A significant proportion of staff personal data will inevitably be generated by employee management processes, such as disciplinary, grievance, performance management procedures. Employers will need to consider how to handle the information generated. Certain processes and activities may involve sharing data about other individuals – for example, it isn’t uncommon for statements made by other employees to form part of the evidence in a disciplinary process. Employers will need to consider how best to handle such instances.

The rise of individual rights in relation to data, and in particular the right of access to personal information held by an organisation (referred to as subject access rights in the EU), is an additional factor for employers to consider and should be an incentive for employers to ensure such data is processed compliantly. Whilst usually intended to give greater clarity and protection to individuals, such rights are often increasingly used for other purposes; for example, individuals often request access to personal data as a route to early disclosure when either considering bringing, or having already filed, a court claim or regulatory complaint. Staff and their advisers, as well as trade unions / works councils and other representative bodies, are demonstrating increasing awareness of these rights and willingness to employ them tactically. Employers will need to think carefully as to how best to meet their obligations and minimising the risk to their business, as well as considering the wider context and implications of any such requests and their response.

Trade unions, works councils and other representative bodies are entitled to certain personal information relating to staff, and often request additional information. In their roles, representatives of these bodies may also participate in (and accordingly access information relating to) employee management processes, such as disciplinary, grievance and performance management processes as referred to above. In each case, employers will need to consider the scope of the information it proposes to share, and the basis on which it does so.

Employers are often keen to monitor staff, whether to ensure productivity, prevent damage or harm to their commercial activities or for other business-related reasons. Staff monitoring is a high-risk and sensitive matter, and employers will need to carefully consider the purpose / reason and justification for any such monitoring, as well as ensuring such monitoring is carried out in compliance with local laws. Employers would be well advised to consider the employee relations implications as part of their preparations for new monitoring activities as these can often carry significant wider costs.

It is important for employers to provide appropriate training to staff, particularly those handling or with access to significant amounts of personal data. Employers should ensure that refresher training is also provided. Records of attendance at training should be maintained, as this should assist the employer in demonstrating the guidance given to staff (particularly in the event of a data breach).

Diversity and equal opportunities monitoring is increasingly common, and is legally mandated in certain countries. Employers carrying out this kind of monitoring will need to ensure that, as far as possible, such monitoring is carried out on an anonymised basis and that the data generated is not misused (as doing so could create other hazards, such as the risk of discrimination claims).

< Back to Lifecycle page