In the digital age, the protection of personal data has become increasingly crucial. This Data Protection Day, it is essential to understand the rules governing how employers handle their employees’ sensitive information.
The Data Protection Act 1998 outlines the principles that businesses and organisations must adhere to when processing personal data. Employers are required to ensure that data is collected and used fairly and lawfully, for specified and legitimate purposes, and is accurate, up to date and kept secure.
Employers are permitted to maintain computerised or paper records of their employees’ names, addresses, dates of birth, gender, education and qualifications, National Insurance numbers, and any known disabilities. They can also keep details about employment history, terms and conditions, training and appraisals, as well as any grievance or disciplinary matters.
However, sensitive personal data, such as information about an employee’s health, race, religion, sexual orientation or criminal history, should not be held without the individual’s consent. Employees have the right to be informed about the records kept and how they are used.
Under the Act, workers have the legal right to access the personal data their employer holds about them. This “subject access request” must be made in writing, usually with a £10 fee, and the employer has up to 40 days to respond. The employee must be informed whether any personal data is being processed, given a description of the data and the reasons for its processing, and provided with a copy of the information.
Employers are not obliged to comply with a subject access request in certain circumstances, such as if it would involve disclosing information about a third party or revealing details of a proposed pay rise, promotion, transfer, training or redundancy.
If an employee believes the data stored is inaccurate, they have the right to request that it be amended or deleted. The employer then has 21 days to remove the information, failing which the employee can apply for a court order or contact the Information Commissioner’s Office.
When an employee leaves the organisation, the employer can retain records related to income tax or health and safety, but should delete any personal information that is no longer relevant.
Maintaining the confidentiality and security of employee data is not only a legal requirement but also a moral obligation. As the digital landscape continues to evolve, it is crucial that employers stay informed and vigilant in their data protection practices.