The legal position

The main UK legislation governing data protection is the Data Protection Act 2018 (DPA) which replaced the 1998 version. The DPA reflects the General Data Protection Regulation (GDPR). This framework governs organisations that conduct business within the EU and hold data on EU citizens. Any major international corporation that wishes to offer goods or services to EU-based customers should have a compliant data protection strategy. 

 

The ICO promotes and enforces data protection legislation and is independent from government. It provides tools and guidance to aid DPA compliance and takes action where needed. There's more about its role and guidance on the ICO website. 

 

The GDPR gives people rights to access information held about them. In addition, there are obligations for better data management and a regime of fines. 

 

The DPA and GDPR contain rights concerning the processing of personal data which is held in either a computerised format as part of a database or manual records forming part of a relevant filing system. 

 

In essence, the law means that those who decide how and why personal data is processed (data controllers) must comply with certain principles. Those whose data is held or processed (data subjects) have rights, for example in relation to accessing that data. In an employment context, employers will generally be data controllers and employees, workers, ex-employees and applicants will be data subjects. Most HR and employment files and records are covered by the DPA. 

 

Personal data relates to someone who can be identified, directly or indirectly, by an ‘identifier’ such as their name, or an identification number, or by location. It also includes online data which identifies an individual. For example, HR records, including sickness absence, performance appraisals and recruitment notes are personal data. 

 

Sensitive personal data includes information about an individual’s race, ethnicity, politics, religion or beliefs, trade union status, health, sex life, sexual orientation or crimes. Genetic or biometric data (for example, fingerprint images for security or payment systems) are included. It's legitimate to process ‘sensitive personal data’ where necessary to carry out an obligation under an employment contract or collective agreement. 

 

Criminal records are also sensitive data. Employers can carry out criminal record checks for roles that involve working with children or vulnerable adults but not on a routine basis. 

 

Health information should only be held with explicit consent from the individual. Processing medical records may be permissible in certain circumstances, for example assessing working capacity or confirming diagnoses. 

 

When handling personal data, organisations must have safeguards on confidentiality. Employers must tell employees why the organisation is collecting the information, what will happen to it and who will see it. 

 

Processing data includes obtaining, holding, retrieving, consulting and using data by carrying out any operation on it. There are six key principles which apply for example that data must be limited, processed fairly and collected for specified and legitimate purposes. 

 

Data subjects have individual rights including the right to be informed about the processing of personal data and to be forgotten by having data deleted where there’s no compelling reason for it to be processed. 

 

The full list of these rights is on the ICO website, accompanied by useful lists for checking compliance. 

 

Substantial penalties may be imposed if an employer doesn’t follow the data protection principles. There are enforcement sanctions and monetary penalties for serious breaches. The maximum fines are just under £17.5m, or 4% of global annual turnover, whichever is the greater.