Data protection

Aims of the policy

The principal aim of a data protection policy is to ensure that employees are aware of their rights and obligations concerning personal data processed by their employer and to set out how the employer intends to comply with its obligations under the Data Protection Act 1998.

Who is it for?

The policy is aimed principally at employees, although it could properly be extended to cover others such as workers, contractors and agency staff, as they are also covered by the Act and employers may want to remind them of their rights and obligations.

Essential elements

The policy should:

  1. Identify the person in the organisation with overall responsibility for ensuring that the employer complies with its data protection obligations. This should normally be a senior manager in the HR department or someone in a comparable position. Some employers appoint someone specifically to deal with such issues.
  2. Ensure that employees are aware of the information held about them and how this will be used and disclosed. Employers will inevitably process personal data about employees such as salary and pension details held on a computer. They will usually also process some sensitive personal data such as occupational health records. The Act sets out the conditions that employers must satisfy before such data can be processed.
    While an employee’s consent to the processing of his personal data is usually obtained on commencement of his employment by including an appropriate clause in the employee’s contract, in most circumstances employers will not strictly have to rely on such consent as they will be able to rely on one of the other conditions in the Act. A mere statement in a policy that an employee consents to the processing of his personal data will not technically be sufficient, especially in the context of sensitive personal data where explicit consent is required.
  3. Ensure that employees are aware of the extent to which they will be monitored or required to undergo alcohol and drug testing. This may be achieved by simply referring them to a separate policy dealing with such issues.
  4. Set out the employees’ rights to access any personal data about themselves, ie their right to make a subject access request. The Act allows employees to find out what information is held about them on computers and in some paper records. Employers may charge up to £10 for responding to such a request, although some employers make charges only for ‘repeat’ requests. The policy should set out any procedure that employees should follow to obtain such information and how the employer will handle any requests.
  5. Set out the employees’ responsibilities under the Act, for example when handling information about customers, clients or other employees. As this is a general policy it may be necessary to refer the employees to a separate policy/guidelines depending on the type of work they carry out, for example if they work in HR and have access to information about other employees, or if they work in a call centre or credit checking department and have access to that sort of information about clients/customers. Employers can minimise the risk of employees breaching the Act by offering appropriate training.
  6. Ensure that employees are aware that they could be criminally liable if they knowingly or recklessly disclose personal information in breach of the policy and, as a minimum, that serious breaches of the policy will be a disciplinary matter. Employers should consider incorporating such information in the general induction process for new employees and regularly reminding employees of their obligations.
  7. Set out the employees’ responsibilities to ensure that all personal data provided by them to the employer is accurate and updated when appropriate. For example, employees should be asked to update their employer when they change address.
  8. Set out the employees’ and employer’s responsibilities to ensure that all personal data is kept secure. Those employees who are required as part of their job to process personal data about other staff or customers/clients etc should receive specific training and guidance on the security of data to ensure that all data is processed fairly and lawfully. Employers should refer employees to any separate rules/guidelines governing, for example, the retention, storage and destruction of records.

A data protection policy would normally be non-contractual as a non-contractual policy is easier to introduce and subsequently change in line with law or good practice.

Key legislation

The key piece of legislation is the Data Protection Act 1998.

The Information Commissioner has also produced a Code of Practice which sets out guidance on how employers can comply with their obligations under the Act.

Useful web links

The Information Commissioner’s Office

This guide is for general guidance only and should not be relied upon without advice on your specific circumstances.