Data protection

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) together create a new regime governing the processing of personal data relating to data subjects by data controllers (concepts with which employers will be familiar from the Data Protection Act 1998).

In the employment context the data controller is the person or entity that determines the purposes and means of the processing of personal data (usually the employing entity); the data processor is the person or company that processes data on behalf of the data controller (for example an outsourced payroll provider); and the data subject is the employee.

Personal data is ‘any information relating to an identified or identifiable living individual’.  An individual is identifiable if they can be identified, directly or indirectly, in particular by reference to either of the following:

  • an identifier such as a name, an identification number, location data or an online identifier
  • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

‘Processing’ data includes collection, recording, organisation, storage, altering, retrieving, using, transmitting, combining, destroying and erasing data.  Employers process personal data in respect of employees in numerous ways at all stages of employment, from recruitment until after employment has ended.  Data controllers are under an obligation to process data in accordance with the data protection principles:

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality
  • accountability.

Data controllers may only process personal data if one of the lawful conditions for processing is met.  In an employment context this will often be one of the following conditions:

  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering into a contract
  • the processing is necessary to comply with a legal obligation to which the controller is subject
  • the processing is necessary to protect the vital interests of the data subject or another person.

Certain kinds of personal data are known as ‘special categories’ of personal data (previously sensitive personal data under the DPA 1998, although there are some differences) and require higher levels of protection.  These are racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health, sex life and sexual orientation.  Employers need to have further justification for collecting, storing and using this type of personal information.

When processing special categories of personal data, employers must have a policy document in place that explains the employer’s procedures for complying with the data protection principles in connection with the processing of the data, and explains the employer’s policies regarding the retention and erasure of the personal data processed, giving an indication of how long such personal data is likely to be retained.  They must also comply with additional safeguarding requirements relating to record keeping.  Employers can only process special categories of personal data in certain circumstances, including where they need to carry out their legal obligations or exercise rights in connection with employment; in some cases with explicit written consent; where it is needed in the public interest (for example for equal opportunities monitoring); where it is needed in relation to legal claims; or where it is needed to protect the data subject’s interests (or someone else’s interests) and the data subject is not capable of giving consent.

Employees, as data subjects, have various rights under the GDPR which, in some circumstances, entitle them to:

  • request access to their personal information (commonly known as a ‘data subject access request’)
  • request correction of the personal information that is held about them
  • request erasure of their personal information
  • object to processing of their personal information
  • request the restriction of processing of their personal information
  • request the transfer of their personal information to another party.

Employers need to make employees aware of their rights under the GDPR, typically through a privacy notice.  Most employers process personal data, which means that they must be registered with the Information Commissioner’s Office (ICO) as doing so.

Employees are entitled to see what data are held on them.  Under the GDPR a request does not have to be made in writing, although employers will usually ask for it in writing so that there is a clear record of what was requested and when.  Access to the data must normally be given within one month of the request, although the employer may extend that period by a further two months where necessary, taking into account the complexity and number of requests.  If the data identify a third person, the employee does not have an automatic right to see those data: either the consent of the third party must first be obtained, or the features identifying the third party must be removed before disclosure.