Regulatory Framework

In the UK, there is no separate regime governing the protection of data relating to employees, although the UK Information Commissioner’s Office (ICO) has produced guidance regarding the application of the UK Data Protection Act 1998 (DPA) in the employment arena. This guidance — the Employment Practices Data Protection Code (Code) — does not have legal force, but will be relevant to any consideration of the reasonableness of an employer’s actions.

UK law makes a distinction between the level of protection applied to “personal data,” being data concerning an individual who may be identified, and the greater level of protection given to “sensitive personal data,” which includes diversity monitoring data and health-related information.

Data Protection Obligations

Businesses in the UK which process personal and sensitive personal data must “notify” (or register with) the ICO before processing personal data. Failure to notify is a criminal offense.

The DPA is a principles-based piece of legislation with which “data controllers” (in this context, employers) must comply in order to lawfully collect, hold and process personal and sensitive personal data. The definition of “processing” is extremely wide, and includes recording, using, disclosing and erasing data. These principles are broadly drafted, e.g., “personal data shall be obtained only for one or more specified and lawful purposes,” and “personal data shall not be transferred to a country or territory outside the European Economic Area [EEA] unless that country or territory ensures an adequate level of protection for the rights and freedoms of [employees] in relation to the processing of personal data.” The substance of the law comes from looking at the reason why a person wants to use personal data, and determining whether that reason provides sufficient justification for doing so. The reason must be more compelling to justify using sensitive personal data.

Consent is often the simplest justification for data processing. However, in the employment context, the ICO may question whether consent is “freely given”; it is therefore important that there is no obligation on an employee to consent, and that they may withdraw their consent at any time. For consent to justify the processing of sensitive personal data, that consent must be actively given (rather than assumed).

The ICO enforces the DPA, and is empowered to:

  • Serve enforcement notices to require compliance  
  • In limited circumstances, inspect and seize documents and equipment  
  • Impose a fine of up to £500,000 for serious and intentional breaches  

Alternatively, individuals can seek a court order for the rectification or destruction of inaccurate data, or compensation for breach of the DPA. Directors or other officers of companies which have committed offences may be liable to prosecution if the company’s offence was committed with their consent.

What This Means in Practice

During Employment

The Code provides helpful guidance for employers, and comprises four parts: (i) recruitment and selection, (ii) employment records, (iii) employee monitoring and (iv) medical records. Key principles of the Code are summarized below.

Recruitment and Selection

  • Employers should ask for the minimum information necessary to carry out the selection process and must inform applicants of how their personal data may be processed during the application process (e.g., their application may be forwarded to other group companies).

Employment Records

  • UK employment contracts often contain consent to permit the employer to collect, hold and process personal data, including sensitive personal data, and to allow the employer to transfer that data to other group entities and third parties, including those located outside the EEA.  
  • Any employee personal data must be kept up-to-date and not retained for any longer than is necessary based on the business need of that particular employer.
  • Employers must ensure that all personal data is subject to appropriate confidentiality restrictions.  
  • Employers should have in place a “data protection and retention” policy that informs employees of the purposes for which they process data, how long the information will be retained and in what circumstances it will be disclosed to third parties.  

Employee Monitoring

  • Employers may wish to monitor employees to ensure that they are acting appropriately in the workplace, not exposing the employer to liability, and dedicating their working time solely to work. Employees must be notified if they are to be monitored, except in exceptional cases, for instance where notification would interfere with a criminal investigation. Employer monitoring of email and internet use is usually described in an “IT acceptable use” policy.
  • Monitoring of employees must be proportionate, i.e., the reason for monitoring must be sufficient to justify the violation of the employee’s privacy.  
  • Employers must ensure that there are a limited number of staff who have access to information obtained from monitoring, and that they have received appropriate training.  

Medical Records

  • Medical records (which amount to sensitive personal data) should only be disclosed to third parties where there is a legal obligation to do so.
  • Employers should only request employee medical information where that information is absolutely necessary.  

Upon Termination of Employment

An employer may be asked to give a reference regarding an employee to a potential future employer. The current employer should ensure that it has a record of the employee’s consent to include the employee’s personal data in a reference.

Following termination of employment, employers should consider how long they should retain an employee’s data (other than anonymized equal opportunities data), taking into account any legal requirements and any potential need to defend a claim from a former employee. Employers should therefore categorize the different types of employee data, be able to objectively justify the period of retention of each category, and anonymize that data where possible.

Data Subject Access Requests

An employee has the right to require his or her employer to inform the employee of any data it holds in relation to them in response to a “data subject access request.” The employee must submit this request in writing and pay a £10 fee. These requests often precede employee claims and commonly involve significant time and resources in compliance.

Recent Developments

The UK government is currently being investigated by the European Commission (Commission) as to whether it has fully implemented the Data Protection Directive. The Commission has questioned whether the ICO has sufficient powers to properly ensure compliance with the Directive, and the ICO is currently liaising with the government in providing a response. In addition, the Commission has referred the UK to the European Court of Justice regarding inadequate implementation of the rules on the confidentiality of electronic communications, and in particular the interception of those communications. This may mean that the ICO’s powers are enhanced in the future.