Protecting your employee brand: Protecting employee data 

May 2024 - Shoosmiths LLP

HR teams have a lot on their plate, but a key priority for 2024 is undoubtedly protecting the employee brand proposition. Our 2024 online programme is focused on supporting HR teams to do just this, equipping them with the tools they need to protect the employee brand proposition of the organisations they work for.

Our latest webinar focused on what organisations need to do to protect their employee data. The key takeaway points are set out below:

Complying with data protection principles

  • There are 8 fundamental pillars of the data protection regime that employers need to keep in mind when processing the data of their employees or workers: accountability, fair and lawful processing, purpose limitation, storage limitation, data minimisation, integrity and confidentiality, accuracy, and transparency.
  • To assist employers, the ICO is updating its guidance and has already replaced the Employment Practices Code with guides on "Employment practices and data protection: monitoring employees" and "Information about workers' health". The ICO has also issued guidance on the use of AI and of biometric data.

Monitoring employees

  • There are many reasons why employers may want to monitor workers, but before any monitoring is carried out they should consider their legal obligations and workers' rights.
  • For example, employers should identify and be clear about why they want to carry out the monitoring, what lawful basis they are relying on to do so, and how they will ensure the processing is fair, lawful and transparent. Remember that biometric data used to uniquely identify an individual is special category data, so as well as a lawful basis employers will need to meet one of the separate conditions for processing special category data.
  • Employers should complete a Data Protection Impact Assessment before implementing any monitoring (it is mandatory where the processing is likely to result in a high risk to individuals, which systematic monitoring of workers will often be) to ensure the correct balance is achieved between the needs of the employer and the rights of the workers being monitored.
  • Critically, employers must tell workers what monitoring is to be carried out, and why, before any such monitoring takes place.

Handling employee DSARs effectively

  • Make sure managers are trained to recognise requests (a DSAR need not use the words "subject access request" or be addressed to a particular person) and understand the process and timescales involved once a request is received.
  • Consider the scope of the request and whether further clarification is needed to limit the scope of the searches you will need to carry out to locate the data, e.g. in terms of dates, type of data and sender/recipient. Remember that individuals are only entitled to their own personal data, that is information relating to them from which they can be identified, directly or indirectly.
  • Remember to include in your search instant messages on work devices and documents held on servers, and search against all iterations of the individual's name, including initials and nicknames.
  • Track deadlines and ensure that internal processes are completed within the specified time limits. Requests must be responded to without undue delay and in any event within 1 month. It is possible to extend this deadline by a further 2 months for complex or numerous requests, but you must tell the requester about the extension, and the reasons for it, within the initial month.
  • Consider how to deal with third-party data. It may be reasonable in all the circumstances to disclose this data without consent, or the third party may consent to the disclosure. If neither applies, any third-party data would need to be redacted before the response is provided.
  • Check whether any of the exemptions apply which would allow particular information to be withheld (an exemption does not remove the obligation to respond to the request), and, if so, keep a written record of the reasons for relying on it. Typically, employers are likely to seek to rely on the exemptions for: legal advice and proceedings, management information, confidential references and negotiations with the requester.
  • Provide the requested information in a concise, transparent, intelligible and easily accessible form. Remember to include not just the data itself but the accompanying information, including the purposes for which it is processed, the recipients of the data and for how long it is intended to be kept.
  • Generally, try to reduce the data you hold so there is less to disclose. Effective data cleansing and retention protocols are critical to this.
  • Have a clear DSAR policy in place and a standard request form which employees are encouraged (but cannot be required) to use.
  • Remember that a failure to respond to a DSAR properly and in time is a breach of the UK GDPR (distinct from a personal data breach) and can lead to complaints to the ICO and enforcement action.

Controlling the use of social media

  • Have a clear social media policy and make sure that it links in with other relevant policies such as your data protection policy, IT policy and disciplinary policy.
  • Consider what is and is not acceptable within the workplace in terms of the use of social media. For example, will all personal use be prohibited during working hours?
  • If employees are required to use social media for business purposes and can use their own devices for this, ensure you have the right to access any messages or to inspect any device from which messages are sent. Set that right out in a policy the employee has agreed to, and remember that accessing a personal device is itself monitoring, so the same lawful basis, impact assessment and transparency requirements apply.
