• Key issues

Rightly's guide to data protection for employees

Whether it's your your educational history, race and ethnicity, or your bank account details, employers can collect, use and store a large variety of personal data on you as an employee.

By eleanor blackwood

Thu 25 Jun 2020

6 min read

Employer handling pink orb of personal data

Whether it's your educational background, race and ethnicity or bank account details, employers can collect, use and store a large variety of personal data on you as an employee.

At Rightly, we believe that you should be fully informed about what's happening to your personal data. So, we've put together this article about what kind of personal data your employer may hold on you, what this data can be used for, and how you can exercise your rights underGDPR to better protect yourself going forward.

What personal data does your employer have?

Your personal data as an employee can be divided into two camps, information your employer must ask permission to collect, use and store, or ‘process’, and information they aren’t legally required to ask your permission for. Employers only have to ask for your permission when processing ‘sensitive’ data.

Here are the types of personal data employers can store on you, with an example of how this data could be used.

Employers DON’T have to ask your permission for:

  • Name, date of birth and national insurance number e.g. to identify you for background checks or when recording taxes
  • Address e.g. to see if you have an established residence
  • Salary and bank account details e.g. to pay you
  • Sex e.g. used to monitor and ensure the equality of jobs offered to each sex
  • CV, qualifications, and educational background e.g. kept in case an unsuccessful applicant files a discrimination claim (this can usually be done within 3-6 months)
  • The terms and conditions of your employment e.g. to ensure the rights and obligations of both you and the employer, for example your right to be paid the minimum wage
  • Accidents at work e.g. recorded in case you make a claim against the company
  • Any disciplinary action you've been involved e.g. may be kept as evidence in case there's court involvement

Employers DO have to ask your permission for:

  • Health data/medical history e.g. to pay for sick leave, or know if a certain medical condition may affect your ability to do your job
  • Biometrics e.g. to scan fingerprints for attendance
  • Religion e.g. to reasonably accommodate your religion, for example, allow a prayer room to be used
  • Race and ethnicity e.g. to monitor and ensure diversity
  • Trade union membership e.g. to take union subscriptions straight from your pay, or to inform the union of any major changes in the workplace
  • Sexual orientation e.g. incase an employee files a discrimination claim
  • Genetics e.g. monitor the biological effects of toxic substances at work
  • Political membership e.g. consider political views and affiliations when making a job decision

Why should you care about data protection as an employee?

It's important to know how your employer handles your personal data because if, say, your personal data is leaked to a third party, or the information stored on you is incorrect, this data could be used to harm you or infringe on your rights to privacy.

Although GDPR is written in part to ensure companies handle data properly, in reality some employers do mishandle personal data. For example, Harvard Business Review found that only 30% of executives reported being ‘highly confident they are using the data’ they collect on their employees 'responsibly'.

We’d recommend knowing how to protect yourself from being affected by a data breach, such as finding out where your data is, and how to seek compensation if you are.

What is the employer’s responsibility for your data?

Employers are obligated to protect the personal data of their employees, and to only use employee data for lawful purposes. Under mandatory regulation employers must:

  1. Process personal data in a fair and transparent manner.
  2. Only obtain personal data for specific purposes.
  3. Ensure that data gathering is relevant rather than excessive.
  4. Keep employee data secure.
  5. Only keep personal data for as long as necessary.

Organisations need to have at least 1 of the 6 lawful bases for the collection of your personal data (these are consent, contract, legitimate interest, legal obligations, public task, and vital interests), if you’re unsure whether your employer is complying with this rule, the Information Commissioner’s Office (ICO) website has an interactive tool which will assess if a lawful basis exists.

What are your rights as an employee?

GDPR gives employees the right to access any information their current, or previous, employer may be holding on them by submitting a Subject Access Request (for more information scroll down to ‘Making a Subject Access Request (SAR) to an employer’). If personal data is being collected on you at work, you have the right to know what data is being collected, the reason why, and what the data is being used for.

The case of McWilliams v Citibank North America, is a landmark case in terms of the legal history of employee data protection; McWilliams was dismissed due to allegations that she broke the confidentiality agreement, she then made a SAR to Citibank, which they refused, claiming that the request was 'unreasonable'. The dismissal was eventually deemed ‘unfair’ because of Citibank’s failure to respond to the SAR. The Information Commissioner found that because McWilliams was suspended with no access to the documents she needed to adequately defend herself, she had been unfairly dismissed.

Clearly, it’s important to be aware of your data rights as an employee, especially in the case of an unfair dismissal which can be due compensation.

You also have the right to submit a complaint to the ICO and take legal action if you’re worried that your employer is not complying with the GDPR, the ICO will offer an expert opinion on the legality of your employer’s practice.

Making a Subject Access Request (SAR) to an employer

A SAR is a request that you can send, electronically or in written form, to find out what data a company holds on you.

If you would like to send a SAR, you can get started here!

You have the right to make a SAR under Article 15 of the GDPR. It’s an empowering right for employees to exercise, and particularly useful if you are defending yourself in a disciplinary hearing, or experiencing any problem in the workplace where you need to know what has been written about you.

An employer must respond to your SAR within a month from the date of receipt. If they wish to extend this period of time due to complexities, they must give you sufficient reasons why.

Section 53 of the Data Protection Act 2018 allows an employer to refuse, or charge you for a request if the amount of information you are requesting is excessive. If this happens, your employer must again notify you of the reasons why, and make you aware that you can make a complaint with the ICO, or take legal action.

Challenge a redundancy for free

What to do if you suspect your employer has breached your data

Even though a lot of people may only be familiar with employee data breaches when a third party hacker accesses and makes public employee data, a personal data breach can occur when an employee’s personal data has been lost, destroyed, altered, disclosed or accessed without permission.

Once a breach has happened within a company, the company must report it to the ICO within 72 hours if they believe the data breach to pose a risk to employees. Then they should inform anyone affected of the contact details of its data protection officer, a description of the likely consequences of the breach, and the actions the company plans on taking.

If your financial information has been breached, you should immediately check your accounts, notify your bank and change your passwords across your accounts.

You can also claim compensation for both material damage caused by the breach, or non-material damage such as distress.

If you want to pursue a compensation claim, you should:

  1. First make a complaint to the company with reference to your data protection rights as guaranteed by GDPR;
  2. then make a complaint with the ICO;
  3. And finally, make a claim in the small claims court. If the ICO agrees that the data breach caused you material or non-material damage, your claim is more likely to be successful.

Get evidence for an employment tribunal today

How can Rightly help?

If you're worried about your personal data being mishandled by your current employer or previous employer, or simply want to know what they have, you can easily make a request through Rightly to see it. They have to reply by law within 30 days, even if it's just to tell you that they don't have any of your personal data.

Related Articles