Employers inevitably obtain large amounts of personal data from their employees and job applicants. The Data Protection Act 1998 imposes a wide range of obligations on the employer as to how this information is collected, handled and used, as well as giving the employee rights to access the information and remedies if something goes wrong. By following these simple steps, you can make sure you comply with these obligations.



One aim of the Act is to strike a balance between an employer’s need to recruit effectively by obtaining necessary information and an applicant’s right to have their private and family life protected. All applicants should be informed of why their data is being collected, what the employer intends to do with the information and how long it will be stored for (even if the applicant is unsuccessful).


  • Make sure the job advertisement explains how personal details will be processed.
  • Use the information collected at this stage only for recruitment.
  • Do not collect more data than you need. Application forms should be created with this in mind.
  • If you need to verify criminal conviction information, only do this by getting a disclosure from the Disclosure and Barring Service (DBS). You should only keep a record of whether the check was satisfactory or unsatisfactory.
  • If you store information from unsuccessful applicants for future vacancies, they must be made aware of this.
  • Do not collect information from all applicants that you only need from the person you go on to appoint (e.g. banking details).


Using and Storing Personal Data

The Data Protection Act will generally apply to all information you keep about your employees. It does not aim to prevent you from collecting information and keeping records.


  • You must always make sure employees know how you will use their records.
  • Make sure adequate security measures are in place if using an online application form.
  • Include a Data Protection policy in your Staff Handbook to explain how data will be used.
  • Data must not be stored for any longer than is necessary.


Collecting and maintaining records

There must be a clear and necessary need to collect data about employees. All personal data must be up to date and accurate. Employees should be asked regularly to update their information. Once the information has been collected, the employer is responsible for its security.


  • Let your employees check their records periodically to make sure that you are only keeping up to date information.
  • Only keep information where there is a legitimate business aim or there is a legal obligation.
  • Keep workers’ records secure. This could be by storing them in a password-protected file on a computer and making sure that only people with authorisation and training can access it.
  • Be very careful when disclosing information in a worker’s employment record. Remember that a person asking for the information may not be who they claim to be.


Health Information

Information about an employee’s medical history constitutes sensitive personal data. This means you must be able to satisfy sensitive data conditions. You must always bear in mind that gathering information about a worker’s health can be intrusive. Workers have the legitimate expectation that you will respect their private and family life.


  • Consider the least intrusive ways to collect the information you need. For example, use a questionnaire rather than medical testing.
  • Only collect medical information where it is relevant to the job and the worker’s ability to do that job.
  • Keep medical information particularly safe. Limit the number of people who can access the information.
  • It is good practice to keep any hard copy medical documents in a sealed envelope.
  • Sickness and injury records should be kept separate from other employee records.


Payroll and employee records

Payroll information will also constitute sensitive information. Employees must be made aware of the nature of any information stored and who it will be disclosed to.


  • Include a Data Protection policy in your Staff Handbook to address how these records are stored and maintained. This policy must be communicated to all members of staff.
  • Records should be accurate and up to date.


Monitoring Staff

The Data Protection Act applies if you are monitoring your workers. This could be through monitoring their internet use, emails and calls or videoing workers to detect a crime. The Act does not prohibit monitoring but it sets out principles for its use.


  • You must make employees aware of any monitoring and the reason for it.
  • Make reference to staff monitoring in your Data Protection Policy.
  • Consider whether monitoring is the most effective way to gather the information required.
  • Be particularly careful when monitoring private calls and emails.
  • Keep the information very secure and do not keep it for longer than necessary.
  • Covert monitoring will only be justified where it has been approved at the highest level in the business and informing workers would make it difficult to prevent wrongdoing.


Subject Access Requests (‘SARs’)

An employee may make a SAR to access personal information held about them. They can make this in writing, accompanied by an administration fee of £10. This allows workers to investigate whether or not their personal information is being processed in accordance with the DPA.


  • You should have an established system to deal with any SARs to ensure that your response is prompt.
  • You should have a checklist of all the places where personal information is kept (digital or hard copies).
  • You have 40 days to comply with a SAR.


Data Security

Once in possession of personal information, the employer is responsible for its security. You need to establish comprehensive measures to safeguard against unauthorised access, accidental damage or loss of the information.


  • Have a Data Protection policy which makes clear to employees how personal data should be dealt with.
  • Make sure that anyone who has access to personal data receives adequate data protection training, so that they understand the obligations.

Employers need to be aware that workers can bring claims where there has been a breach of the DPA. By following the above steps, you can minimise the risk to your business.

If you require any advice on any aspect of data protection, please contact me on 0845 287 0939 or complete our online enquiry form.