We often hear stories in the news about people’s personal data being leaked or hacked into. This section looks to guide you through some of the fundamental basics around Data Protection that you need to be aware of.
Data refers to any information held about any person, whether an employee, a job candidate, a freelancer or customer. This could include but is not limited to:
The data protection act has eight key principles that must be adhered to.
Every business must have a Data Controller. A data controller is a nominated person in a compnany who applies to the data commissionner fo permission to store and use personal data. The data controller must keep to the eight key principles.
You will need to nominate a Data Controller and register your Data Controller with the Information Commissioners office. More information can be found in Next Steps at the end of this article.
As a small business owner you will be storing and processing information about your customers, suppliers and staff on a regular basis. Under the Data Protection Act you are legally obliged to protect all this information securely. Scroll through the carousel images below to find out more.
When placing a job advert, your company name should be clearly identified. Applicants should be made aware of what information is being collected about them and what it will be used for. All CVs and application forms, as well as notes made about candidates, must be kept securely and you should only keep CVs and application forms for as long as there is a commercial business need to have that information. Consent must be obtained to keep candidate details on file. You must not use their information for anything other than recruitment for the job they have applied for and should not be asking for information you don’t need – i.e. information you would only want once you have offered the role to someone (e.g. bank details).
This may include their employee file, with their original recruitment applications, their contract of employment, next of kin forms, medical records, disciplinary records, appraisals and bank details. Basically it’s all the information you have on your employees. Investigation notes, results of the hearings and possible copies of written warnings related to disciplinaries and grievances should all be kept securely. It is important that the employee file is kept up-to-date and that the information is removed from the file and destroyed once the warning period has expired. All people that need access to the employee records for the purpose of running the business need to understand the principles of data protection.
If you are passing on information to an outsourced payroll provider you need to make sure that information is sent securely and to the correct place. Where you are legally required to provide information, such as to the Inland Revenue, the Data protection Act does not prevent you from doing so. You may provide salary details on a reference, if requested by the future employer. Payroll records are all bound by the rules of secure and confidential storage under the Data Protection Act.
If you record phone calls, use video cameras or monitor emails then you need to ensure that your employees are made aware of how and when and its purpose. Any information gained through monitoring is bound by the 8 principles of Data Protection. This includes only using the data for the purpose intended.
Employee references will be covered by other legislation, such as the Equality Act 2010, but under the Data Protection Act an employee may seek compensation under the this act where they feel a reference has resulted in the withdrawal of a job offer.
When placing a job advert, your company name should be clearly identified. Applicants should be made aware of what information is being collected about them and what it will be used for. All CVs and application forms, as well as notes made about candidates, must be kept securely and you should only keep CVs and application forms for as long as there is a commercial business need to have that information. Consent must be obtained to keep candidate details on file. You must not use their information for anything other than recruitment for the job they have applied for and should not be asking for information you don’t need – i.e. information you would only want once you have offered the role to someone (e.g. bank details).
This may include their employee file, with their original recruitment applications, their contract of employment, next of kin forms, medical records, disciplinary records, appraisals and bank details. Basically it’s all the information you have on your employees. Investigation notes, results of the hearings and possible copies of written warnings related to disciplinaries and grievances should all be kept securely. It is important that the employee file is kept up-to-date and that the information is removed from the file and destroyed once the warning period has expired. All people that need access to the employee records for the purpose of running the business need to understand the principles of data protection.
If you are passing on information to an outsourced payroll provider you need to make sure that information is sent securely and to the correct place. Where you are legally required to provide information, such as to the Inland Revenue, the Data protection Act does not prevent you from doing so. You may provide salary details on a reference, if requested by the future employer. Payroll records are all bound by the rules of secure and confidential storage under the Data Protection Act.
If you record phone calls, use video cameras or monitor emails then you need to ensure that your employees are made aware of how and when and its purpose. Any information gained through monitoring is bound by the 8 principles of Data Protection. This includes only using the data for the purpose intended.
Employee references will be covered by other legislation, such as the Equality Act 2010, but under the Data Protection Act an employee may seek compensation under the this act where they feel a reference has resulted in the withdrawal of a job offer.
To see this piece of interactive content, please visit our main site below.
Copyright © 2025. All rights reserved.