Employer responsibilities under UK-GDPR data protection law

Employers are one of the biggest processors of personal and sensitive data.

This means that data protection laws have a huge impact on how data is obtained, stored and managed during everyday HR employment practices including;

• recruitment and selection,
• employee record keeping,
• performance monitoring,
• employee health and sickness, and more.

The UK Data Protection Act 2018 was amended to be read in conjunction with the new UK-GDPR (the United Kingdom General Data Protection Regulation) that took effect on January 31, 2020, in light of the UK leaving the European Union.

Before this time, the EU’s GDPR rules were in place from May 2018 when the legislation was significantly changed from its 1998 version in light of new technologies impacting how data was managed and stored.

The UK-GDPR now mirrors the GDPR in its substance and scope and legislates the consent needed and how businesses may store and use any personal data

Read on for our simple overview of what you need to know in regards to your responsibilities and liabilities under data protection law. 

What Is Data Protection?

Data protection refers to laws that protect individuals from having information about them misused and the legislation also gives individuals more control over this personal data and how it is used.

Data protection laws legislate how organisations must process personal information that they hold in a lawful, fair and proper way, and sets out the criminal penalties for failing to do so.

What Is Personal Data

Personal data is at the centre of data protection laws and relates to any information that can identify a living person.

This could be as obvious as something like their name and address to more obscure identifiers such as an IP address, ID number, or a cookie identifier when using a website.

The simple rule is that, if anyone could identify an individual directly or indirectly from the information you are processing, then that information may be personal data and should be treated accordingly.

The legislation applies to personal data whether it’s stored automatically, in a computer filing system, on paper, or held in any relevant filing system either currently or with the intention that it will be.

How Can Personal Data Be Processed At Work?

Your role as an employer gives you access to lots of personal data for current employees, leavers and recruits, so it’s important to know your responsibilities on how this can lawfully be processed.

Under the Act, the term ‘processing’ covers obtaining the information, the retention of it, how it’s used, how access is given, its disclosure and eventual disposal.

This means that as an employer, you must keep the personal data for those that work with you safely, secure and up to date, and it must be processed lawfully and fairly subject to the consent given or another specified legal basis.

Data protection laws don’t just cover employees though, so you need to consider data held about current and former job applicants (successful and unsuccessful), agency staff, casual staff, contract staff, volunteers and work experience placements too.

As HR spans large areas of the employer/employee relationship, it can be helpful to break down and review your data protection responsibilities into; recruitment and selection, employment records, monitoring at work, and workers' health.

Employer Priorities On Data Management

• You must be able to demonstrate your data protection compliance and that you manage personal data responsibility through training, auditing procedures, filing and processing activities and HR policy updates.
• A data protection office (DPO) should be appointed as the responsible person for ensuring that Data Protection laws are upheld, or steps are taken to ensure compliance in your organisation
• You must tell your employees and workers what information you’re collecting, why, what will happen to it, and who will see it.
• Check and ensure proper security of information stored - both physical and electronically
• You should audit your systems to establish where data is held, who by, and why
• You should share guidance on the correct use and storage of data
• Review and share policies relating to telephones, email and post where personal data may be shared
• Commit to monitoring and reacting to data compliance
• You can’t keep data any longer than is necessary and must ensure that any data you do hold meets the rules set out by The Data Protection Act and the UK GDPR.
• You must keep up-to-date with data protection law and developments in it
• You must provide a copy of all information held about an employee within 30 days of request by the employee

What Data Can I Store?

Employers can lawfully keep the following data about their employees without their permission:

• name
• address
• date of birth
• sex
• education and qualifications
• work experience
• National Insurance number
• tax code
• emergency contact details
• employment history with the organisation
• employment terms and conditions (eg pay, hours of work, holidays, benefits, absence)
• any accidents connected with work
• any training taken
• any disciplinary action

Examples of information that is likely to be covered by the act include;

• Employee salary information and bank account information
• An individual worker’s personnel file
• An email about an incident involving a named worker
• A supervisor’s notebook containing information on a worker where there is an intention to put that information in that worker’s computerised personnel file

What Data Do I Need Permission To Store?

Sensitive data such as the following information must be kept more securely and requires the employees’ permission for you to collect and store this.

As an employer, you have a legitimate reason to process ‘sensitive personal data if necessary to carry out an obligation under an employment contract or collective agreement.

• race and ethnicity
• religion
• political membership or opinions
• trade union membership
• genetics
• biometrics, for example, if your fingerprints are used for identification
• health and medical conditions
• sexual history or orientation
• Criminal records

What Are The Penalties?

With plenty of high-profile companies publicly being caught out by failures in their data protection responsibilities including Morrisons, Quora, LinkedIn and Sage, all organisations must take steps to assess and mitigate the risks involved in proper data storage at their places of work.

Whilst most companies don’t intentionally disregard their responsibilities under data protection laws, the cost of doing so can be significant.

If you are reported and fail to fix any issues identified by an enforcement notice or inspection, then the fines you can face will be linked to your turnover.

Although extremely rare, the maximum fines are currently set at 4% of global annual turnover or £17.5million, whichever is greater.

Further Guidance And Next Steps

Data protection is a complex topic that is far-reaching and can be difficult to understand.

We hope this article has provided a starting point for understanding your employer role and responsibilities when it comes to complying with the Data Protection Act and UK GDPR across HR processes at your workplace.

If you need further guidance on adopting good practices around storing and managing information to uphold the legislation in your organisation, please speak to your Neathouse Partners contact for advice.

The following resources also provide an opportunity to check the main points that apply to your organisation and what action you may need to take.

• Information Commissioner’s Office – for organisations
• The Data Protection Act 2018 (DPA)
• GOV.UK - personal data an employer can keep about an employee