10 facts an employer should know about holding personal data

Personal data is any information that can be used to identify an employee. This can include for example their name, address, ethnicity, financial details, or health records. For data protection purposes ‘Employee’ includes job applicants, former employees, contract and agency staff.

  1. Process limited data

Employers can process limited data, including, but not limited to: name, address, gender, education, and emergency contact details without an employee’s consent (and can instead rely on other lawful processing grounds such as legitimate business purposes). Although an employer is also allowed to ask an employee to disclose details of their age, sexuality, religion and more in the interests of equality monitoring, the employee is not under any obligation to disclose any of this information if they don’t want to.

  2. Sensitive data

Data pertaining to an employee’s health and wellbeing is extremely sensitive (known as ‘special category data’). Special category data requires more protection due to its sensitive nature. To comply with legal obligations, employers must identify a lawful basis (under Article 6 of the UK GDPR) to process special category data, as well as another separate condition under Article 9. Employers must decide which such conditions will apply before they begin processing data and should document this clearly.

  3. Six lawful reasons for processing

To process an employee’s data, employers must meet one of the six lawful reasons for processing:

  • Consent. The individual has provided clear consent for their personal data to be processed for a specific purpose
  • Contract. Processing is necessary for a contract you have with the individual, or the individual has asked you to take certain steps before entering into a contract
  • Legal obligation. Processing is necessary to comply with a legal obligation
  • Vital Interests. Processing is necessary to protect the vital interests of the data subject or another person
  • Public Task. Processing is necessary for exercising a task in the public interest or for official authority
  • Legitimate Interests. Processing is necessary for the purposes of the legitimate interests of the controller or a third party, unless these are overridden by the employee’s interests or rights

  4. Effective privacy notices

Employers should have effective privacy notices in place which clearly explain the personal data they are holding, why they are keeping these records and remind employees (and applicants) of their GDPR rights. Effective and accessible privacy notices will help employers to comply with their legal obligations as well as building trust with their employees.

  5. Data Protection Impact Assessment

When implementing a new data collection system or process an employer should carry out a Data Protection Impact Assessment (DPIA) to balance the risks and ensure that the reason for processing data outweighs the employee’s right to privacy. A DPIA is an essential tool for employers, whereby they can show they are proactive in safeguarding employee data, especially as the landscape regarding data protection is ever-changing.

  6. Store data records carefully

Employers should store data records carefully and in accordance with data retention periods, and make sure that those with consent to access these records understand their obligations. This includes for example, ensuring those giving out references know how much information they are allowed to disclose in the reference.

  7. Data subject access requests

Employers should ensure that any data subject access requests (‘DSARs’) are valid, including doing ID checks on the person making the request. Once a DSAR is received, the date to provide a response to this DSAR should be diarised and complied with.

  8. Data breaches

An employer should already have in place a response plan to deal with data breaches. This should be clearly communicated to staff in writing, and supplemented with training, so they know what to do and are proactive with reporting such data breaches when they arise.

  9. Keep data up to date and correct

Review the data held annually to ensure that it is up to date and correct. This is especially important for emergency contact details and next of kin, to ensure that breaches do not accidentally occur. It also aligns with the data protection principle that all personal data processed must be accurate.

  10. Do not store information for longer than necessary

Employers shouldn’t store information for longer than necessary for the specific purpose for which it was collected. Once there is no longer a compelling reason for it to be processed, the data should be deleted. It is also helpful to have a data retention policy in place to ensure that staff within the organisation are aware of how long to keep various categories of personal data.

If you are concerned about your data, or would like help with a Subject Access Request, please contact our Data Protection Lawyers who would be happy to help.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author: Madeleine Harding, Trainee Solicitor
