Employers need your personal information (data) to employ you. For example, they'll need your name, bank details and National Insurance number so that they can pay you correctly. You may also need to inform them about a health condition that affects your work, which may legally require them to make reasonable adjustments to help you.
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 govern your employer's obligations in relation to this data, in particular how they collect, use, process and store it, and the rights you have about its use. These rights are enforced in the UK by the Information Commissioner's Office (ICO).
Here we summarise some of the key parts of data protection law that relate to your employment. Note that references to processing mean the different ways your data may be used – i.e. collecting, filtering, sorting, reading/analysing, presenting (in a readable format) and storing.
The General Data Protection Regulation (GDPR) became law in the EU and UK on 25 May 2018. The Data Protection Act 2018, introduced at the same time as the GDPR, covered areas not dealt with by the GDPR.
From 1 January 2021 (when the UK no longer had to comply with EU law), the UK created the UK GDPR – this is broadly the same as the previous GDPR, with some amendments. This means data about you being processed in the UK must now comply with the UK GDPR and the Data Protection Act 2018.
The version of the GDPR that continues to apply within the EU is now known in the UK as the 'EU GDPR'.
If your employer complied with the EU GDPR before 1 January 2021, they're likely to be compliant with the UK GDPR and the Data Protection Act 2018.
For your employer to lawfully process your data in the UK, that data must be:
1. obtained for a clear purpose;
2. adequate and relevant for that purpose, i.e. there must be a rational link to the purpose and the amount of data obtained must be no more than necessary to achieve it; and
3. used for one of the following reasons:
An employer's reason will most often relate to performance of a contract, legal obligations or legitimate interests.
In addition, your employer must tell you about the processing and must keep the data secure.
This is the most flexible of the reasons. It will be appropriate if the processing is important and clearly in everyone's interest, and no other reason applies. However, to use this your employer must balance their interest in processing the data against your rights and interests.
It's also lawful to process data if you agree (consent) to it. However, your employer should avoid relying solely on your consent. This is because in an employer-employee relationship there is a natural imbalance of power, meaning that your consent will not necessarily be truly free, except in a few situations. Note that you have a right to change your mind at any time and withdraw your consent, requiring your employer to immediately stop processing your data.
Certain types of data are, by law, protected more strictly. This applies to data relating to criminal convictions or offences, and several 'special categories' of data.
The special categories are data that reveals:
If your employer processes data in any of these special categories, additional rules will apply. For example, if they rely on your consent as justification, you must have given explicit consent – for other types of data, consent can sometimes be inferred.
Your employer must have an appropriate policy in place, such as a data protection policy, to process data relating to criminal convictions or special categories. It also must be necessary for your employer to use it due to existing legal obligations or rights associated with your employment, social security status or your protection.
For more information see the ICO's Guide.
Your employer should give you documents that explain your data protection rights and what both they – and you – should do to comply with data protection laws.
The UK GDPR says that if your employer processes data, they must do so transparently. It also says that when they collect personal data from you, they should provide certain information to you about the processing. This is often referred to as a privacy notice – however, it can be known as a privacy policy or privacy statement.
The obligation to provide a privacy notice applies regardless of the reason for processing your data. For example, before requesting a reference about you, your employer must tell you that they intend to request it and use and store the information.
You should really receive different privacy notices at the application stage and at the employment stage, as your employers collect different information for different purposes. However, it's possible that your employer might have one document that combines the two scenarios.
The privacy notice should:
1. Use clear, concise and accessible language
2. Identify who controls your data, i.e. your employer
3. Give contact details if they have a data protection officer
4. Explain the purpose for holding and using your data, and the legal reason relied on
5. Identify any other entity that your data might be sent to
6. Identify any other organisation from which they might indirectly receive data about you
7. Let you know if they intend to transfer your information to other organisations in third countries (i.e. those outside of the UK), including documenting the safeguards being used
8. Say for how long they intend to store your information, or how they'll decide it, e.g. until the end of your employment
9. Inform you if they use automated decision-making and explain the logic/how it's done
10. Outline what steps they take to keep your data secure, e.g. if they remove the parts of the data that can identify you, they should say that
11. Explain your right:
Your employer should also have an internal policy explaining how staff should approach other people's personal information. This can be referred to as a 'privacy or data protection policy', but your employer may use different terminology.
This is important as some reasons for using data require an employer to have an appropriate policy in place, such as to process data about criminal convictions or 'special categories' of data.
What should be included in a data protection policy
It should cover similar matters to the privacy notice, but from a different perspective. It should provide practical advice to staff on what to do and how to process data to comply with data protection laws. For example, what to do if you receive a data subject access request from a customer. There should be a way for you to escalate the matter so that it can be dealt with efficiently by the organisation at the appropriate level of seniority.
As well as your right to know how your employer will use your personal data (using a privacy notice), you also have the right to:
You have a right of access to your personal information. That means that you can request to see all the personal information your employer holds that relates to you. This right can be made verbally or in writing.
Unless your request is manifestly 'unfounded, excessive or repetitive', your employer must provide this information free of charge. They have a month from receipt of the request to provide the information to you, though this can be extended by a further 2 months if your request is complex or if you have made several requests.
For more information, see the ICO guidance.
You can question the accuracy of your personal data held by your employer and ask for it to be corrected, deleted or, if your data is incomplete, completed by adding more information.
To do this you should inform your employer that you are challenging the accuracy of your data and want it corrected. You should:
This right can be made verbally or in writing, but it's recommended you follow up any verbal request in writing.
Unless your request is manifestly 'unfounded or excessive', your employer must comply with your request free of charge. They have a month from receipt of the request to comply. If your employer needs more time to consider your request it could take a further 2 months. If they do this, you should be told within one month that more time is needed and why.
For more information, see the ICO guidance.
In certain circumstances, you can ask your employer to delete the personal data they hold on you.
You can do this if your employer (or previous employer):
This right can be made verbally or in writing, but it's recommended you follow up any verbal request in writing.
The law allows your employer to refuse your request in certain circumstances. If your request is manifestly 'unfounded or excessive', your employer can refuse to deal with it or require a reasonable fee to do so.
They have a month from receipt of the request to respond to it. If your employer needs more time to consider your request, it could take a further 2 months. If they do this, you should be told within one month that more time is needed and why.
For more information, see the ICO guidance.
In certain circumstances, you can ask your employer to stop using your personal data.
There are several circumstances when an objection can be raised. In the employment context, the main ones will be if your employer is using your data for a task carried out in the public interest or for their legitimate interests.
This right can be made verbally or in writing, explaining why you believe they should stop using your data in the way they do. It's recommended you follow up any verbal request in writing.
The law allows your employer to refuse your request in certain circumstances. This will include if it is manifestly 'unfounded or excessive' (though your employer could require a reasonable fee to deal with your request, instead of refusing).
They have a month from receipt of the request to respond to it. If your employer needs more time to consider your request it could take a further 2 months. If they do this, you should be told within one month that more time is needed and why.
For more information, see the ICO guidance.
This right can be used when challenging the accuracy of your data and/or objecting to its use (see above). It allows you to limit the way your data is used by your employer or, if necessary, stop it from being deleted.
This right can be made verbally or in writing, saying what data you want restricted and/or why you believe it should be stopped from being deleted. It's recommended you follow up any verbal request in writing.
Unless your request is manifestly 'unfounded or excessive', your employer must comply with your request free of charge. They have a month from receipt of the request to comply. If your employer needs more time to consider your request, it could take a further 2 months. If they do this, you should be told within one month that more time is needed and why.
For more information, see the ICO guidance.
See the ICO website for information on your other data protection rights.
Under the EU GDPR, a transfer of personal data to a 'third country' (a country outside the EU) is allowed if the European Commission has decided that the third country ensures an adequate level of protection (this is known as an adequacy decision).
Similarly, transfers out of the UK under the UK GDPR are allowed if the UK has made an adequacy decision.
There are currently no restrictions for data going to the EEA (the 'European Economic Area' – which is the countries of the EU, plus Iceland, Norway and Liechtenstein). This is because the UK GDPR provides that EEA countries are deemed by the UK to have an adequate level of data protection. The government is keeping this under review.
In 2016, the European Commission and US government established the 'Privacy Shield' framework (known as the EU-US Privacy Shield) as a method of providing adequate protection for data transfers to organisations in the US, which had signed up to agreed principles.
This was invalidated by a decision of the Court of Justice of the European Union, essentially because US public authorities had too much power to access and use personal data.
However, on 10 July 2023, the European Commission made an adequacy decision in relation to the EU-US Data Privacy Framework.
And on 12 October 2023, a UK adequacy decision came into effect in relation to a UK-US Extension to the EU-US Data Privacy Framework (UK-US data bridge). This means that data may be transferred to the USA without further safeguards, but only to eligible organisations in the USA that have certified their commitment to comply with the UK-US data bridge and that appear on the Data Privacy Framework list.
All adequacy decisions made by the EU have been adopted by the UK, so that personal data may be freely transferred to these countries without additional safeguards being required. You can check to see if the country is listed on this Adequacy decision page.
To send personal data to countries where there is no adequacy decision (which includes transfers to US organisations that have not certified their commitment to comply with the UK-US data bridge), additional safeguards must be put in place.
Your employer is only allowed to transfer your personal data if there are:
Appropriate safeguards may include:
If your employer uses either of the above to lawfully transfer personal data to any country where there is no adequacy decision, they must make an 'equivalence assessment' – i.e. they must assess, on a case-by-case basis, whether the country provides a level of protection that's essentially equivalent to that guaranteed within the UK.
This equivalence assessment must consider:
The data recipient must inform your employer if they can't comply with the standard contractual clauses/binding corporate rules or any supplementary measures. If so, your employer must stop transferring data to them and/or end the contract with them.