• Privacy
  • Blog

What can your employer do with your data

Employers hold a lot of information on employees and they should follow good practice to make sure they are only capturing what they need and that employees understand what happens to their data.

By Rightly

Wed 30 Nov 2022

6 min read

Employee data blog Blog

Employers hold a lot of personal information about their employees, from whether or not they have a medical condition to their salary and bank account details. That’s why in the workplace it’s important to develop a culture of respect for private life, data protection, security and confidentiality.

What do you mean by employee personal data?

By personal data we mean any information that can be used to identify a certain employee.

This may include:

  • Name
  • Financial details
  • Address
  • Relationship status
  • Health records

Personal data also includes emails involving a named employee and sick leave records. This includes automated and computerised personal information, paper records or any organised ‘well structured’ filing system.

By ‘employee’, we mean:

  • Potential employees (job applicants)
  • Current and former employees
  • Agency staff
  • Casual or part-time staff
  • Contractors

What should employers do to protect employee data?

Where an employer implements good data protection policies and practices in the workplace, they can expect:

  • Increased trust in the company as a result of a more transparent environment
  • Increased efficiency by deleting out-of-date information and freeing up filing systems so that important information is easy to find
  • To avoid legal action by protecting themselves and their employees by making them aware of the importance of data protection

What data can an employer process without your permission?

Employers can collect:

  • Name, date of birth and National Insurance number to identify employees for background checks or when recording taxes
  • Address
  • Bank account details (so they can pay you!)
  • Terms and conditions of employment like salary, leave, benefits and hours
  • Gender to monitor and ensure the equality of jobs offered to each sex
  • Education and qualifications in case an unsuccessful applicant files a discrimination claim for example
  • Accidents at work for your records and in case someone makes a claim against the company
  • Any disciplinary action the employee has been involved in as evidence, in case the employee takes the case to court
  • Emergency contact details
  • Any training that has occurred during employment

What data can't an employer process without your permission?

Some data can be sensitive and so employers can’t play fast and loose with information they have on employees. Employers need to have employee consent before processing:

  • Health data
  • Biometrics
  • Religion
  • Race and ethnicity
  • Trade union membership
  • Sexual orientation
  • Genetics
  • Political membership

Keep in mind that while an employer is allowed to ask an employee to disclose details of their age, sexuality, religion and more in the interests of equality monitoring, the employee is not under any obligation to disclose any of this information if they don’t want to.

Five golden rules for employers to follow

  • Process an employee's data in a fair and transparent way
  • Only collect personal data for specific purposes, don’t use it for any other purpose than specified to the employee
  • Ensure that data gathering is relevant rather than excessive
  • Keep employee data secure
  • Only keep personal data for as long as necessary

The do’s and don’ts you should expect from employers


Employers must meet at least one of these six lawful bases for processing set employee data:

  • Consent: the employee has given clear consent for a specific purpose
  • Contract: it’s necessary to process data because of a contract with the employee
  • Legal obligation: you need to process in order to comply with the law
  • Vital interests: processing is needed in a life or death situation
  • Public task: processing is needed in the interest of the public
  • Legitimate interests: processing is necessary for your own legitimate interests (unless there’s good reason to believe the employee’s personal interests override these legitimate interests)


Good practice when looking for and hiring a new employee

  • When advertising for a candidate, employers should always identify the name of their organisation. They should tell candidates what data they’ll collect on them, and only ask relevant questions to the application
  • Inform all employees or applicants if an automated system is being used, for example, to shortlist candidates, how they can appeal any decisions made and always keep the system under review
  • Vetting should be done minimally and in the least intrusive way. Make sure vetting records are deleted after six months.

Collect and store employee records carefully

It’s important for employers to notify their employees of the measures in place to secure records.

  • Consent isn’t usually needed to keep records but employers should let employees know that records are being kept, and remind them of their rights under GDPR.
  • When monitoring equality in the workplace employers should ensure that sensitive data isn’t used for any other purposes
  • When detecting fraud, employers should inform trade unions or other representatives of proposed data matching exercises, explain how fraud prevention works to any new employees and don’t hand over worker data to outside organisations unless disclosing it would prevent a crime
  • When giving references employers should make sure staff know how much information to give out
  • Employers must ensure that all data requests are valid. To be safe, check the identity of any person making a subject access or deletion request.

Security measures

If there’s a data breach, or a loss or destruction of employee data, employers should put in place security standards set out in BS 7799: 1995 ahead of time. Also, they should:

  • Store and transfer any data securely, for example, using encryption-based software and making sure access to employee data is limited to only those who need to see it
  • Set strong and unique passwords and make sure employees do this
  • Keep track of work devices by warning employees not to leave devices unattended, and encourage them to report lost or stolen mobile devices straight away so you can address it

Do it right

Employers should make sure all employees are aware of the importance of data protection. They should:

  • Carry out background checks on staff that have access to employee data
  • Warn employees not to send personal emails (not related to work) or emails containing rude matters in case they receive a SAR (Subject Access Request)
  • Train employees well with GDPR. Make sure they know who their Data Protection Officer (DPO) is, their contact details and what to do if there’s a breach
  • Inform interviewers that a candidate may have the right to see their interview notes, and how to store this data
  • Inform staff that when accessing sickness and injury absence records that they don’t need to access the full record

Health data

Health data, that can include maternity leave, disability records or even the results of an eye-test conducted at work using display screens is extremely sensitive. It’s important that employers only collect what they need.

In general, health information should only be collected if it’s needed to:

  • Protect health and safety
  • Prevent discrimination
  • For any other legal obligations

Explicit consent must be given by employees. Consent should be ‘explicit’ by being clear about exactly what health data is collected, why and who it will be shared with.

Don’t be excessive

Employers can’t be excessive about employee data collection. For example, if an employer randomly opens up individual workers’ emails or listens to their voicemails to look for evidence of malpractice, this can be very invasive to an employee’s privacy.

So, if you’re an employee, you should expect to be made aware of the rules and standards of monitoring and why the employer is doing it.

Expect an ‘impact assessment’

As you might think, collecting employees’ health data and monitoring them can be extremely invasive. Employers can't just do it for ‘business’ purposes, they need to make sure that the need for doing this processing outweighs an employee’s rights to privacy.

To do this, the employer should carry out an impact assessment:

  • Identify the reason and benefits for collecting health information/monitoring employees
  • Identify any negative impacts of collecting and storing this information
  • Consider any alternatives to collecting health information/monitoring employees
  • Weigh the benefits against the negative impacts and making a final judgement

You can request that your personal data be deleted at any time. You might want to do that in particular if you have left an organisation. Rightly Protect can help you find out what any company knows about you and get that data deleted, quickly and for free.

Related Articles