Grove HR

What is GDPR in HR?

Definition

The application of the UK General Data Protection Regulation and Data Protection Act 2018 to the processing of employee personal data. HR departments handle sensitive personal data including health records, bank details, and diversity information, all of which must be processed lawfully.

UK Context

The UK GDPR (retained from EU GDPR post-Brexit) and the Data Protection Act 2018 govern data processing. The Information Commissioner's Office provides specific guidance for employers on processing employee data, including employment records, monitoring, and data subject access requests.

Best Practices

  • Maintain a clear privacy notice for employees explaining what data is collected, why, and how long it is retained
  • Conduct Data Protection Impact Assessments before implementing new HR systems or monitoring tools
  • Train all HR staff on data protection principles and ensure data is accessed on a need-to-know basis

Frequently Asked Questions

What lawful basis should HR use for processing employee data?

The most common lawful bases for HR are contract (processing necessary to perform the employment contract), legal obligation (such as payroll and tax), and legitimate interests (such as performance management). Consent is generally not appropriate because of the power imbalance between employer and employee, which means it is unlikely to be freely given.

How long should employee records be kept?

There is no single retention period. HMRC requires payroll records to be kept for 6 years. Other records should be kept only for as long as they are needed for the purpose for which they were collected. A typical retention schedule might keep recruitment records for 6 to 12 months and employment records for 6 years after the employee leaves.