Employee data
The Data Protection Act does not always define employee information as personal data, so it is worth checking how your employee details would be classified in order to determine whether they would fall under the Act's remit. In deciding if it is classed as data, and therefore personal data, you should take into account how the data is held (e.g. in a manual, a paper-based system or electronically).
Having done this, and assuming your employee data is personal data, the following should be considered:
- the purposes for which it is being held, and therefore processed;
- how long it is kept for (is it being kept only for as long as necessary, or are you keeping some data even when no longer required without adequate grounds to do so?);
- whether it is accurate and up to date.
If your employee data is stored in such a way that it would be defined as personal data under the Act, it is important that anyone dealing with this information has adequate training to do so, and that they process it in a responsible and lawful manner. Do you have a policy in place that covers this kind of data processing? It may be a sensible idea to implement a separate policy for the handling of employee data, and another for anyone else whose data you may hold on your systems, e.g. customers, clients, sub-contractors and agency staff.
In some cases, you may hold employee details that could be classified as sensitive personal data under the Act, in which case there are further conditions which must be satisfied before this information can be processed.
