
Facts employees should know about their personal data

We previously published an article on facts an employer should know about holding personal data (check out this article here), so it is only fair that we also write about the other side of the coin – facts employees should know as individuals whose personal data is held by their employer.

But first things first: what is personal data?

This is any information relating to a particular person which can be used to identify said person, whether directly or indirectly.

Employers generally hold large amounts of personal data about each of their employees, such as their name, address, date of birth, sex, education and qualifications, National Insurance number, employment history, their current employment contract containing details of the employee’s hours of work, pay, benefits, etc.

The facts to know

1. Protecting personal data

Employees’ personal data held by their employer must be kept secure and not be susceptible to data breaches. Employee data breaches are serious and employers have strict obligations when it comes to protecting employees’ personal data. If the breach causes actual harm to the data subjects/employees, it may be that the employee chooses to report the matter to the ICO and could decide to progress this further by pursuing court proceedings.

2. Special category data

There are various types of personal data which belong to this category as they are considered to be ‘sensitive’, such as race and ethnicity, religion, medical conditions and sexual orientation. Employers usually require an employee’s consent before being able to process such personal data. Another point to note is that the employer will require a particular purpose to process such personal data. As an employee you should be aware that employers are required to ensure that additional safeguards are in place to protect this type of data due to the sensitive nature of it.

3. References

Unless a relevant exemption applies, for example, if the job reference contains another individual’s personal data, as an employee you may be able to obtain a copy of your job reference from your current employer.

4. Data subject access requests (DSARs)

DSARs are requests made by individuals to organisations which hold their personal data, to access this personal data. Organisations must respond without undue delay and, in any case, within one month of a DSAR being made, unless this is not possible and an extension is required (up to a maximum of 3 months). Employees can make DSARs to their employers at any time, and the request does not have to relate only to receiving copies of your personal data; it can also include other requests, such as a request to delete your personal data or to find out whether any automated processing is involved in processing your personal data.

 

Sana Nahas

Trainee Solicitor


5. Data processing in general

Employers are considered to be data processors, and there are six lawful reasons for processing data. In an employment context, these are the following:

  • The employee consents to the data processing
  • There is a contractual reason for the data processing
  • The employer is processing data to comply with a legal obligation
  • The employer is processing data to protect the vital interests of people
  • There is a public interest reason or the employer is carrying out its official functions
  • The employer is processing data for its legitimate business interests, as long as these interests are not overridden by the employee’s legitimate interests

6. Data processing using artificial intelligence (AI)

There are limitations on an employer’s use of AI in the processing of employee personal data. AI should not be used in making employment decisions without any human scrutiny, as this would fall within the restricted area of “solely automated decisions”. This is a crucial data protection right in the UK GDPR, and if you are an employee who suspects that your employer has breached this by, for example, dismissing you based on an automated system, you could have grounds to pursue a claim for unfair dismissal.

7. Data retention

As an employee you have a right to your data not being kept for longer than is necessary. So if you’ve left your employment, your previous employer should delete from its records your personal data which it is unlikely to need again. Examples of such data could be emergency contacts or previous addresses. Please note that some statutory provisions apply in respect of certain records, for example, pay and tax records, and the retention periods will also be subject to your employer’s retention policy.

8. Challenging the accuracy of personal data

Any data subject can challenge the accuracy of personal data held by an organisation and ask that it is corrected. As an employee you can therefore ask your employer to rectify or delete personal data it holds on you. For example, this could relate to updating your address or bank details. Keep in mind, however, that opinion data is not the same as personal data, so if the data you seek to “correct” is an opinion about you, and the record is clear that the data is an opinion, it is difficult to argue that this is inaccurate and needs correcting.

If you have any data protection concerns, please do not hesitate to contact our Data Protection lawyers who would be happy to help.

 

 

FAQs – Personal Data

Personal data refers to any information related to an identifiable living individual.

That individual has to be identified or identifiable, directly or indirectly, from one or more identifiers (such as a name, an identification number, location data, an online identifier) or from factors specific to the individual (such as physical, physiological, genetic, mental, economic, cultural or social identity).

The person in question is often referred to as a ‘data subject’.

Some personal data, referred to as ‘special category data’, is treated as being more sensitive, and therefore requires a greater level of protection. This is information about the data subject’s:

  • Race
  • Ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Sexual orientation or sex life
  • Genetic data
  • Biometric data
  • Trade union membership
  • Health data

Information about criminal convictions and offences is also treated as requiring greater protection.

A data controller is a legal person, public authority, agency or other body that determines the purposes and means of processing personal data.

A data processor is a person, public authority, agency or other body that processes data on behalf of the data controller.

An entity can be both a data controller and data processor.

Data controllers must have a valid legal basis to process personal data. There are six legal bases:

  • Consent – the data subject has given consent to the processing
  • Contract – the processing is necessary for the performance of a contract to which the data subject is a party (or in order to take steps at the request of the data subject prior to entering the contract)
  • Legal Obligation – the processing is necessary to comply with a legal obligation to which the data controller is subject
  • Vital Interests – the processing is necessary to protect the vital interests of the data subject or another person (this is usually used in cases of life and death)
  • Public Task – the processing is necessary to perform a task in the public interest or in the exercise of official authority vested in the data controller
  • Legitimate Interests – the processing is necessary for the controller’s (or a third party’s) legitimate interests except where these are overridden by the interests or fundamental rights and freedoms of the data subject. This involves balancing the data controller’s interests against the data subject’s rights.

If a data controller is processing special category data or data related to criminal convictions, it needs to identify a lawful basis for the processing but also satisfy an additional condition relating to the processing.

Right to be informed: individuals have a right to be given certain information about their personal data and how it is processed. This includes information on the purposes for processing personal data, details of who has access to this and retention periods that apply to that data.

Right of access: individuals may request access to their personal data held by an organisation. Requests are made via a data subject access request.

Right to rectification: individuals may request that inaccurate or incomplete personal data held about them is rectified or completed.

Right to erasure: individuals may request the deletion of their personal data in certain circumstances.

Right to restrict processing: individuals may request that the processing of their personal data is restricted in certain circumstances.

Right to data portability: individuals have the right to receive their personal data (which they provided to the data controller) in a structured, commonly used and machine-readable format. They also have the right to request that the data controller transmit this data to another data controller.

Right to object: individuals have the right to object to specific processing activities in certain circumstances.

Rights related to automated decision making: individuals have the right not to be subject to a decision based solely on automated means without any human involvement, if the decision produces legal effects concerning the individual or similarly significantly affects them.


Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
