What Can an Employer Do with Your Personal Information?
18 January 2018
Data Protection at Work
Employers in the UK are permitted to keep certain information on employees which is relevant to their employment. The employee has a legal right to be told what information is held on them, how this information is used, whether it is being held confidentially and how it can help with their professional training and development.
If an employee asks their employer for a copy of the personal information that is held on them, then their employer must provide this within 40 days.
What Information Will My Employer Hold on Me?
Information that an employer is allowed to request from their employees includes:
- Date of birth
- National Insurance number
- Tax code
- Education and qualifications
- Work experience
- Details of any known disability
- Emergency contact details.
Employers will also produce and keep additional records, containing information on employees such as:
- The employee’s employment history with the company
- Terms and conditions of employment (i.e. pay, hours, leave, benefits and absence)
- Work-related accidents
- Training that has been undertaken during the employment
- Disciplinary action that has been taken during the employment.
An employer is also allowed to ask an employee to disclose details of their age, sexuality, religion, ethnicity etc. in the interests of equality monitoring. However, the employee is not under any obligation to disclose any of this information if they do not want to.
Data Protection Act 1998
The Data Protection Act of 1998 governs the way in which your personal data is processed and used by organisations, businesses or the Government in the UK. This also applies to employee data that is collected and stored by employers.
Your employer has a legal obligation to ensure that your data is:
- Used fairly and lawfully
- Only used for specific purposes (which have been specified)
- Used in a way that is adequate, relevant to your employment and not excessive
- Not kept for any longer than is necessary
- Handled in accordance with your data protection rights
- Kept safe and secure
- Not transferred outside the European Economic Area (EEA) unless adequate measures have been taken to protect it.
More sensitive personal data has additional protection, with stronger regulations on the way in which it can be used. This includes information such as an employee’s ethnic background, sexual health, religious beliefs, criminal records and political opinions.
Can My Employer Monitor My Emails and Phone Calls?
“Telecommunications” are all communications made by email, phone or other digital means (such as instant messaging services). There are regulations in place in the UK which govern how employers can monitor their employees’ telecommunications while they are at work.
Regulation of Investigatory Powers Act 2000 (RIPA) – This prohibits employers from intentionally intercepting any type of public or private electronic communication that is sent by their employees, unless they have been given consent or have lawful authority to do so.
Lawful authority could be gained in certain circumstances under regulations which allow businesses to intercept messages on their own internal systems without consent. This interception could only be carried out for specific, authorised purposes and the employer has a responsibility to take reasonable steps to inform employees that their communications may be monitored.
Data Protection Act 1998 – Under the Data Protection Act, employers may still be able to monitor their employees’ telecommunications. However, the employer would be obliged to inform employees that this data is being monitored, that it is being processed securely and that the data collected is not excessive or disproportionate.
Can I See What Information My Employer Holds on Me?
All employees have a legal right to know what information their employer holds on them and how this information is being held.
In order to obtain a copy of the information held on you, you will need to submit a Subject Access Request (SAR). This is simply a written request in which you ask your employer for the information to which you are entitled, under section 7 of the Data Protection Act of 1998.
There is no set format that this written request needs to follow. It’s worth noting that there is usually a fee of up to £10 that will need to be paid when submitting the request. This fee would be payable again on any subsequent requests, so it’s important to ensure that your first request clearly specifies the information that you want.
It’s also possible for someone else to submit a Subject Access Request on your behalf, providing this person can prove that they have authority to act on your behalf.
Once your employer has received the request, they will have 40 days to provide you with:
- Details of whether any of your personal data is being processed
- A description of the personal data they hold on you, the reason(s) why it is being processed and whether it will be shared with any other organisations or individuals
- A copy of the information held and details of the source of the data, if this is available.
There are some circumstances in which your employer may be able to refuse a Subject Access Request. For example, they may be allowed to refuse if it would disclose details of an identifiable third person or a proposed pay rise, promotion, transfer, training or redundancy.
What if the Information is Wrong?
If you find that the data held on you is inaccurate, or if it’s likely to cause you significant unwarranted distress or damage, then you are entitled to request that this data is amended or deleted. Once you have made this request, your employer will have 21 days to remove or amend the information.