Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

Personnel Today

Register
Log in
Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

Employment lawData protection

Data protection

by Personnel Today 22 Jun 2006
by Personnel Today 22 Jun 2006

Aims of the policy

The principal aim of a data protection policy is to ensure that employees are aware of their rights and obligations concerning personal data processed by their employer and to set out how the employer intends to comply with its obligations under the Data Protection Act 1998.

Who is it for?

The policy is aimed principally at employees, although it could properly be extended to cover others such as workers, contractors and agency staff, as they are also covered by the Act and employers may want to remind them of their rights and obligations.

Essential elements

The policy should:



  1. Identify the person in the organisation with overall responsibility for ensuring that the employer complies with its data protection obligations.  This should normally be a senior manager in the HR department or someone in a comparable position. Some employers appoint someone specifically to deal with such issues.
  2. Ensure that employees are aware of the information held about them and how this will be used and disclosed. Employers will inevitably process personal data about employees such as salary and pension details held on a computer. They will usually also process some sensitive personal data such as occupational health records. The Act sets out the conditions that employers must satisfy before such data can be processed.
    While an employee’s consent to the processing of his personal data is usually obtained on commencement of his employment by including an appropriate clause in the employee’s contract, in most circumstances employers will not strictly have to rely on such consent as they will be able to rely on one of the other conditions in the Act. A mere statement in a policy that an employee consents to the processing of his personal data will not technically be sufficient, especially in the context of sensitive personal data where explicit consent is required.      
  3. Ensure that employees are aware of the extent to which they will be monitored or required to undergo alcohol and drug testing. This may be achieved by simply referring them to a separate policy dealing with such issues. 
  4. Set out the employees’ rights to access any personal data about themselves ie their right to make a subject access request. The Act allows employees to find out what information is held about them on computers and in some paper records. Employers may charge up to £10 for responding to such a request although some employers make charges only for ‘repeat’ requests. The policy should set out any procedure that employees should follow to obtain such information and how the employer will handle any requests.     
  5. Set out the employees’ responsibilities under the Act, for example when handling information about customers, clients or other employees. As this is a general policy it may be necessary to refer the employees to a separate policy/ guidelines depending on the type of work they carry out, for example if they work in HR and have access to information about other employees or if they work in a call centre or credit checking department and have access to that sort of information about clients/customers.  Employers can minimise the risk of employees breaching the Act by offering appropriate training.  
  6. Ensure that employees are aware that they could be criminally liable if they knowingly or recklessly disclose personal information in breach of the policy and, as a minimum, that serious breaches of the policy will be a disciplinary matter. Employers should consider incorporating such information in the general induction process for new employees and regularly reminding employees of their obligations. 
  7. Set out the employees’ responsibilities to ensure that all personal data provided by them to the employer is accurate and updated when appropriate.  For example, employees should be asked to update their employer when they change address.
  8. Set out the employees’ and employer’s responsibilities to ensure that all personal data is kept secure. Those employees who are required as part of their job to process personal data about other staff or customers/clients etc should receive specific training and guidance on the security of data to ensure that all data is processed fairly and lawfully. Employers should refer employees to any separate rules/guidelines governing, for example, the retention, storage and destruction of records.

A data protection policy would normally be non-contractual as a non-contractual policy is easier to introduce and subsequently change in line with law or good practice.

Key legislation

The key piece of legislation is the Data Protection Act 1998. 

The Information Commissioner has also produced a Code of Practice which sets out guidance on how employers can comply with their obligations under the Act. 

Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

OptOut
This field is for validation purposes and should be left unchanged.

Useful web links
The Information Commissioner’s Office

This guide is for general guidance only and should not be relied upon without advice on your specific circumstances.

Personnel Today

Personnel Today articles are written by an expert team of award-winning journalists who have been covering HR and L&D for many years. Some of our content is attributed to "Personnel Today" for a number of reasons, including: when numerous authors are associated with writing or editing a piece; or when the author is unknown (particularly for older articles).

previous post
Recruitment agents’ body answers union criticisms of local authority use of temporary staff
next post
Unison bans all talk of equal pay at annual conference to protect legal case

You may also like

Fire and rehire: the relocation question

22 May 2025

Minister defends Employment Rights Bill at Acas conference

16 May 2025

CBI chair Soames accuses ministers of not listening...

16 May 2025

EHRC bows to pressure and extends gender consultation

15 May 2025

‘Polygamous working’ is a minefield for HR

14 May 2025

Contract cleaner loses EAT race discrimination appeal

14 May 2025

Construction workers win compensation claim against defunct employer

9 May 2025

Zero-hours workers’ rights to be extended from beyond...

8 May 2025

Employment tribunal backlog up 23% in a year

7 May 2025

Ministers urged to outlaw misuse of NDAs

7 May 2025

  • 2025 Employee Communications Report PROMOTED | HR and leadership...Read more
  • The Majority of Employees Have Their Eyes on Their Next Move PROMOTED | A staggering 65%...Read more
  • Prioritising performance management: Strategies for success (webinar) WEBINAR | In today’s fast-paced...Read more
  • Self-Leadership: The Key to Successful Organisations PROMOTED | Eletive is helping businesses...Read more
  • Retaining Female Talent: Four Ways to Reduce Workplace Drop Out PROMOTED | International Women’s Day...Read more

Personnel Today Jobs
 

Search Jobs

PERSONNEL TODAY

About us
Contact us
Browse all HR topics
Email newsletters
Content feeds
Cookies policy
Privacy policy
Terms and conditions

JOBS

Personnel Today Jobs
Post a job
Why advertise with us?

EVENTS & PRODUCTS

The Personnel Today Awards
The RAD Awards
Employee Benefits
Forum for Expatriate Management
OHW+
Whatmedia

ADVERTISING & PR

Advertising opportunities
Features list 2025

  • Facebook
  • Twitter
  • Instagram
  • Linkedin


© 2011 - 2025 DVV Media International Ltd

Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+