15. Data protection, surveillance and monitoring
Data protection law governs how employers collect, use, and store personal information about their workers. It balances the employer’s rights to process data for necessary or legitimate purposes with the worker’s right to be informed about what personal data is being processed, why, and how.
This is done through the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 18). The UK GDPR operates by imposing duties on those responsible for processing data (“data controllers” and “data processors” — which include employers and trade unions, or those acting on their instructions) and giving rights to individuals whose personal data is processed (“data subjects” — individuals including workers and employees). The DPA 18 contains additional provisions to ensure that it functions in domestic law. For example, it defines public authorities and public bodies and contains provisions for the enforcement of data protection law and the appointment of the Information Commissioner. It also regulates data processing for law enforcement and intelligence services.
The Data (Use and Access) Act 2025 (DUAA) came into force on 19 June 2025. It amends UK GDPR and the DPA 18. However, not all its provisions entered into force on that date, and many will come into force in phases via secondary legislation.