If you employ someone, you'll receive personal information from them. For example, you'll ask for their name and their age. You'll also need their bank details so that you can pay them and their National Insurance Number, so that you can pay their tax appropriately; they may tell you about a health condition that affects their work (which may necessitate reasonable adjustments), and you may have a disciplinary file relating to them.
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 govern your obligations in relation to this data, in particular: how you collect, use and store it, and what you tell the individuals concerned about your processing of the data. These information rights are enforced in the UK by the Information Commissioner's Office (ICO).
Here we summarise some of the key parts of data protection law that relate to employment using the following terms:
The General Data Protection Regulation (GDPR) applied to all EU member states (including, at that time, the UK) from 25 May 2018 onwards.
The Data Protection Act 2018, introduced at the same time as the GDPR, supplemented the GDPR requirements and standards, set out UK-specific exemptions and covered areas not dealt with by the GDPR.
Since 1 January 2021 (the end of the Brexit transition period), the GDPR has been retained in UK law and amended to create the UK GDPR; the GDPR that continues to apply within the EU is now known in the UK as the EU GDPR.
This means that if you process data in the UK for UK data subjects, you must now comply with the UK GDPR and the Data Protection Act 2018.
If you complied with the EU GDPR before 1 January 2021, it's likely that you're still compliant with the UK GDPR and the Data Protection Act 2018.
To lawfully process data:
1. You must obtain it for a clear purpose.
2. It must be adequate and relevant for that purpose - there must be a rational link to the purpose and the amount of data you obtain must be no more than is necessary for you to achieve it.
3. You must have one of the following justifications/reasons for processing it:
Your justification will most often relate to performance of a contract, legal obligations or legitimate interests.
Even if you have a valid justification for processing the data, there are more obligations that you must follow. Most importantly, you must tell the data subject about your processing and you must keep the data secure.
Legitimate interests is the most flexible of the justifications. It will often be appropriate if the processing is important and clearly in everyone's interest, but no other justification applies. However, to use this justification you must balance your interest in processing the data against the rights and interests of the data subject, and you should record that balancing exercise.
It's also lawful to process data if the data subject agrees (consents) to it. However, you should avoid relying solely on consent. This is because in an employer-employee relationship there is a natural imbalance of power, meaning that consent won't be truly free, except in a few situations. Note that a data subject can change their mind at any time and withdraw their consent, requiring you to stop any processing that relies on that consent; you can't then fall back on another justification you didn't identify at the outset.
Certain classes of data are protected more strictly. This applies to data relating to criminal convictions or offences, and several 'special categories' of data.
The special categories are: data that reveals racial or ethnic origins, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying individuals, data relating to health, and data relating to someone's sex life or sexual orientation. If you process data in one of these special categories, extra rules will apply. For example, if you rely on consent as your justification, the data subject has to have given explicit consent (a clear, express statement); for other types of data, consent can be given by a clear affirmative action, such as ticking an opt-in box.
If you have an appropriate policy document in place, such as a data protection policy, you're allowed to process criminal convictions and special categories of data if it's necessary for existing legal obligations or rights associated with employment, social security or social protection.
Performance of their contract
Paying staff - without their bank details you won't be able to pay them and comply with your obligation.
Note that this justification is unlikely to be relevant during the recruitment process until you decide on the successful candidate, as you won't have a contract with the applicant.
Legal obligations
Legitimate interests
Legitimate interest can be used when recruiting. During recruitment, until the candidate has been chosen, there will be no contract with that applicant and there'll rarely be a legal obligation to process information about them. Accordingly, legitimate interest will normally be your justification – the legitimate interest being finding the most suitable person for the job. You'll have to balance this interest against the candidate's rights and interests, but given that they also want the job, as long as you only ask for information that is relevant to the role, your action should be justified.
For example, take the information given in an application form. It might appear at first that you're relying on consent: they've applied and given the information voluntarily. However, the issue is how you store and process the information (for instance, by reading it). It's better to process it insofar as it's necessary in your interests to recruit the right person, rather than to rely on whether they consent.
If you ask that they consent to you processing it in certain ways, they'll probably say yes because they need the job. As with consent in the employment context more generally, it might not be freely given.
Legitimate interest can also be used for certain 'extra-curricular' roles in the business. For example, an employee may apply to be an employee representative for a collective redundancy or for a transfer of an undertaking (a TUPE transfer). If an employee stands for election to be a representative in that situation, you'll have a legitimate interest in sharing and processing certain information about them.
In this situation, you could probably also rely on consent – they're free not to apply for that position. However, legitimate interest may be preferable in case they change their mind and withdraw consent.
For more information see the ICO's Guide to the UK GDPR.
The UK GDPR says that if you process data, you must do so transparently. It also says that when you collect personal data from individuals you should provide certain information to them about the processing. This is often referred to as a privacy notice – however, some people use other terms such as privacy policy or privacy statement.
The obligation to provide a privacy notice applies whichever justification for processing the data you're relying on. For example, before requesting an employee reference you must tell the candidate that you intend to request it and that you intend to store and use the information.
You should provide different privacy notices at the application stage and at the employment stage, as you'll collect different information for different purposes.
The general rules are as follows:
1. Use clear, concise and accessible language.
2. Identify who controls the data – e.g. yourself if you're a sole trader, or the company you work through. If you have a data protection officer, give their contact details.
3. Explain your purpose for holding and using the data, and the legal justification for it – e.g. performance of a contract, legal obligation or legitimate interests.
4. Identify any other entity that the data might be sent to. Also, if you receive data indirectly from another organisation, state the source of it.
5. Say if you intend to transfer the information to other organisations in third countries (i.e. those outside of the UK), including documenting the transfer mechanism safeguards in place.
6. Say for how long the information will be stored, or how you'll decide. For example, 'until the end of the employment'.
7. Explain people's rights:
8. Say if you use automated decision-making in relation to their data and explain its logic.
You should also outline in this notice the steps you take to keep the information secure. For example, if you remove the parts of the data that enable you to identify the data subject, you should say that. If you destroy that identifying information so that the data can't be re-identified, what remains is anonymised, no longer counts as personal data, and the UK GDPR won't apply to it. However, if it would still be possible to re-identify the individual (for example, because you keep a key that links the data back to them), it remains personal data, though it's more secure.
The ICO recommends using a 'layered approach' to privacy notices, otherwise they're unlikely to be concise, clear and comprehensive. For example, in an online application form when you ask for each item of information, explain very briefly why you need it and how you intend to process it, and provide a link to a fuller privacy notice. You can use our document Privacy notice for employers to create one.
In addition to telling data subjects about the data of theirs that you hold, you should have an internal policy explaining to staff how they should approach other people's personal information – i.e. that they should take the matter very seriously. You can refer to this as a privacy or data protection policy.
This is important for at least 2 reasons:
1. Some justifications for using data require you to have an appropriate policy in place, which a privacy/data protection policy will achieve.
2. You may be vicariously liable if a member of staff unlawfully discloses personal information that they've come into possession of through work.
It should cover similar matters to the privacy notice, but from a different perspective. In particular, it should provide practical advice to staff on what to do and how to process data to comply with data protection laws. For example, what to do if they receive a data subject access request. There should be a way for them to escalate the matter so that it can be dealt with efficiently by the organisation at the appropriate level of seniority.
Staff have a right of access to their personal information. That means that you may receive a request from an individual to see all the personal information relating to them that you possess (a data subject access request). A request can be made verbally or in writing, and former staff members often use this right if they're considering bringing a claim in an employment tribunal.
Unless the request is manifestly unfounded or excessive (for example, repetitive), you must provide this information free of charge. You have a month from receipt of the request to provide the information, though this can be extended by a further 2 months if the request is complex or you receive a number of requests from the same individual; you must tell the individual about the extension within the first month.
For more information, see the Information Commissioner's Office's guidance.
Under the EU GDPR, a transfer of personal data to a 'third country' (a country outside the European Economic Area) is allowed if the European Commission has decided that the third country ensures an adequate level of protection (this is known as an adequacy decision). Similarly, transfers out of the UK under the UK GDPR are allowed if the UK has made an adequacy decision.
If there's no adequacy decision, you're only allowed to transfer the data if there are:
Appropriate safeguards may include alternative data transfer mechanisms, like:
Standard contractual clauses contain contractual obligations on you (the data exporter) and the receiver (the data importer), and rights for people whose personal data is transferred - they can enforce these against both of you.
On 4 June 2021, the European Commission issued new standard contractual clauses. These aren't, on their own, valid for transfers out of the UK under the UK GDPR (known as 'restricted transfers'). Instead, organisations can now choose to use either the International Data Transfer Agreement (IDTA) or the UK Addendum.
The UK Addendum incorporates and modifies the EU standard contractual clauses. It's most likely to be used by organisations whose restricted transfers are subject to both the UK GDPR and the EU GDPR.
The IDTA is an all-in-one agreement, that in effect replaces the EU standard contractual clauses. It has tables to complete and a tick-box system to differentiate between different processing relationships. It's most likely to be useful to organisations making restricted transfers under the UK GDPR only.
When using either the IDTA or the UK Addendum, you must complete them properly with information about the restricted transfers.
Since 21 September 2022, you're no longer allowed to enter new contracts based on the old EU standard contractual clauses (i.e. those in force before the new EU standard contractual clauses issued by the European Commission on 4 June 2021) or the UK versions of the old EU standard contractual clauses - both Controller-to-controller and Controller-to-processor - created (with guidance) by the ICO.
Contracts based on the old EU standard contractual clauses that were entered into prior to 21 September 2022 will continue to provide appropriate safeguards for the purpose of the UK GDPR until 21 March 2024. After that, if your restricted transfers continue, you must agree a contract on the basis of the IDTA or the UK Addendum, or find another way to make the restricted transfer under the UK GDPR.
You can't, though, continue to rely on the old EU standard contractual clauses if:
See the ICO website page for more on this.
In 2016, the European Commission, in collaboration with the US government, established the 'Privacy Shield' framework as a method of providing adequate protection for data transfers to companies in the US, which had signed up to agreed principles.
This was invalidated in July 2020 by a decision of the Court of Justice of the European Union (the case known as Schrems II), essentially because US public authorities had too much power to access and use personal data and individuals lacked effective remedies.
However, on 10 July 2023, the European Commission made an adequacy decision in relation to the EU-US Data Privacy Framework.
And on 12 October 2023, a UK adequacy decision came into effect in relation to a UK-US Extension to the EU-US Data Privacy Framework (UK-US data bridge). This means that data may be transferred to the USA without further safeguards, but only to eligible organisations in the USA that have certified their commitment to comply with the UK-US data bridge and that appear on the Data Privacy Framework list.
The EEA includes all EU countries plus Iceland, Norway and Liechtenstein.
There are currently no restrictions for data going to the EEA as the UK GDPR provides that EEA countries are deemed by the UK to have an adequate level of data protection. The government will keep this under review.
All adequacy decisions (see above) made by the EU have been adopted by the UK. This means personal data may be freely transferred to these countries without any extra safeguards being required.
You can check to see the countries that have been granted an adequacy decision here.
To send personal data to countries where there is no adequacy decision, you must put extra safeguards in place.
If you want to use standard contractual clauses or binding corporate rules to lawfully transfer personal data to any country where there is no adequacy decision (which includes transfers to US organisations that have not certified their commitment to comply with the UK-US data bridge), you must make an equivalence assessment - i.e. you must assess, on a case-by-case basis, whether the country/organisation provides a level of protection that's essentially equivalent to that guaranteed within the UK/EU.
This equivalence assessment must consider:
Extra safeguards may be needed.
The ICO has issued guidance on transfer risk assessments for the UK GDPR, as well as a transfer risk assessment tool.
This is a very complicated issue; you should get legal advice if you're unsure.