Law guide: Workplace

See how we helped Liz

"It's not just a website... there are people there on call who can help answer your queries."

Liz W, London

Data protection

Data protection

Introduction

Employers need your personal information (data) to employ you. For example, they'll need your name, bank details and National Insurance number so that they can pay you correctly. You may also need to inform them about a health condition that affects your work, which may legally require them to make reasonable adjustments to help you.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 govern your employer's obligations in relation to this data. In particular, how they collect, use, process and store it, and the rights you have about its use. These rights are enforced in the UK by the Information Commissioner's Office (ICO).

Here we summarise some of the key parts of data protection law that relate to your employment. Note that references to processing mean the different ways your data may be used – i.e. collecting, filtering, sorting, reading/analysing, presenting (in a readable format) and storing.

Data protection laws after Brexit

The General Data Protection Regulation (GDPR) became law in the EU and UK on 25 May 2018. The Data Protection Act 2018, introduced at the same time as the GDPR, covered areas not dealt with by the GDPR.

From 1 January 2021 (when the UK no longer had to comply with EU law), the UK created the UK GDPR – this is broadly the same as the previous GDPR, with some amendments. This means data being processed in the UK about you, must now comply with the UK GDPR and the Data Protection Act 2018.

The version of the GDPR that continues to apply within the EU is now known in the UK as the 'EU GDPR'.

If your employer complied with the EU GDPR before 1 January 2021, they're likely to be compliant with the UK GDPR and the Data Protection Act 2018.

How employers must process your data

For your employer to lawfully process your data in the UK, that data must be:

1. obtained for a clear purpose;

2. adequate and relevant for that purpose, i.e. there must be a rational link to the purpose and the amount of data obtained must be no more than necessary to achieve it; and

3. used for one of the following reasons:

  • Performance of a contract (e.g. your employment contract)
  • Legal obligations (e.g. ensuring you have a right to work in the UK)
  • Protection of your vital interests
  • Performance of a task carried out in the public interest
  • You've consented to it being used
  • The employer's or a third party's 'legitimate interests' – but this must be balanced against your rights and interests.

An employer's reason will most often relate to performance of a contract, legal obligations or legitimate interests.

In addition, your employer must tell you about the processing and must keep the data secure.

Legitimate interests

This is the most flexible of the reasons. It will be appropriate if the processing is important and clearly in everyone's interest, and no other reason applies. However, to use this your employer must balance their interest in processing the data against your rights and interests.

Using consent

It's also lawful to process data if you agree (consent) to it. However, your employer should avoid relying solely on your consent. This is because in an employer-employee relationship there is a natural imbalance of power, meaning that your consent will not necessarily be truly free, except in a few situations. Note that you have a right to change your mind at any time and withdraw your consent, requiring your employer to immediately stop processing your data.

Information that requires more protection

Certain types of data are, by law, protected more strictly. This applies to data relating to criminal convictions or offences, and several 'special categories' of data.

The special categories are data that reveals:

  • racial or ethnic origins
  • political opinions
  • religious or philosophical beliefs or trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying individuals
  • data relating to health
  • data relating to your sex life or sexual orientation.

If your employer processes data in any of these special categories, additional rules will apply. For example, if they rely on your consent as justification, you must have given explicit consent – for other types of data, consent can sometimes be inferred.

Your employer must have an appropriate policy in place, such as a data protection policy, to process data relating to criminal convictions or special categories. It also must be necessary for your employer to use it due to existing legal obligations or rights associated with your employment, social security status or your protection.

More information

For more information see the ICO's Guide.

Documents your employer should provide

Your employer should give you documents that explain your data protection rights and what both they – and you – should do to comply with data protection laws.

Privacy notices

The UK GDPR says that if your employer processes data, they must do so transparently. It also says that when they collect personal data from you, they should provide certain information to you about the processing. This is often referred to as a privacy notice – however, it can be known as a privacy policy or privacy statement.

The obligation to provide a privacy notice applies regardless of the reason for processing your data. For example, before requesting a reference about you, your employer must tell you that they intend to request it and use and store the information.

You should really receive different privacy notices at the application stage and at the employment stage, as your employers collect different information for different purposes. However, it's possible that your employer might have one document that combines the two scenarios.

The privacy notice should:

1. Use clear, concise and accessible language.

2. Identify who controls your data, i.e. your employer

3. Give contacts details if they have a data protection officer

4. Explain the purpose for holding and using your data, and the legal reason relied on

5. Identify any other entity that your data might be sent to

6. Identify any other organisation from which they might indirectly receive data about you

7. Let you know if they intend to transfer your information to other organisations in third countries (i.e. those outside of the UK), including documenting the safeguards being used

8. Say for how long they intend to store your information, or how they'll decide it, e.g. until the end of your employment

9. Inform you if they use automated decision-making and explain the logic/how it's done

10. Outline what steps they take to keep your data secure, e.g. if they remove the parts of the data that can identify you, they should say that

11. Explain your right:

  • To ask the employer to erase the information if it's no longer needed, or to ask for it to be corrected
  • To withdraw consent (if you've given it) to them receiving your information (and that it'll be erased if you do so)
  • To request to see the data held about you (this is known as a 'subject access request')
  • To complain to the Information Commissioner's Office (ICO).

Data protection policy

Your employer should also have an internal policy explaining how staff should approach other people's personal information. This can be referred to as a 'privacy or data protection policy', but your employer may use different terminology.

This is important as some reasons for using data require an employer to have an appropriate policy in place, such as to process data about criminal convictions or 'special categories' of data.

What should be included in a data protection policy

It should cover similar matters to the privacy notice, but from a different perspective. It should provide practical advice to staff on what to do and how to process data to comply with data protection laws. For example, what to do if you receive a data subject access request from a customer. There should be a way for you to escalate the matter so that it can be dealt with efficiently by the organisation at the appropriate level of seniority.

Your data protection rights

As well as your right to know how your employer will use your personal data (using a privacy notice), you also have the right to:

  • Get copies of your personal data (via a data subject access request)
  • Have your data corrected
  • Have your data deleted
  • Object to the use of your data
  • Limit how your employer uses your data
  • Have your data transferred to another organisation
  • Prevent your data from being used in automated decision making
  • Complain to the Information Commissioner's Office

Data subject access request

You have a right of access to your personal information. That means that you can request to see all the personal information your employer holds, that relates to you. This right can be made verbally or in writing.

Unless your request is manifestly 'unfounded, excessive or repetitive', your employer must provide this information free of charge. They have a month from receipt of the request to provide the information to you, though this can be extended by a further 2 months if your request is complex or if you have made several requests.

For more information, see the ICO guidance.

Correcting your data

You can question the accuracy of your personal data held by your employer and ask for it to be corrected, deleted or, if your data is incomplete, completed by adding more information.

To do this you should inform your employer that you are challenging the accuracy of your data and want it corrected. You should:

  • state clearly what you believe is inaccurate or incomplete
  • explain how the organisation should correct it, and
  • provide evidence of the inaccuracies (if available).

This right can be made verbally or in writing, but it's recommended you follow up any verbal request in writing.

Unless your request is manifestly 'unfounded or excessive', your employer must comply with your request free of charge. They have a month from receipt of the request to comply. If your employer needs more time to consider your request it could take a further 2 months. If they do this, you should be told within one month that more time is needed and why.

For more information, see the ICO guidance.

Have your data deleted

In certain circumstances, you can ask your employer to delete the personal data they hold on you.

You can do this if your employer (or previous employer):

  • no longer needs your data for the original reason they collected or used it for
  • obtained your consent to use the data and you have now withdrawn it
  • received an objection from you about the use of your data, and your interests outweigh their need to use it
  • collected or used your data unlawfully
  • has a legal obligation to erase your data.

This right can be made verbally or in writing, but it's recommended you follow up any verbal request in writing.

The law allows your employer to refuse your request in certain circumstances. If your request is manifestly 'unfounded or excessive', your employer can refuse to deal with it or require a reasonable fee to do so.

They have a month from receipt of the request to respond to it. If your employer needs more time to consider your request, it could take a further 2 months. If they do this, you should be told within one month that more time is needed and why.

For more information, see the ICO guidance.

Object to the use of your data

In certain circumstances, you can ask your employer to stop using your personal data.

There are several circumstances when an objection can be raised. In the employment context, the main ones will be if your employer is using your data for a task carried out in the public interest or for their legitimate interests.

This right can be made verbally or in writing, explaining why you believe it should stop using your data in the way it does. It's recommended you follow up any verbal request in writing.

The law allows your employer to refuse your request in certain circumstances. This will include if it is manifestly 'unfounded or excessive' (though your employer could require a reasonable fee to deal with your request, instead of refusing).

They have a month from receipt of the request to respond to it. If your employer needs more time to consider your request it could take a further 2 months. If they do this, you should be told within one month that more time is needed and why.

For more information, see the ICO guidance.

Limit how your employer uses your data

This right can be used when challenging the accuracy of your data and/or objecting to its use (see above). It allows you to limit the way your data is used by your employer or, if necessary, stop it from being deleted.

This right can be made verbally or in writing, saying what data you want restricted and/or why you believe it should be stopped from being deleted. It's recommended you follow up any verbal request in writing.

Unless your request is manifestly 'unfounded or excessive', your employer must comply with your request free of charge. They have a month from receipt of the request to comply. If your employer needs more time to consider your request, it could take a further 2 months. If they do this, you should be told within one month that more time is needed and why.

For more information, see the ICO guidance.

Your other rights

See the ICO website for information on your other data protection rights.

Sending your data to other organisations outside the UK

Under the EU GDPR, a transfer of personal data to a 'third country' (a country outside the EU) is allowed if the European Commission has decided that the third country has been granted an 'adequacy decision'.

A similar system will be used for transfers out of the UK under the UK GDPR, if the UK has made an adequacy decision.

Sending your personal data to the EEA

There are currently no restrictions for data going to the EEA (the 'European Economic Area' – which is the countries of the EU, plus Iceland, Norway and Liechtenstein). This is because the UK GDPR provides that EEA countries are deemed by the UK to have an adequate level of data protection. The government is keeping this under review.

Sending data to the USA

In 2016, the European Commission and US government established the 'Privacy Shield' framework (known as the EU-US Privacy Shield) as a method of providing adequate protection for data transfers to organisations in the US, which had signed up to agreed principles.

This was invalidated by a decision of the Court of Justice of the European Union, essentially because US public authorities have too much power to access and use personal data.

As a result, if your employer transfers your personal data to the US it must put in place alternative mechanisms (see below).

Sending data to other countries

All adequacy decisions made by the EU have been adopted by the UK, so that personal data may be freely transferred to these countries without additional safeguards being required. You can check to see if the country is listed on this Adequacy decision page.

If there's no adequacy decision

To send personal data to countries where there is no adequacy decision (which includes the US), additional safeguards must be put in place.

Your employer is only allowed to transfer your personal data if there are:

  • appropriate safeguards in place; and
  • legal rights and remedies for you.

Appropriate safeguards may include:

  • 'standard contractual clauses' (template clauses adopted or approved by the European Commission under the EU GDPR or by the ICO under the UK GDPR); or
  • 'binding corporate rules' (agreements governing transfers made between organisations within a corporate group).

If your employer uses either of the above to lawfully transfer personal data to any country where there is no adequacy decision, they must make an 'equivalence assessment' - i.e. they must assess, on a case-by-case basis, whether the country provides a level of protection that's essentially equivalent to that guaranteed within the UK.

This equivalence assessment must consider:

  • the terms of the standard contractual clauses/binding corporate rules
  • any access that the public authorities (national or local) in the recipient's country might have to your personal data
  • whether the country's legal system gives enough rights for you to challenge them.

The data recipient must inform your employer if they can't comply with the standard contractual clauses/binding corporate rules or any supplementary extra measures. If so, your employer must stop transferring data to it and/or end the contract with them.

Copyright © 2021 Epoq Group Ltd. All trademarks acknowledged, all rights reserved

This website is operated by Epoq Legal Ltd, registered in England and Wales, company number 3707955, whose registered office is at 2 Imperial Place, Maxwell Road, Borehamwood, Hertfordshire, WD6 1JN. Epoq Legal Ltd is authorised and regulated by the Solicitors Regulation Authority (SRA number 645296).