
Employers, here’s what you can and can’t do with employee data


As an employer, you may hold a lot of personal information about your employees, from whether or not they have a medical condition to their salary and bank account details. And, some might say, with great information comes great responsibility.

That’s why it’s important to develop a culture in the workplace of respect for private life, data protection, security and confidentiality.

Not only will keeping in line with GDPR and data protection improve trust, we'd also say that it's great for improving your business more broadly, but we'll come onto that later!

In this article, we’ll let you know how to properly take care of your employee records and get all the benefits from good data protection practices.

What do you mean by employee personal data?

By their personal data we mean any information that can be used to identify a certain employee.

This may include:

  • Name
  • Financial details
  • Address
  • Relationship status
  • Health records

N.B. Personal data also includes emails involving a named employee and sick leave records, whether held as automated or computerised information, on paper, or in any organised, ‘well structured’ filing system.

By ‘employee’ in this article we’ll be referring to:

  1. Potential employees (job applicants)
  2. Current and former employees
  3. Agency staff
  4. Casual or part-time staff
  5. Contractors

What are the benefits of protecting employee data?

If, as an employer, you implement good data protection policies and practices in the workplace, you can expect:

  • Increased trust in you and the company as a result of a more transparent environment
  • Increased efficiency by deleting out-of-date information and freeing up filing systems so that important information is easier to find
  • Reduced risk of legal action, since making employees aware of the importance of data protection protects both you and them

What data can I process without my employee’s permission?

You can collect:

  • Name, date of birth and National Insurance number to identify employees for background checks or when recording taxes
  • Address
  • Bank account details to pay them
  • Terms and conditions of employment like salary, leave, benefits and hours
  • Gender to monitor and ensure the equality of jobs offered to each sex
  • Education and qualifications in case an unsuccessful applicant files a discrimination claim for example
  • Accidents at work for your records and in case someone makes a claim against the company
  • Any disciplinary action they've been involved in as evidence in case the employee takes the case to court
  • Emergency contact details
  • Any training that has occurred during employment

What data can't I process without my employee’s permission? ⚠️

You need employee consent before processing any of the following. Usually this is because this data is sensitive and could be used to negatively impact or discriminate against them.

  • Health data
  • Biometrics
  • Religion
  • Race and ethnicity
  • Trade union membership
  • Sexual orientation
  • Genetics
  • Political membership

Keep in mind that while an employer is allowed to ask an employee to disclose details of their age, sexuality, religion and more in the interests of equality monitoring, the employee is not under any obligation to disclose any of this information if they do not want to.

The dos and don'ts of handling employee data

Generally speaking, how you should process employee data is outlined in these five rules:

  1. Process your employees’ data in a fair and transparent way
  2. Only collect personal data for specific purposes, and don’t use it for any purpose other than the one specified to the employee or in the handbook
  3. Ensure that data gathering is relevant rather than excessive
  4. Keep employee data secure
  5. Only keep personal data for as long as necessary

More specifically, here are the dos and don'ts:

1) DO meet at least one lawful basis for processing

As an employer, it’s crucial that you make sure you meet at least one of these six lawful bases for processing set out in Article 6 of the GDPR.

  1. Consent: the employee has given clear consent for a specific purpose
  2. Contract: it’s necessary to process data because of a contract with the employee
  3. Legal obligation: you need to process in order to comply with the law
  4. Vital interests: processing is needed in a life or death situation
  5. Public task: processing is needed in the interest of the public
  6. Legitimate interests: processing is necessary for your own legitimate interests (unless there’s good reason to believe the employee’s personal interests override these legitimate interests)

2) DO follow these tips when hiring a candidate

Here are three things you should do when looking for and hiring a new employee:

  1. When advertising for a candidate, always identify the name of your organisation, inform applicants of what data you will collect on them if it's not obvious, and only ask questions relevant to the application.
  2. Inform all employees or applicants if an automated system is being used, e.g. to shortlist candidates, tell them how they can appeal any decisions it makes, and always keep the system under review.
  3. Vetting should be done minimally and in the least intrusive way. Make sure vetting records are deleted after six months.

3) DO collect and store employee records carefully

This is where the heavy lifting comes in! At work you may be looking after more data than you realise. It’s important to notify your employees of the measures you have in place to secure these records, and below are some tips for what you can do to better protect them.

  1. Consent isn’t usually needed to keep records but notify employees that records are being kept, and remind them of their rights under GDPR.
  2. When monitoring equality in the workplace ensure the sensitive data isn’t used for any other purposes and that employees have a good range of options in a form e.g. for ethnicity monitoring, to accurately identify themselves.
  3. When detecting fraud inform trade unions or other representatives of proposed data matching exercises, explain how fraud prevention works to any new employees and don’t hand over worker data to outside organisations unless you think disclosing it would prevent a crime.
  4. When giving references make sure your staff know how much information to give out.
  5. Ensure that all data requests are valid. To be safe, check the identity of any person making a subject access or deletion request.

4) DO have good security measures in place

To be prepared for the unfortunate case of a data breach, loss or destruction, make sure you put in place the security standards set out in BS 7799: 1995 ahead of time. You can read more about exactly what your company should do for security in the Code of Practice for Information Security Management guide, but generally it’s good practice to do the following:

  • Store and transfer any data securely e.g. using encryption-based software and making sure access to employee data is limited to only those who need to see it
  • Set strong and unique passwords for yourself and make sure your employees do the same; a password manager can help with this
  • Keep track of work devices by warning employees not to leave devices unattended, and encourage them to report lost or stolen mobile devices straight away so you can address it

5) DO make sure that your employees handle their own and their colleagues' data well

It’s easy to focus on your own data responsibilities, but in reality your employees themselves handle a lot of personal information too. It’s really good practice to make sure all of your employees are aware of how important data protection is. Here are a few tips on how to do this:

  • Carry out background checks on staff that have access to employee data e.g. by checking references
  • Warn employees not to send personal emails (not related to work) or emails containing rude remarks, in case you receive a SAR (Subject Access Request). There was one embarrassing instance in a government law office where an employee had to stand up in court and formally admit to sending out emails on their work account that included insulting remarks about another employee. Try and avoid this!
  • Train employees well on GDPR. Make sure they know who the DPO is, their contact details and what to do if there’s a breach
  • Inform interviewers that a candidate may have the right to see their interview notes, and how to store this data
  • Inform staff that when accessing sickness and injury absence records they don’t need to access the full record

6) DON’T collect excessive information related to employees’ health

Health data, which can include maternity leave, disability records or even the results of an eye test conducted at work using display screens, is extremely sensitive. It’s important that you only collect what you need.

In general, only collect health information if it’s needed to:

  • Protect health and safety
  • Prevent discrimination
  • Meet any other legal obligations

Explicit consent must be given by employees. To clarify, consent needs to be ‘freely given’. This can be pretty difficult in a workplace because of the power imbalance between you and the employee, but essentially the employee should be able to say ‘no’ without penalty and be able to withdraw consent whenever they want. Consent should be ‘explicit’: be clear about exactly what health data is collected, why, and who it will be shared with.

7) DON’T collect excessive information when monitoring employees

If you, for example, randomly open up individual workers’ emails or listen to their voicemails to look for evidence of malpractice, this can be very invasive of your employees’ privacy.

So, make sure your employees are aware of the rules and standards of your monitoring and why you are doing it. Also, don’t keep information you collect from monitoring for more than 6 months if possible. The important thing to do is to conduct an impact assessment, which we’ll explain next!

8) DO carry out an ‘impact assessment’ when collecting health data or monitoring employees

As you might expect, collecting employees’ health data and monitoring them can be extremely invasive. You therefore can't just do it for ‘business’ purposes; you need to make sure, to a reasonable extent, that the need for this processing outweighs your employees’ right to privacy.

To do this, you need to conduct an impact assessment:

  • Identify the reason and benefits for collecting health information/monitoring employees
  • Identify any negative impacts of collecting and storing this information
  • Consider any alternatives to collecting health information/monitoring employees
  • Weigh the benefits against the negative impacts and make a final judgement

Pages 60-63 of the ICO’s code have a more in-depth outline of how to conduct an impact assessment. They also explain why you usually can’t rely on employee consent when monitoring them: because consent can be withdrawn at any time, it is a difficult basis for this kind of processing.

Get data advice from Rightly today

Final thoughts 💡

The key thing to take away from this blog is the absolute importance of respecting your employees’ right to privacy, and demonstrating this by ensuring the data you collect about them is necessary and securely stored.

If you have any more questions about this topic please get in touch; we’d love to hear from you!