Data protection principles in employment [Archived]

The following Employment guidance note provides comprehensive and up-to-date legal information covering:

  • Data protection principles in employment [Archived]
  • Principle 1: Personal data must be processed fairly and lawfully
  • Principle 2: Personal data must be obtained only for specified and lawful purposes
  • Principle 3: Personal data must be adequate, relevant and not excessive
  • Principle 4: Personal data must be accurate and kept up to date
  • Principle 5: Personal data must not be kept for longer than necessary
  • Principle 6: Personal data must be processed in accordance with the rights of data subjects
  • Principle 7: Measures against unauthorised or unlawful processing of personal data
  • Principle 8: Adequate protection for personal data transferred outside the EEA

ARCHIVED: This archived Practice Note provides information on the data protection regime before 25 May 2018 and reflects the position under the Data Protection Act 1998. This Practice Note is for background information only and is not maintained.

FORTHCOMING CHANGE: Regulation (EU) 2016/679, General Data Protection Regulation (GDPR) is due to come into effect in the UK on 25 May 2018. The GDPR introduces a raft of changes to the data protection regime, including: a new standard for consent; a new 'accountability' requirement, under which employers will have to demonstrate compliance with the GDPR; an increase to the territorial scope of EU data protection law; new and extended data subject rights, including enhanced notification requirements and rights to compensation; additional obligations and liabilities for data controllers and data processors; and a transformation of the regulatory regime together with extended powers for supervisory authorities (such as the Information Commissioner's Office).
Under the GDPR, it is even less likely than it was under the Data Protection Directive (Directive 95/46/EC) that an employer will be able to rely on employee consent as the legal basis for data processing at work and, given the serious consequences of failing to comply with obligations under the GDPR, employers should therefore avoid relying on consent as a lawful processing