Processing of employees’ personal data

Olivia Satchel

Olivia Satchel

Lawyer

Employers collect and process large amounts of personal information about their employees. Data can range from a CV and cover letter that contain contact details, to health and social insurance information, training documents, as well as performance evaluations.

To assist employers with meeting the legal requirements, the Information Commissioner’s Office (ICO) published guidance on how to process employee data at the workplace based on the Data Protection Act 1998. Since introduction of the Data Protection Act 2018 (DPA 2018) and the United Kingdom General Data Protection Regulation (UK GDPR), the guidance has not been updated, but is still recommended for companies.

The ICO is currently working on updates, specifically in regard to the monitoring of employees. The draft Employment Guidance for Monitoring at Work was made public in 2022 and is still open for public consultation. We have summarised the main points of the guidance below.

The special categories of employee personal data

Special categories of data, such as information about race or ethnic origin, biometric data, or data concerning health, are subject to a higher level of protection. In an employment relationship, you are likely to process such sensitive data, e.g. health data when an employee takes off due to illness.

As an employer, you have access to much of your employee’s personal information. The HR department in particular must carefully observe data protection rules whilst processing this data.

Legal basis for processing personal data in the employment context

If employers wish to process an employee’s personal data, they will need to demonstrate legal justification. Art. 6 UK GDPR provides for several possible bases for lawful processing. Employers will need at least one of the following legal bases in order to process the personal data of employees, the most relevant of which are as follows:

  1. Consent: If the employee has given consent to the processing of his/her data for a specific purpose.
  2. Performance of a contract: If the processing is necessary for the performance of, or prior to entering, a contract to which the employee is a party.
  3. Legal obligation: If the processing is necessary for compliance with a legal obligation to which the employer is subject.
  4. Legitimate interest: If the processing is necessary for the legitimate interest pursued by the employer.

In an employment relationship, you are likely to process your employee’s information on a legal basis of necessity to perform a contract, namely an employment contract. For instance, you are allowed to process bank details to pay your employee’s salary, as it is your contractual obligation to do so. Often compliance with a legal obligation to which an employer is subject will constitute a legal basis, such as keeping some information for tax purposes required by national legislation.

Employment Practices Code in the United Kingdom

The ICO published the so-called Employment Practices Code, which contains the ICO’s recommendations on how employers can meet the legal requirements under UK data protection legislation. The guidance’s aim is to provide practical guidance for companies on how to pursue a compliant processing of their employees’ data. Therefore, it is still applicable today, even though it was based upon the DPA 1998.

The current draft guidance on monitoring at work is the ICO’s first step to update this guidance, especially due to the technical improvement over the last years, and to give companies a more user-friendly approach on specific topics when processing their employees’ data.

The main topics of the guidances are as follows:

Understanding the DPA 2018 and UK GDPR

The DPA 2018 and UK GDPR apply to information about identifiable people, including job applicants and employees, full-time or part-time, and regulate the way their data can be collected, handled, and used. Furthermore, the DPA 2018 and the UK GDPR grant individuals rights, including the right to access information about them and the right for compensation in case of data misuse. Lastly, they apply to computerised information and well-structured manual records, such as files about job applicants.

Employment records

Both the DPA 2018 and the UK GDPR generally apply to information that employers keep on file about their employees. They do not prohibit the processing of personal data held during employment. While you will not need your employees’ consent for keeping employment records, data subjects must be able to exercise their rights, including the right to obtain information contained in these records.

In addition, you should keep the number of authorised persons as low as possible, taking into account representation regulations, and make these persons particularly aware of the confidentiality of this data and have them sign non-disclosure agreements (NDAs). Based on the principle of data minimisation and purpose limitation, you should only collect and process the data you need for the fulfilment of the employment contract. Personal data which you no longer need is to be deleted in accordance with the legal retention periods.

Monitoring at work

The draft guidance on monitoring at work is more detailed than the corresponding chapter on this topic in the employment practices code, however, the same principals are provided for. First of all, monitoring at work is allowed, if certain requirements of data protection legislation in the UK are met. The legal basis is the crux of the matter.

Consent can only be a legal basis when given freely by an employee. As your employee is dependent on you and could expect negative impacts on their employment relationship with you from the monitoring, consent can only be considered in very limited instances of monitoring. You have to ensure the consent is given freely and there is no negative impact for the employee.

Other legal bases, especially legitimate interests may be more appropriate. However, so the draft guidance, you should consider conducting a data protection impact assessment (DPIA) to ensure damages to the rights and freedoms of your employees are minimised.

The draft guidance emphasises the consideration of the data protection principles in Art. 5 UK GDPR when monitoring your employees. These principles include fairness, transparency, accountability, the purpose limitation, data minimisation, and accuracy. You therefore are well advised to consider these before monitoring all or some of your employees and to ensure you comply with these core principles.

Further, as already implicated above, the draft guidance highlights the possible necessity of a DPIA and provides examples of when a DPIA should be completed. Such examples are monitoring including special categories of data, covert monitoring, intrusive driver monitoring, monitoring of emails and messages, or video monitoring.

A new topic regarding the employment practices code is international transfers. If using tools or service providers for monitoring personal data which sit outside the UK, you need to comply with Chapter V of the UK GDPR and ensure you have the appropriate safeguards for restricted transfers to countries outside the UK in place.

Employees’ rights

You should consider the guidance given in both documents to ensure you do not receive a UK GDPR fine, which can be up to £17,500,000 or up to 4 % of the total worldwide annual turnover of the preceding financial year. Employees may claim compensation if they suffer due to unlawful processing of their data. Therefore, you should ensure that you treat employees’ data correctly, securely and responsibly.

Employees also have, amongst other rights, a legal right to access information about them or object to its processing. For example, an employee may object to your holding or using information about them. In that case, you should delete the data in question, unless you have a compelling reason or legal basis to continue holding it. If you do not comply with their rights, employees may also claim damages.

Recommendations for employers in the UK

Employment is a crucial part of every company, and for the most part, data protection laws allow you to process the personal data of your employees or applicants to fulfil the requirements of this relationship. However, to ensure the safety of your employees’ personal data you should follow the DPA 2018 and UK GDPR and their principles and obligations. Both the Employment Practices Code and the Draft Employment Guidance for Monitoring at Work give you comprehensive insights on what to consider when processing employee data.

To fully acknowledge the high risk some processing activities hold, such as monitoring your employees in certain circumstances, you should consider conducting a DPIA. To keep track of your obligation to carry out a DPIA, and what information to provide your employees with, you are well advised to keep your records of processing activities up to date.