Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Recruitment & retention
    • Wellbeing
    • Occupational Health
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise

Personnel Today

Register
Log in
Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Recruitment & retention
    • Wellbeing
    • Occupational Health
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise

Employment lawData protection

Data protection

by Personnel Today 22 Jun 2006
by Personnel Today 22 Jun 2006

Aims of the policy

The principal aim of a data protection policy is to ensure that employees are aware of their rights and obligations concerning personal data processed by their employer and to set out how the employer intends to comply with its obligations under the Data Protection Act 1998.

Who is it for?

The policy is aimed principally at employees, although it could properly be extended to cover others such as workers, contractors and agency staff, as they are also covered by the Act and employers may want to remind them of their rights and obligations.

Essential elements

The policy should:



  1. Identify the person in the organisation with overall responsibility for ensuring that the employer complies with its data protection obligations.  This should normally be a senior manager in the HR department or someone in a comparable position. Some employers appoint someone specifically to deal with such issues.
  2. Ensure that employees are aware of the information held about them and how this will be used and disclosed. Employers will inevitably process personal data about employees such as salary and pension details held on a computer. They will usually also process some sensitive personal data such as occupational health records. The Act sets out the conditions that employers must satisfy before such data can be processed.
    While an employee’s consent to the processing of his personal data is usually obtained on commencement of his employment by including an appropriate clause in the employee’s contract, in most circumstances employers will not strictly have to rely on such consent as they will be able to rely on one of the other conditions in the Act. A mere statement in a policy that an employee consents to the processing of his personal data will not technically be sufficient, especially in the context of sensitive personal data where explicit consent is required.      
  3. Ensure that employees are aware of the extent to which they will be monitored or required to undergo alcohol and drug testing. This may be achieved by simply referring them to a separate policy dealing with such issues. 
  4. Set out the employees’ rights to access any personal data about themselves ie their right to make a subject access request. The Act allows employees to find out what information is held about them on computers and in some paper records. Employers may charge up to £10 for responding to such a request although some employers make charges only for ‘repeat’ requests. The policy should set out any procedure that employees should follow to obtain such information and how the employer will handle any requests.     
  5. Set out the employees’ responsibilities under the Act, for example when handling information about customers, clients or other employees. As this is a general policy it may be necessary to refer the employees to a separate policy/ guidelines depending on the type of work they carry out, for example if they work in HR and have access to information about other employees or if they work in a call centre or credit checking department and have access to that sort of information about clients/customers.  Employers can minimise the risk of employees breaching the Act by offering appropriate training.  
  6. Ensure that employees are aware that they could be criminally liable if they knowingly or recklessly disclose personal information in breach of the policy and, as a minimum, that serious breaches of the policy will be a disciplinary matter. Employers should consider incorporating such information in the general induction process for new employees and regularly reminding employees of their obligations. 
  7. Set out the employees’ responsibilities to ensure that all personal data provided by them to the employer is accurate and updated when appropriate.  For example, employees should be asked to update their employer when they change address.
  8. Set out the employees’ and employer’s responsibilities to ensure that all personal data is kept secure. Those employees who are required as part of their job to process personal data about other staff or customers/clients etc should receive specific training and guidance on the security of data to ensure that all data is processed fairly and lawfully. Employers should refer employees to any separate rules/guidelines governing, for example, the retention, storage and destruction of records.

A data protection policy would normally be non-contractual as a non-contractual policy is easier to introduce and subsequently change in line with law or good practice.

Key legislation

The key piece of legislation is the Data Protection Act 1998. 

The Information Commissioner has also produced a Code of Practice which sets out guidance on how employers can comply with their obligations under the Act. 

Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

OptOut
This field is for validation purposes and should be left unchanged.

Useful web links
The Information Commissioner’s Office

This guide is for general guidance only and should not be relied upon without advice on your specific circumstances.

Personnel Today

Personnel Today articles are written by an expert team of award-winning journalists who have been covering HR and L&D for many years. Some of our content is attributed to "Personnel Today" for a number of reasons, including: when numerous authors are associated with writing or editing a piece; or when the author is unknown (particularly for older articles).

previous post
Recruitment agents’ body answers union criticisms of local authority use of temporary staff
next post
Unison bans all talk of equal pay at annual conference to protect legal case

You may also like

Reshuffle sparks fears over Employment Rights Bill

8 Sep 2025

Jaguar Land Rover staff sent home after cyber...

5 Sep 2025

‘Terrible’ Employment Rights Bill returns to Commons

4 Sep 2025

New ‘failure to prevent fraud’ law a ‘game-changer’

2 Sep 2025

Business confidence grows to post-Budget peak

1 Sep 2025

P&O Ferries boss who steered 800 sackings steps...

29 Aug 2025

Council clerk sacked after trying to ensure his...

29 Aug 2025

Day one rights in the Employment Rights Bill...

28 Aug 2025

EHRC acts on policies flouting law on single-sex...

28 Aug 2025

FCA issues clarity on workplace savings schemes to...

27 Aug 2025

  • Work smart – stay well: Avoid unnecessary pain with centred ergonomics SPONSORED | If you often notice...Read more
  • Elevate your L&D strategy at the World of Learning 2025 SPONSORED | This October...Read more
  • How to employ a global workforce from the UK (webinar) WEBINAR | With an unpredictable...Read more

Personnel Today Jobs
 

Search Jobs

PERSONNEL TODAY

About us
Contact us
Browse all HR topics
Email newsletters
Content feeds
Cookies policy
Privacy policy
Terms and conditions

JOBS

Personnel Today Jobs
Post a job
Why advertise with us?

EVENTS & PRODUCTS

The Personnel Today Awards
The RAD Awards
Employee Benefits Live
Employee Benefits
Forum for Expatriate Management
Whatmedia

ADVERTISING & PR

Advertising opportunities
Features list 2025

  • Facebook
  • Twitter
  • Instagram
  • Linkedin


© 2011 - 2025 DVV Media International Ltd

Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Recruitment & retention
    • Wellbeing
    • Occupational Health
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise