Data protection law; what employers need to know

Data protection has become much more stringent in the last few years and is now governed in the UK by the Data Protection Act 2018 (DPA 2018), alongside the introduction of the more recent UK General Data Protection Regulation (UK GDPR) which came into effect at the start of 2021.

As you can imagine it’s a complex and wide-ranging topic, and one that impacts businesses both in their day-to-day operations and their longer-term plans.

What is GDPR and why do I need to comply with it?

GDPR is in place to protect individuals in relation to the processing of their personal data. In the UK this is monitored by The Information Commissioners Office (ICO), who have the power to take action against any reported breaches.

In an employment context it concerns the processing of personal data where employees are the data subjects and employers are the data controllers. It focuses on the methods organisations use to collect, process and store information and the different technology being used to do that.

How is data processing defined by GDPR?

The processing of personal data is defined by GDPR in the following ways:

– Collection, recording, organisation, structuring or storage

– Adaption or alteration

– Retrieval, consultation or use

– Disclosure by transmission, dissemination or otherwise making available

– Alignment or combination

– Restriction, destruction or erasure

The key data protection principles of GDPR

Employers must comply with the following key principles of GDPR when managing and storing employee data:

Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation: Personal data must be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay.

Storage limitation: Personal data kept in a way that permits identification of data subjects must be kept for no longer than is necessary once it has been processed.  There are some exceptions that allow data to be stored for longer periods such as archiving in the public interest, scientific or historical research or statistical purposes (but technical and organisational safeguarding measures are still required to protect the data subjects).

Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Accountability: The controller is responsible for, and must be able to demonstrate compliance with the other data protection principles.

What is personal data?

It’s important to define what is considered personal data and what responsibilities employers have in terms of managing this.

Personal data is any information relating to an identified or identifiable living individual. In an employment context this can include an employee’s name, address, date of birth, next of kin and emergency contact details.

It can also cover data relating to their role such as pay, social security and pensions, sickness and holiday records, attendance, and performance records. Under certain circumstances it can also extend to email correspondence involving them.

Special categories of personal data

There are also other types of personal data that employers may have access to but that need protecting, GDPR identifies these as “special categories of personal data” and they include:

– Racial or ethnic origin

– Political opinions

– Religious or philosophical beliefs

– Trade union membership

– Genetic data

– Biometric data that uniquely identifies an individual

– Data concerning health

– Data concerning a person’s sex life or sexual orientation

Additional safeguards and obligations are in place to protect special categories of data and it can only be processed in limited circumstances and with the consent of the employee.

What should be covered in an employee data protection policy

We always recommend businesses have a detailed policy on data that covers not just employee data, but also data relating to customers, suppliers and other business partners.

Ideally an employee related data protection policy should cover the following key points:

– What data is held

– The purpose for holding that data

– How that data is processed

– Who that data is shared with

– How long it is kept for

– A process for employees to access their own personal data

An employer’s processes and systems must be designed to protect the data it holds in line with the policy and the data protection legislation.

Ways to better understand data protection law

The ICO created an Employment Practices Code to help employers better understand what they need to do to comply with data protection law and to encourage best practice. It’s quite a lengthy document but useful for reference as it covers the following topics:

– Recruitment and selection

– Employment records

– Monitoring at work

– Information about workers health

You can take a look at the code here.

Alternatively, you could speak to an expert from our friendly team who can talk through your needs and help tailor a policy to your exact specification. Contact us here.