Employee Data Protection

It is a legal requirement for your employer to comply with the Data Protection Act 1998 which governs how personal data must be collected, used fairly, stored safely and not disclosed unlawfully to any other person.

The Data Protection Act 1998 requires your employer to act in accordance with a number of principles in relation to retaining your personal data, in that it must be:

  • Fairly and lawfully obtained and not processed unless certain conditions are met.
  • Collected for specified and lawful purposes and not further processed in a manner incompatible with those purposes.
  • Relevant, adequate and not excessive.
  • Accurate and up to date.
  • Only kept for as long as necessary.
  • Processed in line with data subjects' rights.
  • Protected by proper security.
  • Not transferred to a country outside the European Community, unless that country has comparable levels of protection for personal data.

Your employer must act in accordance with these principles when processing certain information about you and your colleagues, for example when monitoring your employment history, performance, achievements, or your health and safety. If you want to know what personal information your employer holds about you, you’re perfectly entitled to find out. This includes learning what the data is used for, how to gain access to it, how it’s kept up to date and what they’re doing to comply with Data Protection Act obligations.

Understand Your Responsibilities

Importantly, there are also certain aspects of data protection for which you, as an employee, are responsible. This includes checking that any information you’ve provided to your employer in relation to your employment is accurate and up to date.

In addition, you must also comply with the Data Protection Act when processing personal data in the course of your work, as any breach of data protection policy, whether deliberate or through negligence, may justify your employer taking disciplinary action against you. In certain cases, this could result in criminal prosecution.

Indeed, personal information should be kept in a secure environment or, if it’s computerised, be password protected or kept only on disk, which should also be kept securely.

A Subject Access Request

If you wish to gain access to any of your personal data kept by your employer, either on computer or in files, your request must be put in writing, accompanied by the correct fee.

This access request should be dealt with by your employer as quickly as possible and they must ensure you’re provided with a response within 40 days of receiving your request and payment of the fee.

However, your employer is not obliged to provide certain categories of information, such as plans for promoting you and copies of references given to prospective employers.

If you consider that there’s been a breach of the Data Protection Act in respect of your personal data, initially you should raise the matter with the person responsible for dealing with data control.

If the matter is not resolved, it may be taken further in accordance with your employer’s grievance procedures and/or you can make a complaint to the Information Commissioner.

Alternatively, if you require expert advice about your situation, please get in touch with a member of our team today for your initial free consultation.