Data Protection – a quick guide
What is data protection?
Data protection is a law designed to protect and safeguard your personal information.
The Data Protection Act 2018 controls how your personal information is used by organisations, businesses and the government. The main purpose of this Act is to prevent people and organisations from holding and using inaccurate information on individuals.
The Data Protection Act 2018 was updated in accordance with GDPR in May 2018.
The principles of data protection
The Data Protection Act 2018 adopted the following seven principles for the use of personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality; and
What are my rights as an employee under GDPR?
Employees have a number of rights under GDPR including:
- Right to be informed about the collection and processing of their personal data
- Right to have access to the personal data held about them by the data controller
- Right to rectification by restricting their data being processed
- Right to erasure of their personal data
- Right to data portability by allowing them to get the data and reuse it
- Right to object to their personal data being processed for marketing or research
- Right in relation to automated decision making and profiling.
What types of data are covered by data protection?
The Data Protection Act covers data that is held electronically and in hard copy.
Personal data is information about individuals, such as:
- Medical details
- Banking details
Sensitive personal data is also information about individuals, but includes one or more details such as:
- Genetic or biometric data
- Racial or ethnic origin
- Religious beliefs
- Health data
- Sexual orientation
- Criminal records
- Political opinion
What is data protection in the workplace?
Data protection in the workplace concerns the information that organisations commonly store, such as (among other things): employee records; details of employees; and transactions. Organisations should protect the personal data that they hold – whether this is the data of employees, suppliers, customers, or otherwise – in order to ensure that it isn’t inappropriately communicated to, or misused by, third parties. This is intended to prevent, for example, third parties misusing personal data to engage in fraud, theft or scams.
Organisations should ensure that they have a data protection policy in place which details what data is collected, how it is collected, and how the data is stored; employees must be informed of the purpose of the collection of their data, what uses it is put to, and how it is treated. Ultimately, organisations must (unless in exceptional circumstances) comply with the requirements of the Data Protection Act 2018.
Should my employer have a data protection policy in place?
A Data Protection Policy is an internal policy which sets out, broadly, what policies and procedures an organisation follows in order to protect the personal data of its employees. It is, essentially, a set of principles and rules that ensure there is compliance with data protection laws. Data protection policies differ from privacy notices, as privacy notices do not inform individuals as to how their data is used.
Whilst it is not mandatory for employers to have a data protection policy, they are encouraged to do so in order to meet their obligations under the law: a data protection policy will allow both the employer and the employee to understand what obligations there are in relation to the collection, storage, use, and communication of personal data. In some circumstances it may be mandatory for an organisation to implement a data protection policy.
Your organisation most probably already has policies in place relating to record management and retention, duty of confidentiality, risk management, information security and IT systems.
A Data Protection Policy must include the following five policies:
- Encryption policies
- Acceptable use policies
- Password policies
- Email policies; and
- Data processing policies
Subject access requests
How do I make a subject access request?
As an employee, you have the right to request the data that your employer may hold about you – this is known as a “subject access request” (commonly also known as a “SAR”).
You do not have to make a subject access request in a specific manner (i.e. there is no mandatory wording), but the subject access request must make it clear that you are requesting copies of your personal information held by your employer.
You can make a request for personal information verbally or in writing; however, it is normally recommended that you make the request in writing (so that you can prove what you requested and when). It is also recommended that you send a subject access request to your employer by email, so that you can prove when you sent the subject access request and to whom it was sent.
How should my employer respond to a subject access request?
Your employer should respond to the subject access request by providing the personal data that you have requested within a specified period of time after you have made the request, without (generally) charging a fee. There are certain exceptions to this, as explained below.
How long should it take my employer to respond to a subject access request?
Your employer generally must respond to a subject access request within one month of receipt of the request.
Employers can extend this deadline by up to a further two months if the requests are particularly complex or if you have made numerous requests for your personal data.
Do I have to pay a fee to make a subject access request?
An employer should in normal circumstances not charge for providing personal data.
However, if an employer receives a request that is ‘manifestly unfounded or excessive, particularly if it is repetitive’, it may charge a reasonable fee to deal with the request. Any fee must be based on what it costs the employer administratively to retrieve the information and provide it to you.
Can my employer refuse to comply with my subject access request?
Your employer can refuse to respond to unwarranted requests. However, if your employer intends to reject a subject access request that you have made then it will need to explain:
- Why it is refusing to comply with the subject access request; and
- Your right to complain to the Information Commissioner.
It will usually be difficult for employers to justify why a subject access request cannot be met.
Additionally, if you are complaining about discrimination in the workplace a refusal by your employer to deal with a subject access request that you have made could be argued to be a further act of discrimination or victimisation.
Data protection rights for job applicants
What data am I entitled to if I have applied for a job?
If you have applied for a job then your prospective employer might have retained your personal information – this could include, for example, keeping your contact details or your CV on file in case any vacancies arise in the future.
If you have applied for a job then your prospective employer should inform you: why your data is being processed; what use it is being put to; who will have access to your data; how it protects your data against inappropriate communication to third parties and/or misuse; and what rights you have relating to your data.
Data protection rights for former employees
What data am I entitled to as a former employee?
Your previous employer can retain your personal data only if one of the legal exceptions for continuing to process the data applies – those exceptions can include: processing for tax purposes, or keeping your information in order to comply with a legal obligation.
It should be noted, however, that your employer must only keep such personal data as may be necessary in order to comply with that exception (for example, if your employer is keeping pay data for tax reasons then they can only keep information relating to your pay for that specific purpose, and they can’t keep any other information; they couldn’t retain your entire personnel file in that circumstance).
Organisations must keep a system in place in order to allow them to identify:
- What personal information should be kept regarding former employees;
- What purpose the information is being kept for and the legal basis for its retention;
- How long the information should be kept for; and
- When the personal information should be deleted.
Organisations must ensure that personal information is deleted once its ‘expiry date’ has passed.
If you think that your former employer still holds your personal information then you can ask your employer to delete it. If your former employer is holding your personal data, and no longer has a requirement to retain your personal information, then it should delete the information.
Can I get sacked for breaching data protection?
Whilst it is uncommon to be dismissed from your job for breaching data protection, it is not impossible, and it all depends on the seriousness of the breach (and may lead to gross misconduct).
Data protection is very important, and employers have many obligations to ensure that the data protection legislation is followed. Litigation and reputational risks are increasing; therefore, employers are disciplining employees who breach data protection, treating it as gross misconduct.
There are many ways to avoid a breach of data protection. Employers can use modern security software to keep their organisation safe and up to date, risk assessments should be conducted, and clearly communicated policies should be produced. Additionally, regular and adequate training should be provided, personal data across computers and devices should be encrypted/password protected, and high standards of security should be maintained.
If you have been sacked for breaching data protection guidelines then you might have a claim for unfair dismissal.
What data protection issues arise in employment?
It is inevitable that organisations handle incoming personal data, and in particular sensitive personal data (for example, when managing sickness absence, employee benefits, etc.). Employers are required to get clear consent in order to safeguard health and safety and to avoid disability discrimination.
Furthermore, during the recruitment process, employment checks are carried out; it is therefore important not to collect more information than required, as an organisation should not retain information any longer than necessary.
Some employers monitor emails and other IT use or have CCTV in the workplace. This is permitted but employees must be informed of such procedures. Employers must also get consent in order to access an employee’s computer or personal account (this could lead to serious legal consequences if prior consent is not obtained).
Similarly, using information from employees’ personal social media also raises issues of discrimination, privacy and data protection.
In relation to the transfer of data, there should be a clear basis for collecting and processing data. Data and information regarding health must be kept confidential and secure. The transfer of data outside the UK requires special safeguard measures to be in place (you should also note that drug and alcohol testing is only permitted for health and safety reasons).
Organisations that engage in international transfers must ensure they implement specific lawful data transfer mechanisms in order to be compliant.
What are the key differences between the GDPR and the Data Protection Act?
The General Data Protection Regulation (EU) 2016/679 (GDPR) became enforceable on 25 May 2018. There are some differences which may impact the UK’s relationship with the EU now (post Brexit). The Data Protection Act 2018 (DPA) enacts the GDPR into UK law, which has resulted in a few key differences:
Definition of personal data: DPA only relates to information used to identify an individual or their personal data, whereas GDPR expands the definition of ‘personal data’ and broadens the scope to include genetic information, location data and more.
Geographic scope: DPA provides for data protection through national legislation, whereas GDPR applies to all EU nations and to companies holding data on EU citizens.
Consent: DPA doesn’t require an opt-in for data collection, whereas under GDPR individuals must be provided with privacy notices informing them about their data, and must provide their consent to allow their data to be stored and used.
Data breach: Under DPA, organisations are under no obligation to report a data breach, although they are encouraged to do so; under GDPR, breaches have to be reported to the relevant authorities.
Criminal data: DPA does not require the processing of criminal data to have official authority, whereas GDPR does.
Child consent: Under DPA, a child can consent at the age of 13, whereas under the GDPR the age of consent to data processing is 16.
Data subject rights: Under DPA, data subject rights can be waived if they significantly inhibit an organisation’s need to process data, whereas the GDPR protects data subjects’ rights in relation to personal data processing.
The above are a few differences between the DPA 2018 and GDPR. Now, post Brexit, the GDPR no longer applies to the processing of UK residents’ personal data. It does, however, still apply to UK organisations that process the data of EU citizens.