Stephanie Creed: How should employers handle data sourced from benefits scheme technology?

As a society, we are producing and storing ever more data, which is especially prevalent in the employee benefits sphere with the development of programmes, software and applications to manage vast amounts of employee data.


But with great power comes great responsibility. The Data Protection Act 1998 (DPA), which governs data protection in the UK, imposes certain obligations on employers when handling personal data.

What kind of information can be gathered?

Benefits scheme technology encompasses a wide range of applications and software, including online benefits portals, workplace savings platforms, wearable technology, health screening apps and so on. Information gathered may include earnings and other personal financial information (pension, insurance, etc), health information (whether collected from monitoring devices, apps or insurance schemes) and personal information in relation to an employee’s family.

Because of its nature, much of the data sourced from benefits scheme technology is sensitive personal data, meaning that even greater obligations are placed on employers and third parties when collecting, storing and processing.

What should this information be used for?

The information should be used purely for its stated purpose; in other words, if data is stated to be collected purely for the provision of a pension benefit, it should be used for that purpose only; it should not be used in a redundancy process, sold to third parties for marketing purposes or for any other purpose. 

What pitfalls should employers be aware of? 

Employers must ensure that employee data is collected, stored and processed in compliance with the requirements of the DPA, even where the processing, collection and/or storage is outsourced to an external provider. They must ensure that any employees collecting, storing or processing such data also comply with DPA obligations. For sensitive personal data, prior employee consent is usually needed.

Broadly speaking, the DPA requires data to be processed for limited purposes. Data must be relevant, adequate, accurate and lawfully and fairly processed. Such data must be kept secure and for no longer than necessary. There are also restrictions on transferring it outside the EU without adequate protection.

Third-party benefits providers often sell or use employee data for other purposes, commonly marketing, and employers should be aware when outsourcing benefits arrangements.

There may be practical difficulties in ensuring data protection compliance where employees handling employee data are either off site, at home or remote working or working flexibly, and likewise where bring-your-own devices (BYOD) and wearable technology are used.

Cloud computing or storage and file-hosting sites similarly pose difficulties for employers, partly because many of these facilities are not sufficiently secure and partly because the facilities’ servers are often located in the US or overseas, for example, outside the European data network.

What should employers do?

Employers need to make sure that they consider the grounds for the processing of personal data (such as data subject consent); what (sensitive) personal data they are collecting, storing or processing; and who is handling data. They also need to assess the purposes for handling data; where data will be stored, for example hard drives, company network, cloud storage, personal laptops and so on; and the geographical location(s) of data throughout. Also, they need to consider whether data will be transferred, as well as where and how any transfers will take place.

Employers should provide a data protection policy clearly setting out the reason and standards expected of employees when handling personal data, monitoring powers and the obligations on the company and its employees regarding the collection, storage and processing of (sensitive) personal data. They should also provide initial and regular update training on data protection obligations; a structure and process for reporting and managing queries and breaches of data protection obligations; adequate data protection, network and security systems; and adequate monitoring and data tracking systems.

Also key is that employers have adequate structures for making workers such as contractors or agency workers aware of obligations and enforcing sanctions; and adequate structures for home workers and remote and flexible workers, including as regards monitoring, training and supervision.

Stephanie Creed is an associate at law firm Taylor Wessing