Learn how to handle employee data protection in the workplace. Our practical guide covers UK GDPR compliance, subject access requests, monitoring rules, and your obligations as an employer.
Written by: Rachel Ford-Evans, Employment Law Partner, Darwin Gray | Last updated: 21/04/2026 | Reviewed by: Rachel Ford-Evans
Handling employee data is part and parcel of running a business. From the moment someone applies for a job to long after they’ve left, you’re collecting, storing, and processing their personal information. Pay details, performance reviews, sickness records, emergency contacts, even CCTV footage from the office car park. It all counts as personal data, and it all needs protecting.
Get it wrong, and you’re looking at more than just a slap on the wrist. The Information Commissioner’s Office (ICO) has ramped up enforcement significantly in recent years, with average fines jumping to over £2.8 million in the first half of 2025 alone. Beyond the financial penalties, a data breach can damage employee trust, derail tribunal cases, and harm your reputation with clients and partners.
This guide walks you through what UK employers actually need to know about data protection in the workplace. We’ll cover your legal obligations, practical steps for compliance, how to handle subject access requests, and what the rules say about monitoring your workforce. No jargon where we can avoid it, and straight answers where you need them.
Data protection is about safeguarding personal information and making sure it’s used properly and lawfully. In an employment context, that means handling everything you know about your workers with care, from their name and address to their medical history and performance records.
The rules come from two main pieces of legislation: the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Together, they create a framework that governs how employers can collect, use, store, and share employee data.
You might be surprised how much information accumulates in HR files and across business systems. Common examples include:
Some of this qualifies as “special category data” under the UK GDPR. This includes information about health, race or ethnicity, religious beliefs, trade union membership, and sexual orientation. Special category data needs extra protection and stronger justification for processing.
Beyond avoiding fines, there are solid business reasons to take data protection seriously.
Employee trust sits at the heart of any healthy workplace. People share sensitive information with their employers, from health conditions that affect their work to personal circumstances that might require flexible arrangements. If they don’t trust you to handle that information properly, they’re less likely to be open about issues that could affect their performance or wellbeing.
Data protection failures also create legal exposure beyond ICO enforcement. Employees can bring legal claims if data breaches cause them distress or financial loss. Subject access requests often surface during disputes, and poor record-keeping can undermine your position in employment litigation.
The UK GDPR originated as EU law but was incorporated into domestic legislation after Brexit. It works alongside the Data Protection Act 2018 (DPA 2018), which fills in the details and creates specific rules for employment situations.
Every employer needs to understand and apply these principles when handling employee data:
Lawfulness, fairness, and transparency – You must have a valid legal basis for processing personal data. You need to be open with employees about what data you collect and why.
Purpose limitation – Data should only be collected for specified, explicit, and legitimate purposes. You can’t hoover up information “just in case” it might be useful later.
Data minimisation – Only collect what you actually need. If you don’t need someone’s date of birth to do the job, don’t ask for it.
Accuracy – Personal data must be accurate and kept up to date. This means having processes for employees to correct their information.
Storage limitation – Don’t keep data longer than necessary. Different retention periods apply to different types of information.
Integrity and confidentiality – You must protect personal data against unauthorised access, accidental loss, destruction, or damage.
Accountability – You need to demonstrate compliance, not just claim it. That means documenting your processes and decisions.
You can’t process personal data without a lawful basis. For employment purposes, the most relevant bases are:
Contract – Processing is necessary for the employment contract. Paying wages, managing leave, and administering benefits all fall here.
Legal obligation – You’re required by law to process the data. Examples include PAYE reporting, pension auto-enrolment records, and right-to-work checks.
Legitimate interests – Processing is necessary for your legitimate interests, provided it doesn’t override the employee’s rights. This might cover things like business security or performance management, but you need to conduct a balancing test.
Consent – The employee has given clear consent. But be careful here. Consent is tricky in employment relationships because of the power imbalance. The ICO says consent shouldn’t normally be relied on for processing many types of employee data since workers might feel pressured to agree.
For special category data (health information, trade union membership, etc.), you need an additional condition under Article 9 of the UK GDPR. In employment contexts, this often means the processing is necessary for carrying out your obligations and exercising specific rights in employment.
The Data (Use and Access) Act 2025 made several amendments to the UK data protection framework. Key changes affecting employers include:
The ICO has confirmed it will issue further guidance on these changes throughout 2026.
Link to ICO guidance: https://ico.org.uk/
You must tell employees what personal data you collect and why. A privacy notice should explain:
The notice should be written in plain language that people can actually understand. Give it to new starters at the beginning of their employment and make sure existing employees know where to find it.
Every organisation needs a clear data protection policy that staff understand and follow. This should cover:
Training matters too. Staff who handle personal data need to know their responsibilities. Managers dealing with sensitive information about their teams need particular guidance on confidentiality and appropriate use.
You must appoint a Data Protection Officer (DPO) if you’re a public authority or if your core activities involve large-scale processing of special category data. Many private employers don’t need one, but it’s good practice to designate someone with responsibility for data protection compliance, even informally.
A Data Protection Impact Assessment (DPIA) is a formal process for identifying and minimising data protection risks. You must conduct a DPIA when processing is likely to result in high risk to individuals’ rights.
In employment contexts, this typically means DPIAs for:
The ICO recommends doing DPIAs more broadly as good practice, even when not strictly required.
The UK GDPR requires you to maintain records of your processing activities. These records should include:
For organisations with 250 or more employees, this record-keeping is mandatory. Smaller employers only need records if their processing is likely to result in a risk to rights and freedoms, isn’t occasional, or includes special category data or criminal conviction data. In practice, most employers should keep these records regardless of size.
A data subject access request (DSAR) is a request from an individual to see the personal data an organisation holds about them. Employees, former employees, and job applicants all have this right, and they can exercise it at any time.
DSARs don’t need to follow any particular format. An employee doesn’t need to use specific words like “subject access request” or cite the UK GDPR. If someone asks to see their personal data, that’s a DSAR.
Examples of valid requests:
Train managers and HR staff to recognise these requests so they’re handled promptly.
You must respond to a DSAR within one month of receiving it. If the request is complex or you’ve received multiple requests from the same person, you can extend this by up to two months, but you must tell the requester within the first month and explain why.
If you need to verify someone’s identity or clarify what they’re asking for, the clock pauses until you receive what you need.
A valid response to a DSAR should include:
The data should be provided in an accessible, commonly used format.
You can refuse a DSAR if it’s “manifestly unfounded or excessive.” But this threshold is high. The ICO has made clear that a request isn’t excessive just because it’s inconvenient or involves a lot of data.
You might legitimately refuse if:
Even during ongoing litigation or tribunal proceedings, you can’t refuse simply because you believe the employee is trying to get documents for their case. Each request must be considered on its own merits.
DSAR responses often contain information about other people. You need to balance the requester’s right of access against other individuals’ privacy.
If providing the data would mean disclosing someone else’s personal information, you can only do so if that person consents or it’s reasonable to provide it without consent. Factors to consider include the other person’s reasonable expectations, any confidentiality duties, and whether they’ve expressly refused consent.
Witness statements from disciplinary investigations are common flashpoints. You don’t automatically have to redact every mention of other employees, but you do need to think carefully about what’s appropriate to disclose.
Workplace monitoring has increased significantly with remote and hybrid working. From email tracking to productivity software to CCTV, employers have more tools than ever to keep tabs on their workforce.
Data protection law doesn’t prohibit monitoring. But it does require you to do it lawfully, fairly, and proportionately.
The ICO published comprehensive guidance on workplace monitoring in October 2023, reflecting the growth in remote working and new monitoring technologies. Key points include:
Monitoring must be justified. You need a clear, documented reason for monitoring and a lawful basis under the UK GDPR. “We might need it someday” isn’t good enough.
Proportionality matters. The guidance emphasises using the least intrusive means to achieve your objectives. If you’re worried about productivity, tracking every keystroke is likely disproportionate compared to, say, reviewing output and having regular check-ins.
Employees have higher privacy expectations at home. Remote workers expect more privacy than they would in an office. Monitoring that might be acceptable in a workplace could be unjustified when it extends into people’s homes, where there’s greater risk of capturing family and private life information.
Avoid “function creep.” Don’t expand monitoring beyond its original purpose. If you installed CCTV for security, you shouldn’t start using it to track bathroom breaks.
Involve workers. The ICO recommends consulting with staff or their representatives before implementing monitoring, and including them in reviews.
Before monitoring employees, you should:
Some monitoring inevitably captures sensitive information. Email monitoring might reveal health appointments or trade union communications. Video surveillance could record information about disabilities or religious dress.
If your monitoring is likely to capture special category data, even incidentally, you need a lawful basis under both Article 6 and Article 9 of the UK GDPR. Plan for this from the outset.
Covert monitoring, where employees don’t know they’re being watched, is only justified in exceptional circumstances. The ICO says it should be limited to situations where:
Even then, covert monitoring should be time-limited and targeted. Blanket covert surveillance of all staff is unlikely to be justified under any circumstances.
ICO-commissioned research found that 70% of people would find workplace monitoring intrusive. Only 19% said they’d feel comfortable taking a job where they knew they’d be monitored. These figures should give employers pause. Excessive monitoring can damage trust, affect morale, and ultimately harm productivity, the very thing it’s often meant to improve.
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data. In employment contexts, breaches might include:
You must report a breach to the ICO within 72 hours of becoming aware of it if it’s likely to result in a risk to individuals’ rights and freedoms. Not every breach meets this threshold, but when in doubt, it’s better to report.
If the breach is likely to result in a high risk to affected individuals, you must also notify them without undue delay.
Failing to report when required can result in fines of up to £8.7 million or 2% of global turnover.
Recent enforcement trends show the ICO focusing on systemic failures rather than one-off mistakes. Cases attracting the largest fines in 2025 involved:
The message is clear: having documented processes, evidence of continuous improvement, and clear accountability matters more than claiming you “take security seriously.”
Every employer should have a plan for responding to data breaches. This should cover:
Test the plan periodically. An untested incident response process often fails when it’s needed most.
The storage limitation principle requires you to keep personal data only as long as necessary. But “necessary” varies depending on what data you’re talking about and why you need it.
The ICO advises against a one-size-fits-all approach to retention. Different types of employee data have different justifications for keeping them:
| Data Type | Typical Retention Period | Reasoning |
|---|---|---|
| Recruitment records (unsuccessful candidates) | 6-12 months | Potential discrimination claims |
| Payroll and tax records | 6 years after employment ends | HMRC requirements |
| Health and safety records | 3 years minimum, longer for certain incidents | Limitation periods for claims |
| Pension records | Potentially indefinitely | Ongoing benefit calculations |
| Disciplinary records | Depends on outcome; often 6-12 months for warnings | Workplace management |
| General personnel files | 6 years after employment ends | Employment tribunal claims |
These are general guidelines. You need to assess retention based on your specific circumstances and document your reasoning.
When retention periods expire, data should be securely destroyed. For paper records, that means shredding or confidential waste services. For electronic data, it means properly deleting files and ensuring they’re removed from backups.
Simply deleting an email doesn’t necessarily destroy the data if copies remain on mail servers, in archives, or in backups. Your IT team should understand what “secure deletion” actually requires in your systems, and your retention policy should say how long backup copies persist before they are overwritten.
Consent requires a genuine choice. In employment relationships, where there’s an inherent power imbalance, employees may feel they can’t freely refuse. The ICO recommends using other lawful bases for most employment processing.
Too many privacy notices are either buried in induction paperwork where they’re never read, or written in such dense legal language that they’re incomprehensible. Your notice should be accessible and actually tell people what they need to know.
Employee circumstances change: addresses, emergency contacts, and health conditions all move on over time. Without processes for staff to update their information, and prompts to do so regularly, records become inaccurate.
Keeping everything forever “just in case” creates unnecessary risk. The more data you hold, the more there is to protect and the more serious any breach becomes.
HR systems aren’t the only place personal data lives. Managers keep notes in notebooks, on their desktops, in emails. Staff discuss colleagues on WhatsApp. Controlling this data is difficult but ignoring it creates blind spots.
Some employers become defensive when employees make subject access requests, particularly during disputes. But a DSAR is a legal right. Treating it as an attack rather than a legitimate request increases the risk of getting the response wrong.
Monitoring some staff but not others, or monitoring different teams to different degrees without clear justification, can create discrimination risks alongside data protection issues.
You don’t need consent for most employment-related data processing. You can keep data necessary for the employment contract, legal compliance, or your legitimate interests as an employer. This includes things like name, address, date of birth, National Insurance number, bank details for payroll, emergency contacts, and records related to performance and conduct. The key is having an appropriate lawful basis, not necessarily consent.
You must appoint a DPO if you’re a public authority, or if your core activities involve large-scale processing of special category data or regular and systematic monitoring of individuals. Most private sector employers don’t meet these thresholds. But having someone responsible for data protection, even without the formal DPO title, is good practice.
Most employers retain unsuccessful applications for 6-12 months. This allows time for potential discrimination claims and provides a pool of candidates if similar vacancies arise. Beyond this, there’s rarely justification for keeping the data. Some employers ask unsuccessful candidates if they’d like their details kept on file for longer.
Employees have a right to erasure (the “right to be forgotten”) in certain circumstances, but this isn’t absolute. You can refuse if you need to keep the data for legal claims, legal obligations, or other specified purposes. After employment ends, you’ll likely have legitimate reasons to retain much of the data for the relevant retention periods.
You must still respond to the DSAR. Ongoing litigation doesn’t exempt you from the requirement. Handle the DSAR separately from the litigation process, applying normal exemptions where appropriate (such as legal professional privilege). The mere fact that someone is bringing a claim doesn’t make their DSAR “manifestly unfounded.”
Yes, but you need to be more careful. Employees have higher privacy expectations at home. There’s greater risk of capturing family and private information. You should conduct a DPIA, use the least intrusive monitoring necessary, be transparent about what you’re doing, and ensure monitoring is proportionate to your legitimate aims.
Yes. You must be transparent about CCTV surveillance. Signs should be clearly displayed in monitored areas, and information about CCTV should be included in your privacy notice. If CCTV covers areas where employees work, they should know about it.
For data processing essential to the employment relationship, refusal may not be practical. You can’t pay someone without their bank details, for instance. Where consent is the lawful basis (which should be rare for employment data), employees can withdraw consent. Where processing relies on other bases, the employee’s objection is one factor to consider but doesn’t necessarily prevent processing.
It depends on why and how. Sharing basic professional details (name, job title, contact information) with clients may be necessary for your legitimate interests. Sharing more sensitive information requires careful consideration. In some industries, clients may need specific information for regulatory reasons. Always ensure sharing is proportionate and covered by your privacy notice.
The ICO can fine organisations up to £17.5 million or 4% of global annual turnover, whichever is higher. Lower penalties apply to certain types of breach (up to £8.7 million or 2% of turnover). Beyond fines, the ICO can issue enforcement notices, reprimands, and orders to stop processing. Individuals can also claim compensation through the courts if they suffer damage or distress from data protection failures.
| Term | Definition |
|---|---|
| Data controller | The organisation that determines how and why personal data is processed. In employment contexts, this is usually the employer. |
| Data processor | An organisation that processes personal data on behalf of the controller. Payroll providers and cloud software suppliers are common examples. |
| Data subject | The individual whose personal data is being processed. Employees, workers, and job applicants are data subjects. |
| DPIA | Data Protection Impact Assessment. A process for identifying and minimising data protection risks before processing begins. |
| DSAR | Data Subject Access Request. A request from an individual to see the personal data an organisation holds about them. |
| ICO | Information Commissioner’s Office. The UK’s data protection regulator. |
| Lawful basis | The legal justification for processing personal data. The six bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests. |
| Personal data | Any information relating to an identified or identifiable living person. |
| Processing | Anything done with personal data, including collecting, storing, using, sharing, and deleting it. |
| Special category data | Sensitive personal data requiring extra protection, including health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, and data about sex life or sexual orientation. |
| UK GDPR | The UK General Data Protection Regulation, the primary data protection legislation in the UK. |
Data protection compliance can feel overwhelming, particularly when you’re dealing with a difficult subject access request, planning new monitoring arrangements, or responding to a breach. We’re here to help.
Our employment team works with businesses across Wales and England on all aspects of workplace data protection. You’ll work directly with the solicitor handling your matter, no layers of gatekeepers, and get practical advice you can actually use.
We can help you with:
As Wales’ leading Welsh language commercial law firm, we can provide all of this in Welsh or English, whichever works best for you.
Ready for a conversation? Contact us for a free, no-obligation chat about how we can help.