Employment and data protection FAQs

Understanding how employment and data protection law intersect is essential for any business handling employee information. From recruitment to remote working, your obligations under data protection regulations affect every stage of the employment lifecycle.

Our data protection solicitors regularly advise businesses on practical ways to stay compliant and reduce legal risk – whether that’s helping you draft clear privacy notices, reviewing your recruitment practices, or advising on how to monitor remote staff lawfully. This article answers some of the most frequently asked questions from HR professionals and business owners, including the handling of CVs, employee emails, whistleblowing, and the implications of hybrid working.

How does data protection apply to employee emails?

Employee email addresses (personal or corporate) constitute personal data. Because you store the email address, you are processing personal data and the data protection rules apply.

To ensure you do not breach your obligations, you should ensure the data is stored safely and is not vulnerable or at risk of being lost or stolen. To uphold the 6 principles of data protection, you should also ensure you only store the email address for as long as necessary and that the email address is up-to-date. It is also important to inform your employees of the reason you need to store their email addresses. 

You should also ensure employees are aware of their duties under data protection law. In particular, employee emails containing personal data about customers must be protected. One way to achieve this is to establish a business policy that encourages the inclusion of minimal personal data in emails. 

How does data protection affect recruitment and interviews?

Recruiting and interviewing potential job candidates will require you to collate and process personal data, including both sensitive and non-sensitive information. It is therefore crucial to take measures to ensure that you do not breach your data protection obligations. 

Discharging your obligations begins when you advertise a job role. The potential job candidate must be aware that you will be processing the personal data they provide. Such clarity is essential if you recruit through an agency, as the potential job candidate will need to know that you will process the information provided to the agency. 

When requesting details about criminal convictions, consider whether you can limit the amount of information you request. For example, you may only seek information about any criminal convictions which relate directly to the job. 

If your application procedure is online, it is also recommended that you use encryption-based software. This means any personal data transmitted by the potential job candidate is protected in transit and not vulnerable to interception or theft.

You should also inform interviewers how to store any information and personal data recorded during the interview. Once a reasonable amount of time has passed, this information should be disposed of properly. 

For more details on how to comply with data protection regulations during recruitment and interviewing, read the ICO's guidance on keeping employment records and its draft guidance on recruitment and selection.

What are the rules on keeping CVs for future roles?

An employer can keep CVs and other details of unsuccessful candidates on file if it complies with its duties under the GDPR. An employer may find it helpful to adhere to a data retention policy, which can define how long they may keep CVs on file for unsuccessful candidates. 

Candidates must be provided with a privacy notice and be fully aware of how long their data will be kept and how their personal data will be used, including explicit mention if CVs are being held for future vacancies. The employer should have a process in place to ensure that this actually happens and that personal details are not kept for longer than necessary for the business purposes for which they were collected. 

There must be a legal basis for holding the personal data, such as that the employer has a legitimate interest. The employer must either inform candidates that they have the right to object to the processing or request written consent from candidates to hold their data. 

What are the data protection considerations for whistleblowing?

Any worker who makes a protected disclosure in the correct manner will be protected from dismissal or any other disadvantage as a result of the disclosure. 

A disclosure must be made to an appropriate recipient and must be in respect of one of the following: 

  • The commission (or likely future commission) of a criminal offence; or
  • A breach (or likely future breach) of a legal obligation, where this has been (or is likely to be) deliberately concealed.

A disclosure will not qualify if a worker commits an offence by making it, or if the information is subject to legal professional privilege. For the whistleblowing provisions to apply, whistleblowers must reasonably believe that the information they are disclosing is accurate and must act in good faith. Disclosures should first be made under the employer's whistleblowing policy, if there is one; as a business, this gives you an extra layer of protection because the matter can be dealt with internally first. If you would like help in drafting a whistleblowing policy for your business, our specialist employment solicitors can assist.

Provided that whistleblowing has been conducted correctly, the information collected will remain confidential and will be disclosed only to the extent necessary to investigate the complaint. Organisations such as the ICO, which may receive reports of wrongdoing, have a duty of confidence and to protect the data of the organisations they regulate and are legally prevented from sharing much of the information they hold about them. Whilst the ICO publishes information about the actions it takes as a result of disclosures made by whistleblowers in a yearly report, this won’t contain information that identifies individual whistleblowers or their employers (including former employers). 

Under the GDPR, where a Data Protection Officer is appointed, the central advisory body on EU data protection regulations has made clear how vested the DPO role is in preventing breaches, not just reporting them. There was concern that the creation of the DPO role would create a data protection whistleblower within each organisation. Communication to the DPO must be confidential for the role to function; so, the idea that the officer might act as a whistleblower is improbable. The DPO is far more likely to want to build trust with employees and prevent a potential data breach from happening than report it afterwards through whistleblowing. The DPO is responsible for conducting data protection impact assessments and data protection-related audits, serving as the primary point of contact for individuals regarding the processing of their data and exercising their rights under the GDPR. This means that their role is not just that of an independent whistleblower. Their position should not be seen negatively; the introduction of the GDPR will promote accountability, enhancing the trustworthiness of data processing within organisations. 

What data protection issues arise with remote working?

There are several additional data protection challenges with remote employees. For example, personal data is likely to be stored on mobile devices, which can easily be mislaid or stolen. An employer cannot prevent this entirely, but can limit the damage by setting strict access rights and by encrypting and/or pseudonymising data, so that anyone who should not be viewing the company's personal data can see as little of it as possible. Since the pandemic, working from home has become the norm, and businesses must ensure they have conducted risk assessments to minimise risk as they transition away from office-based work.

To protect work laptops and devices from misuse, organisations may be tempted to implement software that tracks how employees (or criminals) use the device. There is plenty of software that can log keystrokes or track mouse movements, but this poses problems for GDPR compliance: remote employees may keep irregular hours and use their devices for both personal and work purposes, making it difficult to separate monitoring of an employee's work from monitoring of their private life. We discuss the difficulties in finding a lawful basis to process such data, and the key action points for employers to stay compliant, in our guide to data protection and monitoring staff.

What support is available to help you meet your obligations?

Managing employee data properly isn’t just about ticking boxes – it’s about protecting your people, your business, and your reputation. From setting up compliant recruitment processes to managing whistleblower disclosures or protecting data when staff work remotely, we can help you stay ahead of your legal responsibilities.

If you need clear, commercial guidance tailored to your business, speak to our data protection solicitors who can support you in building compliant policies and responding confidently to any data protection concerns that arise in the workplace.

Your data will only be used by Harper James. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.
