Employment · 4 min read

Data Protection at Work UK: Your Rights Under UK GDPR

Your employer processes your personal data — but you have rights. This guide explains what data your employer can hold, how to access it, and when processing is unlawful.

fairead Team · 16 June 2026

Your employer holds significant amounts of personal data about you — your salary, bank details, health records, disciplinary history, performance appraisals, and more. Under UK GDPR and the Data Protection Act 2018, you have rights over this data, and your employer has strict obligations in how they handle it.


The Legal Framework

Personal data in the employment context is governed by:

  • UK GDPR (the retained version of EU GDPR, now domestic UK law)
  • Data Protection Act 2018 (DPA 2018) — implements UK GDPR and provides additional rules for employment data
  • ICO (Information Commissioner's Office) — the UK's data protection regulator

What Data Can Your Employer Process?

Employers routinely process personal data for legitimate purposes, including:

  • Payroll and tax — name, address, bank details, NI number
  • HR management — employment history, performance appraisals, absence records
  • Health and safety — accident reports, health monitoring where justified
  • Pension and benefits — enrolment, contributions
  • Monitoring and security — where proportionate and disclosed

Special Category Data

Some data requires additional justification to process — called special category data under Article 9 UK GDPR:

  • Health and medical data
  • Trade union membership
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Sexual orientation
  • Biometric data used for identification
  • Criminal convictions data (Article 10)

For special category data, employers need a lawful basis plus an additional Article 9 condition. In employment, this is usually:

  • Employment law obligations (Article 9(2)(b)) — e.g. processing health data for sick pay or reasonable adjustments
  • Explicit consent (Article 9(2)(a)) — though relying on employee consent is problematic given the power imbalance

Lawful Bases for Processing

Employers must have a lawful basis under Article 6 UK GDPR for every category of data they process. In employment, the most common bases are:

  • Contract (Article 6(1)(b)) — processing necessary for the employment contract (payroll, performance management)
  • Legal obligation (Article 6(1)(c)) — processing required by law (HMRC reporting, right to work checks)
  • Legitimate interests (Article 6(1)(f)) — processing that is necessary for the employer's legitimate business interests and not overridden by your interests (some monitoring, fraud prevention)

Consent is rarely a valid basis in employment — genuine consent requires free choice, and the power imbalance between employer and employee means consent is often not freely given.


Your Rights as an Employee

1. Right of Access (Subject Access Request)

You can ask your employer for a copy of all personal data they hold about you. Your employer must respond within one month (with possible extension to 3 months for complex requests). The response must be free of charge in most cases.

What you can request: performance reviews, emails mentioning you, HR notes, investigation records, disciplinary files, occupational health reports — any personal data.

Some data is exempt: references given in confidence, data covered by legal professional privilege, and crime prevention data in some cases.

2. Right to Rectification

If your employer holds inaccurate or incomplete data about you, you can request it be corrected.

3. Right to Erasure ("Right to be Forgotten")

In limited circumstances, you can request deletion of your data — e.g. if processing is no longer necessary, or if consent was the lawful basis and you withdraw it.

In employment, this right is limited — employers can usually rely on legal obligations or legitimate interests to retain records even after employment ends.

4. Right to Restrict Processing

You can request that processing of your data is limited while accuracy is contested, or if processing is unlawful but you prefer restriction over erasure.

5. Right to Object

You can object to processing based on legitimate interests — your employer must stop unless they can demonstrate compelling legitimate grounds that override your interests.


Monitoring at Work

Employers can monitor employees — but monitoring must be:

  • Proportionate to the legitimate aim
  • Disclosed to employees (in a monitoring policy)
  • Based on a lawful basis under UK GDPR

Covert monitoring (hidden cameras, secret email surveillance) is only lawful in very limited circumstances (e.g. suspected criminal activity) and must be proportionate.


How to Enforce Your Rights

  1. Submit a Subject Access Request — in writing (email is fine) to your employer's HR or data protection officer
  2. Raise a complaint with the ICO — at ico.org.uk — if your employer fails to respond or responds inadequately
  3. Bring a civil claim in the courts for distress caused by data protection breaches

Key Takeaways

  • Your employer must have a lawful basis for every category of personal data they process
  • Health and trade union data are special categories requiring additional justification
  • Consent is rarely a valid basis in employment — employers cannot rely on it for core HR processing
  • You have a right of access to all your personal data — your employer must respond within one month
  • Monitoring must be disclosed, proportionate, and based on a valid lawful basis
  • Report breaches to the ICO if your employer fails to comply

Got a contract to check?

Upload any UK legal document and get an instant AI breakdown — clause by clause, risk by risk, in plain English.

Instant results · No credit card required · 1 free analysis included