Employers must comply with the UK GDPR and Data Protection Act 2018 (DPA 2018) when handling an employee’s personal data.
Handling Employee Data
If you wish to obtain an employee’s personal data (their name, address and physical, cultural or social identity) you must have a legal basis for doing so. There are six legal bases:
- Consent from the employee: this must be freely given (e.g. consent to having marketing pictures taken)
- Contract with the employee: there must be a need to process data pursuant to a contract (e.g. an employment contract)
- Compliance with a legal obligation: there must be specific legislation which requires certain data to be obtained (e.g. proof of right to work in the UK)
- Vital interests: this typically relates to the health of an individual (e.g. knowledge of allergies)
- Public interests: specific examples of public interests are listed in the DPA (e.g. equality and diversity information)
- Legitimate interest: this is a balancing act between the rights of the employee and what the employer wants to do (e.g. putting tracking software on work laptops)
If you wish to handle special category employee data, you must also have an exemption pursuant to article 9 of the DPA. An employer should therefore exercise caution when handling the following types of data:
- Race and ethnicity
- Religious beliefs
- Political opinions
- Trade union membership
- Genetic data
- Biometrics (e.g. fingerprints used for identification)
- Health
- Sex life or sexual orientation
If you are unable to identify a legal basis (and, for special category data, an article 9 exemption) you will not be able to ask for that type of data from your employee.
Privacy Notices
An employer must give an employee a copy of their privacy notice before any of their personal data is obtained. It is best practice to send this out alongside a job offer. There is no requirement for an employee to acknowledge or read this privacy notice; the act of sending it out is sufficient.
A privacy notice should set out the legal basis for processing the personal data, as well as the period for which the personal data will be stored and the right to lodge a complaint if personal data is not stored securely.
A privacy notice should also be sent out to any candidates or clients whose personal data you have obtained from another source (e.g. a recruiter). This notice should specify the source from which the personal data was retrieved.
Data Breaches
A data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.
If a data breach occurs, you must notify the ICO within 72 hours if the breach will result in risk to individuals, and notify the individuals affected if the breach is likely to result in high risk to them. An assessment of the extent of the risk should be made on the ground.
Employers must understand their data protection responsibilities and liabilities, manage data responsibly and keep up to date with data protection developments. If you require further assistance, please contact our Employment Team or one of our HR Consultants at Nockolds on 0345 646 0406 or fill in our online enquiry form and we will be in touch.