UK: Top Data Protection Issues For HR Managers

Last Updated: 19 February 2008
Article by Piers Leigh-Pollitt


Gone are the days when data protection was just to do with maintaining employee confidentiality and updating contact details from time to time. As busy HR managers are finding, employees now have a much better awareness of their rights (though not necessarily their responsibilities): they have the right to know what information is being processed about them and why, they have the right of access to most of that information and they have the right to expect it to be held securely and not passed on to others who have no legitimate right to see it. Employees also need to understand their responsibilities towards other "data subjects" (ie those whose personal information is processed by the employer), so as to ensure that they do not (unwittingly or otherwise) trample on those other people's rights.

The purpose of this checklist is to provide a practical guide to the key data protection issues facing HR managers on a daily basis, and covers the following four areas: Recruitment; Employee Monitoring; Disputes; and Overseas data transfers and business disposals.

Recruitment Issues

Using employment agencies

  • Check your agency contract to ensure that it contains an obligation on the agency to inform potential candidates that their personal details may be forwarded to your organisation with the consent of the candidates.
  • Once you receive written information about a candidate, you should contact the candidate to let them know of any uses to which their information may be put, if such uses are not for the normal purposes intended by the provision of the candidate's details. This is unlikely to occur in practice.
  • If a candidate is unsuitable, inform the agency and destroy or remove from your IT system all personal information relating to that individual.

Interviewing candidates

  • Interview notes do not necessarily come within the ambit of the Act – if they are not scanned into the computer, nor placed in a relevant filing system, the candidate will not have an automatic right to see them under the Act. However, care should still be exercised when interviewing candidates because they may still apply for disclosure of the notes during the course of subsequent Employment Tribunal proceedings (typically a discrimination claim). It is obviously important for the organisation defending such a claim to be able to justify its decision not to appoint.
  • If employee personnel records have a clear internal structure and have an index to facilitate the easy retrieval of particular documents, they should be treated as a "relevant filing system", meaning that such records will come within the ambit of the Act. This means that any information from the recruitment stage of the process must still be relevant to the ongoing employment relationship, and is subject to the right of access by the employee.
  • You should let an unsuccessful candidate know if you intend to keep their personal details on file, should a more suitable vacancy arise, and give that candidate an opportunity to object.
  • Even if the candidate does object, this does not mean that you have to destroy all interview information, because you may retain such information as is necessary to defend the organisation or the interviewer in the event of future litigation. This should be made clear on the file.

Pre-employment vetting

  • The use of verification or vetting agents who verify the accuracy of information provided by successful candidates is not prohibited by the Act.
  • Due to the intrusive nature of vetting services, these should be used only where it is strictly necessary to vet candidates in addition to relying on references supplied.
  • Limit vetting to specific categories of data (such as educational/professional qualifications or previous directorships).
  • Vetting agents will be acting as your "data processor", which means that you must ensure that you have a written contract with them, whereby the agents agree to act only on your organisation's instructions and to comply with certain data security obligations.
  • You should obtain the candidate's written consent to the vetting exercise and offer them the opportunity to make representations about any adverse findings.
  • Any information provided by a vetting process should be destroyed as soon as possible, although a record of the result of the vetting process may be retained.

Criminal records

  • Unless the successful candidate will be working with children or vulnerable adults, then the only type of criminal record disclosure that will apply in most cases will be the "basic disclosure". Currently, basic disclosures are not available via the Criminal Records Bureau, although it is possible to obtain them through Disclosure Scotland.
  • If the successful candidate is going to be working with children or vulnerable adults, there are two levels of CRB checks, Standard and Enhanced Disclosure. Further advice should be obtained as to the suitable level of check to apply for.
  • Criminal records constitute "sensitive personal data", which means that one of the sensitive personal data conditions must be satisfied under the Act, of which "explicit consent" is one such condition. Since the candidate will have to apply for the disclosure themselves, the obtaining of their explicit consent should not pose any practical difficulty.
  • Do not retain criminal records data after a recruitment decision has been made – a record of the fact that a criminal record check was carried out and the result of that check should suffice.

Pre-employment medical

  • Any information concerning an individual's physical or mental health will fall within the category of "sensitive personal data" under the Act and should only be processed if one of the sensitive data conditions is satisfied. Usually, the easiest condition to satisfy is that of the individual's explicit consent.
  • Only where there is an intention to appoint should employers carry out medical examinations on candidates. They should be informed of the need for testing as early as possible in the recruitment process.
  • It may be sufficient for the employer to seek information via a medical questionnaire in the first instance, as this will be less intrusive than a full medical, but if the nature of the job requires a full medical, health and safety considerations will prevail.
  • You should inform individuals about the circumstances in which medical testing is to take place, the nature of the testing, what the individual is being tested for, how the information will be used and to whom it will be made available. If only a medical questionnaire is used, the candidate should be informed about how the information will be used and by whom.

Employee Monitoring

Drug and alcohol testing

  • As with all forms of employee monitoring, it is important to consider whether it is appropriate to carry out an "impact assessment" before undertaking any monitoring. This is designed to ensure that the benefits of processing such information about the employee justifies the intrusion on the employee's privacy.
  • Always consider less intrusive methods first – for example, there is equipment available to measure hand-eye co-ordination and response time, which may suffice for your purposes.
  • Since the chief justification for drug and alcohol testing is health and safety, testing should be targeted at jobs that pose a particular risk to the health and safety of others. Randomly testing all employees will not be justified if it is only employees in safety critical activities that pose a risk.
  • Make sure that employees have been warned that testing may take place in advance – for example, this could be done via a drug and alcohol testing policy or an email communication.
  • Inform employees of the procedure for testing (eg random/on suspicion only), what type of substances they are being tested for, what are the acceptable levels of use for a particular substance, and the possible consequences of a breach (eg dismissal).
  • Any samples taken should be analysed by an appropriately qualified professional or by an approved laboratory.
  • Remember that if a laboratory is used, that laboratory will be acting as your organisation's "data processor". Make sure that you enter into a data processor agreement with the laboratory, whereby the laboratory agrees to act only upon your instructions and to comply with certain data security obligations.
  • If you have a reasonable suspicion that one of your employees is under the influence of drugs or alcohol and is about to use a car or machinery that could pose a health and safety risk, the employee may be prevented from driving or operating machinery pending further investigation (which may include testing).

Email and internet monitoring

  • The key to fair monitoring is ensuring that employees are provided with clear information about how the monitoring will be carried out. A clear policy on the acceptable use of electronic communications within your organisation is a must. A good illustration of the importance of having an acceptable use policy in place is the 2007 European Court of Human Rights case of Copland v United Kingdom, in which Lynette Copland, an employee of Carmarthenshire College, successfully sued the UK Government for a breach of her human rights. She was able to do this as her employer is a publicly funded body, and the Government accepted that it was responsible for the College's actions for the purposes of the European Convention on Human Rights. Her employer had monitored her email traffic, internet activity and telephone usage and was unable to justify such behaviour. The Court said that Ms Copland "had been given no warning that her calls would be liable to monitoring, therefore she had a reasonable expectation as to the privacy of calls made from her work telephone. The same expectation should apply in relation to the applicant's email and internet usage". Ms Copland was awarded 3000 euros in damages and 6000 euros towards her costs.
  • It is equally important to ensure that the policy is enforced in practice. If reasonable personal use is permitted in practice, a policy which claims to ban all personal use may well be worthless in subsequent Employment Tribunal proceedings where you try to defend a claim of unfair dismissal against an employee who was dismissed for excessive personal use of the email.
  • If a blind eye has been turned to the abuse of the computer systems in the past, and you now want to take a firmer line, make sure you warn employees first by putting a "marker in the sand".
  • Carry out an impact assessment to determine whether monitoring is justified – weighing up the detrimental impact of an employee's suspected activity on the business against the adverse effect on his or her privacy.
  • It is considered less intrusive to use automated processes for detecting misuse of the system, rather than allowing IT to undertake manual checks. For instance, you could use content inspection software to monitor traffic of email and to filter content. Spot checks or audits are less intrusive than continuous monitoring.
  • Inform employees in your policy that their email inboxes may be checked in their absence in order to ensure your organisation can respond promptly to the needs of clients and customers.
  • Where emails are clearly marked "personal", they should only be opened in exceptional circumstances (for example, where the employee is suspected of using email to harass other employees or is suspected of downloading or disseminating pornography).


  • Carry out an impact assessment to see whether the use of CCTV can be justified, and on what grounds.
  • There should be a clear notice of the existence of the CCTV cameras, their purpose (eg for health and safety reasons; to protect against and detect crime etc), and you should also supply contact details of the data controller.
  • The Information Commissioner's Office has provided a lengthy Code of Practice on the use of CCTV systems.

Covert surveillance – using secret cameras and engaging private investigators

  • Such methods are highly intrusive and may only be justified when investigating criminal activities or "equivalent malpractice".
  • Make sure that senior management authorisation is obtained before covert monitoring takes place. This should be obtained after an impact assessment is carried out, fully documenting the reasons for undertaking such monitoring and stating why less intrusive methods to obtain evidence would not be suitable.
  • When undertaking the impact assessment, think about the positioning of the secret camera(s), which should not be placed in areas where employees have a high expectation of privacy (eg a cloakroom). If it is necessary to position cameras in such places, the police should be called.
  • Any incidental information obtained as part of the monitoring should be discarded, unless that information is so serious that it would be reasonable not to ignore it. For example, you should ignore evidence of an employee coming in late, but you may use evidence of an employee harassing another employee, even if your original purpose for setting up the camera was to detect some quite unrelated criminal activity.
  • If you decide to engage a private investigator, he or she will be acting as your organisation's data processor. Make sure you have a written contract in place, in which he or she agrees to act only upon your instructions and agrees to abide by the data security principle.


Subject access requests

  • Although not all subject access requests relate to disputes, they are often the starting point for individuals (or their legal advisers) to obtain information which will assist them in future potential litigation. Subject to certain exemptions, employees have the right to access information held about them by their employer or former employer.
  • Provided the information is held on computer or in a relevant filing system, the right of access applies to sickness records, appraisal or performance review notes, disciplinary notes and many documents held on their employer's email system.
  • Up to Ł10 can be charged for complying with each subject access request. Many employers choose to waive this fee, or exercise a discretion, which they apply only in cases where the extent of the search is time consuming and/or costly.
  • Your organisation must respond to a request promptly and in any event within 40 days.
  • The cost of undertaking a search of your systems cannot be taken into account when determining whether to comply with the request, but you may seek further information or try to limit the scope of the request. The motive behind the request is also not relevant for your purposes. However, in the High Court case of Ezsias v The Welsh Ministers in November 2007, the Act was interpreted purposively so that it now appears that the search for data, as well as the provision of copies of the data, only needs to be "reasonable and proportionate". This is welcome news for organizations that often spend huge sums of money and a great deal of time conducting far-reaching searches. Provided they can show that they have conducted a reasonable and proportionate search, they should be compliant with the Act. It is therefore useful if organizations faced with wide-ranging requests (where the data subject is unwilling to narrow the scope of the request) to quantify the time and costs involved in searching excluded locations (including IT related expenses, employee costs, and other service providers).
  • When complying with a request, you should provide information in a permanent form unless to do so would require "disproportionate effort", in which case you may invite the employee (under supervision) to view their information on computer and print off copies of what they need.
  • You may wish to provide a standard "subject access request form" which tries to direct employees to the usual sources of information so that they are less likely to make an open-ended request for "everything you have on me".
  • If your organisation is a large one and you do not know the employee personally, make sure you check the identity of the person making the request. Sometimes unscrupulous individuals or organisations will use this method to fraudulently obtain employee details. If you unwittingly disclose information to such third parties, you are likely to be in breach of the data security principle.
  • Responding to data subject access requests is often hampered by the amount of third party information that is often attached to the personal information about the individual who has requested it. Further advice should be sought if you are unsure whether to reveal such third party information.

Disciplinary proceedings - using evidence obtained from monitoring activities

  • Where an allegation against an employee is unsubstantiated as a result of monitoring, you should usually remove records of the allegation and the monitoring results from your organisation's records.
  • You may retain such records only in exceptional circumstances (eg if the allegation relates to bullying), but you must clearly record what is an unsubstantiated allegation and what is fact.
  • Make sure that the evidence is not obtained by deception or by misleading those from whom they are obtained.
  • Take particular care over the security of such evidence and limit access to such information to those employees who have a genuine need to know and who have an involvement in the disciplinary proceedings.
  • Establish clear procedures on how "spent" disciplinary warnings are handled. While reliance on spent disciplinary warnings should be seen as the exception rather than the rule, the Court of Appeal in the case of Airbus v Webb has held that taking into account a spent disciplinary warning will not necessarily make the dismissal unfair, because a range of factors need to be considered to assess whether an employer has acted within the "band of reasonable responses". It therefore may be appropriate to retain a note on file of the brief circumstances giving rise to a disciplinary warning and the sanction that was applied, so that if circumstances later arise that may make it relevant, it can be taken into account. For example, as in the case of Airbus v Webb, if an employee had committed the same act of misconduct for which an earlier disciplinary warning had just expired, and committed that act along with a number of colleagues, it may be relevant to consider the disciplinary records of all those employees before deciding whether dismissal is an appropriate sanction. Whereas his colleagues may have clean disciplinary records, and therefore may escape dismissal, such leniency may not be appropriate for the employee with a tarnished disciplinary record, even though the actual disciplinary warning had by that time expired.

Surveillance evidence and tribunal proceedings

  • The admissibility of evidence gathered through surveillance is likely to depend on the employer being able to justify its methods.
  • Generally, Employment Tribunals have taken the view that all relevant evidence should be admitted, regardless of the lawfulness of the method of its capture, although such considerations are likely to have costs or other legal implications for the offending party (see such cases as Jones v University of Warwick and Avocet Hardware Plc v Morrison). The main grounds for such reasoning are based on the conflicting human rights under Article 6 (right to a fair trial) and Article 8 (right to respect for private life), and Courts and Tribunals (perhaps not surprisingly) have generally preferred to allow Article 6 rights to trump Article 8 rights, while still being keen to warn that admissibility of evidence will not always necessarily be guaranteed.
  • Putting the boot on the other foot, and following recent case law (such as the case of Chairman and Governors of Amwell View School v Dogherty), employees who covertly tape record their own disciplinary interviews may well have evidence from such recordings declared admissible in subsequent Employment Tribunal cases. It is always worth asking the employee if they have secret recording equipment with them before proceedings start, or even allowing proceedings to be taped so that an agreed recording can be made. In the Dogherty case, Mrs Dogherty allowed her tape player to keep running when she was out of the room and the governors were privately discussing the case. It was held that while the recording of the disciplinary interview was admissible, the recording of the private musings of the governors was not. However, the Tribunal expressly stated that the conflicting public interests might have been differently determined if the claim had been one of unlawful discrimination and the private musings had involved an indication of unlawful discrimination.

Third party disclosure

  • You are allowed to disclose personal data to third parties where such disclosure is necessary for legal proceedings or prospective legal proceedings, or for obtaining legal advice or is otherwise necessary for the purpose of establishing, exercising or defending legal rights.
  • It is therefore permitted for lawyers to receive relevant sensitive personal data from their employer clients without either party being in breach of the Act.
  • It is common practice in cases involving information about third parties (such as other employees in a redundancy selection programme) for those third parties' details to be blanked out before being disclosed to the Claimant or his/her adviser, and for references to them to be to "Employee 1, 2, 3 etc" in related documentation. Tribunal Chairmen will usually want to see the named versions of such documents, so it is wise to take unredacted versions with you to Tribunal.

Overseas data transfers and business disposals

  • The Act prohibits the transfer of personal information outside the EEA (which consists of the 27 EU member states plus Norway, Iceland and Liechtenstein), unless those countries "ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data".
  • There are only a handful of countries whose data protection regime has been deemed to be "adequate" and they are: Switzerland, Canada, Hungary, Argentina, the Isle of Man and Guernsey. One of the top offshore destinations for UK companies, India, has yet to achieve a designation of adequacy by the European Commission.
  • There are a number of exemptions to the general ban on exporting personal information outside the EEA, such as where certain types of contract are in place. To benefit from this exemption, any transfer outside the EEA must be necessary for the purpose of performing the contract. The threshold of "necessity" is a high one; the Information Commissioner's view is that the transfer of employee data from an EEA subsidiary to its non-EEA parent company in order to centralise a multinational group's HR and payment functions is not necessary for the performance of the employees' employment contracts. While it may be desirable for the company to carry out its payroll and HR functions in this way, it is not objectively necessary for it to do so. The company would therefore have to consider some other means by which it can lawfully continue (for example, the company could justify the transfer of data on the grounds that the destination of the transfer and the circumstances of the transfer ensure an adequate level of protection). There are complex guidelines which should be followed, and further advice should be sought in such circumstances.
  • Another derogation that may apply is if your organisation can show that the employee has given specific, freely given and informed consent to the transfer of his or her data overseas. While this appears like an easy and attractive option, it can be difficult to achieve, particularly for large organisations. It is also important to remember that freely given consent can also be freely withdrawn.
  • If you incorporate model contract terms (approved by the European Commission and authorised by the Information Commissioner) into your contract with the overseas company to which your employee data will be exported, this will be another legitimate way to transfer employee data. Depending on whether the overseas company will be acting as your organisation's data processor or acting as a data controller in its own right, different model contract terms will apply.
  • More recently, some multinational companies have embraced the "binding corporate rules" (BCR) regime for ensuring overseas data transfer compliance where the data are transferred intra-group. These are not a particularly easy, quick or cheap solution, but they do provide a greater degree of certainty for organisations as BCR must be submitted for approval by the Information Commissioner. They must include, among other things, evidence of measures that are binding, both externally and internally, details of a data protection audit plan and a description of the data protection safeguards that are in place.

Transferring employee data to the United States

  • A unique regime exists in the United States, known as the "safe harbor" framework, which enables some data transfers to the US to be permitted by EU data protection legislation.
  • If you plan to transfer employee data from your UK subsidiary to your US parent, and use of the EU model contracts is not a preferred option, the US parent must first of all consider all the requirements it must satisfy before self-certifying to the US Department of Commerce. Among the information which must be provided to the US authorities is a description of the activities undertaken by the organisation in respect of the personal data received from the EU, and a description of the organisation's privacy policy regarding such personal information. The organisation must declare that it will comply with all 7 safe harbor principles, which are broadly similar to the Act's 8 data protection principles.

Business disposals

  • It is always useful if you have already informed employees that one of the purposes for which their personal information may be used will be in the event of a potential disposal of some or all of the organisation for which they work. You should also tell them that their details may be passed on to the potential buyer or their advisers for this purpose.
  • Without the above forewarning, it is possible that any disclosure of employee personal information to a potential buyer will be in breach of the first data protection principle, relating to the fair and lawful processing of their data. However, where there is a legal requirement to make a disclosure, this will take precedence.
  • In business transfers (as opposed to share sales) governed by the Transfer of Undertakings (Protection of Employment) Regulations 2006 ("TUPE Regulations"), there is a legal obligation to make disclosure of certain "employee liability information". Note, however, that any disclosure that goes beyond the requirements set out in regulation 11 of the TUPE Regulations, will not be governed by the "legal requirement" exemption referred to above, so any information that goes beyond those requirements should either be made with the knowledge of the employees or should be anonymised.
  • In the case of share sales, vendors and their advisers should, as far as possible, anonymise the employee details before disclosing them to potential purchasers and their advisers as part of the due diligence process unless the employees have been forewarned that their details may be disclosed in such circumstances and it is reasonable to do so.
  • Exercise caution in the type of information that is disclosed, because it is unlikely that sensitive personal information can be lawfully disclosed without the prior explicit consent of the employee concerned. If, for example, the purchaser's advisers have sought information about employees on long term sick leave, it may be possible to satisfy the request with statistical information that does not identify the employees concerned.
  • Consideration should also be given to what will happen with the information if the transaction does not go ahead. Formal assurances should be sought from the potential buyers and/or their advisers that information should be returned or destroyed by the shredding of paper or the expunging of electronic files.

For further information, visit: (Information Commissioner's Office) (Criminal Records Bureau) (Disclosure Scotland)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.