Your personal data is any information from which you can be identified, either on its own or taken together with other information your employer holds about you, and which affects your privacy, either in your personal or family life or in your working life. Occasional references to you in a set of minutes from a team meeting, for example, are unlikely to count as personal information under the Data Protection Act. Anonymised information about the workforce, where it is impossible to identify any individual workers, will not count as personal information.
All computerised personal data is covered, including work emails about you. So is personal information on paper or microfiche, so long as it is held in a structure filing system, so that this personal information about you can be easily located.
The General Data Protection Regulation (GDPR) has expanded the definition of personal data to reflect changes in technology and the way organisations collect and hold information about people to include a wide range of personal identifiers, including identification numbers, location data or online identifiers, as long as you can be identified.
Examples of personal information in a work context include:
- details of your date of birth, salary, national insurance number, address and bank account;
- your payroll deduction information;
- information about your trade union subs;
- an email about an incident involving you;
- minutes of a disciplinary or grievance meeting involving you;
- your disciplinary record;
- your staff appraisal;
- redundancy selection material about you, including your scores and written comments about you on a redundancy selection matrix;
- a supervisor's notebook containing sections about you;
- your image on a CCTV or bodycam recording;
- your voice on a digital recording device;
- your employer’s opinion of your performance, expressed in a reference and sent to another organisation; and
- a set of completed application forms.
The law does not allow workers to access data about management planning that could prejudice the future conduct of the business, for example documents recording future plans about redundancy or reorganisation.
There is extra protection under the law for ‘sensitive data’ (which the General Data Protection Regulation calls ‘special categories of personal data’). Special categories of personal data is information concerning an individual's:
- racial or ethnic origin;
- political opinions;
- religious beliefs or other beliefs of a similar nature;
- trade union membership;
- genetic data;
- biometric data where processed to uniquely identify and individual;
- physical or mental health or condition;
- sexuality or sexual life; and
- commission or alleged commission of any offence, or proceedings for any offence committed or alleged to have been committed.
Personal data relating to criminal convictions and offences is not included in the definition of special categories of data, but nevertheless the law provides the same kinds of safeguards.
Your employer can hold and use special category data about you in limited circumstances only. For example:
- where your employer is required by law to hold and use the information (e.g. for health and safety reasons);
- to make sure they are not discriminating on grounds of race, religion, sex or sexuality;
- to keep records of Statutory Sick Pay, etc.; or
- you have given your employer explicit permission to do so – preferably in writing – for a specified and lawful process, knowing fully what is involved, and no pressure has been put on you to give that permission.
The GDPR has tightened up the rules as far as relying on consent is concerned, for all types of personal information, not just sensitive data. In particular, employers who rely on consent must be able to demonstrate that you have positively ‘opted in’. This means that consent based on, for example, pre-ticked boxes, is not allowed. The consent you give must be absolutely clear and in writing, and your employer must not ask for your consent as part of another document, such as a contract of employment, or in a situation of unequal power, for example when you are accepting a job offer. The consent document should clearly explain the uses for which you are giving your consent. You must be allowed to withdraw your consent and should be told how to do this.