposes
- Data minimisation – personal data processing must be relevant and not excessive in relation to the purposes for which it is processed
- Accuracy – every reasonable step must be taken to ensure that personal data is accurate and kept up to date
- Storage limitation – data must not be kept for longer than is necessary
- Integrity and confidentiality – data must be handled in a secure way that ensures processing in line with the law, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
- Accountability – this additional principle specifically requires data controllers to take responsibility for complying with the principles, and to have appropriate processes and records to demonstrate compliance.
Some of these represent changes from previous principles. Under the GDPR there is no ‘principle’ for individuals’ rights (these are dealt with separately in Chapter 3 of the GDPR).
Although not strictly speaking a principle, data must not be transferred internationally outside the EU without adequate protection. This is now dealt with separately in Chapter 5 of the GDPR.
It is against the law for a data controller, for example, an employer, not to keep to these principles.
Data subjects (those about whom data is processed) are also provided with rights allowing them to access certain information, and in some cases they also have control over the way it is processed.
DPA 2018 and GDPR
A major overhaul of data protection law was undertaken as a result of the DPA 2018 and the GDPR. The DPA 2018 incorporates both the GDPR, and replicates and updates the previous data protection legislation, the Data Protection Act 1998. Many of the DPA principles are similar to the previous Act, but there are some differences.
The new legislation introduces new rights for people to access the information businesses hold about them, obligations for better data management for businesses, and a new regime of fines and enforcement actions. It is intended to increase individuals’ ability to remove consent for their personal data being used. Companies will need to obtain explicit consent when they process sensitive personal data.
Other changes include:
- making subject access requests (SARs) easier so that people can obtain data held on them more freely
- a new ‘right to be forgotten’ so that people can ask for their data to be deleted more easily
- clarification of the definition of personal data to include IP addresses, biometric data and cookies
- giving data individuals wider rights to claim compensation, not just for breaches that cause financial loss or distress but where other adverse effects are suffered too.
Criminal sanctions have also been increased to include:
- intentionally or recklessly revealing individuals’ details from data that was previously made anonymous
- altering records to prevent disclosure of data following a subject access request
- unlawfully obtaining or disclosing personal data without the data controller’s consent.
More detail on some of these changes is summarised below.
Data protection officers
Public authorities, and organisations where data processing is a core activity or done on a large scale, need a data protection officer with expert knowledge of data protection. This can be an employee or an outside consultant.
Several organisations can share the same DPO, provided there is no conflict of interests.
Changes to consent
The DPA 2018 requires a higher standard of consent than the implied consent to data processing that was previously accepted. Individuals must clearly and positively establish specific agreement to their personal data being processed, such as by a written statement. Employers relying on consent to process personal data should review their procedures to ensure that any consent obtained clearly indicates agreement (the example used in the GDPR is that ticking a blank box is sufficient but failing to un-tick a pre-ticked box is not valid consent). Individuals can withdraw their consent at any time.
The right to be forgotten
The right only applies in certain circumstances. For example, individuals have the right to have their personal data erased if:
- the data is no longer necessary for the purpose for which it was originally collected or processed
- the lawful basis for holding the data is based on consent and the individual withdraws their consent.
It is unlikely employers would make personal data public in an online environment such as a website but, if they do, reasonable steps should be taken to get that personal data erased. If personal data has been disclosed to others, or made public in an online environment, employers should tell those other organisations about the need for erasure.
Employers cannot charge a fee to comply with a request for erasure, other than administrative costs if the request is manifestly unfounded or excessive.
Exemptions to the right to be forgotten
The right to erasure does not apply if processing is necessary to:
- exercise the right to freedom of expression
- comply with a legal obligation
- carry out a task in the public interest or in the exercise of official authority
- assist archiving in the public interest, or for scientific or historical research or statistical purposes, if erasure would seriously impair the achievement of that processing
- for the establishment, exercise or defence of legal claims.
The right to erasure may not apply to special data where the processing is necessary for public health purposes in the public interest (for example, cross-border threats to health, or to ensure high standards and safety of health care products and medicines).
The right may also not apply if data is being processed by a professional who has an obligation of professional secrecy such as a doctor. This would cover processing needed for occupational health, such as assessing the working capacity of an employee; or for medical diagnosis; or for the provision of, or management of, health or social care services.
If there is an exemption, employers can refuse to comply with a request for erasure, but not all of the exemptions apply in the same way. Employers should consider each exemption carefully to see how it applies to a particular request.
Refusing to delete data
Employers can refuse to comply with a request to delete data if the request is:
- manifestly unfounded; or
- excessive.
For example, a request may be manifestly unfounded if the individual is making a request but will drop it in return for a payment, or the request is being used in the context of a grudge to harass and cause disruption. Cases where individuals bombard employers with different requests as part of a weekly campaign would also be unfounded.
If an employer has grounds to refuse a request for erasure it must inform the individual within one month after the request. The employer should confirm the reasons for refusing to delete the data and the fact that the individual may complain to the ICO or take legal steps.
A request does not have to be made in any specific format, and it is good practice to record details of the requests received.
Individuals are entitled to a copy of their personal data in a commonly used, machine-readable format and have the right to transfer that data to another organisation.
The right to data portability only applies to data the individual provided themselves and data that concerns them and is most likely to be relevant at the end of the employment relationship. Most of the basic data will be things like an employee’s address, bank account number and so on, which the employee could transfer anyway.
Problems may arise with things like personality tests that an employee participated in being transferred to another potential employer. However, this seems not to be classed in the current rules as personal data that the employee provided or produced. Given this limitation, the right to data portability seems to have few HR implications.
The right to data portability must not prejudice the rights and freedoms of others. Most other data, such as client contact details in Outlook, would affect the rights of third parties or the employer and so does not fall within the portability provisions.
Organisations must notify the ICO of all data breaches without undue delay and, where possible, within 72 hours.
Subject access requests (SARs)
Employees often use SARs to request information in support of an employment tribunal claim. Organisations can no longer charge a fee for responding to SARs, unless the request is excessive. The time limit for responding to a request is one month (for further information, see the section ‘Subject access requests (SARs)’ below).
The penalties for non-compliance with data protection rules have increased under the DPA 2018 to €20 million or 4% of global annual turnover. Administrative breaches of the Act attract a lower fine.
Information Commissioner’s Office
Reporting directly to the UK Parliament, the Information Commissioner’s Office (ICO) is an independent supervisory authority which ensures that organisations which process data comply with the DPA. The ICO also provides guidance on the Freedom of Information Act 2000 (FOI), the Privacy and Electronic Communications Regulations 2003 and the Environmental Information Regulations 2004.
Among other responsibilities, the ICO:
- publishes extensive guidance and develops codes of practice designed to assist individuals and organisations to comply with the legislation
- maintains a public register of data controllers under the DPA and the list of public authorities with approved publication schemes under the FOI Act
- prosecutes persons in respect of offences committed under the legislation.
Common sense approach
Data protection is commonly misunderstood. The ICO urges organisations not to hide behind the DPA unnecessarily and to take a common-sense approach to all data protection matters. The data protection principles have given rise to many misunderstandings (for example, the DPA does not stop parents from taking photos in schools for the family album, although the DPA may apply to photos taken for official use by schools if the images are stored with personal details, like names).
Personal data online is everywhere, ranging from online shopping security information to comments on social networks. The primary purpose of the DPA and GDPR is to ensure personal data can only be gathered legally for a legitimate purpose. Data is valuable and can easily be sold on to companies, which highlights one of the reasons why protections are needed. Although the initial setting up of systems can be daunting for employers, falling victim to large-scale data loss with the resultant financial penalties would be a far greater problem.
The ICO is a comprehensive source of current good practice guidance on data protection.
Some of the codes of practice and guidance are designed specifically to deal with employment issues, but others are designed to help individuals, businesses, employers or public sector bodies.
The main codes of practice are statutory. This means they have been approved by Parliament and although some of the provisions are not strictly legally enforceable, they should be followed. Any breach, or disregarding of the principles, may be relied on by the ICO in any enforcement action and can be used in evidence in court and tribunal proceedings.
A key statutory code is the Employment practices code (PDF), which deals with important matters such as recruitment and selection, employment records, monitoring at work and information about workers’ health. The ICO is currently updating the code.
There is also important guidance for SMEs, including information on keeping IT systems secure, cloud data processing risks, how to comply with the DPA, and a self-assessment tool to help assess compliance with the DPA.
Many employers have their own communications and data protection policies, taking into account the guidance and explaining how employees’ personal data is processed.
Data controllers and data processors
The distinction between data controllers and data processors is important because the extent of an organisation’s obligations in dealing with data depends on it. Note that the same organisation can be both a data controller and data processor.
A data controller is any person who determines why personal data is, or has been, processed and the way in which it is dealt with. Control of the data is the key factor and many employers will be data controllers.
All data controllers must provide a notification to the Information Commissioner’s Office and be included on the register of data controllers. There is a two-tier notification fee structure, depending on the data controller’s turnover and number of staff.
Data controllers must also comply with other legal requirements. They must, for example, follow the data protection principles, such as processing data fairly and lawfully, and use it for legitimate purposes only.
A data processor is anyone who processes personal data on behalf of a data controller. For example, if data is stored on a third party’s server, or processed by an external payroll service, then that organisation is a data processor.
Data processors are currently subject to fewer legal obligations than data controllers but all data processors face additional obligations under the Data Protection Act 2018. To avoid heavy fines, processors must familiarise themselves with the new rules. They will, for example, have to:
- maintain a record of all the data processing operations they are responsible for
- take responsibility for being a joint controller if any data is processed beyond the controller’s instructions
- be directly responsible for security measures
- inform the data controller immediately of any data breach
- appoint a Data Protection Officer if certain criteria are met.
Employees, workers and TUPE
The Employment Practices Code (pdf) makes it clear that the code applies to ‘workers.’ This means that employers must be careful with data relating to current employees and many others, for example, previous employees, job applicants, agency workers, contractors, volunteers and those on work placements.
The DPA must be complied with when an employer provides information about the transfer of a business under TUPE (for more information, see our Transfer of Undertakings (TUPE) Q&As ). TUPE requires that certain information is provided to the new employer before the transfer takes place, including details of pay, hours, holiday entitlement and any details of disciplinary or grievance action. Both parties must consider their data protection obligations early in the transfer process and exchange only accurate, current and secure information required by the new employer.
Types of data covered
The DPA can apply to many sorts of data, including computerised and manual records, photographs, CCTV footage, mainframes, laptops, tablets, organisers, audio and video systems, telephone logging/surveillance systems, microfiche and microfilm. Whether the DPA applies depends both on what the information is and how it is processed. Employers should look at each subject access request individually.
Personal data generally means data from which a living individual is identified or identifiable.
Anonymous data is where it is impossible to establish the identity of individuals whose details are in a database. It is not subject to the DPA.
Pseudonymous data is where the data attributed to a particular person is organised separately to ensure it is not attributed to the individual. Personal details are removed (for example, names replaced with unique number codes), but there will be a second set of details elsewhere so the identities of individuals can be established with some cross-referencing. This remains personal data under the DPA because it is capable of identifying an individual, but if used properly it may meet obligations to ensure security of data.
The definition of data falling within the DPA is complex. It includes information which:
- is personal data relating to a living individual, and
- includes any expression of opinion about the individual, and/or
- is an indication of the intentions of the data controller or any other person in respect of the individual.
The individual must be identified from the data (or from the data and other information which is in the possession of the data controller). Personal data will include that which is obviously about an individual or clearly linked to them.
The data must also be:
- processed by means of equipment operating in response to instructions given for that purpose, or
- recorded with the intention that it should be so processed, or
- recorded as part of a relevant filing system, or
- part of an accessible record.
There has been considerable confusion and litigation over what types of information and filing systems fall within the definition of data. Whether the DPA applies to manual filing systems can be particularly difficult to understand (see Manual personnel and other manual files).
Not every document that merely mentions an individual’s name has to be disclosed. Where data is not obviously about an individual or clearly linked to them, it may be necessary to consider whether the data:
- has biographical significance*
- can be used to inform or influence a decision about an individual
- focuses or concentrates on an individual as its central theme rather than on some other person, object or transaction
- is linked to an individual so that it provides information about that person
- affects a person’s privacy, whether in their personal or family life, business or professional capacity
- is capable of having an impact on an individual.
*For example, data will be included even if it merely records an individual’s whereabouts at a particular time or involvement in an event. An attendee in the minutes of a meeting does have biographical significance because the minutes record the individual’s whereabouts at a specific time. The need to disclose may be restricted to the list of attendees, depending on the meeting.
Examples of personal data
Personal data includes information related to an individual’s:
- medical history
- salary details
- tax liabilities
- bank statements
- spending preferences.
More general information, for example about a house or a car, could also be personal data, because that information is directly linked to an individual, as are marketing lists containing a name together with contact details, such as street and email addresses, and telephone numbers.
For further summarised information, see our Data protection and GDPR in the workplace factsheet.
HR files and ‘relevant filing systems’
Much of the information held in HR files is likely to be covered by the DPA because the Act applies to personal data which is contained in a sufficiently accessible filing system.
As the DPA applies to both information held digitally and as hard copy, the key question is whether manually held data is organised into a ‘relevant filing system’.
The leading case on this, Durant v Financial Services Authority (2003), gave helpful guidance on what falls within the DPA and, although the law has developed since the case, is still useful. The judgment indicates that staff records are likely to be covered, depending on the filing system used, and it would be unwise for employers to disregard any aspect of the DPA without specific legal advice.
Relevant filing system
After the guidance issued by courts and the Information Commissioner, manual staff files (and other manual files) are likely to be held in a ‘relevant filing system’ for the purposes of the DPA if they:
- use individuals’ names or unique identifiers as the file names, or
- are sub-divided or indexed to allow retrieval of personal data without a manual search (such as sickness, absence, contact details etc).
A relevant filing system does not cover a manual filing system which requires a person to search through files to find information qualifying as personal data.
The system must also indicate at the outset whether specific information capable of being personal data is held within the system and, if so, in which file or files it is held.
The DPA is often misunderstood and ex-employees may attempt to use the Act to obtain information to which they are not entitled if the law is applied strictly. Employers may voluntarily disclose information held in a manual form if the confidentiality of other employees is not compromised.
DPA protection is for the privacy of personal data only, not documents as such. Only manual filing systems that are broadly equivalent to computerised systems fall within the DPA.
- Mentioning a name in data does not necessarily make it personal data. The data has to be about the employee; there is no need to disclose data if the employee is not the focus of the data or if it was not biographical.
- Files must be organised in such a way as to allow the retrieval of information about a specific individual (for example, subdividing a file in alphabetical name order will probably fall within the DPA).
- For manual files to be in a ‘relevant filing system’, the content must be subdivided so as to allow the searcher to go straight to the correct category and retrieve the information requested (without a manual search) or must be indexed to enable the relevant page to be found directly.
- A filing system containing files about individuals, or topics about individuals, where the content of each file is structured purely in chronological order will not be a relevant filing system as the files are not organised to allow the retrieval of personal data without leafing through the file.
Subject access requests (SARs)
A subject access request (SAR) is a request for personal information an employer (or any other organisation) holds about an individual. The request must be in writing. The information requested can include an HR file, depending on the nature of the information and the way it’s held.
The individual is entitled to be told:
- whether personal data about them is being processed
- why it is being processed
- who has received, or will receive, their personal data.
They are also entitled to be given:
- a description of what that personal data is
- the data itself in an understandable format
- any information available about the origins of the data if it was not collected from the employer.
An employer must respond to a SAR without delay and at the latest within one month of receipt of the request. This can be extended by a further two months if the request is complex or a number of requests have been made.
The exact number of days a data controller has to comply with a request will vary slightly, depending on the month in which the request was made. The ICO guidance originally said that the one-month time limit should be calculated from the day after the request is received until the corresponding calendar date in the next month. However, the ICO guidance was amended in 2019 to state that the time limit for a response to a SAR starts from the day the request is received (whether it is a working day or not) and runs until the corresponding calendar date in the next month. Therefore, if the SAR was received on 19 August, the deadline for the data controller to respond is 19 September.
If the following month is shorter and there is no corresponding calendar date, the date for response is the last day of the next month. So, if the SAR is made on the 31 August, the response deadline is the 30 September. If the corresponding date falls on a weekend or a public holiday, the data controller will have until the next working day to respond.
Employers should ensure that their SAR policies and procedures reflect the correct time limits to comply with their data protection obligations.
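One way to implement the deadline rule just described, as an added example rather than CIPD's or the ICO's own tool. The holiday dates are constructed for the demonstration, and applying the same calendar-month convention to the two-month extension is an assumption of the example:

```python
"""SAR response-deadline calculator (added example, not CIPD's or the ICO's tool).

Rule implemented, as summarised in the text above:
  * the clock starts on the day the request is received, working day or not;
  * the deadline is the corresponding calendar date in the next month;
  * if the next month has no such date, it is the last day of that month;
  * a deadline falling on a Saturday, Sunday or public holiday moves to the
    next working day.
"""
from __future__ import annotations

import calendar
from datetime import date, timedelta
from typing import Iterable


def corresponding_date(start: date, months_ahead: int) -> date:
    """Same calendar day `months_ahead` months later, clamped to month end.

    31 August -> 30 September, 31 January -> 28/29 February, and the year
    rolls over for requests received in December.
    """
    index = start.month - 1 + months_ahead          # zero-based month index
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, public_holidays: Iterable[date] = ()) -> date:
    """Roll a Saturday, Sunday or public holiday forward to the next working day."""
    holidays = set(public_holidays)
    while day.weekday() >= 5 or day in holidays:    # Mon=0 ... Sat=5, Sun=6
        day += timedelta(days=1)
    return day


def sar_deadline(received: date, public_holidays: Iterable[date] = (),
                 extended: bool = False) -> date:
    """Deadline for responding to a SAR received on `received`.

    `extended=True` applies the further two months allowed for complex or
    multiple requests. ASSUMPTION of this example: the extension is measured
    with the same calendar-month convention from the date of receipt.
    """
    months = 3 if extended else 1
    return next_working_day(corresponding_date(received, months), public_holidays)


def respond_by(received_iso: str, holiday_isos: Iterable[str] = (),
               extended: bool = False) -> tuple[str, int]:
    """String front end: returns (deadline as YYYY-MM-DD, calendar days available).

    The day count is what the text means by 'varies slightly' month to month.
    """
    received = date.fromisoformat(received_iso)
    holidays = [date.fromisoformat(h) for h in holiday_isos]
    deadline = sar_deadline(received, holidays, extended)
    return deadline.isoformat(), (deadline - received).days


if __name__ == "__main__":
    # Constructed public holiday for the demonstration only (not a real UK date).
    demo_holidays = ["2019-09-23"]
    for received in ("2019-08-19", "2019-08-31", "2019-08-22",
                     "2020-01-31", "2019-12-15"):
        deadline, days = respond_by(received, demo_holidays)
        print(f"received {received} -> respond by {deadline} ({days} days)")
```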
Altering the data
Employers must not make any alterations to data in order to make it more acceptable to the data subject. If the employer has any adverse comments in relation to performance, for example, the employee has a right to see them.
Enforced subject access requests as a condition of employment
Before a prospective employer asks a person about their criminal convictions or police record, it must check that it can ask that person to reveal their conviction history. This is a very complex issue.
Disclosure and Barring Service (DBS) checks (criminal background checks, still sometimes referred to as CRB checks) may be needed for certain jobs or voluntary work, for example, working with children and vulnerable adults, or in healthcare.
The DPA makes it a criminal offence to force others to make subject access requests about themselves and then reveal the results to a third party. Employers must not avoid the complexities of the DBS checking process by demanding that prospective employees use their rights under the DPA to see information held about them.
Provisions of the DPA make it a criminal offence to force individuals, such as employees, to make subject access requests and then reveal the results. This is a practice known as ‘enforced subject access’ and is punishable by a fine.
For example, the DPA prevents:
- employers from requiring job applicants to use the DPA to obtain records, such as police records, as a condition of employment, and
- companies from requiring certain records as a condition for providing services like housing or insurance.
This does not stop employers getting access to criminal records completely, as in some jobs these checks can be undertaken (see our Recruitment and selection Q&As for more info).
Processing sensitive personal data
Sensitive personal data is data relating to the data subject’s:
- racial or ethnic origin
- political opinions
- religious (or similar) beliefs
- trade union membership
- physical or mental health
- sex life
- criminal history, including actual and alleged offences (special conditions apply to the processing of such data).
The DPA gives additional protection to sensitive personal data over and above that given to other personal data.
Processing sensitive data
To lawfully process sensitive personal data, at least one of the conditions contained in Schedule 3 of the DPA must be met. The main ones are that the:
- explicit consent of the data subject has been freely given
- processing is necessary to comply with any obligation or legal duty imposed on the data controller
- processing is necessary to protect the vital interests of the data subject or another person (for example, life threatening issues such as disclosure of a data subject’s medical history to a hospital A&E department treating the data subject after a road accident)
- processing is necessary for, or in connection with, legal proceedings (including prospective legal proceedings)
- processing is necessary for the exercising of legal rights or obtaining legal advice
- information contained in the personal data has been made public by the data subject for equal opportunities monitoring
- processing is necessary as it is deemed to be in the public interest.
Sickness absence data and consent
Data relating to an employee’s medical condition amounts to sensitive personal data for the purposes of the DPA, so care needs to be taken with using and storing the data.
The Employment practices code (pdf), Part 4: information about workers’ health, addresses the collation and use of information about a worker’s physical or mental health. The code, which is currently being updated, is a statutory one, which means it can be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant. The code’s aim is to assist organisations in complying with their legal obligations under the DPA 2018.
The code covers sickness and injury records, occupational health schemes, information from medical examination and testing, drug and alcohol testing and genetic testing. As this information is sensitive, employers should collect health information only where it is necessary for health and safety reasons, or to prevent discrimination, or to satisfy other legal obligations, or if each worker has freely given explicit consent.
The Information Commissioner recommends that absence and sickness records be kept separately.
Time limits for retaining personal data
The fifth data protection principle (see ‘Data protection principles’ above) provides that ‘personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes’. Neither the DPA nor Part 2 of the Employment practices code (pdf), employment records, sets a specific time period that is appropriate for the retention of workers’ records. It is, therefore, the responsibility of the employer to decide on retention periods. Most employers will set up a staff records system and many have an express policy dealing with data retention.
(For more detailed information on statutory and recommended retention periods, see our Retention of HR records factsheet.)
Reasons for retaining data
All organisations need to keep certain records on current employees: for instance, keeping records of hours worked, or rates of pay, to check compliance with the Working Time Regulations 1998, or the Minimum Wage Act 1998 (see our Working Time Regulations Q&As, and our Reward and pay factsheet).
The termination of an employment relationship does not mean that all records should be deleted. There may be a real business need to retain some of them. For example, employers may need to keep information:
- relating to the employee’s pension arrangements
- to enable references to be provided
- to be able to defend future claims made by the employee.
There may also be a legal requirement to retain records, for example, in relation to:
- income tax
- certain aspects of health and safety.
If information is needed for possible litigation, the overall time limit for bringing any civil legal action is six years (five years in Scotland).
Employers cannot use all records for all purposes six years later. With some matters, for example, disciplinary issues and warnings, many organisations’ discipline and grievance policies will state that oral warnings expire after six months and written warnings last no longer than 12 months (as recommended by Acas). Organisations may be able to use expired warnings if their disciplinary policy states that the underlying conduct leading to an expired warning may be taken into account by the employer in future disciplinary procedures.
An employee can complain to the ICO (see ICO guidance on this procedure) and ask for an assessment as to whether processing of personal data is being carried out in accordance with DPA principles. The ICO has a range of approaches for enforcing compliance.
The Information Commissioner can serve an information notice requesting certain details from the employer, and can obtain a warrant to enter and inspect premises where there are reasonable grounds for suspecting that the data protection principles have been, or are being, contravened.
If a breach of the data protection principles has occurred, the Information Commissioner may serve an enforcement notice on the employer. This requires an employer to take certain remedial steps and actions, for example, stopping processing data altogether or, if the data is inaccurate, to remedy this or even erase certain items of data. Employers can appeal against enforcement notices within 28 days of the date on which the notice was served, unless exceptional circumstances apply.
Where there is a serious contravention of the data protection principles, the Information Commissioner can serve a monetary penalty notice requiring money to be paid before a set deadline. The ICO must be satisfied that the contravention was deliberate, or that the data controller knew (or should have known) of the risk, and that substantial damage or distress would be caused. The ICO allows written representations before the actual penalty notice is served.
The maximum monetary penalty under the previous DPA was £500,000. For example, the ICO imposed a fine of £500,000 on Facebook in October 2018 (under the DPA 1998) for its role in Cambridge Analytica’s use of millions of Facebook users’ information. The data was collected through a quiz from quiz participants and their friends without sufficient consent. The fine also reflected a failure to take adequate remedial action once the misuse of data was discovered.
The ICO can now impose a fine of up to €20 million, or 4% of an organisation’s total annual worldwide turnover in the preceding financial year, whichever is greater. There are two tiers of penalty for an infringement - the higher maximum and the standard maximum.
The higher maximum amount is the €20 million above, which is for failure to comply with any of the data protection principles, individual rights under Part 3 of the Act, or transfers of data to third countries.
The standard maximum relates to the administrative requirements of the legislation and is €10 million (or the equivalent in sterling) or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
The individual affected may also seek compensation under the DPA. For example, if a conditional offer of employment is withdrawn as a result of an inaccurate reference, compensation may be claimed in addition to other claims (such as discrimination). Other applications may be made to rectify, remove or destroy personal data.
Breaches of the DPA concerning the disclosure of certain personal information may also be a criminal offence. The 2018 Act uses financial penalties only, rather than imprisonment, which was available under the previous legislation. However, there are many criminal offences relating to data protection in the UK, outside of those required by the GDPR, which were updated in the DPA 1998:
- Access and disclosure offences: It is an offence to knowingly or recklessly obtain, disclose or procure personal data without the consent of the data controller (for example, those who access healthcare and financial records without legitimate reason), and it is now also an offence to knowingly or recklessly retain personal data without consent.
- Subject access requests: It is an offence to require a person to produce relevant records (relating to health, convictions or cautions) as a condition of employment or of a contract for providing services. This is designed to prevent organisations from trying to use subject access requests as background checks.
- Investigation offences: It is an offence to provide false statements in response to a demand from the ICO to produce information.
- False statements: Obstructing a warrant, or making a false statement in response to a request for information pursuant to a warrant, is also a criminal offence.
- ICO staff: Former or current ICO staff who unlawfully disclose data obtained during the course of their duties also commit a crime.
Two entirely new offences since 2018 are:
- Re-identifying personal data that has previously been de-identified by removing or concealing personal data.
- Altering, erasing, destroying or concealing information, with the intention of preventing disclosure, in response to requests for personal data.
How should employees’ use of social media be managed?
Employers must have an internet and communications policy which specifies the internet use that is, and is not, acceptable. WhatsApp, Instagram, Facebook, Twitter, LinkedIn and other social media platforms can be a professional asset, increasing an employer’s visibility and communication with customers and colleagues. On the other hand, employees’ personal use of social media can eat into the employer’s time and profit and cause serious disciplinary issues.
Many employers have adopted a complete ban on social networking sites at work because of time wasting concerns. However, employers who trust their staff may wish to allow responsible personal use of the internet during break times, provided this does not interfere with work or damage the employer’s reputation.
Employers have a number of options. They can:
- permit unlimited access to social networking sites (this may suit you if the marketing and business generation aspects of these sites are crucial)
- restrict access to work purposes only
- restrict personal use, for example, to lunch hours and outside business hours
- completely block certain sites.
If restrictions are placed on social media use, this must be clearly covered in the internet and communications policy. Both the policy and contracts of employment should specify what social media use is gross misconduct, and sufficiently serious to justify summary dismissal. Disciplinary policies must co-ordinate with the social media policies.
Employees must be warned in advance of the monitoring which will take place and why.
Acas has published guidance on Social media in the workplace.
Case law examples
Many cases have arisen concerning the use of social networking sites by employees, including:
- Virgin Atlantic dismissed 13 cabin crew after disciplinary proceedings concerning messages on Facebook that referred to passengers as ‘chavs’ and made jokes about them.
- A prison officer was dismissed for gross misconduct after befriending former and current prison inmates on Facebook.
- An employee successfully sued his employer for sexual orientation discrimination when two colleagues used his own mobile phone to post a prank comment relating to his sexual orientation (see Otomewo v Carphone Warehouse Ltd, 2011).
- Other Facebook comments which led to dismissal included comparing a workplace to ‘Dante’s Inferno’ (see Weeks v Everything Everywhere Ltd, 2012).
- Also see Barbulescu v Romania (2016), where an employer monitored an employee’s personal emails on a Yahoo Messenger account that was intended for communicating with customers.
- An employee with a clean disciplinary record for 17 years was fairly dismissed after she had made derogatory comments on Facebook. She put her job title as ‘general dogsbody’, and said, ‘bloody place I need to hurry up and sue them’. The employee knew of the social media policy and so her dismissal was within the band of reasonable responses (Plant v API Microelectronics Ltd, 2017).
If email systems and the internet are misused, claims for the following could arise:
- data protection breaches
- breach of confidentiality or trade secrets
- claims under the Human Rights Act 1998
- unfair dismissal
- intellectual property rights breaches (for example, employees may not be aware of the legal issues involved in downloading unlicensed software and using it for business purposes)
- breach of contract (the implied term of mutual trust and confidence in all employment contracts may be broken if an employee makes a damaging posting about the employer)
- discrimination (many forms of discrimination claim can occur via emails, including harassment, and the employer is likely to be vicariously liable for that, even when it is unauthorised).
Can organisations video employees, or monitor their calls, emails and internet use?
This question is extremely complex. Monitoring is often illegal unless expressly permitted by the law and legal advice should be taken before carrying it out.
The basic position is that organisations can monitor employees’ communications only if there is a legitimate business reason for doing so and the monitoring does not go any further than necessary. Employers who undertake monitoring are likely to be processing personal data, which will trigger obligations under the DPA and may be breaching an employee’s human rights too.
The law does not allow employees’ communications via company systems to be monitored or intercepted merely to check whether employees are breaching company policies on the use of email in the workplace.
The ICO has published guidance as part of the Employment practices code (pdf) (Part 3: monitoring at work).
Monitoring by videoing and/or tapping a telephone system is also illegal unless expressly permitted by law. Even if an employer knows theft is taking place, surveillance cameras should be a last resort.
Covert surveillance should only be used in exceptional circumstances to detect wrongdoing by employees and must be authorised by senior management. The employer must assess whether the intrusion into employees’ private lives is limited to what is absolutely necessary. Covert surveillance should be strictly targeted at obtaining evidence within a set timeframe and cease once the investigation has been completed.
Organisations can justify their actions only by assessing the purpose of the monitoring, any adverse impact, alternatives to covert monitoring, why those alternatives are not appropriate, and how the recordings will be used.
If workplace surveillance or monitoring is thought to be essential in an investigation into employees’ misdeeds, employers must ensure it is proportionate.
Employers must strike a fair balance between the employees’ right to privacy and the organisation’s interest in protecting its property. Covert surveillance, for example, may involve monitoring all employees without being time-limited, which may be disproportionate and could infringe their right to privacy under Article 8 of the European Convention on Human Rights (ECHR).
Brexit, surveillance and guidance
The future of the Human Rights Act 1998 after Brexit is uncertain as there have been plans to replace it with a UK Bill of Rights. However, any covert surveillance would have to be in accordance with the DPA 2018 and the Employment practices code (pdf) published by the ICO. That guidance states that covert surveillance should only be undertaken in exceptional circumstances, including suspicion of criminal activity or equivalent malpractice, where notifying the employees would prevent the detection of crime.
The ICO states that any covert monitoring must be:
- time-limited to a specific investigation
- only disclosed to a limited number of employees directly involved in the investigation
- not used in private places (for example, changing rooms, toilets or private offices)
- deleted if it does not directly relate to the investigation.
Covert recordings by employees
It is not only employers who covertly record matters; employees may attempt to record events such as meetings. The Employment Appeal Tribunal has clarified that it may be acceptable, in some circumstances, for an employee to make a covert recording of a meeting without it being considered misconduct (see Recent cases, Phoenix House v Stockman 2017).
Need for policies
All employers must have their own detailed communications, internet, social media and data protection policies in place which should be clearly communicated to employees on, for example, the company intranet, in employee handbooks and during staff inductions.
If policies are used effectively, employers may:
- monitor and/or intercept communications if the employee has given prior consent, for example, in their contract of employment, and
- in certain very limited circumstances, monitor and/or intercept communications where the employee has not given consent.
If an organisation decides that monitoring personal communications on business accounts is the only option available, then employees’ expectation of privacy must be managed carefully.
Employees must know the extent to which they can send personal communications on company systems, whether outside or during work time, and know how often their communications will be monitored and why this is necessary.
The policy should be linked to disciplinary and dismissal proceedings making it clear that failure to comply with the policy could result in disciplinary proceedings, up to and including dismissal.
Points for employers
- Workers should be made aware that they are being monitored and why. Secret monitoring of workers can rarely be justified.
- Workers are entitled to privacy in the work environment.
- If there are suspicions of serious criminal activity, covert monitoring may be used as part of a specific investigation.
- Communications, such as emails, that are clearly personal, should be monitored by address or heading only and not opened.
- Monitoring should be targeted at an area of risk, for example, in the accounts department where irregularities have taken place.
- Information obtained through monitoring should be used only for the purpose for which the monitoring was carried out.
- Monitoring information should be kept securely and for no longer than necessary.
Guidance on monitoring
Workers have a legitimate expectation of keeping their personal lives private at work and are entitled to a degree of privacy in the workplace. The Employment practices code (pdf), Part 3: monitoring at work, contains detailed guidance on monitoring communications. Any monitoring should be justified by the benefits it delivers, and the code recommends employers undertaking impact assessments beforehand.
If an employer intends to monitor its workers, it should:
- be clear about the purpose of such monitoring
- justify the benefits of monitoring communications
- communicate the policy on monitoring to workers to counteract any expectation of privacy of communications in the work environment
- judge whether monitoring is justified.
Under separate legislation, employers may be able to monitor, without the employee’s specific consent first being obtained, for:
- recording evidence of business transactions
- ensuring compliance with regulatory or self-regulatory guidelines
- maintaining the effective operation of the employer’s systems (for example, preventing viruses)
- monitoring standards of training and service
- preventing or detecting criminal activity
- preventing the unauthorised use of the computer/telephone system, for example, ensuring the employee does not breach the company’s email or telephone policies.
Employers should still take reasonable steps to inform employees that their communications might be intercepted and should always consider whether there are less intrusive ways of monitoring correspondence. For example, automated monitoring that blocks emails containing obscene language may be preferable to monitoring by a line manager who can see every email sent by their direct reports.
Does allowing employees to use their own devices at work raise data protection issues?
Supplying staff with smartphones, laptops, tablets or even USB devices can raise important data protection issues, as can allowing them to use their own devices for work purposes. An Information Commissioner’s Office (ICO) survey revealed that many employers appear to have an overly relaxed attitude to allowing staff to use personal laptops, tablets or smartphones for email and other work business, which may be placing personal information at risk.
The physical security of equipment is important as there are risks of data breaches and cyber theft. Many data breaches arise from the theft or loss of a device.
An effective internet, social media and communications policy must cover the permissible use of employees’ own devices for working purposes, and the permissible use and return of employer-owned devices. Staff should be trained so that they are fully aware of their data protection responsibilities on any devices supplied to them.
The ICO has published Bring your own device (BYOD) (pdf) guidance on these issues and, although this has not been updated to refer to the DPA 2018, it is still valid advice, explaining some of the data protection and other risks organisations must consider when allowing personal devices to be used to process work-related personal information.
Particular risks employers should consider include public cloud-based sharing services and the types of personal data that can be processed on personal devices. Some mobile devices have a remote disable or wipe facility, which means a signal can be sent to a lost or stolen device to securely delete all data.
The ICO’s Employment practices code (pdf) offers clear guidance on the obligations of employers and employees regarding separating personal and corporate data to ensure compliance with the DPA.
The overriding guidance to deal with such issues is that employers should have in place clear and detailed policies. These will be scrutinised by courts and tribunals and will often be one of the determining factors in employment proceedings.
Recent case law
William Morrison Supermarkets Plc v Various Claimants | Court of Appeal | 22 October 2018
[2018] EWCA Civ 2339
Issue: Data protection – vicarious liability
The claimants in this case were over 5,500 supermarket employees. The senior internal IT auditor at the supermarket (Skelton) uploaded personal data including names, addresses, dates of birth, home and mobile phone numbers, national insurance numbers, and details of bank accounts and salaries relating to nearly 100,000 Morrisons' employees to a file-sharing website. He then copied the data to three UK newspapers.
Skelton was seeking revenge for an internal disciplinary procedure – he had allegedly operated a side-business from the supermarket’s post room. He was eventually arrested, convicted of fraud and of various data protection and other offences, and sentenced to eight years in prison.
The employees brought group legal proceedings against Morrison’s for breaches of the data protection legislation, misuse of private information, and breaches of confidence. They also claimed Morrison’s was vicariously liable for Skelton's misuse of private information and breaches of confidence.
Two of the key issues by the time the matter reached the appeal stage were whether:
- there was sufficient connection between Skelton’s employment and the wrongful conduct to make his employer liable for his actions
- the data protection legislation excludes vicarious liability.
The Court of Appeal agreed that Morrison’s was vicariously liable for the employee’s misuse of data, even though the retailer had done as much as it reasonably could to prevent the misuse, and it was the employee’s intention to cause financial damage to the company.
The organisation had entrusted Skelton with the payroll data as part of his job, so it was the supermarket’s risk and it might have been wrong to trust him with the data.
The company had argued against its liability because the breach was not committed at work but at home on a Sunday, using Skelton’s own computer. The Court of Appeal said although the place where the act occurred is relevant, the real question was whether there was an unbroken chain linking the employee’s work with the release of the personal data and, in this case, there was such a link.
The organisation has permission to appeal the decision to the Supreme Court.
Implications for employers
This case was decided under the Data Protection Act 1998, but the same principles apply to requests under the Data Protection Act 2018.
This is the first successful UK group action for a data protection breach and the outcome is a worry for employers. If an employee misuses data entrusted to them, their employer can be vicariously liable, even if the employer has not committed a data protection breach itself and has tried to prevent misuse.
Employers must be proactive in using appropriate data security measures, policies and procedures and should also consider implementing stricter controls on those dealing with personal data. There will be more group action claims for data breaches and this case indicates an employer can be held vicariously liable for deliberate wrongdoing by an employee.
Key points to note are that:
- Motive is irrelevant, even if the employee’s motive is to cause financial or reputational damage to the employer.
- Organisations can still be liable to pay compensation arising out of acts committed by an employee who was actively seeking to cause damage to the employer.
- Businesses should protect themselves by taking out comprehensive insurance policies to protect against losses caused by employees with a grudge.
- An employer can be held vicariously liable for a deliberate wrongful act carried out by an employee, even in their own home, provided that a sufficient connection is established between the nature of the person’s job and the wrongful conduct.
Having organisational measures in place to prevent breaches may not be enough to avoid vicarious liability, but the employer's potential exposure to sanctions by the Information Commissioner may be minimised if some preventative systems are in place.
B v General Medical Council | Court of Appeal | 28 June 2018
[2018] EWCA Civ 1497
Issue: Data protection – mixed personal data
A patient alleged that a GP had misdiagnosed him and submitted a subject access request under the Data Protection Act 1998 to the General Medical Council. The doctor argued that the GMC medical report needed to investigate the complaint should not be disclosed to the complaining patient, as it would contain information about the GP’s alleged lack of fitness to practise. The doctor said this would breach his right to privacy.
The report contained mixed personal data, in other words, personal data relating to both the GP and the patient. Obviously the GP did not consent to the report’s disclosure, because the request for the report was being made with a view to bringing legal proceedings against him.
The GMC said the report should be disclosed but a judge at the initial hearing held that the patient was not entitled to see it, and the patient appealed.
The Court of Appeal allowed the appeal and ordered disclosure of the report. It held that:
- The initial judge was wrong in thinking there was a presumption against disclosure in a mixed personal data case.
- The sole or dominant purpose of the request being to obtain information for suing the doctor was not a big factor in favour of refusal.
Implications for employers
This case is now the leading case on mixed personal data and is helpful for employers faced with subject access requests where disclosure of mixed personal data is requested.
Under data protection legislation, employers can often refuse to make a disclosure of a third party’s data if that person has not consented to the information being released. If the data is mixed, employers should proceed with caution before refusing the request just because a third party has refused consent.
Organisations need to strike a balance between the competing interests of the person objecting to the disclosure of mixed data and the person requesting it. Businesses can presume that they should deny disclosure only if all the other interests are equally balanced. Access to personal data does not depend on the motives of the person making the request. An individual requesting the disclosure in order to bring legal proceedings is only one factor to be considered by the data controller. For example, if the person requesting data is a vexatious litigant, disclosure might be refused. The person seeking the disclosure should not be ignored just because the information may assist their case.
Phoenix House v Stockman | EAT | July 2019
UKEAT/0284/17/OO & UKEAT/0058/18/OO
Issue: Covert surveillance by employee
An employee in the finance department at an alcohol and drug addiction charity was told her role was redundant. Following the restructure, she obtained the much more junior role of payroll controller. A dispute with the finance director arose about whether the restructure was biased, and she raised a grievance. As a result of an inappropriate outburst during a meeting, disciplinary proceedings were started in parallel with the grievance. The employee covertly recorded a meeting with the director of resources.
The disciplinary and grievance hearings were held in her absence as she went on sick leave. Eventually there was a written warning and the grievance was not upheld. Ultimately there was another hearing to decide whether the working relationship had irretrievably broken down and she was dismissed for ‘some other substantial reason’.
Many issues arose in the tribunal claim for unfair dismissal. In an earlier hearing in 2016, the EAT confirmed the tribunal finding of unfair dismissal. It was unreasonable for the employer to conclude there was an irretrievable breakdown in the working relationship because the employee said she would put the matter behind her. There had also been insufficient notice about the final hearing and no real understanding of the case against her. However, the data privacy issue in the case emerged in the later hearing which examined the effect of the covert recording she undertook during the meeting.
The EAT clarified when it is acceptable for an employee to make a covert recording of a meeting. The EAT said it was good practice for an employee or employer to reveal their plans to record a meeting, and that it would generally be misconduct if an employee making the recording did not reveal this.
The covert recording did not come to light until the tribunal hearing and the employer said had it been aware of the recording it would have dismissed the employee for gross misconduct, which would reduce her compensation award to nil anyway.
The EAT found that covert recording was not specifically banned in the employer’s disciplinary policy and the employee was not sure that the device was working properly while recording the meeting. Therefore, it could not be considered gross misconduct.
If an employee does not trust their employer and thinks they are about to be unfairly dismissed, they might want to record the conversation to use as evidence in any subsequent tribunal claim. There is no specific legislation governing whether employees can record conversations with HR.
The basic position is that if an employee is going to record a conversation they should do so openly and notify the employer. Historically it was thought that a secret recording would not be admissible as evidence in a court or tribunal. However, since the case of Amwell View School v Dogherty (2006), recordings have been admissible, at least for the part of the meeting when the employee was present. Employers should always assume that there is a risk they could be recorded in meetings and should behave accordingly.
If the employee is feeling bullied and threatened, and makes a recording to protect themselves, this is less likely to be misconduct, whereas a manipulative employee seeking to entrap the employer, or one who lies about making the recording, may be guilty of gross misconduct and the covert evidence is less likely to be allowed. Other relevant factors include if the employee was specifically told there must be no recording, or if the meeting included highly confidential personal information about a third party.
Employers who do not want employees to record conversations should:
- make it very clear in their policies that the recording of meetings is expressly prohibited; and
- only allow recordings with the consent of all parties.
If a covert recording is made, there is always a risk an employment tribunal may still allow the evidence even if the employer’s policy prohibited it. Organisations should:
- Aim for a culture of trust and reliability. Then it is unlikely employees will feel the need to record conversations.
- Carefully document all conversations with employees in order to provide a written trail of evidence.
- Ensure an independent witness is present in conversations where an employee’s job is at risk or their behaviour is under consideration.
- Confirm the outcome of meetings in writing.
Data protection law has to change frequently, primarily because it needs to adapt to new technologies, but also because trust in data is fundamental to engagement in the digital economy. Data handling is also an international matter as data can so easily cross international boundaries.
A major overhaul of UK and EU data protection law took place in 2018 alongside the introduction of important new legislation, the Data Protection Act (DPA) 2018 and the GDPR, which affect how employers (and other organisations) deal with personal data. The DPA 2018 applies before and after the UK’s departure from the EU; it incorporates the GDPR’s provisions and also replicates and updates the Data Protection Act 1998. Many of the GDPR’s core principles are similar to the previous DPA, but there are some differences (see ‘DPA 2018 and GDPR’ above).
Information Rights Strategic Plan 2017-2021
In May 2017, the ICO published a five-year plan, setting out its mission to increase confidence in data use in government, public bodies and the private sector. The plan commits the ICO to leading implementation of the GDPR and other data protection reforms.
A new ‘Data protection regulatory action policy’ (pdf) was prepared as part of the ICO’s preparations for the GDPR and laid before Parliament in 2018. It provides an overview of how the ICO will use its expanded regulatory enforcement powers provided by the GDPR and the DPA 2018. This supplements the Information Rights Strategic Plan for 2017-2021 and International Strategy for 2017-2021.
Brexit and the e-privacy regulation
The EU is replacing the outdated Privacy and Electronic Communications (EC) Directive 2002/58/EC with a new regulation which will set out specific rules for processing personal data in electronic communications. The previous directive applies in the UK through the Privacy and Electronic Communications Regulations 2003.
The new EU Regulation is unlikely to be fully agreed until 2020. Whether it will influence UK law or apply in the UK after Brexit depends on the terms of our departure from the EU.
If there is no deal, and the UK relinquishes EU membership without a withdrawal agreement, the 2003 regulations will be retained under the UK European Union (Withdrawal) Act 2018, and UK case law that applies to the 2003 legislation will continue to be relevant, even if it relied on EU cases. There will need to be amendments to the 2003 regulations to ensure that they continue to operate after the UK's withdrawal. The new regulation will not apply to the UK but substantially similar rules may be necessary in order for the UK to trade with the EU in the future.
If a withdrawal agreement is passed, the relevant EU law will continue to apply in the UK during the transition period (until 31 December 2020 under Theresa May’s withdrawal agreement, unless extended). If the EU Regulation applies during the transition period, it will become UK national law under the European Communities Act 1972. At the end of the transition period, if the EU Regulation is applicable in the UK, it will be turned into UK law under the European Union (Withdrawal) Act 2018.
If the EU Regulation is applied or followed here, then its changes will include:
- removing notification requirements about breaches, as these are now covered in the GDPR
- fines consistent with the GDPR (up to 4% of annual worldwide turnover)
- harmonising cookie consent rules throughout the EU
- creating exemptions in order to harmonise communications data processing rules and direct marketing consent requirements.
The UK government remains uncertain about what implications the ePrivacy regulation will have in the UK. In the meantime, the ICO has confirmed that the old Privacy and Electronic Communications (EC Directive) Regulations 2003 will still apply.
Brexit data protection regulations
When the UK exits the EU, some EU laws (including limited employment rights) will initially automatically become part of UK domestic law, provided the European Union (Withdrawal) Act 2018 is implemented as drafted.
Many references to EU laws and institutions will cease to be relevant in the UK after Brexit. Comprehensive regulations will therefore be needed to amend the DPA 2018, and these are to be read alongside the GDPR. Some examples include:
- Schedules 1 and 2 effectively merge the two pre-existing regimes from the GDPR and the DPA 2018.
- Part 1 of Schedule 3 amends certain EU data protection law that forms part of domestic law.
- Part 4 of Schedule 3 makes general provision for references to the GDPR to have effect as references to the UK GDPR on and after exit day.
- Regulation 8 makes amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2002/2013) relating to the meaning of consent.
The new regulations also deal with post-exit international data transfers from the UK. For the lawful transfer of personal data from the EU into the UK, we will need to apply to the EU for adequacy status, which allows cross-border data transfer outside the EU – hence the need for the UK version of the GDPR to be close to the EU version.
The EU-US Privacy Shield is a binding legal basis for transferring personal data to the US, and is one of a number of agreements governing transfers of data to the US.
After the UK leaves the EU, personal data transferred from the UK to organisations covered by the US Privacy Shield would no longer be covered by the legislation. New legislation will come into force immediately before the UK leaves the EU focusing on personal data transferred from the UK to US. Organisations that have signed up to the Privacy Shield will therefore continue to be covered by the Privacy Shield legislation when the UK leaves the EU, and must specifically ensure that their privacy policies refer to personal data transfers from the UK.
Binding corporate rules
The European Data Protection Board released early guidance on binding corporate rules in the event of a 'no deal' Brexit. These rules allow multinational companies to transfer personal data from the EEA to companies outside the EEA without breaching legislation. Companies need to apply to a lead supervisory authority to authorise their binding corporate rules. Following Brexit, UK organisations will need to identify an appropriate Supervisory Authority in an EU member state, as the new rules will not be governed by the ICO anymore.
In a 'no deal' scenario, UK companies with applications that have only reached the review stage will have to transfer the application to a new EU Supervisory Authority. Binding corporate rules that have already been authorised prior to Brexit will remain valid across the EU.
Transfers of data outside EU
The arrangements for transfers of personal data to other countries after Brexit will depend on the agreements reached with the country in question. Many places have data protection law that limits the transfer of personal data to countries which do not have an adequate level of protection. For example, the Commissioner of Data Protection in Dubai has announced that the UK will be treated as offering an adequate level of protection for personal data after the UK leaves the EU because the GDPR has been absorbed into UK law in the Data Protection Act 2018. This confirmation ensures that businesses in Dubai can continue to transfer personal data to the UK after Brexit.
For more information on what Brexit may mean for employment law, visit our Brexit hub.