How employers should handle sensitive and personal data / information about an employee.
This information was obtained from the UK government website.
Employers must keep their employees’ personal data safe, secure and up to date.
Employers can keep the following data about their employees without their permission:
name
address
date of birth
sex
education and qualifications
work experience
National Insurance number
tax code
emergency contact details
employment history with the organisation
employment terms and conditions (eg pay, hours of work, holidays, benefits, absence)
any accidents connected with work
any training taken
any disciplinary action
Employers need their employees’ permission to keep certain types of ‘sensitive’ data, including:
race and ethnicity
religion
political membership or opinions
trade union membership
genetics
biometrics, for example if your fingerprints are used for identification
health and medical conditions
sexual history or orientation
Employers must keep sensitive data more securely than other types of data.
Sensitive data is confidential in nature and should not be divulged by the employer to other employees in the workplace unless it is absolutely required as discussed above (e.g. for Human Resources / Equality, Diversity and Inclusion purposes); a standard operating procedure should be in place for this to occur. Permission should be sought from the employee before the information is divulged.
It is also important to ensure that the information is accurate; the best way to obtain the information is from the actual (potential) employee, particularly if it is of a sensitive nature.
What an employer should tell an employee
An employee has a right to be told:
what records are kept and how they’re used
the confidentiality of the records
how these records can help with their training and development at work
If an employee asks to find out what data is kept on them, the employer will have 30 days to provide a copy of the information.
An employer should not keep data any longer than is necessary and they must follow the rules on data protection.