GDPR: Your Data, Your Employee Rights

By: Abigail Taylor - Updated: 15 Jul 2018
 
So by now, pretty much everyone who reads the paper, listens to the radio or watches the news will have heard of GDPR, but what actually is it? And what does it mean for you?

What is GDPR?

The General Data Protection Regulation ("GDPR") is essentially a new piece of legislation which tells everyone how they have to deal with and look after data. GDPR came into force on 25 May 2018 and replaces the Data Protection Act.

GDPR applies to any organisation that handles personal data, and it is mandatory to comply with the new rules.

What is 'personal data'?

Personal data is any information that can identify an individual. This might be an employee, volunteer, customer, trade partner etc - literally anyone!

Personal data will include:

  • Payroll details
  • Staff number
  • Personnel file including disciplinary records
  • Occupational health records or any medical details
  • Staff photos
  • Customer address, phone number or email

Sounds obvious… but what about information that organisations may hold without ever having direct contact with a person:

For example - Mrs X contacts her local florist and tells them that Mrs W has recently fallen and broken her leg. She wants to send Mrs W flowers, but asks that they are left in the porch as Mrs W isn't very mobile and so will struggle to answer the door. The florist writes it all down.

Does the florist hold personal data?

Yes! The florist will have Mrs W's personal data, as they know her name and address. They also hold "sensitive personal data" (a category of personal data that holders must take extra care with) as they have details of her current medical condition. The florist must therefore follow the new GDPR rules.

What are the new GDPR rules?

GDPR sets out 6 principles which must be followed:

  1. Data must be processed fairly, lawfully and in a transparent manner
  2. Data must be obtained for a specific lawful reason and only processed for that reason
  3. Data obtained must be adequate, relevant and not excessive
  4. Data must be accurate and kept up to date
  5. Data must not be kept longer than necessary
  6. Data must be kept securely

Example breaches:

A - ABC Company Ltd has HR files for all its employees. They are kept in a pile on the floor in the corner of a meeting room.

This is a breach of principle 6, to keep data securely. HR records should normally be kept in a locked filing cabinet, or even better, paperless on a secure server requiring password access.

B - Bob's Building Company Ltd gets all employees to fill in their address and next of kin details upon joining the company. Bob knows that the wife of one of his employees sadly died last year, and that two employees recently moved house. The records have not been updated.

This is a breach of principle 4, to ensure data is accurate and kept up to date.

Rights of employees (or anyone data is held about) under GDPR

GDPR has given, or clarified, a person's rights to data held about them. Focusing specifically on employees, these rights include:

1. The right to view

Employees have the right to see a copy of all personal data held by an employer about them. You simply need to make a request to your employer (see below re how to request).

2. The right to be informed

An employer must confirm to employees how they intend to process personal data. This must be in a concise, easily accessible format, and be written in plain English.

3. The right to rectification

An employee has the right to demand that any information held about them is corrected if it is incomplete or inaccurate (for example your address is incorrect). Any information must be rectified within 1 month of a request to rectify being made, though this can be extended to 2 months from the date of request if the process of updating all the required data is particularly complex.

If the employer has needed to pass on that information to a third party (for example to a separate payroll company), they must update the third party company with the correct information.

4. The right to be forgotten

An employer must securely destroy or delete data if:
  • It is no longer required for the purpose it was collected
  • The employee withdraws consent to process their data and there are no other legal grounds to do so
  • The employee objects to their data being processed and there is no other legitimate business reason to override that objection

The employer does not however have to erase any data that they require in order to comply with legal obligations, or to pursue/defend claims. In reality, this is likely to mean that companies will refuse to delete any data about employees that is under 3 years old (being the general time limit for injury claims to be brought, and the HMRC minimum required time to keep payroll records).

How to request to see the data held about you by your employer

1. Simply speak to your employer. They will usually be able to quickly and easily provide you with a copy of what you require.

2. If your employer is unable or unwilling to provide you with a copy on an informal basis, make a subject access request. Essentially you just need to write to your employer including your name, address, contact information and any identifying payroll or work ID number, and set out what information you want to see with any relevant dates (e.g. any disciplinary records from 2014 to date).

3. Your employer must then deal with the request within 1 month of receipt. There should be no charge for dealing with your request unless the request is 'manifestly unfounded or excessive, in particular because of its repetitive character'.

Top tip:

In order to get information quickly, and maintain a good relationship with your employer, be as specific as you can about what information you require (or don't require).

For example you may only want a copy of your pay slips from the last 3 months (for example to show a rental agent), and not require all payslips since you started at the company 5 years ago!

Independent help

If your employer is refusing to comply with a GDPR request or you have any concerns, you can seek help from one of the following:

- Your trade union
- A local Citizens Advice Bureau or lawyer
- ACAS
- The ICO

Share Your Story, Join the Discussion or Seek Advice..
I work in a Custody environment. People arrested get risk assessed and on that information it is decided whether I make a telephone call to a third party organisation (G4S) where I am asked quite personal details about the detained person. None of this information has been approved by the detainee who is not present for the call. I find the questions quite invasive myself and am concerned that much of what they ask is not relevant at all. Are they breaking the new GDPR legislation? All I require off them is a number which our HCP after seeing the detainee then calls the call centre back and cross references and closes down the case having reviewed the DP.
nigeats - 15-Jul-18 @ 8:58 AM
How can I apply for a working visa for Indians?
Sai - 29-Jun-18 @ 11:41 PM