LRD guides and handbook May 2019

Law at Work 2019 - the trade union guide to employment law

Chapter 15

15. Data protection, surveillance and monitoring

Data protection law in the UK is governed by the EU General Data Protection Regulation (GDPR) and by national law, the Data Protection Act 2018. 


The GDPR came into force on 25 May 2018. Whatever the outcome of the UK's plans to leave the EU, the UK must comply with the GDPR in order to be allowed to continue to trade with EU member states and to offer services to EU citizens. This is because any data passing between the UK and the EU must be protected by national law to at least the minimum regulatory standards set by the European Commission. The UK has already written the GDPR into national law through the Data Protection Act 2018 (DPA 18). The DPA 18 also contains some UK-specific powers, including new enforcement powers for the ICO.


The regulator responsible for enforcing data protection laws in the UK is the Information Commissioner’s Office (ICO). The ICO has published several Codes of Practice on data protection at work on the ICO website, explaining the law and outlining best practice. The Codes are non-statutory, so they do not create legal rights and obligations. For example, a breach of the Code will not make a dismissal unfair (City and County of Swansea v Gayle [2013] UKEAT 0336/12/106). Despite being non-statutory, the Codes are an important source for reps, and employers should not infringe them.


The Codes cover recruitment and selection, employment records, monitoring at work and medical information. There is a separate Code of Practice on CCTV, updated in 2015 to cater for newer devices, such as body cameras. 


In May 2018, the UK introduced a mandatory data protection fee payable to the ICO. All organisations and sole traders that process personal data must pay the fee unless they are exempt (for example, because they process data only for staff administration). There is a fine for non-payment. The fee is intended to support the ICO’s work.


This Chapter contains a short summary of the GDPR and the DPA 18 in the workplace. There is more detailed guidance on the Information Commissioner’s website (https://ico.org.uk).

LRD Booklet: The General Data Protection Regulation — a practical guide for trade unionists (www.lrdpublications.org.uk/publications.php?pub=BK&iss=1915)