UK Law and Practice Contributed by: Phil Linnard, Philippa O’Malley, David Rintoul and Clare Fletcher, Slaughter and May
• the employer’s “legitimate interests” – eg, process - ing information about an employee’s performance. Consent is included as a lawful basis under Article 6 of the GDPR. However, ICO guidance warns employers against using employee consent as a ground for pro - cessing employee data, given the inherent imbalance of power in an employment context. Additional considerations apply to the processing of “special categories of personal data”, which include: • racial or ethnic origin; • political opinions; • religious or philosophical beliefs; To process special category data about its employees, an employer must first identify a lawful basis under Article 6 of the GDPR, and then an additional special category ground under Article 9 of the GDPR. The special category ground most likely to be relied on by an employer is that the processing is necessary for the performance of rights and obligations in connection with employment. To rely on this ground, the employer must be able to identify their legal obligation or right under employment law, and any processing must be limited to what is a reasonable and proportionate way of meeting that obligation. ICO guidance issued in February 2025 further outlines how employers should deal with special category data in the context of col - lecting and keeping employment records. The Data (Use and Access) Act 2025 (DUAA) also makes significant changes to data protection law that employers should be aware of: • trade union membership; • genetic and biometric data; • health; and • sex life or sexual orientation. • an uplift in the maximum fines for marketing/cookie and other tracking technology infringements to the GDPR levels and increased enforcement tools for the ICO; • a relaxation of the rules on the use of cookies, which would allow employers to set some types of cookies without having to get consent;
• a relaxation of the rules around automated deci - sion-making, enabling greater use of legitimate interests where decisions do not involve special category data; and • a clarification of the GDPR rules around scientific research to bolster confidence in the application of these provisions, with potential relevance for AI training. Data Subject Access Requests (DSARs) Under Article 15 of the UK GDPR, current and former employees can make a DSAR to obtain all their per - sonal data held by their employer. The employer must respond within one month, with the possibility of a two-month extension. Certain information is exempt from a DSAR, including: • information about other people, which typically should be redacted; • confidential references provided or received for employment purposes; and • management information if disclosure is likely to prejudice the conduct of the business. Moreover, under the DUAA, an employer will only have to make “reasonable and proportionate” searches when an employee makes a DSAR. Employee Monitoring Employers may wish to monitor their employees for a variety of reasons: to review their performance, to protect their health and safety or as part of information security measures. Such monitoring may cover use of telephone systems, email content and traffic, device activity or CCTV and video surveillance. Employers should carry out a Data Protection Impact Assessment (DPIA) and notify employees of the scope and purposes of any proposed monitoring. Monitoring should be restricted to the smallest num - bers of people possible and to the least intrusive methods of processing. Generally, information gath - ered should be used only for the purpose for which the monitoring has taken place. Employers should also be mindful of their use of bio - metric attendance monitoring. According to updated
695 CHAMBERS.COM
Powered by FlippingBook