15. Data protection, surveillance and monitoring
Data protection law is changing. A new EU law, the General Data Protection Regulation (GDPR), applies in the UK from 25 May 2018. The GDPR directly binds all EU member states from that date, including the UK. The UK is also bringing the GDPR into national law with a new Data Protection Bill, before parliament as Law at Work goes to press. The Bill will ensure that the UK’s data protection laws remain fully compliant with EU law after Brexit. The Bill also contains some UK-specific powers, including new enforcement powers for the ICO. It closely follows the principles of the Data Protection Act 1998 (DPA 98).
The regulator in charge of enforcing data protection laws in the UK is the Information Commissioner’s Office (ICO). The ICO has published several Codes of Practice on data protection at work, explaining the law and outlining best practice. These are available on the ICO website. The Codes are non-statutory, so they do not create legal rights and obligations. For example, a breach of the Code will not make a dismissal unfair (City and County of Swansea v Gayle [2013] UKEAT 0336/12/106). Even so, the Codes are an important source for reps, and employers should not infringe them. The current Codes cover recruitment and selection, employment records, monitoring at work and medical information. There is a separate Code of Practice on CCTV, updated in 2015 to address newer devices used at work, such as body cameras. The Codes have not yet been updated to take account of the GDPR.
Below is a summary of the new GDPR and Data Protection Bill. There is detailed guidance available on the Information Commissioner’s website and more information in the LRD booklet: The General Data Protection Regulation — a practical guide for trade unionists.