What are the General Data Protection Regulations?
The General Data Protection Regulations (GDPR) came into force in May 2018. They set out rights of individuals (such as employees and students) and the obligations of employers and organisations (such as schools and local authorities) in relation to personal information.
The GDPR sets out six principles that data controllers (such as schools, colleges, universities and local authorities) should follow when using personal information (e.g., collecting, storing, retrieving, disclosing or destroying this information).
The GDPR also provides for individuals' right of access to personal data held about them.
The Information Commissioner's Office (ICO) produces helpful guidance on data protection issues, including a code of practice for the workplace.
Obtaining personal information
GDPR gives you the right (subject to some exceptions) to see most personal information held about you by your employer, businesses and organisations in the public and private sectors.
Making a request
An organisation may refuse your subject access request if your data includes information about another individual. In deciding this, the organisation will have to balance your right to access your data against the other individual’s rights regarding their own information.
The organisation can also refuse your request if it is considered “manifestly unfounded or excessive”.
The organisation will need to tell you and justify its decision.
Getting information about other people and others getting information about me
You can only access other people's personal information if you are acting on their behalf and if they have given their permission to the employer for the information to be disclosed to you. This means that your employer may not discuss your concerns with your spouse, partner, friend or trade union representative until you give permission.
Can information about me be used or disclosed without my consent?
Data must be processed lawfully under the GDPR. The ‘data subject’ can give consent to the processing of their data and that is a lawful basis. Consent must be given by a “clear and affirmative act”. This means that the individual must opt in to consent, rather than opt out. Consent can also be withdrawn at any time.
A data controller can rely on other lawful reasons for processing data.
Except in limited circumstances, such as a police investigation, the general rule is that you should be made aware that personal data about you has been, or is going to be, shared with others, even where your consent to such sharing is not needed.
Do I have a right to see emails about me?
You may be entitled to make a data subject access request for copies of emails held about you. You have to be identifiable from the data and it must relate to you. This means, for example, that an email about your conduct or performance will almost certainly have to be provided.
Can my manager publish my sick record?
Your employer can publish totals of sickness absence as long as individual employees are not identifiable.
How long can my employer keep information about me?
There is no specific period given in the GDPR. It is left to the employer to set retention periods. As far as possible, standard retention times should be set out in a school/local authority/college policy.