
Data protection and monitoring at work


Overview

The General Data Protection Regulation ('GDPR') came into force in the UK via the Data Protection Act 2018. It controls the way personal information is used by organisations, businesses and the government.

Detailed information on the application of the law is available from the Information Commissioner's Office, which includes information on the health and social care sector.

Data protection principles 

Everyone responsible for using personal data has to follow strict data protection principles. They must make sure the information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date and kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

There is stronger legal protection for more sensitive information, including (but not limited to):

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • biometrics (where used for identification), and
  • health.

Here we address some of the data protection issues our members ask us about most often.

For more information about your obligations around patient confidentiality, see our confidentiality advice guide.

The term 'personal data' includes names and photos of any individuals. 

If you have any concerns about your employer using or displaying your photo, please discuss this with your manager in the first instance. This includes displaying your photo in your workplace, online or in any promotional material.

It is likely that the use of the photo would be ‘fair and lawful’ if your objection is simply that you do not want it displayed.

The use of your photo may be a breach of data protection legislation if you raise a reasonable objection. For example, in a clinical environment staff may raise personal safety and security concerns because they have access to drugs in the course of their employment.

If your employer takes your photo, you should be told why it is being taken. It should not be used for any other reason without your permission.

If you are unable to resolve any concerns informally, please contact us for further advice.

Employers may be able to monitor workers, as long as this is done in a way which is consistent with data protection legislation. Employers must also consider Article 8 of the European Convention on Human Rights (ECHR) which creates a right to respect for your private and family life, including your correspondence.

An example of data which may be collected in certain circumstances is biometric data, including fingerprints.

Your employer may also be able to monitor your use of the internet while you are at work and your workplace emails. They should have a local policy which defines 'acceptable use' and outlines how this will be monitored.

Please also see GOV.UK guidance.

The use of closed circuit television (CCTV) in workplaces has become more common and its use will fall under the General Data Protection Regulation (GDPR). The onus is on the employer to ensure that they are compliant with GDPR and wider regulations. 

In practice, employers should have signage and policies in place that state the purpose for which any recordings are made and who is responsible for their control and processing. This should be near to the point where any recording is made. Typically, signs will say “CCTV is in use for your safety and security” and not reference their use in any workplace hearings. Employers should also have explicit reference to the use of CCTV in their disciplinary policies and any local policies covering CCTV usage. 

If you’ve been told you are going to be involved in an investigation or disciplinary process, please read our investigation advice guide and contact us without delay.

The unsolicited photographing, filming or recording of nursing staff by patients, service users and the public (particularly when such content is uploaded to social media platforms) raises serious concerns regarding privacy, consent, and the psychological safety of staff.

While patients may lawfully record their own consultations for personal use under UK General Data Protection Regulation exemptions, this does not extend to recording staff without their knowledge or consent, especially when such recordings are shared publicly. Uploading these photographs or recordings to social media without consent may constitute a breach of privacy and data protection laws. It could also amount to harassment and/or lead to cyberstalking – both of which are criminal offences.

Employers have a duty under health and safety laws to take all reasonable measures to keep staff safe whilst at work. There are clear risks to staff safety and wellbeing through workplace stress, anxiety and a breakdown in trust when this activity takes place.

The impact of this activity can be serious and the RCN expects employers to protect nursing staff by:

  • implementing clear zero-tolerance policies 
  • displaying signage to support and communicate those policies
  • supporting staff through escalation processes and support services
  • engaging with patients and visitors to encourage open communication
  • exploring legal action and/or involving the police service where necessary.

Read more in the RCN’s position statement on photographing, filming or recording nursing staff by third parties on mobile devices without consent.

Employers should communicate the details of their drug and alcohol policy to staff. If you're unsure, look for the policy on the staff intranet (or similar) or ask your manager.

Regular drug testing is usually only justified where there is a reasonable suspicion of drug use that has an impact on health and safety in the workplace. Any test must provide real evidence of impairment/potential impairment at work that will put the safety of others at risk. Drugs taken outside of work would not normally concern your employer unless there is any sign of impairment at work. In this situation, your employer may be able to take action.

When undertaking testing, your employer must be clear about what they are looking for and why the test is being conducted. They should take particular care to ensure testing is proportionate to risk, i.e. that the extent of testing reflects the risks associated with a specific role, and is backed up by scientific evidence as to the effect of specific substances on workers.

Please check your local policy and, should there be any concerns, contact us for support.

Data protection legislation defines a health record as 'information relating to someone's physical or mental health that has been made by (or on behalf of) a health professional'. It must have been prepared 'in connection with the care of that individual'. Health records which fall within this definition are protected; this includes manual and computerised records.

Find out more from the Professional Records Standards Body.

Under data protection legislation, health records are 'sensitive data'. This is any information concerning the physical or mental health or condition of a job applicant or employee. This includes:

  • pre-employment questionnaires
  • drug and alcohol test results
  • information about disabilities, and
  • any information that has been revealed through an occupational health examination.

Before information about your health is shared your employer must ensure:

  • you have given your explicit consent to share the information
  • sharing is necessary to enable your employer to meet their legal obligations, for example regarding health and safety or to comply with disability legislation
  • it is for medical purposes and is undertaken by a medical or health professional or someone working under an equivalent duty of confidentiality.

Your employer must ask for your consent before accessing your health records or requesting a medical report. You have the right to decline consent; however, it is important that your employer explains the implications of this.

Everyone has the right to view their health records. You should:

  • contact your NHS Trust or GP surgery and request access to your records. Keep a copy of your request along with proof of postage or a copy of your email. 
  • clearly state that you are requesting information under current data protection legislation.

You may be denied access if it is likely to cause serious harm to you or another person’s physical or mental health.

Please see our clinical pages for more information about appropriate disclosure in occupational health nursing.

Keeping records about employees is a necessary part of running an organisation.   

The Information Commissioner’s Office (ICO) has guidance on accessing your employment records.

As an applicant you will normally be entitled to access your interview notes. These will be kept for a reasonable time whether you are successful or not. The collection and storage of this information is covered by current data protection legislation.

For more information on a fair recruitment process, please see our recruitment, interviews and job offers advice guide.


If your own employee data has been compromised or you are the victim of a data breach, please contact your employer’s Data Protection Officer immediately. 

Once the breach has been reported they will talk you through the process and advise you of the next steps. You may also wish to obtain a copy of your employer's Data Protection policy which will outline the rights and responsibilities of both you and your employer.

Our advice on investigations and statement writing may also be useful.

If you want to find out more about claiming for compensation, please see the Information Commissioner’s Office (ICO) guidance. The RCN does not provide support for pursuing a data breach claim.

Page last updated - 27/08/2025