Employee data protection policies

May 2013

All employers will collect and use personal data belonging to job applicants, employees or workers and, as a result, are required to comply with laws which are designed to protect the processing of this data in the United Kingdom. By having an employee data protection policy, an employer can reduce the risk of claims for failing to comply with these laws and give itself greater flexibility to monitor an employee's use of email, the internet and other devices where necessary.

The laws on data protection are mainly contained within the Data Protection Act 1998 (DPA) which requires that an employer must have a lawful reason for collecting and using personal data and ensure that this is processed fairly, for a limited period of time and kept accurate and secure. Personal data is information that relates to a living person who can be identified from that data. This includes an individual's personal details and personnel file and any expression of opinion about or understanding of facts concerning the individual but, generally, does not include day to day business correspondence to, from or copying the individual where normal work activities are being carried out. 

The protection of employee data by employers is required throughout the employment relationship. For example, employers will collect personal data when recruiting employees by requesting or receiving personal data in job application forms and CVs; during employment in relation to salary and benefits entitlements, performance reviews and disciplinaries and grievances; and after employment where employers have obligations to retain data for certain periods of time such as statutory sick pay payments which must be kept for up to three years. In addition, from time to time, as part of routine checks or a specific investigation, an employer may wish to monitor or check an employee's emails and internet usage which will inevitably result in the employer accessing or using his or her personal data.

The purpose of a data protection policy is to set out the conditions under which the employer will process personal data and ensure that everyone in the business is aware of their individual responsibilities and the employer's expectations regarding privacy. Not all employers will choose to have data protection policies but those who do will be best placed to ensure internal compliance with the DPA and avoid potential civil and criminal liabilities as well as negative publicity.  For example, if an individual suffers damage caused by an employer's breach of its obligations, he or she could potentially bring claims for breach of contract, constructive unfair dismissal and any distress suffered. The individual could also report the matter to the Information Commissioner (IC), the regulatory body responsible for enforcing the data protection regime in the UK, which could investigate and, potentially, commence a criminal prosecution against the employer. 

A data protection policy should be tailored to an employer's business to take account of the structure of its organisation, resources and particular personal data which it may process. A policy must then be communicated to staff and monitored in practice (simply writing a policy and not drawing this to an employee's attention is not enough).

Ideally, a policy should identify a compliance manager who is responsible for reviewing, implementing and monitoring compliance with the policy. A policy should recognise that job applicants and current and former employees and workers are covered by data protection requirements. In addition, a policy should explain what amounts to personal data; where and what type of information may be held; and how this may be processed and acknowledge that this will occur only if the employee has given consent. This should be obtained by including a clause that confirms that the employee consents to the processing of personal and sensitive personal data in connection with their employment. The policy should also briefly set out the measures taken by the employer to ensure that there are appropriate security measures in place to safeguard employee data and address how this will be protected if the employer intends to transfer employee data outside of the European Economic Area to a country that has no or a limited data protection regime.

A forward thinking employer can put itself in a strong position to check and investigate facts for legitimate business reasons, including investigating grievances and potential incidents of poor performance or misconduct, by having a policy statement on employee monitoring either as part of a data protection policy or an IT user policy. In particular, the statement should explain that the use of its IT systems, including email, internet, telephones and mobile devices, may be monitored from time to time and employees should not expect privacy. In addition, an employer should also include a contractual right to monitor as part of a data protection clause in an employment contract. Although an employer will always be required to act reasonably in a manner that does not damage trust and confidence in employment, this statement and clause will set out the employer's expectations and may enable a more robust investigation to be carried out with reduced risk.

A number of high profile breaches of the DPA have hit the headlines recently and additional funding and enforcement powers have been given to the IC as part of an overall strengthening of the data protection regime in the EU. As a result, now more than ever, it is important that all employers consider putting in place a data protection policy if none exists or review existing policies to ensure these remain relevant and effective.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Christopher Cooper

Chris sets out the benefit of employee data protection policies.

"Now, more than ever, it is important that all employers consider putting an up-to-date data protection policy in place."