All employers should read and follow the ICO guide on the DPA and the GDPR as it applies in the UK. It covers matters such as what personal data is, lawfulness of processing, fairness and transparency, as well as the right to be informed, rights of access, data rectification and erasure. The right to restrict processing and data portability is also covered.

While the guide is aimed at data protection officers and others with responsibility for data protection and primarily aimed at small and medium-sized organisations, it may help larger organisations too.

There are some key themes that employers should be aware of.

Consent

Organisations must demonstrate that employees were:

informed of the purpose and use of their personal data, and

given a clear explanation of how it will be treated.

Employees must consent freely to a specific use, purpose, or processing of data. Employees’ silence or lack of complaint about the processing, and consent incorporated as a standard employment contract term or in data protection policies, do not meet the standard required.

Employers must record the grounds on which they will be processing each separate category of employee data.

Lawful processing

Organisations may process personal information lawfully for six reasons, including complying with an employment contract or legal obligation, and protecting the legitimate interests of the employer or a third party.

Job references

Unless a relevant exemption applies, data subjects can request and be given a copy of their reference. The obligation depends on whether the request is made of the organisation providing the reference (usually the previous employer) or the organisation that obtained the reference (the prospective employer).

CIPD members should see the more detailed information in our References law Q&As.

Email and internet

Organisations need a comprehensive internet, social media and communications policy governing permitted data use including email and internet issues.

Providing staff with smart phones, laptops, tablets or USB devices has data protection implications, as can working from home including use of employees’ own devices. ICO guidance suggests employers underestimate the risks associated with use of personal devices for work. Information may be at risk if there are inadequate security measures. An effective policy must cover permissible work use of all devices.

Monitoring should not be intrusive, for example using traffic data (about the routing, duration or timing of messages) rather than accessing email content. Both the DPA and Telecommunications Regulations (see below) must be complied with.

Accountability

Employers must demonstrate data protection compliance by training, auditing and documenting processing activities, and reviewing HR policies. They should also:

Appoint a data protection officer (DPO) where appropriate – see below.

Only collect personal data that is adequate, relevant and necessary.

Remove names from data (anonymisation), or replace them with encrypted or coded identifiers (pseudonymisation, which conceals identities but allows them to be recovered by whoever holds the key or mapping).

Be open with employees about data processing and allow them to monitor it.

Identify and limit any detrimental effects on individual privacy.
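As an added illustration of the anonymisation and pseudonymisation point above (example code written for this page, not from the CIPD guide or the ICO), assuming constructed HR records and a hypothetical pseudonymisation key that HR holds separately from the working dataset:

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed sample HR records for illustration only; no real people.
EMPLOYEES: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.test", "dept": "Payroll", "grade": "5"},
    {"name": "Bob Example", "email": "bob@example.test", "dept": "Sales", "grade": "3"},
]
DIRECT_IDENTIFIERS = ("name", "email")

# Hypothetical pseudonymisation key: in practice generated randomly and stored
# apart from the pseudonymised dataset (for example in a secrets manager).
PSEUDONYM_KEY = b"example-key-held-by-hr-only"


def anonymise(record: Dict[str, str]) -> Dict[str, str]:
    """Anonymisation: drop the direct identifiers; nothing links back."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def make_token(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 over the identifier: stable for one key, so records
    can still be joined, but the token cannot be rebuilt without the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Pseudonymisation: replace identifiers with a token and return the
    token-to-identity lookup separately, to be kept under tighter access."""
    working, lookup = [], {}
    for rec in records:
        token = make_token(rec["email"], key)
        row = anonymise(rec)
        row["employee_token"] = token
        working.append(row)
        lookup[token] = rec["email"]
    return working, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> str:
    """Recover the identity; only the holder of the lookup table can do this."""
    return lookup[token]


if __name__ == "__main__":
    shared, vault = pseudonymise(EMPLOYEES, PSEUDONYM_KEY)
    print(shared)  # the working dataset without names or emails
    print(reidentify(shared[0]["employee_token"], vault))
```

The anonymised rows carry no way back to the person; the pseudonymised rows can be re-linked, but only by combining them with the separately held key or lookup table, which is why access to those must be restricted.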

Data protection officers (DPOs)

Any organisation can appoint a DPO, but organisations must appoint one if they:

Are a public authority.

Carry out large scale systematic monitoring of individuals.

Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

DPOs report to the highest management level (usually the board). They must be given adequate resources, have a degree of independence, and protection from dismissal or detrimental treatment in connection with performing their duties.

Subject access requests (SARs)

SARs are written requests from individuals for information covered by the DPA. Organisations must respond for free and without ‘undue delay’, which means within a month. The number of SARs that can be made is unrestricted although some unspecific SARs or those made for non-data protection purposes can be refused.

SARs may be used to obtain preliminary information before an employment tribunal claim, although normal tribunal disclosure requirements entitle employees to more information than SARs. Organisations must comply if SARs arise during disciplinary processes.

Employers should:

Identify who is responsible for responding to SARs and provide sufficient training.

Make managers and HR aware of the DPA rules governing requests.

Deal with SARs efficiently.

When organisations receive SARs, they should:

Check the scope of the request.

Identify onerous requests or those made for non-data protection purposes.

Set clear deadlines for responding.

Follow a response procedure.

The ICO has a useful checklist. Breaching the SAR rules attracts fines.

Sharing and transferring personal data

Third parties, such as payroll providers, external HR and recruitment agencies, process employee data. The employer must ensure the third party is data protection compliant and:

Clarify the information needed and why, and what the receiving organisation will do with it.

Only share essential data.

Anonymise or pseudonymise the data.

Check contract terms with third parties are GDPR compliant.

Check the relevant requirements for overseas transfers of data.

It may be possible to avoid sending personal data, or there may be a legitimate processing reason which avoids the need for employee consent.

Data security

Data security must be appropriate to the processing risks. The organisation’s size, the nature of information processed, and the potential harm from security breaches are all relevant.

In addition to clear policies covering security incidents, organisations should:

Carry out risk assessments of data systems and act on the results.

Maintain up-to-date security systems (for example, using firewalls and encryption technology).

Restrict access to personal data to those who need it.

Train staff on data security.

Review data security regularly.

Record keeping and correction

Organisations with over 250 employees must keep clear, accessible records of all their data processing activities. Smaller organisations only need to record any data processing they do regularly, or any processing of personal data which is sensitive, or could be harmful to, or intrude on the personal life of, the individual. The ICO can inspect records at any time. Data should only be kept for as long as needed to fulfil the purpose.

Organisations should:

Think about the purpose of data retention.

Consider any legal requirement to keep the data for a period of time (tax records, for example).

Decide whether the data is needed to defend a potential claim (such as information about a job applicant who now alleges discrimination).

Be able to justify retaining the data.

Respond to correction requests within the timeframe.

Find out more on UK statutory and recommended time periods for keeping HR records.