Data Protection Law

It is a legal requirement for you as an employer to comply with the Data Protection Act 1998.

You need to process certain information about your employees and other people in order to monitor employment history, performance, achievements, and health and safety etc. However, this information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. The Data Protection Act 1998 requires you to comply with a number of principles in relation to the personal data you retain, in that it must be:

  • Obtained fairly and lawfully and not processed unless certain conditions are met;
  • Obtained for specified and lawful purposes and not further processed in a manner incompatible with those purposes;
  • Adequate, relevant and not excessive;
  • Accurate and up to date;
  • Kept for no longer than necessary;
  • Processed in accordance with data subjects’ rights;
  • Protected by appropriate security;
  • Not transferred to a country outside the European Community, unless that country has equivalent levels of protection for personal data.

Your employees are entitled to know what personal information you hold about them and the purpose for which it is used, how to gain access to it, how it is kept up to date, and what you are doing to comply with your obligations under the Data Protection Act 1998.

Employees are responsible for certain aspects of data protection, such as checking that any information that they have provided to you in connection with their employment is accurate and up to date. They must also comply with the Data Protection Act when processing personal data in the course of their work. Any breach of data protection policy, whether deliberate or through negligence, may justify you in taking disciplinary action and could in certain cases result in criminal prosecution.

Personal information should be kept in a secure environment or, if it is computerised, be password protected or kept only on a disk that is itself kept securely.

Employees have the right to access any personal data that is kept about them, either on computer or in files. If they wish to exercise this right, they should put their request in writing, accompanied by the correct fee. This is known as a Subject Access Request.  You should deal with such access requests as quickly as possible and in any event, you must ensure that a response is provided within 40 days of receipt of the request and payment of the correct fee. There are certain categories of information that you are not obliged to provide, such as plans for promoting an employee and copies of references given to prospective employers.

If your employee is alleging a breach of the Data Protection Act, or you simply want more information, Ashby Cohen can help. Please contact us for an initial free telephone consultation.
