What counts as personal information for the purposes of monitoring at work?

Your personal data is any information from which you can be identified, either on its own or taken together with other information your employer holds about you, and which affects your privacy, either in your personal or family life or in your working life. Occasional references to you in a set of minutes from a team meeting, for example, are unlikely to count as personal information under the Data Protection Act. Anonymised information about the workforce, where it is impossible to identify any individual workers, will not count as personal information.

All computerised personal data is covered by the Data Protection Act. It also covers personal information on paper or microfiche, so long as this is held in a 'relevant filing system'. A ‘relevant filing system’ essentially means a structured filing system, so that the information about you can be easily located.

An email folder can be a relevant filing system.

Examples of personal information include:

  • details of your date of birth, salary, national insurance number, address and bank account;
  • your payroll deduction information;
  • an email about an incident involving you;
  • minutes of a disciplinary or grievance meeting involving you;
  • your disciplinary record;
  • your staff appraisal;
  • redundancy selection material about you, including your scores and written comments about you on a redundancy selection matrix;
  • a supervisor's notebook containing sections about you;
  • your image on a CCTV recording;
  • your employer’s opinion of your performance, expressed in a reference and sent to another organisation; and
  • a set of completed application forms.

The Data Protection Act does not allow workers to access data about management planning that could prejudice the future conduct of the business, for example documents recording future plans about redundancy or reorganisation.

There are additional rules in the Data Protection Act governing 'sensitive data', which is information concerning an individual's:

  • racial or ethnic origin;
  • political opinions;
  • religious beliefs or other beliefs of a similar nature;
  • trade union membership;
  • physical or mental health or condition;
  • sexuality or sexual life; and
  • commission or alleged commission of any offence, or proceedings for any offence committed or alleged to have been committed.

Your employer can hold and use sensitive information about you in limited circumstances only. For example:

  • where your employer is required by law to hold and use the information (e.g. for health and safety reasons; to make sure they are not discriminating on grounds of race, religion, sex or sexuality; to keep records of Statutory Sick Pay, etc.); or
  • you have given your employer explicit permission to do so – preferably in writing – knowing fully what is involved, and no pressure has been put on you to give that permission. You must also be able to withdraw your permission at any time.

It is a criminal offence to require a job applicant or existing worker to produce a copy of their criminal record using a data subject access request.

Note: This content is provided as general background information and should not be taken as legal advice or financial advice for your particular situation. Make sure to get individual advice on your case from your union, a source on our free help page or an independent financial advisor before taking any action.