
The Data Use and Access Act 2025 (DUAA) has passed – What does it mean for employers?

This new Act of Parliament updates existing data protection laws and paves the way for things like artificial intelligence. It is supposed to make things easier for organisations but still protect people and their rights.

The changes will be phased between June 2025 and June 2026 so there is nothing to do immediately.

I think it will change two things for employers:

The first is that it makes clear that when dealing with a Subject Access Request, you only have to make “reasonable and proportionate searches” when someone asks for access to their personal information.

The current guidance says “You should perform a reasonable search for the requested information”.

I hear you all saying ‘but what does a reasonable and proportionate search look like?’ Ultimately we don’t know until a court tells us, but the Information Commissioner’s Office will be updating their guidance in due course, which will give us clues.

A reasonable search is likely to include using IT search tools to retrieve data. It probably isn’t reasonable to expect you to search archived data which would take you time and money to restore, e.g. from tapes.

Is this likely to change much in real life? Probably not – we try our best to retrieve as much as we can when searching and if doing it properly are probably acting reasonably and proportionately already. If the request is ‘manifestly excessive’ we already have an existing pathway to charge a fee.

The second implication is that if you don’t already, you will need a data protection complaints process.

The DUAA requires you to take steps to help people who want to make complaints about how you use their personal data, such as providing an electronic complaints form. You also have to acknowledge complaints within 30 days and respond to them ‘without undue delay’. At the moment, we tend to bury information about how to complain in the small print of privacy notices and at the back of policies. We probably need to put this a bit more front and centre going forward.

Anna Denton-Jones
Refreshing Law


Updating your GDPR Privacy Notice

It’s hard to believe that it’s 7 years since the GDPR came into force on 1st May 2018. I’d hazard a guess that many of us haven’t given our privacy notices any thought since then and have just been wheeling them out.

Given that the world is moving at pace, you may need to update your recruitment candidate privacy notice to inform the candidate about any automated shortlisting software that you are using, or indeed that your recruitment agents are using on your behalf. The privacy notice would need to describe the software that you are using and what it does, and highlight to the candidate their right to have a human review the output.

You will recall that your privacy notice lists out the ways in which personal data of an employee might be used. There is also likely to be a section where you describe what third parties might have access to data and the purposes for which they do so. This probably covers things like accountants but you may not have covered off litigation. Clearly if somebody is suing the organisation then an individual’s personal data may be used, for example, in the disclosure documents for that case. This need not necessarily be the data subject themselves bringing the legal action because they could be being used as a comparator, for example, in an equal pay claim, or when showing consistency of treatment, for example in a disciplinary scenario.

Another legal use might be where a TUPE transfer is occurring or the organisation is, for example, undergoing a round of investment or a sale or merger process. Personal data might well be shared at some point with investors, potential buyers etc. At the initial stages of such processes, employee spreadsheets, for example, are normally anonymised, so there is nothing to worry about, but further down the due diligence process, questions might be asked which would reveal personal data when answered.

Anna Denton-Jones
Refreshing Law


Loss of an employee’s records — A data breach claim

An employee who worked for Tesco settled her data breach claim for £3,000. She had requested copies of the information that Tesco held on her, using the subject access request mechanism that you are probably familiar with. She had, during a period of over 15 years working for her employer, given them a significant amount of ‘sensitive personal data’ in the old data protection jargon, now called ‘special category data’. This included details about counselling she had received in relation to her mental health, details of post-natal depression and the management of those health conditions. Most employers will have this sort of ‘special category data’ even if they don’t collect other data like criminal records.

It appears that Tesco could not lay their hands on this information, presumably in a physical format and there was a delay because the file had been lost at some point in the past, perhaps when there was a move of offices.

Tesco had written to her explaining that they had looked for her employment records but couldn’t find them. This then triggered her putting in her data breach claim, which would be to a Court and not an Employment Tribunal.

Tesco settled the case for £3,000 and it has been reported in the local press. The publicity surrounding these events is bound to give other employees ideas. It shows that the loss of data can be just as problematic as retaining historic data that you don’t really need and can’t justify retaining.

Anna Denton-Jones
Refreshing Law