Data protection


The 1998 Data Protection Act applies to personal data in computerised, manual or any other format. It requires transparency in the use of information as well as its 'proper' use. It also emphasises the need for privacy and for individuals ('data subjects') to have access to the data held about them. Private filing systems maintained by managers are also included, and employers are responsible for the proper usage of data in such systems. The introduction of the General Data Protection Regulation ("GDPR"), which comes into effect in May 2018, will not make any real practical difference for the majority of organisations processing and using data for HR related issues.

The Act covers all aspects of 'processing' data. This includes the manner in which it is collected, held, accessed, used, disclosed and destroyed. Anyone collecting data needs to consider the reasons for its collection, what it is going to be used for and who will have access to it. 

The DPA includes rules on recruitment and selection, employment records, monitoring at work, and medical information. Employers therefore need to notify (by way of registration) the Information Commissioner that they are collecting, holding and processing data in order to comply with the Act. Registration can be completed on-line by visiting the Information Commissioner's website. The annual fee for registration is £35.00 for organisations with fewer than 250 staff and an annual turnover of less than £26m. The annual fee for larger organisations is £500.00 (unless the organisation falls into an exempt category).

Key principles

The key principles of the DPA are that personal data must be:

  • Processed fairly and lawfully;
  • Processed for limited purposes and not in any manner incompatible with those purposes;
  • Adequate, relevant and not excessive;
  • Accurate;
  • Not kept for longer than is necessary;
  • Processed in line with data subjects' rights;
  • Secure and must not be transferred to countries that do not protect personal data.

Data subject rights

The data subject has a right to be informed where data is being processed, and to be given a description of the data being held, the purpose of the processing and the persons to whom the data may be disclosed. The data subject may also make a Data Subject Access Request for copies of personal data about him or her that are held either in a manual filing system or in electronic format. Such requests should be in writing with sufficient detail to enable the data to be identified. Requests of the 'give me copies of everything you have about me' kind are considered unreasonable, and an employer may ask for clarification of what exactly is required and where the person thinks the data is held. An appropriate fee (usually £10) will be charged for responding to such a request and should be paid in advance. The information must be supplied to the individual within 40 days of receipt of the fee and any clarification requested. Certain information is exempt from subject access rights; this includes:

  • Information on 'management forecasting' (e.g. plans to promote, transfer or make redundant);
  • Information that records the intention of the employer relating to negotiations where disclosure may prejudice the negotiations;
  • Information held for the purposes of detecting a crime, prosecuting offenders or for the assessment or collection of any tax or duty.


Employees are not automatically entitled to see their references. The recipient of a confidential reference can only disclose the reference by complying with the Act's confidentiality rules. The referee who has given a confidential reference for employment, self employment or educational purposes can withhold the reference from disclosure. However, this only applies where the reference is given in confidence. The sample reference form on this site has a check box for the referee to tick to indicate whether the reference is being given in confidence or not.

'Sensitive personal data' 

Some information is defined as being 'sensitive'; this includes information on race, religion or belief, Trade Union membership, sexual life, criminal record and health information. There are a number of conditions attached to the processing of Sensitive Personal Data. For example, information relating to ethnicity or race may be processed for legitimate purposes such as statistical analysis to ensure equality of opportunity in employment. However, the processing of medical information, other than for medical reasons, is only allowed with the express consent of the data subject. This naturally raises issues in managing sickness absence or dealing with disability.

Sending information abroad 

Information may be sent to any country within the European Economic Area and to Hungary and Switzerland. It may only be sent to an organisation in the USA if the organisation concerned has signed up to the Safe Harbour Agreement made with the European Union. In all other cases, an employer needs to obtain the consent of the employee before sending information overseas.


The person responsible for compliance with the Act and who will be liable in the event of a breach is the Data Controller. In most organisations, the organisation itself is classified as the Data Controller. For partnerships or sole traders, it will be the partners or the trader. Where loss is suffered as a result of a breach, the Data Controller will be liable unless he or she can show that he or she has taken reasonable steps to prevent the breach. Preventive steps could include an audit of the systems and data processed, a data policy and procedure, communication and training as well as tying breaches of the DPA into the disciplinary procedure. 

Key action points

  • Organisations should consider the appointment of a person to be in charge of all aspects of personal and sensitive data, including the Freedom of Information Act;
  • Inform employees and customers of your firm's role as a 'data controller' and the purpose of processing their data (this can be achieved through incorporating a Data Protection clause into contracts of employment and including a paragraph on this on application forms and acknowledgements to job applications);
  • Audit information systems - find out who holds what data, and why;
  • Consider why information is collected and how it is used. Issue guidelines for managers about how to gather, store and retrieve data;
  • Eliminate unnecessary data processing;
  • Ensure that all information collected now complies with the Data Protection Act 1998;
  • Check the security of information stored;
  • Monitor retention periods so that data is kept for no longer than necessary;
  • Check the transfer of data outside the European Economic Area;
  • Check the organisation's use of automated decision-making;
  • Establish appropriate contractual arrangements with third-party data processors;
  • Co-ordinate subject access requests and other queries relating to data subject rights;
  • Review policy and practice in respect of references;
  • Review or introduce a policy for the private use of telephones, e-mail and post;
  • Review or introduce a procedure for reporting under the Public Interest Disclosure Act;
  • Brief departmental heads and line managers, as well as workers, about their respective obligations under the Act. All employees should be made aware that infringing data protection procedures constitutes a disciplinary offence, though liability under the Act will normally rest with the employer.