Human resources at a click
Login
0

Facts employees should know about their personal data

  • HR Article
  • Data Protection

We previously published an article on facts an employer should know about holding personal data, so it is only fair that we also write about the other side of the coin – facts employees should know as individuals whose personal data is held by their employer.

But first thing’s first, what is personal data?

This is any information relating to a particular person which can be used to identify said person, whether directly or indirectly.

Employers generally hold large amounts of personal data about each of their employees, such as their name, address, date of birth, sex, education and qualifications, National Insurance number, employment history, their current employment contract containing details of the employee’s hours of work, pay, benefits, etc.

The facts to know

1. Protecting personal data

Employees’ personal data held by their employer must be kept secure and not be susceptible to data breaches. Employee data breaches are serious and employers have strict obligations when it comes to protecting employees’ personal data. If the breach causes actual harm to the data subjects/employees, it may be that the employee chooses to report the matter to the ICO and could decide to progress this further by pursuing court proceedings.

2. Special category data

There are various types of personal data which belong to this category as they are considered to be ‘sensitive’, such as race and ethnicity, religion, medical conditions and sexual orientation. Employers usually require an employee’s consent before being able to process such personal data. Another point to note is that the employer will require a particular purpose to process such personal data. As an employee you should be aware that employers are required to ensure that additional safeguards are in place to protect this type of data due to the sensitive nature of it.

3. References

Unless a relevant exemption applies, for example, if the job reference contains another individual’s personal data, as an employee you may be able to obtain a copy of your job reference from your current employer.

4. Data subject access requests (DSARs)

DSARs are requests made by individuals to organisations which hold their personal data, to access this personal data. Organisations must respond without undue delay, and in any case, within one month of a DSAR being made unless this is not possible and an extension is required (the maximum to 3 months). Employees can make DSARs to their employers at any time, and the request does not only have to relate to receiving copies of your personal data, but also includes other requests, such as a request to delete your personal data and find out if any automated processing is involved in processing your personal data.

 

Employers are considered to be data processers, and there are six lawful reasons for processing data

5. Data processing in general

Employers are considered to be data processers, and there are six lawful reasons for processing data. In an employment context, these are the following:

  • The employee consents to the data processing
  • There is a contractual reason for the data processing
  • The employer is processing data to comply with a legal obligation
  • The employer is processing data to protect the vital interests of people
  • There is a public interest reason or the employer is carrying out its official functions
  • The employer is processing data for its legitimate business interests, as long as these interests are not overridden by the employee’s legitimate interests

6. Data processing using artificial intelligence (AI)

There are limitations on an employer’s use of AI in the processing of employee personal data. AI should not be used in making employment decisions without any human scrutiny as this would fall within the restricted area of “solely automated decision”. This is a crucial data protection right in the UK GDPR, and if you are an employee who suspects that your employer has breached this, by for example, dismissing you based on an automated system, you could have grounds to pursue a claim for unfair dismissal.

7. Data retention

As an employee you have a right to your data not being kept for longer than is necessary. So if you’ve left your employment, your previous employer should delete from its records your personal data which it is unlikely to need again. Examples of such data could be emergency contacts or previous addresses. Please note that some statutory provisions apply in respect of certain amount of records, for example, pay and tax records, and the retention periods will also be subject to your employer’s retention policy.

8. Challenging the accuracy of personal data

Any data subject can challenge the accuracy of personal data held by an organisation and ask that it is corrected. As an employee you can therefore ask your employer to rectify or delete personal data it holds on you. For example, this could relate to updating your address or bank details. Keep in mind, however, that opinion data is not the same as personal data, so if the data you seek to “correct” is an opinion about you, and the record is clear that the data is an opinion, it is difficult to argue that this is inaccurate and needs correcting.

If you have any data protection concerns, please do not hesitate to contact our Data Protection lawyers who would be happy to help.

 

 

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.

Louise_Keenan
Louise Keenan
Associate

FAQs

A redundancy situation arises when an employee is dismissed in one of three circumstances:

  • Where the employer ceases, or intends to cease, to carry out the business for the purposes of which the employee was employed (a business closure);
  • Where the employer ceases, or intends to cease, to carry on that business in the place where the employee was employed (a workplace closure); or
  • Where the requirement for employees to carry out work of a particular kind (or work of a particular kind in the place where they were employed) has ceased or diminished

If an employee suspects that this is not a genuine redundancy, they could let the employer know that they will be claiming unfair dismissal if the settlement payment is not increased. If the redundancy is genuine, however, the employee could simply ask the employer to be more generous.

Some employees prefer to negotiate themselves, by trying to convince the employer to budge on certain aspects of the agreement, for example, increasing an ex-gratia payment.

The employee can alternatively negotiate through their solicitor, particularly where there are complex legal arguments to put forward. Obtaining independent legal advice is a requirement of a settlement agreement because the employee will be waiving their rights to bring or continue any claims against their employer. A solicitor would be advising the employee on the strengths of a potential case they may bring and explain on that basis which terms in the agreement are more easily negotiable. The solicitor would also advise on which terms are standard and may be difficult to convince the employer to change.

Yes, it is important to count the number of employees affected by a redundancy situation as there are collective consultation rules and obligations that will apply if the employer is proposing to dismiss 20 or more employees at one establishment within a period of 90 days or less.

Related Articles

View all
CCTV cameras on a grey wall
  • Data Protection

Can an employer monitor employees at work?

Can an employer lawfully monitor their employee, without their knowledge, if they suspect wrongdoing? Can employers monitor employees? It’s worth...

Recent data breaches and their impact on organisations
  • Data Protection

Recent data breaches and their impact on organisations

Organisations of all sizes are susceptible to data breaches and the damage caused by these breaches, both reputationally and financially,...

laptop with hands holding a mobile phone
  • Data Protection

Cookies and Consent: the ICO’s Cookie Review

In the digital age, cookies play a crucial role in how websites operate and interact with users. Companies use cookies...

Related Resources

View all

Social media policy

This social media policy covers the use of all forms of social media by employees for both business and private...

  • Policies
  • Data Protection

What is Personal Data?

This factsheet provides an overview of what is personal data. Introduction The Data Protection Act 2018 (DPA) applies to ‘Personal...

  • Factsheets
  • Data Protection

Monitoring policy

This monitoring policy provides a brief overview of how a company should approach monitoring in the workplace. Employees and other...

  • Policies
  • Data Protection

Not a member? Start your membership today!

Sign up
HR Services
Insights
Employmentbuddy
Contact us
Follow us
Find us
London

5th Floor, Chancery House, 
53-64 Chancery Lane, London
WC2A 1QS

Reading

5th Floor, Thames Tower,
Station Road, Reading
RG1 1LX

Find us
London

41-44 Great Queen Street,
London, WC2B 5AD

Reading

5th Floor, Thames Tower,
Station Road, Reading RG1 1LX

Follow us
Clarkslegal is a limited liability partnership registered in England and Wales. Registered number OC308349. Regulated by the Solicitors Regulation Authority (SRA no. 403601)
Human resources at a click
Login