The main UK legislation governing data protection is the Data Protection Act 2018 (DPA). However, this legislation is being amended in 2024 following Brexit - see below.
The Information Commissioner’s Office (ICO)
The ICO promotes and enforces data protection legislation and is independent from government. It provides guidance to aid DPA compliance and takes action where needed. From 2024, the ICO will undergo some structural changes and be given additional duties and powers to promote innovation and competition and will be able to compel certain documents, reports and interviews, and will have increased ability to reject complaints. There's more detail on the ICO website.
The General Data Protection Regulation (GDPR)
The GDPR gives people the right to access information held about themselves. In addition, there are obligations regarding data management and a regime of fines.
New data protection legislation in 2024 introduces changes in the UK whilst attempting to be sufficiently GDPR compliant, bearing in mind that the UK’s adequacy status will be reviewed in 2025. In summary, organisations which only do UK business can decide whether to only comply with the DPA as amended, or to continue complying with current GDPR requirements in case their business wishes to offer goods or services to EU-based customers, which requires an EU compliant data protection strategy. Organisations that already conduct business within the EU will likely hold data on EU citizens and must continue to comply with both the DPA and GDPR frameworks.
USA regulations
Organisations conducting business with the USA can transfer personal data to US businesses certified under the UK-US Data Bridge without the need to implement further transfer safeguards, following the Data Protection (Adequacy) (United States of America) Regulations 2023, which came into effect from 12 October 2023.
The Data Protection Act 2018 (DPA)
The DPA and GDPR contain rights about processing of personal data held in either a computerised format as part of a database or as manual records in a filing system. From 2024, new legislation will amend the DPA in a number of respects, for example the UK data protection regime will reduce the requirements for record keeping and data protection impact assessments which, going forwards, will be restricted to businesses that carry out high risk processing. The definitions of personal data and legitimate interests will also change. Data protection officer and subject access request requirements will also be redefined.
DPA: Key principles
In essence, those who decide how and why personal data is processed (data controllers) must comply with certain principles. Those individuals whose data is held or processed (data subjects) have rights, for example in relation to accessing that data. In an employment context, employers will generally be data controllers and employees, workers, ex-employees and applicants will be data subjects. Most HR and employment files and records are covered by the DPA.
Personal and sensitive data
Personal data relates to someone who can be identified, directly or indirectly, by an ‘identifier’ such as their name or an identification number. It includes online data, such as HR records about sickness absence, performance appraisals and recruitment notes. Under the imminent changes to the data protection regime, data protected by appropriate technical or organisational measures preventing risks of unauthorised third-party access may not be classed as personal data.
When handling personal data, organisations must tell employees why the organisation is collecting the information, what will happen to it and who will see it.
Sensitive personal data includes information about an individual’s race, ethnicity, politics, religion or beliefs, trade union status, health, or sexual orientation. It's legitimate to process ‘sensitive personal data’ where necessary to carry out an obligation under an employment contract or collective agreement.
Criminal records are also sensitive data. Employers can carry out criminal record checks for roles that involve working with children or vulnerable adults but not on a routine basis.
Health information is special category personal data and warrants additional protection. It should only be held with explicit consent from the individual. Processing medical records may be permissible in certain circumstances, for example assessing working capacity or confirming diagnoses. In 2023, the ICO published specific guidance on workers' health, to assist employers in understanding their data protection obligations when processing workers' health data. Under the guidance, worker status is broadly defined to include employees and workers such as those working in the gig economy. The guidance covers legal requirements and good practice regarding UK data protection laws and processing of workers’ health information and handling records of absence and sickness. There are also checklists as quick reference guides for data protection and health records.
Processing data
Processing data means carrying out any operation on it, including obtaining, holding, retrieving, consulting and using it. There are seven general key principles which apply, for example that data must be processed fairly and collected for specified and legitimate purposes.
Data protection impact assessments should be undertaken to help identify and minimise data protection risks. Currently, impact assessments are needed for processing that is likely to result in a high risk to individuals. From 2024, the language changes to require assessments only for high-risk processing. From 2024, legitimate interests for processing will include:
- Communicating advertising or marketing material to particular individuals.
- Intragroup transmissions of personal data for internal administration.
- Processing for security of network and information systems.
From 2024 a new concept of recognised legitimate interests means that certain processing will be deemed legitimate, for example, if there is an important public interest (e.g. safeguarding vulnerable individuals). This means no balancing test against individuals' rights will be necessary.
Data subjects have individual rights including the right to be informed about the processing of personal data and to be forgotten by having data deleted where there’s no compelling reason for it to be processed.
The full list of these rights is on the ICO website.
Enforcement
Substantial penalties may be imposed if an employer doesn’t follow the data protection principles and fails to remedy issues in an enforcement notice or to co-operate with an inspection.
CIPD members should see the more detailed information on enforcement of the DPA and the GDPR in our Data protection law Q&As.