- 16 May 2023
Personal data is any information that can be used to identify an employee. This can include for example their name, address, ethnicity, financial details, or health records.
For data protection purposes ‘Employee’ includes job applicants, former employees, contract and agency staff.
1. Process limited data
Employers can process limited data, including, but not limited to: name, address gender, education, and emergency contact details without an employee’s consent (and can instead rely on other lawful processing grounds such legitimate business purposes). Although an employer is also allowed to ask an employee to disclose details of their age, sexuality, religion and more in the interests of equality monitoring, the employee is not under any obligation to disclose any of this information if they don’t want to.
2. Sensitive data
Data pertaining to an employee’s health and wellbeing is extremely sensitive (known as ‘special category data’) and should only be collected if it is really needed for a specific purpose, and with the employee’s explicit consent which consents to what is being collected and who it will be shared with.
3. Six lawful reasons for processing
To process an employee’s data employers must meet one of the six lawful reasons for processing:
- Employee Consent for one of more specific purposes
- Necessary in connection with a contract
- Necessary to comply with legal obligation
- To protect vital interests of the data subject or another person
- Exercise of public interest of official authority
- Necessary for the purposes of the legitimate interests of the controller or a third party, unless these are overridden by the employee’s legitimate interests
4. Effective privacy notices
Employers should have effective privacy notices in place which clearly explain the personal data they are holding, why they are keeping these records and remind employees of their GDPR rights. This also includes a privacy notice required for applicants.
5. Data Protection Impact Assessment
When implementing a new data collection system or process an employer should carry out a Data Protection Impact Assessment (DPIA) to balance the risks and ensure that the reason for processing this data outweighs the employee’s right to privacy.
Employers should have effective privacy notices in place which clearly explain the personal data they are holding, why they are keeping these records and remind employees of their GDPR rights.
6. Store data records carefully
Employers should store data records carefully and in accordance with data retention periods, and make sure that those with consent to access these records understand their obligations. This includes for example, ensuring those giving out references know how much information they are allowed to disclose in the reference.
7. Data subject access requests
Employers should ensure that any data subject access requests (‘DSARs’) are valid, including doing ID checks on the person making the request. Once a DSAR is received, the date to provide a response to this DSAR should be diarised and complied with.
8. Data breaches
An employer should already have in place a response plan to deal with data breaches. This should be clearly communicated to staff in writing, and supplemented with training, so they know what to do and are proactive with reporting such data breaches when they arise.
9. Data up to date and correct
Review the data held annually to ensure that it is up to date and correct. This is especially important for emergency contact details and next of kin, to ensure that breaches do not accidentally occur. It also aligns with the data subjects’ principle of ensuring that all personal data that is processed is accurate.
10. Should not store information for longer than necessary
Employers shouldn’t store information for longer than necessary for the specific purpose it was collected. Once there is no longer a compelling reason for it to be processed, the data should be deleted. It is also helpful to have a data retention policy in place to ensure that staff within the organisation are aware of how long to keep various personal data for.
If you are concerned about your data processing, or would like help with a Subject Access Request, please contact our Data Protection team who would be happy to help.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
About this article
Subject10 facts an employer should know about holding personal data
Published16 May 2023
Read, listen and watch our latest insights
- 22 February 2024
Time to take the heat off menopausal women
On 22 February 2024, the EHRC released guidance and resources for employers designed to help employers understand their legal obligations in relation to supporting workers experiencing menopausal symptoms.
- 22 February 2024
Talking Employment Law: What to do if you’re at risk of redundancy
In this podcast, Harry Berryman and Rebecca Dowle, members of the employment team, will talk through the steps that need to be taken for a redundancy to be fair and the range of criteria that can be used when determining which employees will be made redundant.
- 12 February 2024
The World of Work in 2024- What Can HR Expect?
In many senses, 2024 is unlikely to be a year with radical ruptures from those that have gone before it. The significance of 2024 though, is that it is likely to build upon those megatrends impacting the world of work, which have been emerging for some time now and are only likely to strengthen as we move on in time.
- 30 January 2024
Large-scale Redundancies – What to expect as an employee
In today’s uncertain economic environment, it is rare to see a week go by without a major employer announcing redundancies, be they as a result of a restructuring, a contracting business or a merger or acquisition.
- 23 January 2024
Navigating Redundancy: Top Tips for Employers Considering Redundancies
Redundancy law in the UK can be tricky to get right. With that in mind, here are our top tips for employers who are considering making redundancies.