If you are an employer, you will be subject to personal data protection obligations. In this article we explain the basics of those obligations and how an employer should deal with personal data.

  1. Understand where the data obligations come from
  2. Understand what personal data is
  3. Check whether you're a data controller or a data processor
  4. Understand what data processing means
  5. Special requirements for certain types of data
  6. Comply with the key principles of data protection
  7. Appoint a Data Protection Officer
  8. Notifying third parties of a data breach
  9. What your liability is if there is a data breach

Employers need to know what the sources of data protection law in the UK are

Data protection laws in the UK stem from two sources: the General Data Protection Regulation (commonly known as "UK GDPR") and the Data Protection Act 2018. The UK GDPR and Data Protection Act 2018 together set out the rules that govern the processing of personal data in the UK - more accurately, they set out the rules that govern:

- The processing
- By controllers
- Of personal data
- Relating to data subjects.

In an employment situation an employer is likely to be a "controller" of personal data and an employee a "data subject".

Employers need to understand what their obligations are relating to personal data

What are data controllers and data subjects?

A "data subject" is "an identified or identifiable living individual to whom personal data relates" (section 3(5) of the DPA 2018). As detailed above, an employee would normally be a data subject in an employment context: they are an identified living individual to whom personal data relates.

A "data controller" is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". Employers tend to be data controllers in an employment context, as they control the collection and processing of personal data (whether that is of their clients, potential clients, employees, or other categories of individuals). A "data processor" is someone who processes data on behalf of a "data controller" (e.g. a member of an organisation's human resources department who inputs employee data into the organisation's HR software).

In a nutshell, employers must process the data of employees (as well as, for example, consultants, suppliers, clients, customers etc. - any identified/identifiable individual to whom personal data relates) in a way that complies with the rules set out in the UK GDPR and DPA 2018.

What is personal data?

Personal data is, under the DPA 2018, any information relating to an identified or identifiable living individual. It is enough that the individual can be identified directly or indirectly by any factor (such as their name, location etc.).

Don't forget these obligations do not change when your staff are working remotely.

Understand what data processing means

"Processing" personal data means an operation (or a number of operations) performed on personal data. This includes (among other things): the collection of data; the recording of data; variations made to data; the disclosure of data; and the destruction of personal data. Again, to re-use the example above, if a member of the human resources team makes changes to the personal data of one of the organisation's employees, then "processing" of personal data is taking place.

The processing of personal data must comply with the key data protection principles.

Employers need to understand what the key principles of data protection are

The UK GDPR sets out a number of principles that data controllers must comply with when processing personal data, as follows:

  1. Lawfulness, fairness and transparency - the employer must identify valid grounds under the UK GDPR for collecting and using personal data
  2. Purpose limitation - the employer must be clear what the reason for the processing of the personal data is
  3. Data minimisation - employers must restrict the data that they're collecting to the necessary minimum to achieve the stated purpose
  4. Accuracy - employers must ensure that employees' personal data is not misleading or inaccurate
  5. Storage limitation - employers should ensure that personal data is not kept for any longer than is needed
  6. Integrity and confidentiality - appropriate security measures should be put in place by employers to ensure the confidentiality and security of their employees' personal data
  7. Accountability - the employer needs to take responsibility for what it does with personal data

Employers need to appoint a Data Protection Officer in certain circumstances

Employers need to appoint a Data Protection Officer ("DPO") if any of the following circumstances apply:

  1. The employer is a public authority;
  2. The employer's core activities require them to undertake data processing operations which involve the monitoring of data subjects on a large scale;
  3. The employer's core activities require them to process special categories of personal data on a large scale (e.g. criminal convictions or offences, or information relating to race, religion, disability etc.).

What employers should do if there is a data breach

If an employer is hacked, or if the personal data that it is processing is subject to unauthorised disclosure in any way, the employer must notify certain third parties of the breach. This would normally include the Information Commissioner's Office ("ICO"), any relevant regulator (for example, solicitors must inform the Solicitors Regulation Authority of any personal data breach) and the individuals themselves.

What an employer's liability is if there is a data breach

If an employer breaches the UK GDPR then it could be subject to the following types of sanction or remedies:

  1. The ICO could issue a notice to the employer (such as an information notice, assessment notice or enforcement notice) or fine it (with the maximum fine being £8,700,000 or 2% of the employer's annual worldwide turnover in the previous financial year, whichever is higher);
  2. The employee who has had their personal data breached could sue the employer for compensation under the UK GDPR; or
  3. There could be criminal liability if, for example, an employee knowingly or recklessly discloses personal data without the consent of the employer (the data controller).

For more information visit Redmans Solicitors