- The Data Protection Act 2018 (DPA) is the UK’s third generation of data protection law, aiming to modernise all laws surrounding data protection
- It is to be read in conjunction with the General Data Protection Regulation (GDPR), which came into force in May 2018
- Under provisions highlighted in both the GDPR and DPA, employees must give consent for their personal data to be processed
- Both the DPA and GDPR apply to organisations that process personal data, providing key instructions on the best company policies that should be adopted to protect key individual rights
- The GDPR provides for a significant fine of €20m, or 4% of the company’s annual turnover, for organisations found to be in breach
- Employers should therefore formulate and implement clear company policies on data protection to be followed by management and staff
- The DPA sets out six key principles to which all organisations that process personal data should refer
- The Act also outlines specified conditions which can be referred to in the absence of employee consent
- Employees maintain the right to make a ‘subject access request’ to view all information that is held on them from their employer
- Employers must seek permission from their employees to request personal medical documents from their relevant health practitioners, as outlined in the Access to Medical Reports Act 1988
- When recruiting, employers should be careful not to use information on the candidate from social media unless there is a clear reason to do so and allow the candidate to make representations in relation to the content
- Data can be shared with third-party organisations, such as the police, if it relates to an ongoing crime or possible fraud
The ICO has released guidance for employers on managing workplace testing for Covid-19 whilst also remaining compliant with employment law. As testing information relates to an identified or identifiable individual, employers will need to make sure that they are processing this data in compliance with the GDPR and the Data Protection Act.
More information is available in our in-depth section - 'Data Protection Law and Coronavirus Testing'.