Law guide: Employment

See how we helped Michael

"Fantastic! The legal document I used was so comprehensive and easy to complete. It is very reassuring to know my business now has this level of protection"

Michael S, London

Data protection

Data protection


If you employ someone, you'll receive personal information from them. For example, you'll ask for their name and their age. You'll also need their bank details so that you can pay them and their National Insurance Number, so that you can pay their tax appropriately; they may tell you about a health condition that affects their work (which may necessitate reasonable adjustments), and you may have a disciplinary file relating to them.

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 govern your obligations in relation to this data, in particular: how you process and store it, and what you tell the individuals concerned about your processing of the data. These information rights are enforced in the UK by the Information Commissioner's Office (ICO).

Here we summarise some of the key parts of data protection law that relate to employment.

The GDPR uses these terms, which we'll also use for convenience:

  • Data subject: the individual the data relates to
  • Data controller: the person or business controlling the data – in this case, we're talking about you or your business
  • Data processor: another person or entity processing information on your behalf, e.g. a bank

Below we summarise some of the main aspects of the GDPR. For more information you may wish to look at the ICO's Guide to the GDPR.

Lawful processing

For processing of data to be lawful, you must have one of the justifications listed in the GDPR. That means the processing must be necessary for one of these reasons:

1. Performance of a contract with the data subject – i.e. employee or applicant

2. Your legal obligations

3. Protection of the data subject's vital interests

4. Performance of a task carried out in the public interest

5. Your or a third party's legitimate interests – but this must be balanced against the interests and rights of the data subject

It's also lawful to process data if the data subject agrees to that processing. However, relying on consent as the basis for processing data should be avoided in the employment context. This is because in an employer-employee relationship there is a natural imbalance of power, meaning that consent is not thought to be truly free except in a few situations.

You should therefore consider other justifications before consent. This is true even outside of an employment situation as the big problem with consent is that if they change their mind and withdraw their consent, you must stop processing the data in that way.

The GDPR protects certain classes of data more strictly. That is, data relating to criminal convictions or offences and several 'special categories' of personal data: data that reveals racial or ethnic origins, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of uniquely identifying individuals, data relating to health or data relating to someone's sex life or sexual orientation.

If data falls into one of these special categories there are additional hurdles. For example, if you rely on consent as your justification the data subject has to have given explicit consent – for other types of data, consent can sometimes be inferred from clear affirmative action.

In the employment context, if you have an appropriate policy document in place, such as a data protection policy, you're allowed to process this special category data if it's necessary for obligations or rights created by law in connection with employment, social security or social protection.

Some examples

In the employment context, your justification will most often relate to performance of a contract, legal obligations or legitimate interests.

Note that even if you have a valid justification for processing the data, there are further obligations that you must follow. Most importantly, you must tell the data subject about your processing and you must keep the data secure.

Performance of their contract

This will often be the most relevant justification. For example, without their bank details you won't be able to pay your staff.

Note that this is unlikely to be relevant during the recruitment process until you decide on the successful candidate, as you won't have a contract with the applicant.

Legal obligations

Here are a few examples of information you're legally obligated to process:

1. You're obligated to pay your staff's correct tax and National Insurance Contributions, and you'll need their National Insurance Numbers for that.

2. Unless they've opted out, most employees should automatically be enrolled into a pension scheme, and you'll need certain information in order to do that.

3. You're legally obligated to ensure that employees are entitled to work in the UK.

4. You may be faced with legal action and have disclosure obligations.

5. For a small number of jobs, it's a legal requirement to undertake a criminal record check. For those jobs, you'll be justified in doing a criminal record check. For jobs where there's no requirement, this is more complicated.

Legitimate interests

This is the most flexible of the justifications. It will often be appropriate if the processing is important and clearly in everyone's interest, but no other justification applies. However, to use this justification you must balance your interest in processing the data against the rights of the data subject.

During recruitment, at least until the candidate has been chosen, there will be no contract with that applicant and there'll rarely be a legal obligation to process information about them. Accordingly, legitimate interest will normally be your justification – the legitimate interest being finding the most suitable person for the job. You'll have to balance this interest against the candidate's rights and interests, but given that they also want the job, as long as you only ask for information which is relevant to the role you should be justified.

A few examples:

1. Information given in the application form: it might appear at first that you're relying on consent – they've applied and given the information voluntarily. However, the issue is about how you store and process the information (e.g. by reading it) – consider processing it insofar as that's necessary in your interests to recruit the right person, rather than asking whether they consent.

If you ask that they consent to you processing it in certain ways, they'll probably say yes because they need the job. As with consent in the employment context more generally, it might not be freely given.

2. Information for 'extra-curricular' roles in the business that an employee applies for, e.g. to be an employee representative for collective redundancy or for the transfer of an undertaking of service (TUPE). If an employee stands for election to be a representative in that situation, you'll have a legitimate interest sharing and processing certain information about them.

In this situation, you could also probably also rely on consent – they're free not to apply for that position. However, legitimate interest may be preferable in case they change their mind and withdraw consent.

Privacy notices

The GDPR says that if you process data, you must do so transparently. It also says that when you collect personal data from individuals you should provide certain information to them about the processing. This is often referred to as a privacy notice – however, some people use other terms such as privacy policy or privacy statement.

The obligation to provide a privacy notice applies whichever justification for processing the data you're relying on. For example, before requesting an employee reference you must tell the candidate that you intend to request it and that you intend to store and process the information.

You should provide different privacy notices at the application stage and at the employment stage, as you'll collect different information for different purposes.

The general rules are as follows:

1. Use clear, concise and accessible language.

2. Identify who controls the data – e.g. yourself if you're a sole trader, or the company you work through. If you have a data protection officer, give their contact details.

3. Explain your purpose for holding and using the data, and the legal justification for it – e.g. performance of a contract, legal obligation or legitimate reason.

4. Identify any other entity that the data might be sent to. Also, if you receive data indirectly from another organisation, state the source that will apply to references.

5. Say if you intend to transfer the information to an organisation based outside of the European Economic Area (EEA), in which case you must also say why you're entitled to transfer the information to that country. (The EEA is the EU plus Iceland, Liechtenstein and Norway.)

6. Say for how long the information will be stored, or how you'll decide. For example, 'until the end of the employment'.

7. Explain people's right:

  • To ask that you erase the information if it's no longer needed, or to ask that you correct information; if for any information you relied on consent, you must also tell them that you'll erase the information if they withdraw consent.
  • To see the data - i.e. to make a data subject access request
  • To complain to a supervisory authority.

8. Say if you use automated decision-making in relation to their data and explain its logic.

You should also outline in this notice the steps you take to keep the information secure. For example, if you remove the parts of the data that enable you to identify the data subject you should say that. (If you destroy that identifying information, so that it can't be reassembled, it will no longer count as personal data and the GDPR wouldn't apply. However, more often, it would be possible to reassemble the information, in which case, it would still be personal information, though it would be more secure that way than intact. This will please both the individuals concerned and the ICO.)

The ICO recommends using a 'layered approach' to privacy notices, otherwise they're unlikely to be concise, clear and comprehensive. For example, in an online application form when you ask for each item of information explain very briefly why you need it and how you intend to process it, and provide a link to a fuller privacy notice.

Privacy/data protection policy

In addition to telling data subjects about the data of theirs that you hold, you should have an internal policy explaining to staff how they should approach other people's personal information – i.e. that they should take the matter very seriously. This can be referred to this as a 'privacy policy', but you may use different terminology.

This is important for at least two reasons:

1. In the employment context, some justifications for using data rely on you having an appropriate policy in place, which a privacy policy will achieve.

2. You may be vicariously liable if a member of staff unlawfully discloses personal information that they've come into possession of through work.

This should cover similar matters to the privacy notice, but from a different perspective. In particular, it should provide practical advice to staff as to how they process actions relating to data protection – for example, what to do if they receive a data subject access request. (There should be a way for them to escalate the matter so that it can be dealt with efficiently by the organisation at the appropriate level of seniority.)

Data subject access request

You should be aware of the right of access of individuals to their personal information. That means that you may receive a request by an individual to see all the personal information that you possess that relates to them. This right is often invoked by former staff members if they consider bringing a claim in an employment tribunal.

Unless the request is manifestly unfounded, excessive or repetitive, you must provide this information free of charge. You have a month from receipt of the request to provide the information, though this can be extended by a further 2 months if requests are complex or numerous.

For more information, we'd suggest you see look at the Information Commissioner's Office's guidance.

Copyright © 2020 Epoq Group Ltd. All trademarks acknowledged, all rights reserved

This website is operated by Epoq Legal Ltd, company number 3707955, whose registered office is at 2 Imperial Place, Maxwell Road, Borehamwood, Hertfordshire, WD6 1JN. Epoq Legal Ltd is authorised and regulated by the Solicitors Regulation Authority (SRA number 645296).