Data protection and GDPR in the workplace
Introduces data protection law in the UK, covering the obligations of employers and individuals' rights to access information
Commonly asked questions on the legal issues relating to data protection, surveillance and privacy in the workplace
Data protection is about safeguarding important information and making sure it is used properly and legally. In the UK, the Data Protection Act 2018 implements the General Data Protection Regulation (GDPR) which came into force in May 2018. It replaces the previous Data Protection Act 1998. All employers need to be aware of their duties under the law as the penalties for breaching the rules can be severe. Here we provide resources on the law governing data protection and GDPR, surveillance and privacy at work.
COVID-19: Employers are likely to see an increased volume of requests relating to sickness and absence during the Coronavirus pandemic, and working from home can raise data protection issues. See individual Questions below for guidance on these matters.
Data protection law requires data controllers (those who decide how and why personal data is processed) to comply with the seven data protection principles:
Some of these represent changes from previous principles. Under the GDPR there is no ‘principle’ for individuals’ rights (these are dealt with separately in Chapter 3 of the GDPR).
Although not strictly speaking a principle, data must not be transferred internationally outside the EU without adequate protection. This is now dealt with separately in Chapter 5 of the GDPR.
It is against the law for a data controller, for example, an employer, not to keep to these principles.
Data subjects (those about whom data is processed) are also provided with rights allowing them to access certain information, and in some cases they also have control over the way it is processed.
A major overhaul of data protection law was undertaken as a result of the DPA 2018 and the GDPR. The DPA 2018 incorporates both the GDPR, and replicates and updates the previous data protection legislation, the Data Protection Act 1998. Many of the DPA principles are similar to the previous Act, but there are some differences.
The new legislation introduces new rights for people to access the information businesses hold about them, obligations for better data management for businesses, and a new regime of fines and enforcement actions. It is intended to increase individuals’ ability to remove consent for their personal data being used. Companies will need to obtain explicit consent when they process sensitive personal data.
Other changes include:
Criminal sanctions have also been increased to include:
More detail on some of these changes is summarised below.
Public authorities, and organisations where data processing is a core activity or done on a large scale, need a data protection officer with expert knowledge of data protection. This can be an employee or an outside consultant.
Several organisations can share the same DPO, provided there is no conflict of interests.
The DPA 2018 requires a higher standard of consent compared to previously implied consent to data processing. Individuals must clearly and positively establish specific agreement to their personal data being processed, such as by a written statement. Employers relying on consent to process personal data should review their procedures to ensure that any consent obtained clearly indicates agreement (the example used in the GDPR is that ticking a blank box is sufficient but failing to un-tick a pre-ticked box is not valid consent). Individuals can withdraw their consent at any time.
The right only applies in certain circumstances. For example, individuals have the right to have their personal data erased if:
It is unlikely employers would make personal data public in an online environment such as a website but, if they do, reasonable steps should be taken to get that personal data erased. If personal data has been disclosed to others, or made public in an online environment, employers should tell those other organisations about the need for erasure.
Employers cannot charge a fee to comply with a request for erasure, other than administrative costs if the request is manifestly unfounded or excessive.
The right to erasure does not apply if processing is necessary to:
The right to erasure may not apply to special data where the processing is necessary for public health purposes in the public interest (for example, cross-border threats to health, or to ensure high standards and safety of health care products and medicines).
The right may also not apply if data is being processed by a professional who has an obligation of professional secrecy such as a doctor. This would cover processing needed for occupational health, such as assessing the working capacity of an employee; or for medical diagnosis; or for the provision of, or management of, health or social care services.
If there is an exemption, employers can refuse to comply with a request for erasure, but not all of the exemptions apply in the same way. Employers should consider each exemption carefully to see how it applies to a particular request.
Employers can refuse to comply with a request to delete data if the request is:
For example, a request may be manifestly unfounded if the individual is making a request but will drop it in return for a payment, or the request is being used in the context of a grudge to harass and cause disruption. Cases where individuals bombard employers with different requests as part of a weekly campaign would also be unfounded.
If an employer has grounds to refuse a request for erasure it must inform the individual within one month after the request. The employer should confirm the reasons for refusing to delete the data and the fact that the individual may complain to the ICO or take legal steps.
It does not matter that the request is not made in a specific format, and it is good practice to record details of the requests received.
Individuals are entitled to a copy of their personal data in a commonly used, machine-readable format and have the right to transfer that data to another organisation.
The right to data portability only applies to data the individual provided themselves and data that concerns them and is most likely to be relevant at the end of the employment relationship. Most of the basic data will be things like an employee’s address, bank account number and so on, which the employee could transfer anyway.
Problems may arise with things like personality tests that an employee participated in being transferred to another potential employer. However, this seems not to be classed in the current rules as personal data that the employee provided or produced. Given this limitation, the right to data portability seems to have few HR implications.
The right to data portability must not prejudice the rights and freedoms of others. Most other data, such as client contact details in Outlook, would affect the rights of third parties or the employer and so does not fall within the portability provisions.
Organisations must notify the ICO of all data breaches without undue delay and, where possible, within 72 hours.
Employees often use SARs to request information in support of an employment tribunal claim. Organisations can no longer charge a fee for responding to SARs, unless the request is excessive. The time limit for responding to requests is one month (for further information, see the ‘Subject access requests’ procedure section below).
The penalties for non-compliance with data protection rules have increased under the DPA 2018 to €20 million or 4% of global annual turnover. Administrative breaches of the Act attract a lower fine.
Reporting directly to the UK Parliament, the Information Commissioner’s Office (ICO) is an independent supervisory authority which ensures that organisations which process data comply with the DPA. The ICO also provides guidance on the Freedom of Information Act 2000 (FOI), the Privacy and Electronic Communications Regulations 2003 and the Environmental Information Regulations 2004.
Among other responsibilities, the ICO:
Data protection is commonly misunderstood. The ICO urges organisations not to hide behind the DPA unnecessarily and to take a common-sense approach to all data protection matters. The data protection principles have given rise to many misunderstandings (for example, the DPA does not stop parents from taking photos in schools for the family album, although the DPA may apply to photos taken for official use by schools if the images are stored with personal details, like names).
Personal data online is everywhere, ranging from online shopping security information to comments on social networks. The primary purpose of the DPA and GDPR is to ensure personal data can only be gathered legally for a legitimate purpose. Data is valuable and can easily be sold on to companies which highlights one of the reasons why protections are needed. Although the initial setting up of systems can be daunting for employers, falling victim to large-scale data loss with the resultant financial penalties would be a far greater problem.
The ICO is a comprehensive source of current good practice guidance on data protection.
Some of the codes of practice and guidance are designed specifically to deal with employment issues, but others are designed to help individuals, businesses, employers or public sector bodies.
The main codes of practice are statutory. This means they have been approved by Parliament and although some of the provisions are not strictly legally enforceable, they should be followed. Any breach, or disregarding of the principles, may be relied on by the ICO in any enforcement action and can be used in evidence in court and tribunal proceedings.
A key statutory code is the Employment practices code (PDF), which deals with important matters such as recruitment and selection, employment records, monitoring at work and information about workers’ health. The ICO is currently updating the code.
There is also important guidance for SMEs, including information on keeping IT systems secure, cloud data processing risks, how to comply with the DPA, and a self-assessment tool to help assess compliance with the DPA.
Many employers have their own communications and data protection policies, taking into account the guidance and explaining how employees’ personal data is processed.
The distinction between data controllers and data processors is important because the extent of an organisation’s obligations in dealing with data depends on it. Note that the same organisation can be both a data controller and data processor.
A data controller is any person who determines why personal data is, or has been, processed and the way in which it is dealt with. Control of the data is the key factor and many employers will be data controllers.
All data controllers must provide a notification to the Information Commissioner’s Office and be included on the register of data controllers. There is a two-tier notification fee structure, depending on the data controller’s turnover and number of staff.
Data controllers must also comply with other legal requirements. They must, for example, follow the data protection principles, such as processing data fairly and lawfully, and use it for legitimate purposes only.
A data processor is anyone who processes personal data on behalf of a data controller. For example, if data is stored on a third party’s server, or processed by an external payroll service, then that organisation is a data processor.
Data processors are currently subject to fewer legal obligations than data controllers but all data processors face additional obligations under the Data Protection Act 2018. To avoid heavy fines, processors must familiarise themselves with the new rules. They will, for example, have to:
The Employment Practices Code (pdf) makes it clear that the code applies to ‘workers.’ This means that employers must be careful with data relating to current employees and many others, for example, previous employees, job applicants, agency workers, contractors, volunteers and those on work placements.
The DPA must be complied with when an employer provides information about the transfer of a business under TUPE (for more information, see our Transfer of Undertakings (TUPE) Q&As ). TUPE requires that certain information is provided to the new employer before the transfer takes place, including details of pay, hours, holiday entitlement and any details of disciplinary or grievance action. Both parties must consider their data protection obligations early in the transfer process and exchange only accurate, current and secure information required by the new employer.
The DPA can apply to many sorts of data, including computerised and manual records, photographs, CCTV footage, mainframes, laptops, tablets, organisers, audio and video systems, telephone logging/surveillance systems, microfiche and microfilm. Whether the DPA applies depends both on what the information is and how it is processed. Employers should look at each subject access request individually.
Data generally means data from which a living individual is identified, or is identifiable.
Anonymous data is where it is impossible to establish the identity of individuals whose details are in a database. It is not subject to the DPA.
Pseudonymous data is where the data attributed to a particular person is organised separately to ensure it is not attributed to the individual. Personal details are removed (for example, names replaced with unique number codes), but there will be a second set of details elsewhere so the identities of individuals can be established with some cross-referencing. This remains personal data under the DPA because it is capable of identifying an individual, but if used properly it may meet obligations to ensure security of data.
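The two-dataset structure described above (records with identities replaced by codes, plus a separately held key table that allows cross-referencing) can be shown in code. The following is an added illustration, not code from the CIPD page or the ICO; the HR records, field names and the `subject_code` column are constructed for the example. Codes are generated randomly rather than by hashing the name, because an unkeyed hash of a name can be reversed by trying plausible names, which would defeat the purpose of separating the identities.

```python
import secrets
from typing import Dict, List, Tuple

# Constructed sample HR records (hypothetical; not from the page).
SAMPLE_RECORDS: List[Dict] = [
    {"name": "A. Example", "department": "Finance", "sick_days": 3},
    {"name": "B. Example", "department": "Finance", "sick_days": 0},
    {"name": "C. Example", "department": "IT", "sick_days": 7},
    {"name": "A. Example", "department": "Finance", "sick_days": 1},
]


def pseudonymise(records: List[Dict], identifier_field: str = "name"
                 ) -> Tuple[List[Dict], Dict[str, str]]:
    """Replace the identifying field with a random code.

    Returns the pseudonymised records and, separately, the key table
    (code -> identity). The same person always receives the same code,
    so records can still be linked; that linkability is why the data
    remains personal data while the key table exists.
    """
    codes_by_identity: Dict[str, str] = {}
    key_table: Dict[str, str] = {}
    pseudonymised: List[Dict] = []
    for record in records:
        identity = record[identifier_field]
        if identity not in codes_by_identity:
            code = secrets.token_hex(8)  # random, not derivable from the name
            codes_by_identity[identity] = code
            key_table[code] = identity
        new_record = {k: v for k, v in record.items() if k != identifier_field}
        new_record["subject_code"] = codes_by_identity[identity]
        pseudonymised.append(new_record)
    return pseudonymised, key_table


def reidentify(pseudonymised: List[Dict], key_table: Dict[str, str],
               identifier_field: str = "name") -> List[Dict]:
    """Restore identities using the key table.

    Raises KeyError for a code not in the table: without the separately
    held key table, the records cannot be attributed to individuals.
    """
    restored = []
    for record in pseudonymised:
        identity = key_table[record["subject_code"]]  # KeyError if missing
        original = {k: v for k, v in record.items() if k != "subject_code"}
        original[identifier_field] = identity
        restored.append(original)
    return restored


def leaks_identity(pseudonymised: List[Dict], records: List[Dict],
                   identifier_field: str = "name") -> bool:
    """Check that no original identity value survives in the output."""
    identities = {r[identifier_field] for r in records}
    return any(value in identities
               for record in pseudonymised for value in record.values())


if __name__ == "__main__":
    pseudo, table = pseudonymise(SAMPLE_RECORDS)
    print("pseudonymised:", pseudo)
    print("key table (held separately):", table)
    print("reidentified:", reidentify(pseudo, table))
```

The key table is the sensitive part of the arrangement: it should be stored apart from the working dataset, with tighter access controls, and destroyed if the records are ever to be treated as anonymous rather than pseudonymous.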
The definition of data falling within the DPA is complex. It includes information which:
The individual must be identified from the data (or from the data and other information which is in the possession of the data controller). Personal data will include that which is obviously about an individual or clearly linked to them.
The data must also be:
There has been considerable confusion and litigation over what types of information and filing systems fall within the definition of data. Whether the DPA applies to manual filing systems can be particularly difficult to understand (see Manual personnel and other manual files).
Every document merely mentioning an individual’s name does not have to be disclosed. Personal data will include that which is obviously about an individual or clearly linked to them. In other cases it may be necessary to consider if the data:
For example, data will be included even if it merely records an individual’s whereabouts at a particular time or involvement in an event. An attendee in the minutes of a meeting does have biographical significance because the minutes record the individual’s whereabouts at a specific time. The need to disclose may be restricted to the list of attendees, depending on the meeting.
Personal data includes information related to an individual’s:
More general information, for example about a house or a car, could also be personal data, because that information is directly linked to an individual, as are marketing lists containing a name together with contact details, such as street and email addresses, and telephone numbers.
For further summarised information, see our Data protection and GDPR in the workplace factsheet.
Much of the information held in HR files is likely to be covered by the DPA because the Act applies to personal data which is contained in a sufficiently accessible filing system.
As the DPA applies to both information held digitally and as hard copy, the key question is whether manually held data is organised into a ‘relevant filing system’.
The leading case on this, Durant v Financial Services Authority (2003), gave helpful guidance on what falls within the DPA and, although the law has developed since the case, is still useful. The judgment indicates that staff records are likely to be covered, depending on the filing system used, and it would be unwise for employers to disregard any aspect of the DPA without specific legal advice.
After the guidance issued by courts and the Information Commissioner, manual staff files (and other manual files) are likely to be held in a ‘relevant filing system’ for the purposes of the DPA if they:
A relevant filing system does not cover a manual filing system which requires a person to search through files to find information qualifying as personal data.
The system must also indicate at the outset whether specific information capable of being personal data is held within the system and, if so, in which file or files it is held.
The DPA is often misunderstood and ex-employees may attempt to use the Act to obtain information to which they are not entitled if the law is applied strictly. Employers may voluntarily disclose information held in a manual form if the confidentiality of other employees is not compromised.
DPA protection is for the privacy of personal data only, not documents as such. Only manual filing systems that are broadly equivalent to computerised systems fall within the DPA.
A subject access request (SAR) is a request for personal information an employer (or any other organisation) holds about an individual. The request must be in writing. The information requested can include an HR file, depending on the nature of the information and the way it’s held.
The individual is entitled to be told:
They are also entitled to be given:
An employer must respond to a SAR without delay and at least within one month of receipt of the request. This can be extended by a further two months if the request is complex or a number of requests have been made.
The exact number of days a data controller has to comply with a request will vary slightly, depending on the month in which the request was made. The ICO guidance originally said that the one-month time limit should be calculated from the day after the request is received until the corresponding calendar date in the next month. However, the ICO guidance was amended in 2019 to state that the time limit for a response to a SAR starts from the day the request is received (whether it is a working day or not) and runs until the corresponding calendar date in the next month. Therefore, if the SAR was received on 19 August, the deadline for the data controller to respond is 19 September.
If the following month is shorter and there is no corresponding calendar date, the date for response is the last day of the next month. So, if the SAR is made on 31 August, the response deadline is 30 September. If the corresponding date falls on a weekend or a public holiday, the data controller will have until the next working day to respond.
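The deadline rules above (count from the day of receipt to the corresponding calendar date next month; fall back to the last day of the month when there is no corresponding date; roll forward over weekends and public holidays) are easy to get wrong in a spreadsheet, so here they are as a small calculator. This is an added example, not code from the CIPD page or the ICO. The treatment of the two-month extension for complex requests (adding two further months with the same corresponding-date rule) and the public holiday list are assumptions of this example; the holiday date used in the demonstration is constructed, not a real bank holiday.

```python
import calendar
from datetime import date, timedelta
from typing import FrozenSet


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` later, or the last day of
    that month if the start day does not exist in it (31 Aug -> 30 Sep)."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, public_holidays: FrozenSet[date]) -> date:
    """Roll forward past Saturdays, Sundays and listed public holidays."""
    while day.weekday() >= 5 or day in public_holidays:
        day += timedelta(days=1)
    return day


def sar_deadline(received: date,
                 public_holidays: FrozenSet[date] = frozenset(),
                 extended: bool = False) -> date:
    """Response deadline for a SAR received on `received`.

    The clock starts on the day of receipt, working day or not. With
    `extended=True` a further two months are added (assumed handling of
    the extension for complex or multiple requests).
    """
    months = 1 + (2 if extended else 0)
    return next_working_day(add_months(received, months), public_holidays)


def days_remaining(today: date, received: date,
                   public_holidays: FrozenSet[date] = frozenset(),
                   extended: bool = False) -> int:
    """Calendar days left before the deadline (negative if overdue);
    useful for a request log, since requests should be recorded."""
    return (sar_deadline(received, public_holidays, extended) - today).days


if __name__ == "__main__":
    # Constructed public holiday for demonstration purposes only.
    holidays = frozenset({date(2019, 9, 23)})
    for received in (date(2019, 8, 19), date(2019, 8, 31), date(2019, 8, 21)):
        print(received, "->", sar_deadline(received, holidays))
    print("extended:", date(2019, 8, 31), "->",
          sar_deadline(date(2019, 8, 31), holidays, extended=True))
```

The year 2019 is used in the demonstration so that the page's own 19 August and 31 August examples land on weekdays; 21 August 2019 shows the weekend roll-forward, and the constructed holiday on the following Monday shows the holiday rule stacking on top of it.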
Employers should ensure that their SAR policies and procedures reflect the correct time limits to comply with their data protection obligations.
Employers must not make any alterations to data in order to make it more acceptable to the data subject. If the employer has any adverse comments in relation to performance, for example, the employee has a right to see them.
Before a prospective employer asks a person about their criminal convictions or police record, it must check that it can ask that person to reveal their conviction history. This is a very complex issue.
Disclosure and Barring Service (DBS) checks (criminal background checks, still sometimes referred to as CRB checks) may be needed for certain jobs or voluntary work, for example, working with children and vulnerable adults, or in healthcare.
The DPA makes it a criminal offence to force others to make subject access requests about themselves and then reveal the results to a third party. Employers must not avoid the complexities of the DBS checking process by demanding that prospective employees use their rights under the DPA to see information held about them.
Provisions of the DPA make it a criminal offence to force individuals, such as employees, to make subject access requests and then reveal the results. This is a practice known as ‘enforced subject access’ and is punishable by a fine.
For example, the DPA prevents:
This does not stop employers getting access to criminal records completely, as in some jobs these checks can be undertaken (see our Recruitment and selection Q&As for more info).
Sensitive personal data is data relating to the data subject’s:
The DPA gives additional protection to sensitive personal data over and above that given to other personal data.
To lawfully process sensitive personal data, at least one of the conditions contained in Schedule 3 of the DPA must be met. The main ones are that the:
Data relating to an employee’s medical condition amounts to sensitive personal data for the purposes of the DPA, so care needs to be taken with using and storing the data.
The Employment practices code (pdf), Part 4: information about workers’ health, addresses the collation and use of information about a worker’s physical or mental health. The code, which is currently being updated, is a statutory one, which means it can be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant. The code’s aim is to assist organisations in complying with their legal obligations under the DPA 2018.
The code covers sickness and injury records, occupational health schemes, information from medical examination and testing, drug and alcohol testing and genetic testing. As this information is sensitive, employers should collect health information only where it is necessary for health and safety reasons, or to prevent discrimination, or to satisfy other legal obligations, or if each worker has freely given explicit consent.
The Information Commissioner recommends that absence and sickness records be kept separately.
Covid-19: During the Coronavirus crisis, employers are likely to have seen an increased volume of sickness and absence requests related to the virus. These may have been requests for sick or carer’s leave, or requests to change working practices due to individual concerns or potential vulnerabilities to the virus. Employers should keep their policies under review to ensure they are up to date, and process any sensitive health data in line with policies/practices for other types of illness.
Employers may also have been collecting additional information in order to protect employees and minimise the likelihood of spreading the virus within the workplace. This may have taken the form of asking employees whether they feel unwell, whether a member of their household is suspected of having the virus, or whether they have recently travelled to a particular country which may make them at greater risk of having the virus. Some employers may have carried out temperature tests on employees returning to the office, or required negative Covid-19 tests as a condition for returning to work.
Where Covid-19 has brought about new policies and practices, employers should ensure any additional data is collected strictly on a need to know basis, is treated fairly and proportionately, kept securely, and only retained for as long as necessary and for limited purposes. Employees should be informed how their data will be handled, and more intrusive practices, such as all forms of testing, should be evaluated in a data protection impact assessment before being deployed.
The fifth data protection principle (see ‘Data protection principles’ above) provides that ‘personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes’. Neither the DPA nor the Employment practices code (pdf) Part 2: employment records, sets a specific time period that is appropriate for the retention of workers’ records. It is, therefore, the responsibility of the employer to decide on retention periods. Most employers will set up a staff records system and many have an express policy dealing with data retention.
(For more detailed information on statutory and recommended retention periods, see our Retention of HR records factsheet.)
All organisations need to keep certain records on current employees: for instance, keeping records of hours worked, or rates of pay, to check compliance with the Working Time Regulations 1998, or the Minimum Wage Act 1998 (see our Working Time Regulations Q&As, and our Reward and pay factsheet).
The termination of an employment relationship does not mean that all records should be deleted. There may be a real business need to retain some of them. For example, employers may need to keep information relating to the employee’s pension arrangements:
There may also be a legal requirement to retain records, for example, in relation to:
If information is needed for possible litigation, the overall time limit for bringing any civil legal action is six years (five years in Scotland).
Employers cannot use all records for all purposes six years later. With some matters, for example, disciplinary issues and warnings, many organisations’ discipline and grievance policies will state that oral warnings expire after six months and written warnings last no longer than 12 months (as recommended by Acas). Organisations may be able to use expired warnings if their disciplinary policy states that the underlying conduct leading to an expired warning may be taken into account by the employer in future disciplinary procedures.
An employee can complain to the ICO (see ICO guidance on this procedure) and ask for an assessment as to whether processing of personal data is being carried out in accordance with DPA principles. The ICO has a range of approaches for enforcing compliance.
The Information Commissioner can serve an information notice requesting certain details from the employer, and can obtain a warrant to enter and inspect premises where there are reasonable grounds for suspecting that the data protection principles have been, or are being, contravened.
If a breach of the data protection principles has occurred, the Information Commissioner may serve an enforcement notice on the employer. This requires an employer to take certain remedial steps and actions, for example, stopping processing data altogether or, if the data is inaccurate, to remedy this or even erase certain items of data. Employers can appeal against enforcement notices within 28 days of the date on which the notice was served, unless exceptional circumstances apply.
Where there is a serious contravention of the data protection principles, the Information Commissioner can serve a monetary penalty notice for breaches of the data protection principles requiring money to be paid before a set deadline. The ICO must be satisfied the contravention was deliberate or the data controller knew (or should have known) of the risk, and that substantial damage or distress would be caused. The ICO allows written representations before the actual penalty notice is served.
The maximum monetary penalty under the previous DPA was limited to a maximum of £500,000. For example, the ICO imposed a fine of £500,000 on Facebook in October 2018 (under the DPA 1998) for its role in Cambridge Analytica’s use of millions of Facebook users’ information. The data was collected through a quiz from quiz participants and their friends without sufficient consent. The fine also included a failure to take adequate remedial action once the misuse of data was discovered.
The ICO can now impose a fine of up to €20 million, or 4% of an organisation’s total annual worldwide turnover in the preceding financial year, whichever is greater. There are two tiers of penalty for an infringement - the higher maximum and the standard maximum.
The higher maximum amount is the €20 million above, which is for failure to comply with any of the data protection principles, individual rights under Part 3 of the Act, or transfers of data to third countries.
The standard maximum relates to the administrative requirements of the legislation and attracts a fine of up to €10 million (or the equivalent in sterling) or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
The individual affected may also seek compensation under the DPA. For example, if a conditional offer of employment is withdrawn as a result of an inaccurate reference, compensation may be claimed in addition to other claims (such as discrimination). Other applications may be made to rectify, remove or destroy personal data.
Breaches of the DPA concerning the disclosure of certain personal information may also be a criminal offence. The 2018 Act uses financial penalties only, rather than imprisonment which was available under the previous legislation. However, there are many criminal offences relating to data protection in the UK, outside of those required by the GDPR, which were updated in the DPA 1998:
Two entirely new offences since 2018 are:
Employers must have an internet and communications policy which specifies the internet use that is, and is not, acceptable. WhatsApp, Instagram, Facebook, Twitter, LinkedIn and other social media platforms can be a professional asset, increasing an employer’s visibility and communication with customers and colleagues. On the other hand, employees’ personal use of social media can eat into the employer’s time and profit and cause serious disciplinary issues.
Many employers have adopted a complete ban on social networking sites at work because of time wasting concerns. However, employers who trust their staff may wish to allow responsible personal use of the internet during break times, provided this does not interfere with work or damage the employer’s reputation.
Employers have a number of options. They can:
If restrictions are placed on social media use, this must be clearly covered in the internet and communications policy. Both the policy and contracts of employment should specify what social media use is gross misconduct, and sufficiently serious to justify summary dismissal. Disciplinary policies must co-ordinate with the social media policies.
Employees must be warned in advance of the monitoring which will take place and why.
Acas has published guidance on Social media in the workplace.
Many cases have arisen concerning the use of social networking sites by employees, including:
If email systems and the internet are misused, claims for the following could arise:
COVID-19: An increased proportion of the workforce may have been working from home or on their own devices during the pandemic. Employers should remind their workforce of any restrictions that are in place on the use of social media during any periods of remote working.
Employers should also be aware that, depending on measures taken by the organisation during the Coronavirus crisis, there may be an increased potential for negative social media posts about the organisation similar in nature to the examples included above. Employers may therefore find it sensible to put in place a social media policy, re-circulate existing policies, or at least remind employees of the risks of using social media in a professional setting.
This question is extremely complex. Monitoring is often illegal unless expressly permitted by the law and legal advice should be taken before carrying it out.
The basic position is that organisations can monitor employees’ communications only if there is a legitimate business reason for doing so and the monitoring does not go any further than necessary. Employers who undertake monitoring are likely to be processing personal data, which will trigger obligations under the DPA and may be breaching an employee’s human rights too.
The law does not allow employees’ communications via company systems to be monitored or intercepted only for checking if employees are breaching company policies on the use of email in the workplace.
The ICO has published guidance as part of the Employment practices code (pdf) (Part 3: monitoring at work).
Monitoring by videoing and/or tapping a telephone system is also illegal unless expressly permitted by law. Even if an employer knows theft is taking place, surveillance cameras should be a last resort.
Covert surveillance should only be used in exceptional circumstances to detect wrongdoing by employees and must be authorised by senior management. The employer must assess whether the intrusion into employees’ private lives is limited to what is absolutely necessary. Covert surveillance should be strictly targeted at obtaining evidence within a set timeframe and cease once the investigation has been completed.
Organisations can justify covert monitoring only by assessing the purpose of the monitoring, any adverse impact, the alternatives to covert monitoring, why those alternatives are not appropriate, and how the recordings will be used.
If workplace surveillance or monitoring is thought to be essential in an investigation into employees’ misdeeds, employers must ensure it is proportionate.
Employers must strike a fair balance between the employees’ right to privacy and the organisation’s interest in protecting its property. Covert surveillance, for example, may involve monitoring all employees without being time-limited, which may be disproportionate and could infringe their right to privacy under Article 8 of the European Convention on Human Rights (ECHR).
The future of the Human Rights Act 1998 after Brexit is uncertain as there have been plans to replace it with a UK Bill of Rights. However, any covert surveillance would have to be in accordance with the DPA 2018 and the Employment practices code (pdf) published by the ICO. That guidance states that covert surveillance should only be undertaken in exceptional circumstances, including suspicion of criminal activity or equivalent malpractice, where notifying the employees would prevent the detection of crime.
The ICO states that any covert monitoring must be:
It is not only employers who covertly record matters; employees may attempt to record events such as meetings. The Employment Appeal Tribunal has clarified that it may be acceptable for an employee to make a covert recording of a meeting without it being considered misconduct in some circumstances (see Recent cases, Phoenix House v Stockman 2017).
All employers must have their own detailed communications, internet, social media and data protection policies in place which should be clearly communicated to employees on, for example, the company intranet, in employee handbooks and during staff inductions.
Employers may only monitor and/or intercept communications in very limited circumstances. If an organisation decides that monitoring personal communications on business accounts is the only option available, then employees’ expectation of privacy must be managed carefully.
Employees must know the extent to which they can send personal communications on company systems, whether outside or during work time, and know how often their communications will be monitored and why this is necessary.
The policy should be linked to disciplinary and dismissal proceedings making it clear that failure to comply with the policy could result in disciplinary proceedings, up to and including dismissal.
Workers have a legitimate expectation of keeping their personal lives private at work and are entitled to a degree of privacy in the workplace. The Employment practices code (pdf), Part 3: monitoring at work, contains detailed guidance on monitoring communications. Any monitoring should be justified by the benefits it delivers, and the code recommends employers undertaking impact assessments beforehand.
If an employer intends to monitor its workers, it should:
Under separate legislation, employers may be able to monitor, without the employee’s specific consent first being obtained, for:
Employers should still take reasonable steps to inform employees that their communications might be intercepted and should always consider whether there are less intrusive ways of monitoring correspondence. For example, automated monitoring that blocks emails containing obscene language may be preferable to monitoring by a line manager who can see every email sent by their direct reports.
COVID-19: With an increasing number of employees working remotely, employers may have a particular interest in gathering productivity-related data.
If monitoring is carried out, it must be proportionate, lawful and fair, and should be conducted in line with the above guidance. Any changes or increase to monitoring activities may trigger the need to perform or re-visit a data protection impact assessment relating to an organisation’s monitoring of its employees. Those employees will also need to be informed of any change to existing monitoring activities, which may require the update and re-circulation of monitoring and employee privacy notices.
If employers wish to conduct increased monitoring of their employees’ health they should do so in accordance with the guidance in the section Sickness absence data above.
Supplying staff with their own personal smartphones, laptops, tablets or even USB devices can raise important data protection issues, as can allowing them to use their own devices for work purposes. An Information Commissioner’s Office (ICO) survey revealed that many employers appear to have an overly relaxed attitude to allowing staff to use personal laptops, tablets or smartphones for email and other work business, which may be placing personal information at risk.
The physical security of equipment is important as there are risks of data breaches and cyber theft. Many data breaches arise from the theft or loss of a device.
An effective internet, social media and communications policy must cover the permissible use of employees’ own devices for working purposes, and the permissible use and return of employer-owned devices. Staff should be trained so that they are fully aware of their data protection responsibilities on any devices supplied to them.
The ICO has published Bring your own device (BYOD) (pdf) guidance on this issue and, although this has not been updated to refer to the DPA 2018, it is still valid advice, explaining some of the data protection and other risks organisations must consider when allowing personal devices to be used to process work-related personal information.
Particular risks employers should consider include public cloud-based sharing services and the types of personal data that can be processed on personal devices. Some mobile devices have a remote disable or wipe facility, which means a signal can be sent to a lost or stolen device to securely delete all data.
The ICO’s Employment practices code (pdf) offers clear guidance on the obligations of employers and employees regarding separating personal and corporate data to ensure compliance with the DPA.
The overriding guidance to deal with such issues is that employers should have in place clear and detailed policies. These will be scrutinised by courts and tribunals and will often be one of the determining factors in employment proceedings.
COVID-19: As increasing numbers of employees are required to work from home, it is likely that there will be an increased use of personal devices for professional work. Employers should remind their employees of any existing Bring your own device (BYOD) policies, or consider putting such policies in place.
Employers should keep in mind the above guidance, and remember that increased use of personal devices, especially by those who are not used to working remotely, may pose an increased cyber security risk to their business.
During the Coronavirus pandemic, there has been an increased use of working from home, potentially where no such arrangements have been used before. Where this leads to organisations increasing the amount of information they record about their employees, for example collecting increased productivity related data, this should be done fairly and transparently, and must be communicated to employees. New measures should be implemented in accordance with the monitoring guidance set out above.
Employers should also be aware of the increased cyber security risks posed by increased numbers of their employees working remotely. This can include employees connecting their personal devices to the organisation’s network and saving data to personal devices. (See the guidance relating to use of personal devices above).
Employers will also need to be aware that physical measures for protecting sensitive information, such as locked drawers or private spaces for calls, may not be available to their employees. Employers should provide guidance to their workforce about how to work securely from home. This should take account of the use of company and personal devices, increased cyber security threats such as anti-virus requirements, and an increasing incidence of phishing emails.
William Morrison Supermarkets Plc v Various Claimants | Supreme Court | 6 November 2019
[2020] UKSC 12
Issue: Data protection – vicarious liability
The claimants in this case were over 5,500 supermarket employees. The senior internal IT auditor at the supermarket (Skelton) uploaded personal data including names, addresses, dates of birth, home and mobile phone numbers, national insurance numbers, and details of bank accounts and salaries relating to nearly 100,000 Morrisons' employees to a file-sharing website. He then copied the data to three UK newspapers.
Skelton was seeking revenge for an internal disciplinary procedure – he had allegedly operated a side-business from the supermarket’s post room. He was eventually arrested and convicted of fraud, and various data protection and other offences and sentenced to eight years in prison.
The employees brought group legal proceedings against Morrison’s for breaches of the data protection legislation, misuse of private information, and breaches of confidence. They also claimed Morrison’s was vicariously liable for Skelton's misuse of private information and breaches of confidence.
Two of the key issues by the time the matter reached the final appeal stage were whether:
The Supreme Court decided that Morrison’s was not vicariously liable for the employee’s misuse of data. The Court of Appeal had misunderstood the principles governing vicarious liability. Looking at the two-stage test for vicarious liability, employers will not be liable for an employee’s wrongful act where that act was not furthering the employer's business, and was an effort to deliberately cause financial damage to the company (as it was here – a personal vendetta).
This case was decided under the Data Protection Act 1998, but the same principles apply to requests under the Data Protection Act 2018.
This is the first UK group action for a data protection breach and it appears to restrict pursuit of vicarious liability claims against employers in similar future cases. The Supreme Court has given guidance on the potential scope of vicarious liability for rogue employees and internal threats of data breaches.
If an employee misuses data entrusted to them, their employer may not be vicariously liable, especially where the employer has not committed a data protection breach itself and has tried to prevent misuse.
Employers must be proactive in using appropriate data security measures, policies and procedures and should also consider implementing stricter controls on those dealing with personal data. In any group action claims for data breaches, employers may be able to avoid vicarious liability for deliberate wrongdoing by an employee acting outside the course of their employment when the data breach occurred. People whose data has been affected (data subjects) may not always be able to pursue a class action on grounds of vicarious liability. However, class actions may still arise under the DPA and there is always a risk employers can be held vicariously liable for a data breach.
Key points to note are that:
Having organisational measures in place to prevent breaches may not always be enough to avoid vicarious liability, but the employer's potential exposure to sanctions by the Information Commissioner may be minimised if some preventative systems are in place.
B v General Medical Council | Court of Appeal | 28 June 2018
[2018] EWCA Civ 1497
Issue: Data protection – mixed personal data
A patient alleged that a GP had misdiagnosed him and submitted a subject access request under the Data Protection Act 1998 to the General Medical Council. The doctor argued that the GMC medical report needed to investigate the complaint should not be disclosed to the patient complaining as it would contain information about the GP’s alleged lack of fitness to practice. The doctor said this would breach his right to privacy.
The report contained mixed personal data, in other words, personal data relating to both the GP and the patient. Obviously the GP did not consent to the report’s disclosure, because the request for the report was being made with a view to bringing legal proceedings against him.
The GMC said the report should be disclosed but a judge at the initial hearing held that the patient was not entitled to see it, and the patient appealed.
The Court of Appeal allowed the appeal and ordered disclosure of the report. It held that:
This case is now the leading case on mixed personal data and is helpful for employers faced with subject access requests where disclosure of mixed personal data is requested.
Under data protection legislation, employers can often refuse to make a disclosure of a third party’s data if that person has not consented to the information being released. If the data is mixed, employers should proceed with caution before refusing the request just because a third party has refused consent.
Organisations need to strike a balance between the competing interests of the person objecting to the disclosure of mixed data and the person requesting it. Businesses can presume that they should deny disclosure only if all the other interests are equally balanced. Access to personal data does not depend on the motives of the person making the request. An individual requesting the disclosure in order to bring legal proceedings is only one factor to be considered by the data controller. For example, if the person requesting data is a vexatious litigant, disclosure might be refused. The person seeking the disclosure should not be ignored just because the information may assist their case.
Phoenix House v Stockman | EAT | July 2019
UKEAT/0284/17/OO & UKEAT/0058/18/OO
Issue: Covert surveillance by employee
An employee in the finance department at an alcohol and drug addiction charity was told her role was redundant. Following the restructure, she obtained the much more junior role of payroll controller. A dispute with the finance director arose about whether the restructure was biased, and she raised a grievance. As a result of an inappropriate outburst during a meeting, disciplinary proceedings were started in parallel with the grievance. The employee covertly recorded a meeting she had with the director of resources.
The disciplinary and grievance hearings were held in her absence as she went on sick leave. Eventually there was a written warning and the grievance was not upheld. Ultimately there was another hearing to decide whether the working relationship had irretrievably broken down and she was dismissed for ‘some other substantial reason’.
Many issues arose in the tribunal claim for unfair dismissal. In an earlier hearing in 2016, the EAT confirmed the tribunal finding of unfair dismissal. It was unreasonable for the employer to conclude there was an irretrievable breakdown in the working relationship because the employee said she would put the matter behind her. There had also been insufficient notice about the final hearing and no real understanding of the case against her. However, the data privacy issue in the case emerged in the later hearing which examined the effect of the covert recording she undertook during the meeting.
The EAT clarified when it is acceptable for an employee to make a covert recording of a meeting. The EAT said it was good practice for an employee or employer to reveal their plans to record a meeting, and that it would generally be misconduct if an employee making the recording did not reveal this.
The covert recording did not come to light until the tribunal hearing and the employer said had it been aware of the recording it would have dismissed the employee for gross misconduct, which would reduce her compensation award to nil anyway.
The EAT found that covert recording was not specifically banned in the employer’s disciplinary policy and the employee was not sure that the device was working properly while recording the meeting. Therefore, it could not be considered gross misconduct.
If an employee does not trust their employer and thinks they are about to be unfairly dismissed, they might want to record the conversation to use as evidence in any subsequent tribunal claim. There is no specific legislation governing whether employees can record conversations with HR.
The basic position is that if an employee is going to record a conversation they should do so openly and notify the employer of this. Historically it was thought that a conversation secretly recorded by an employee would not be admissible as evidence in a court or tribunal. However, since the case of Amwell View School v Dogherty (2006), recordings have been admissible at least for the part of the meeting when the employee was present. Employers should always assume that there is a risk they could be recorded in meetings and should behave accordingly.
If the employee is feeling bullied and threatened, and makes a recording to protect themselves, this is less likely to be misconduct, whereas a manipulative employee seeking to entrap the employer, or one who lies about making the recording, may be guilty of gross misconduct and the covert evidence is less likely to be allowed. Other relevant factors include if the employee was specifically told there must be no recording, or if the meeting included highly confidential personal information about a third party.
Employers who do not want employees to record conversations should:
If a covert recording is made, there is always a risk an employment tribunal may still allow the evidence even if the employer’s policy prohibited it. Organisations should:
Data protection law has to change frequently, primarily because it needs to adapt to new technologies, but also because trust in data is fundamental to engagement in the digital economy. Data handling is also an international matter as data can so easily cross international boundaries.
A major overhaul of UK and EU data protection law took place in 2018 alongside the introduction of important new legislation, the Data Protection Act (DPA) 2018 and the GDPR, which affect how employers (and other organisations) deal with personal data. The DPA 2018 applies before and after the UK’s departure from the EU; it incorporates the GDPR’s provisions and replicates and updates the Data Protection Act 1998. Many of the GDPR’s core principles are similar to the previous DPA, but there are some differences (see ‘DPA 2018 and GDPR’ above).
In May 2017, the ICO published a five-year plan, setting out its mission to increase confidence in data use in government, public bodies and the private sector. The plan commits the ICO to leading implementation of the GDPR and other data protection reforms.
A new ‘Data protection regulatory action policy’ (pdf) was prepared as part of the ICO’s preparations for the GDPR and laid before Parliament in 2018. It provides an overview of how the ICO will use its expanded regulatory enforcement powers provided by the GDPR and the DPA 2018. This supplements the Information Rights Strategic Plan for 2017-2021 and International Strategy for 2017-2021.
The EU is replacing the outdated Privacy and Electronic Communications (EC) Directive 2002/58/EC with a new regulation which will set out specific rules for processing personal data in electronic communications. The previous directive applies in the UK through the Privacy and Electronic Communications Regulations 2003.
The new EU Regulation is unlikely to be fully agreed until 2020. Whether it will influence UK law or apply in the UK after Brexit depends on the terms of our departure from the EU.
If there is no deal, and the UK relinquishes EU membership without a withdrawal agreement, the 2003 regulations will be retained under the UK European Union (Withdrawal) Act 2018, and UK case law that applies to the 2003 legislation will continue to be relevant, even if it relied on EU cases. There will need to be amendments to the 2003 regulations to ensure that they continue to operate after the UK's withdrawal. The new regulation will not apply to the UK but substantially similar rules may be necessary in order for the UK to trade with the EU in the future.
If a withdrawal agreement is passed, the relevant EU law will continue to apply in the UK during the transition period (until 31 December 2020 under Theresa May’s withdrawal agreement, unless extended). If the EU Regulation applies during the transition period, it will become UK national law under the European Communities Act 1972. At the end of the transition period, if the EU Regulation is applicable in the UK, it will be turned into UK law under the European Union (Withdrawal) Act 2018.
If the EU Regulation is applied or followed here, then its changes will include:
The UK government remains uncertain what implications the ePrivacy regulations will have in the UK. In the meantime, the ICO has confirmed that the old Privacy and Electronic Communications (EC Directive) Regulations 2003 will still apply.
When the UK exits the EU, some EU laws (including limited employment rights) will initially automatically become part of UK domestic law, provided the European Union (Withdrawal) Act 2018 is implemented as drafted.
Many references to EU laws and institutions will cease to be relevant in the UK after Brexit. Comprehensive regulations, therefore, will be needed to amend the DPA 2018, and be read alongside the GDPR. Some examples include:
The new regulations also deal with post-exit international data transfers from the UK. For the lawful transfer of personal data from the EU into the UK, we will need to apply to the EU for adequacy status, which allows cross-border data transfer outside the EU – hence the need for the UK version of the GDPR to be close to the EU version.
The EU-US Privacy Shield is a binding legal basis for transferring personal data to the US, and is one of a number of agreements governing transfers of data to the US.
After the UK leaves the EU, personal data transferred from the UK to organisations covered by the US Privacy Shield would no longer be covered by the legislation. New legislation will come into force immediately before the UK leaves the EU focusing on personal data transferred from the UK to US. Organisations that have signed up to the Privacy Shield will therefore continue to be covered by the Privacy Shield legislation when the UK leaves the EU, and must specifically ensure that their privacy policies refer to personal data transfers from the UK.
The European Data Protection Board released early guidance on binding corporate rules in the event of a 'no deal' Brexit. These rules allow multinational companies to transfer personal data from the EEA to companies outside the EEA without breaching legislation. Companies need to apply to a lead supervisory authority to authorise their binding corporate rules. Following Brexit, UK organisations will need to identify an appropriate Supervisory Authority in an EU member state, as the new rules will not be governed by the ICO anymore.
In a 'no deal' scenario, UK companies with applications that have only reached the review stage will have to transfer the application to a new EU Supervisory Authority. Binding corporate rules that have already been authorised prior to Brexit will remain valid across the EU.
The arrangements for transfers of personal data to other countries after Brexit will depend on the agreements reached with the country in question. Many places have data protection law that limits the transfer of personal data to countries which do not have an adequate level of protection. For example, the Commissioner of Data Protection in Dubai has announced that the UK will be treated as offering an adequate level of protection for personal data after the UK leaves the EU because the GDPR has been absorbed into UK law in the Data Protection Act 2018. This confirmation ensures that businesses in Dubai can continue to transfer personal data to the UK after Brexit.
For more information on what Brexit may mean for employment law, visit our Brexit hub.