LRD guides and handbook June 2016

Law at Work 2016

Chapter 4

Data Protection at work


[ch 4: pages 129-131]

The Data Protection Act 1998 (DPA 98) regulates the processing of personal data about individuals in the workplace and is enforced by the Information Commissioner’s Office (ICO). There is a useful Employment Practices Code of Practice available online from the ICO website. The Code is in four parts, covering recruitment and selection, employment records, monitoring at work and medical information. There is a separate Code of Practice on CCTV, updated in 2015 to cover other surveillance technologies used at work, such as body-worn cameras. Neither Code is a statutory Code. This means that tribunals are not required to take them into account, and breach of a Code will not necessarily make a dismissal unfair (City and County of Swansea v Gayle [2013] UKEAT 0336/12/106). 


What follows is a summary of the basic position. More detailed information can be found in LRD’s booklet, Monitoring and surveillance at work — a practical guide for trade union reps, November 2015.


In the DPA statutory regime, the employer is known as a “data controller”. “Personal data” is any information relating to a worker from which that worker can be identified, either from the information on its own or when it is read alongside other information held by the employer. It can be on paper, stored on a computer or processed through email. The DPA is aimed primarily at computer records and electronic filing systems, but it also covers a manual filing system, provided the system is organised in a logical way (for example, by name or employee number) that makes it easy to find and extract information about a particular worker quickly and with minimum effort.


Common examples of personal data held by an employer include:


• information on a job application form;


• salary and bank account details;


• payroll deduction information;


• an email about an incident involving you;


• your disciplinary record;


• your staff appraisal;


• your redundancy selection scores;


• your image on a CCTV recording; and


• your employer’s opinion of your performance expressed in a reference.


There is a separate category under the DPA known as sensitive personal data. This is information so private that the employer must meet a higher standard of protection. Clear and express informed consent is needed before an employer can process sensitive personal data. This is information about someone’s racial or ethnic origins, politics, religion, trade union membership, physical or mental health, sex life, sexual orientation or criminal (or alleged criminal) activities, proceedings or convictions.


The Eight Data Protection Principles 


The DPA is built around eight core data protection principles which the employer must comply with to avoid breaking the law. For sensitive personal data, the employer must also have the worker’s express unpressured informed consent. Here are the eight core principles.


1. Data can only be processed for one of the following purposes:


◊ For the performance of the worker’s contract (for example, salary payments);


◊ To meet any non-contractual employment obligation (for example, accident reporting);


◊ To protect a worker’s vital interests (for example, health);


◊ For the administration of justice (for example, to defend a tribunal claim, or to share information with investigators when employee fraud is suspected);


◊ To protect the legitimate interests of the employer or of third parties to whom the information is disclosed, as long as this does not prejudice the worker’s own legitimate interests.


2. Data must be obtained and processed only for specified and lawful purposes;


3. Data held must be adequate, relevant and not excessive in relation to the stated purpose for which it is held;


4. Stored data must be kept accurate and up to date;


5. Data must not be kept longer than necessary;


6. Data must be processed in accordance with the rights of individuals;


7. Appropriate technical and organisational measures must be taken to protect data against unauthorised or unlawful processing and against accidental loss, destruction or damage;


8. Data must not be transferred to a country or territory outside the European Economic Area unless adequate safeguards are in place to protect it.


Workers have a right to access their data by making a written request, known as a “data subject access request”, and paying a fee of up to £10. Employers must comply promptly and in any event within 40 days. There are some exceptions to the right of access. For example, legally privileged documents are excluded, as are documents that would reveal the employer’s plans in any situation where the employer is negotiating with the worker. There is no right to data processed for management planning purposes, such as strategic redundancy or reorganisation proposals affecting the workforce as a whole. A request can also be rejected if complying with it would be “onerous” or “excessive”. During 2016, the Court of Appeal is due to rule on what amounts to an “onerous” or “unreasonable” request, in the case of Dawson-Damer v Taylor Wessing [2015] EWHC 2366. 


Part 3 of the ICO’s Employment Practices Code of Practice (monitoring at work) includes important guidance on when covert monitoring at work is permitted (see also Chapter 10, page 330). The Code says that covert monitoring can “rarely be justified”, must be authorised at the highest level of the organisation, and requires grounds for suspecting criminal activity or equivalent malpractice that would be difficult to prevent or detect if staff were told about the monitoring.


The duty to keep data safe includes, for example, a duty to keep workers’ payroll information, such as dates of birth, National Insurance numbers, salary, home address and so on, secure against risks such as negligent loss or theft, hacking or identity theft. The employer remains responsible as data controller for this even where the data is administered on its behalf by an outside organisation (a “data processor”), such as a payroll company: the DPA requires the employer to choose a processor that gives sufficient security guarantees and to have a written contract in place requiring it to act only on the employer’s instructions. 


LRD booklet: Monitoring and Surveillance at work (www.lrdpublications.org.uk/publications.php?pub=BK&iss=1800).