Information Commissioner’s Office (ICO)
The regulator that enforces data protection laws in the UK is the Information Commissioner’s Office (ICO). The ICO has published several Codes of Practice on data protection at work on its website, explaining the law and outlining best practice. The Codes are non-statutory. They do not create legal rights and obligations. This means that on its own, a breach of the Code will not make a dismissal unfair (City and County of Swansea v Gayle [2013] UKEAT 0336/12). Despite being non-statutory, the Codes are an important source for reps, and employers should not infringe them.
The Codes cover recruitment and selection, employment records, monitoring at work and medical information. There is a separate Code of Practice on CCTV, In the Picture, updated in 2015 to cater for newer devices, such as body cameras.
In May 2018, the UK introduced a mandatory data protection fee payable to the ICO. All organisations and sole traders that process personal data must pay unless they are exempt, for example, because they process data only for staff administration.
This chapter summarises the UK GDPR as it applies in the workplace. There is more detailed guidance on the Information Commissioner’s website and in separate LRD booklets.