DATA PROTECTION

A guide to data protection in the workplace by the employment law experts

Marjon Law, specialist employment lawyers is owner-led by Marc Jones, who is ranked and recommended in legal publications as a leading employment law solicitor, with over 20 years of experience practising solely in employment law.

If you would like urgent advice on data protection in the workplace, please contact us as soon as possible.

What is data protection?

Data protection is the process of protecting information from damage, loss, or corruption.

The Data Protection Act 2018 (DPA) controls how personal information is used by organisations, businesses or the government.

The DPA is the UK’s implementation of the UK General Data Protection Regulation (UKGDPR).

This web page is concerned with data protection in an employment context only.

What are the data protection principles?

Employers will process personal data about employees and will be governed by the DPA and UKGDPR, where the data is:

processed electronically
kept in a filing system (manually or otherwise)
part of an accessible record, eg an education record
held by a public authority.

Employers must follow strict rules called data protection principles, which state that an employer must ensure that the information is:

used fairly, lawfully and transparently
used for specified, explicit purposes
used in a way that is adequate, relevant and limited to only what is necessary
accurate and, where necessary, kept up to date
kept for no longer than is necessary
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

What is personal data?

Personal data only includes information relating to natural persons (eg employees, partners and company directors) who:

can be identified or who are identifiable, directly from the information in question
who can be indirectly identified from that information in combination with other information eg a payroll or staff number
pseudonymised data
special categories of personal data or criminal conviction and offences data, which are considered to be more sensitive and may only be processed in more limited circumstances.

Personal data is not subject to the DPA/UKGDPR, if:

it is truly anonymised - although it is important to understand what personal data is in order to understand if the data has been anonymised
information about a deceased person
information about companies or public authorities (but not sole traders).

There is stronger legal protection for more sensitive information, such as:

race
ethnic background
political opinions
religious beliefs
trade union membership
genetics
biometrics (where used for identification)
health
sex life or orientation.

There are separate safeguards for personal data relating to criminal convictions and offences.

What data protection rights do employees have?

Under the DPA, employees have the right to find out what information their employer has about them. These include the right to:

be informed about how your data is being used
access personal data
have incorrect data updated
have data erased
stop or restrict the processing of your data
data portability (allowing you to get and reuse your data for different services)
object to how your data is processed in certain circumstances

Employees also have rights when employers use their personal data for:

automated decision-making processes (ie without human involvement)
profiling (eg predicting behaviours or interests).

The UKGDPR requires employers to provide employees with a privacy notice/policy setting out the legal reasoning and justification for the collection and processing of employee personal data, which should be separate from their employment contract. The privacy notice/policy must include:

the identity and contact details of the employer as the data controller
the data protection officer (or the person responsible for data protection) contact details
the purposes for which the data is being collected and the legal reasoning for processing
where the legal basis for processing is the legitimate interests of the employer or a third party, the legitimate interests relied on
the recipients, or categories of recipients, of the data, if any
details of any sharing of the data outside the European Economic Area and the appropriate procedures in place
the period for which the data will be stored
the employee's right (as a data subject) to request access to, correction or deletion of data, to request the restriction of processing of data, or to object to the processing of data
the right to data portability
the right to withdraw consent at any time
the right to lodge a complaint with the Information Commissioner's Officer (ICO).

How can an employee make a subject access request?

An employee has the right to request the data that their employer holds about them. This request is referred to as a subject access request (SAR) or data subject access request (DSAR).

There is no prescribed format for making a valid subject access request, although some employers may have a prescribed form.

There is no particular language that is required for a valid SAR, provided that an employee makes it clear that they are asking for personal information about them and not others.

If help is required in making or responding to a SAR, Marjon Law is here to advise you.

What are the time limits for an employer to respond to a subject access request?

An employer must respond to a subject access request ‘without undue delay and in any event within 1 month of receipt of the request.’

An employer is, however, allowed to extend the deadline by up to 2 months (ie 3 months in total) where requests are particularly ‘complex or numerous.’ If this is the case, the employer must inform the employee of this within inform 1 month of the employee making the request providing reasons why an extension is necessary.

Is there a fee to make a subject access request?

The information must generally be provided free of charge, however, employers may charge a ‘reasonable’ fee if the request is ‘manifestly excessive or unfounded, particularly if it is repetitive.’ Any such fee must be based on the administrative costs involved of retrieving the information.

Can an employer refuse to comply with the request?

Employers can only refuse to respond to unwarranted requests, although an employer would need to explain why, and also inform an employee of their right to complain to the ICO without undue delay.

The ICO’s guidance states an employer can reject a subject access request as 'manifestly unfounded' where the request is 'malicious in intent and is being used to harass an employer with no real purpose other than to cause disruption'. The ICO would need to decide on the facts of the case if an employer has unreasonably refused to comply with the request.

Can a settlement agreement restrict an employee from making a subject access request?

An employee can agree to such a term in a settlement agreement that prevents him/her from making a subject access request in the future. However, the ICO's guidance states that any limits imposed on an person's right of access would mean that this clause in a settlement agreement would be unenforceable under data protection legislation.

Can a settlement agreement provide for a withdrawal of a subject access request or make a complaint to the ICO?

Frequently there will be such a term in a settlement agreement not to proceed with an 'existing' subject access request or make a complaint to the ICO, sometimes as part of an agreement not to proceed with a grievance . This is likely to be enforceable but it would not prevent the employee from raising a further subject access request in the future.

The material contained in this web page is provided for general purposes only and does not constitute legal or other professional advice. Appropriate legal advice should be sought for specific circumstances and before action is taken.