Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

Personnel Today

Register
Log in
Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

Employment lawData protection

Data protection

by Personnel Today 22 Jun 2006
by Personnel Today 22 Jun 2006

Aims of the policy

The principal aim of a data protection policy is to ensure that employees are aware of their rights and obligations concerning personal data processed by their employer and to set out how the employer intends to comply with its obligations under the Data Protection Act 1998.

Who is it for?

The policy is aimed principally at employees, although it could properly be extended to cover others such as workers, contractors and agency staff, as they are also covered by the Act and employers may want to remind them of their rights and obligations.

Essential elements

The policy should:



  1. Identify the person in the organisation with overall responsibility for ensuring that the employer complies with its data protection obligations.  This should normally be a senior manager in the HR department or someone in a comparable position. Some employers appoint someone specifically to deal with such issues.
  2. Ensure that employees are aware of the information held about them and how this will be used and disclosed. Employers will inevitably process personal data about employees such as salary and pension details held on a computer. They will usually also process some sensitive personal data such as occupational health records. The Act sets out the conditions that employers must satisfy before such data can be processed.
    While an employee’s consent to the processing of his personal data is usually obtained on commencement of his employment by including an appropriate clause in the employee’s contract, in most circumstances employers will not strictly have to rely on such consent as they will be able to rely on one of the other conditions in the Act. A mere statement in a policy that an employee consents to the processing of his personal data will not technically be sufficient, especially in the context of sensitive personal data where explicit consent is required.      
  3. Ensure that employees are aware of the extent to which they will be monitored or required to undergo alcohol and drug testing. This may be achieved by simply referring them to a separate policy dealing with such issues. 
  4. Set out the employees’ rights to access any personal data about themselves ie their right to make a subject access request. The Act allows employees to find out what information is held about them on computers and in some paper records. Employers may charge up to £10 for responding to such a request although some employers make charges only for ‘repeat’ requests. The policy should set out any procedure that employees should follow to obtain such information and how the employer will handle any requests.     
  5. Set out the employees’ responsibilities under the Act, for example when handling information about customers, clients or other employees. As this is a general policy it may be necessary to refer the employees to a separate policy/ guidelines depending on the type of work they carry out, for example if they work in HR and have access to information about other employees or if they work in a call centre or credit checking department and have access to that sort of information about clients/customers.  Employers can minimise the risk of employees breaching the Act by offering appropriate training.  
  6. Ensure that employees are aware that they could be criminally liable if they knowingly or recklessly disclose personal information in breach of the policy and, as a minimum, that serious breaches of the policy will be a disciplinary matter. Employers should consider incorporating such information in the general induction process for new employees and regularly reminding employees of their obligations. 
  7. Set out the employees’ responsibilities to ensure that all personal data provided by them to the employer is accurate and updated when appropriate.  For example, employees should be asked to update their employer when they change address.
  8. Set out the employees’ and employer’s responsibilities to ensure that all personal data is kept secure. Those employees who are required as part of their job to process personal data about other staff or customers/clients etc should receive specific training and guidance on the security of data to ensure that all data is processed fairly and lawfully. Employers should refer employees to any separate rules/guidelines governing, for example, the retention, storage and destruction of records.

A data protection policy would normally be non-contractual as a non-contractual policy is easier to introduce and subsequently change in line with law or good practice.

Key legislation

The key piece of legislation is the Data Protection Act 1998. 

The Information Commissioner has also produced a Code of Practice which sets out guidance on how employers can comply with their obligations under the Act. 

Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

OptOut
This field is for validation purposes and should be left unchanged.

Useful web links
The Information Commissioner’s Office

This guide is for general guidance only and should not be relied upon without advice on your specific circumstances.

Personnel Today

Personnel Today articles are written by an expert team of award-winning journalists who have been covering HR and L&D for many years. Some of our content is attributed to "Personnel Today" for a number of reasons, including: when numerous authors are associated with writing or editing a piece; or when the author is unknown (particularly for older articles).

previous post
Recruitment agents’ body answers union criticisms of local authority use of temporary staff
next post
Unison bans all talk of equal pay at annual conference to protect legal case

You may also like

Bereavement leave to extend to miscarriages before 24...

7 Jul 2025

Company director wins £15k after being told to...

4 Jul 2025

How can HR prepare for changes to the...

3 Jul 2025

Government publishes ‘roadmap’ for Employment Rights Bill

2 Jul 2025

Employers’ duty of care: keeping workers safe in...

27 Jun 2025

When will the Employment Rights Bill become law?

26 Jun 2025

Seven ways to prepare now for the Employment...

20 Jun 2025

The employer strikes back: the rise of ‘quiet...

13 Jun 2025

Lawyers warn over impact of Employment Rights Bill...

13 Jun 2025

Racism claims have tripled and ‘Equality Act is...

12 Jun 2025

  • Empowering working parents and productivity during the summer holidays SPONSORED | Businesses play a...Read more
  • AI is here. Your workforce should be ready. SPONSORED | From content creation...Read more

Personnel Today Jobs
 

Search Jobs

PERSONNEL TODAY

About us
Contact us
Browse all HR topics
Email newsletters
Content feeds
Cookies policy
Privacy policy
Terms and conditions

JOBS

Personnel Today Jobs
Post a job
Why advertise with us?

EVENTS & PRODUCTS

The Personnel Today Awards
The RAD Awards
Employee Benefits
Forum for Expatriate Management
OHW+
Whatmedia

ADVERTISING & PR

Advertising opportunities
Features list 2025

  • Facebook
  • Twitter
  • Instagram
  • Linkedin


© 2011 - 2025 DVV Media International Ltd

Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+