
GDPR: Your Data, Your Employee Rights

By: Abigail Taylor - Updated: 15 Jul 2018

So by now, pretty much everyone who reads the paper, listens to the radio or watches the news will have heard of GDPR, but what actually is it? And what does it mean for you?

What is GDPR?

The General Data Protection Regulation ("GDPR") is essentially a new piece of legislation which tells everyone how they have to deal with and look after data. GDPR came into force on 25 May 2018 and replaces the Data Protection Act.

GDPR applies to any organisation that handles personal data, and it is mandatory to comply with the new rules.

What is 'personal data'?

Personal data is any information that can identify an individual. This might be an employee, volunteer, customer, trade partner etc - literally anyone!

Personal data will include:

  • Payroll details
  • Staff number
  • Personnel file including disciplinary records
  • Occupational health records or any medical details
  • Staff photos
  • Customer address, phone number or email

Sounds obvious… but what about information that organisations may hold without ever having direct contact with a person:

For example - Mrs X contacts her local florist and tells them that Mrs W has recently fallen and broken her leg. She wants to send Mrs W flowers, but asks that they are left in the porch as Mrs W isn't very mobile and so will struggle to answer the door. The florist writes it all down.

Does the florist hold personal data?

Yes! The florist will have Mrs W's personal data, as they know her name and address. They also hold "sensitive personal data" (a category of personal data that holders must take extra care with) as they have details of her current medical condition. The florist must therefore follow the new GDPR rules.

What are the new GDPR rules?

GDPR sets out 6 principles which must be followed:

  1. Data must be processed fairly, lawfully and in a transparent manner
  2. Data must be obtained for a specific lawful reason and only processed for that reason
  3. Data obtained must be adequate, relevant and not excessive
  4. Data must be accurate and kept up to date
  5. Data must not be kept longer than necessary
  6. Data must be kept securely

Example breaches:

A - ABC Company Ltd has an HR file for each of its employees. The files are just kept in a pile on the floor in the corner of a meeting room.

This is a breach of principle 6, to keep data securely. HR records should normally be kept in a locked filing cabinet or, even better, held paperless on a secure server requiring password access.

B - Bob's Building Company Ltd gets all employees to fill in their address and next of kin details upon joining the company. Bob knows that the wife of one of his employees sadly died last year, and that two employees recently moved house. The records have not been updated.

This is a breach of principle 4, to ensure data is accurate and kept up to date.

Rights of employees (or anyone data is held about) under GDPR

GDPR has given, or clarified, a person's rights to data held about them. Focusing specifically on employees, these rights include:

1. The right to view

Employees have the right to see a copy of all personal data held by an employer about them. You simply need to make a request to your employer (see below re how to request).

2. The right to be informed

An employer must confirm to employees how they intend to process personal data. This must be in a concise, easily accessible format, and be written in plain English.

3. The right to rectification

An employee has the right to demand that any information held about them is corrected if it is incomplete or inaccurate (for example your address is incorrect). Any information must be rectified within 1 month of a request to rectify being made, though this can be extended to 2 months from the date of request if the process of updating all the required data is particularly complex.

If the employer has needed to pass on that information to a third party (for example to a separate payroll company), they must update the third party company with the correct information.

4. The right to be forgotten

An employer must securely destroy or delete data if:
  • It is no longer required for the purpose it was collected
  • The employee withdraws consent to process their data and there are no other legal grounds to do so
  • The employee objects to their data being processed and there is no other legitimate business reason to override that objection

The employer does not however have to erase any data that they require in order to comply with legal obligations, or to pursue/defend claims. In reality, this is likely to mean that companies will refuse to delete any data about employees that is under 3 years old (being the general time limit for injury claims to be brought, and the HMRC minimum required time to keep payroll records).

How to request to see the data held about you by your employer

1. Simply speak to your employer. They will usually be able to quickly and easily provide you with a copy of what you require.

2. If your employer is unable or unwilling to provide you with a copy on an informal basis, make a subject access request. Essentially you just need to write to your employer including your name, address, contact information and any identifying payroll or work ID number, and set out what information you want to see with any relevant dates (e.g. any disciplinary records from 2014 to date).

3. Your employer must then deal with the request within 1 month of receipt. There should be no charge for dealing with your request unless the request is 'manifestly unfounded or excessive, in particular because of its repetitive character'.

Top tip:

In order to get information quickly, and maintain a good relationship with your employer, be as specific as you can about what information you require (or don't require).

For example, you may only want a copy of your payslips from the last 3 months (to show a rental agent, say), and not require all payslips since you started at the company 5 years ago!

Independent help

If your employer is refusing to comply with a GDPR request or you have any concerns, you can seek help from one of the following:

- Your trade union
- A local Citizens Advice Bureau or lawyer
- ACAS
- The ICO

Share Your Story, Join the Discussion or Seek Advice..
I work in a Custody environment. People arrested get risk assessed and on that information it is decided whether I make a telephone call to a third party organisation (G4S) where I am asked quite personal details about the detained person. None of this information has been approved by the detainee who is not present for the call. I find the questions quite invasive myself and am concerned that much of what they ask is not relevant at all. Are they breaking the new GDPR legislation? All I require off them is a number which our HCP after seeing the detainee then calls the call centre back and cross references and closes down the case having reviewed the DP.
nigeats - 15-Jul-18 @ 8:58 AM
How Can I apply working visa for indians
Sai - 29-Jun-18 @ 11:41 PM