The basics of data protection in the workplace
The basic legal rules on protecting employment data are set out in the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (the DPA). The DPA governs the processing (eg collection and distribution) of personal data (eg names, addresses and sensitive personal data, such as information about mental and physical health) in the UK.
If you breach your staff’s data protection rights this could automatically breach other duties you owe them. For example, a serious breach of data protection and privacy rights could amount to a breach of contract as a result of a failure to meet the duty to maintain trust and confidence. A breach could even be constructive dismissal.
Openness is key. You should tell employees the types of data you might collect about them and what you do with it in an Employee privacy notice, also known as a 'fair processing statement'. This statement details how you collect, use, retain and disclose personal information. Similarly, if you engage consultants, you should create a Consultant privacy notice.
Where data processing is likely to result in a high risk to individuals (eg they risk being denied work opportunities), you must conduct a Data protection impact assessment (DPIA). Where intrusive action is unavoidable, think of ways to manage and reduce the impact. Provide written instructions to those involved, as a record of the steps taken.
Putting a Data protection and data security policy in place in your organisation helps ensure that you follow a set process that gives confidence to employees and clients alike and helps avoid any potential claims.
What tricky data protection issues arise in employment?
Recruitment
Recruitment processes and pre-employment checks can be intrusive. Be open about your processes, don’t collect more information than you need at each stage of recruitment and don’t retain information longer than necessary.
You should take extra care to comply with rules about checking criminal records and convictions.
Special category personal data
You will unavoidably handle data that sits within the 'special' categories of personal data, ie sensitive personal data (eg when you manage sickness absence or administer employee benefits). This can usually only be done with explicit and freely-given consent, to safeguard health and safety or to avoid disability discrimination.
Workplace monitoring
Many employers monitor emails and other IT use or have workplace CCTV. This is permitted as long as you have a legal basis to do so. You should tell staff if you have such procedures in place and you should consider less intrusive ways to achieve the same goal.
You should also take steps to avoid reviewing obviously personal materials. Accessing an employee’s computer material or personal account without their consent is considered hacking and is a criminal offence that can have serious legal implications. Consider introducing a Communications and equipment policy to maintain transparency when it comes to monitoring communications and IT equipment and resources. Covert surveillance is especially intrusive and can only be used in extreme cases and on a limited basis. For more information, read Employees' use of IT.
Health and medical information
In principle, all health information is private. If you collect it, there should be a clear basis (ie justified reason) for collecting or processing it. For example, employers may require certain information from staff about their Coronavirus (COVID-19) vaccination status to comply with employment law, the employer’s health and safety duties and for reasons of the public interest. Once processed, health information must be kept secure.
Drug or alcohol testing will usually only be permissible for clear health and safety reasons.
International transfers of personal data
Transferring data outside the UK (including transfers to group companies) requires special safeguards (eg standard contractual clauses) to be in place. For more information, read International transfers of personal data.
Social media
Using information from employees’ personal social media to make employment decisions raises difficult issues related to discrimination, privacy and data protection. It’s worth protecting the interests of yourself and your employees with a Social media policy. For further information, read Employees and social media.
If you have any questions about data protection in the workplace, Ask a lawyer.