Data processing in the employment relationship
Data processing in the employment relationship

The following Employment guidance note provides comprehensive and up to date legal information covering:

  • Data processing in the employment relationship
  • Legislative background and guidance
  • Data protection by design and by default
  • Data protection impact assessments (DPIAs)
  • Processing in the employment context
  • Risks
  • Social media and recruitment
  • In-employment social media screening
  • Monitoring IT usage at the workplace
  • Monitoring IT usage outside the workplace
  • more

Legislative background and guidance

Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR) was directly applicable in the UK from 25 May 2018, and the main provisions of the Data Protection Act 2018 (DPA 2018) came into force on the same date.

For an overview of the key themes of Regulation (EU) 2016/679, GDPR and DPA 2018, and particular issues of relevance to employment lawyers, see Practice Notes:

  1. The GDPR and DPA 2018: key data protection issues for employment lawyers, and

  2. The GDPR and DPA 2018: lawful processing of personal data in employment

The Information Commissioner’s Office (ICO) has published:

  1. a guide to the GDPR, explaining the provisions of Regulation (EU) 2016/679, GDPR, to help organisations comply with its requirements

  2. detailed consent guidance

  3. detailed guidance on automated decision-making and profiling

  4. detailed guidance on the right to be informed

However, the ICO has not yet published a revised version of the Employment Practices Code, which contains guidance on monitoring at work, in particular regarding the monitoring of electronic communications, video and audio monitoring, covert monitoring and in-vehicle monitoring.

In the absence of a revised Employment Practices Code, it is useful to look at guidance from the European Data Protection Board (EDPB) (formerly the Article 29 Data Protection Working Party), which includes representatives of the data protection authorities from each EU Member State, including