Data Protection is primarily governed by the Data Protection Act 1998 (the Act). The Act is concerned with respecting the rights of individuals when their personal data is processed. Personal data means information about individuals who can be identified from that information, such as names, addresses and National Insurance numbers, and also includes the employer's opinions and intentions with respect to employees. Sensitive data is also covered and subject to more robust legal requirements. Sensitive data includes information about an individual's racial or ethnic origins, political opinions, religious or other beliefs, trade union membership, health and criminal proceedings or convictions. Generally speaking, personal data does not include day-to-day business correspondence to, from or copying the employee, where normal work activities are being carried out.

An employer will be processing (collecting, retaining, recording, deleting, etc.) personal data throughout an employment relationship for a number of reasons, including to recruit, to monitor performance, and for health and safety reasons. From time to time, as part of routine checks or a specific investigation, an employer may also monitor or check an employee's telephone, emails and Internet usage, which will inevitably result in accessing or using personal data. There are strict legal requirements regarding such monitoring.

The Act requires employers to comply with eight principles when processing personal data. These principles include the requirement that data must be collected and used fairly and lawfully, be accurate, be up to date, be kept for no longer than necessary, be protected by appropriate security measures, and not be transferred outside the European Economic Area, unless certain protective measures are first put in place.

Employees' Rights

Employees have the right to request a copy of the personal data their employer holds about them. This includes information about grievance and disciplinary issues, and information obtained through monitoring. Arrangements should be in place to deal with requests, as the Act imposes a 40-day time limit. There are some exemptions to providing such data, such as where giving the information would make it more difficult to detect a crime, or where the information concerns a third party. For example, if an employee has been accused of harassment, the employer may need to protect the identity of the person making the accusation.

Employees can object to their employer holding or using personal data about them if it causes distress or harm, and in such instances, the employer should delete that information or stop using it in the way complained about, unless the employer has a compelling reason not to delete or stop using it. If an employee considers that there has been a breach of the Act in respect of personal data about that employee, the employee should first raise the matter internally with the person responsible for dealing with it. However, employees also have the right to apply to the Information Commissioner's Office (ICO), which will determine whether there has been a breach by the employer. The ICO can serve enforcement notices, which require employers to comply with the data protection principles, and information notices, which require employers to provide certain information within a specified time. If the employer fails to comply with either kind of notice, it will be guilty of a criminal offence with a maximum fine of £5,000. If employees suffer damage because their employer fails to comply with its data protection obligations, they can also issue court proceedings in which unlimited damages could be awarded. Where data is inaccurate, the court also has powers to order its rectification, blocking, erasure or destruction.

Employers' Obligations

Set out below are some of the key requirements employers need to observe when processing employee data:

  1. Employees must be notified of the employer's processing activities, typically through a privacy policy that covers the conditions under which personal data will be processed (for example, monitoring of email, Internet and telephone use should be explicitly stated), so that everyone is aware of their individual responsibilities and the employer's expectations regarding privacy.
  2. Records should be kept secure, e.g. manual files kept in locked filing cabinets and computer records password protected.
  3. Data should be accessed only by appropriate, authorised staff members who have been adequately trained.
  4. Records should be kept up to date, with employees asked to check and update them periodically.
  5. Data must not be irrelevant or excessive, and should be deleted once there is no longer a business or legal requirement to keep it.
  6. Data needs to be discarded securely, e.g. by using confidential shredding.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.