Data and GDPR concerns with your employer

We cover common concerns with employers handling your data - such as reading your emails, data breaches or withholding information from you.

Location: UK
Audience: All doctors
Updated: Wednesday 11 November 2020

Can my employer read my emails without my permission?

This is an area where case law is evolving all the time and there are a number of variables to this.

The basic situation is that an employer can access your emails as long as there is a legitimate business reason to do so and there is no deliberate invasion of your privacy.

Employers should not routinely access email accounts without a defined business reason or access any emails that have been marked ‘private’ or ‘personal’, or even ‘trade union business’.

There is a caveat to this though. If an employer expressly forbids any personal use of their email system (which they are entitled to do) and this has been made known to employees, then they may claim it is legitimate to audit email accounts to ensure compliance with the policy. But it may well be disproportionate to then open the emails in question.

Employers conducting ‘fishing’ exercises in employees’ mailboxes, looking for evidence of wrongdoing without good cause, may find themselves invading the privacy of their employees and potentially breaching their human rights (Article 8 of the Human Rights Act) as well as the GDPR.


What you should do if you think your employer has committed a data breach

Firstly, you should discuss the potential breach with your employer and their information governance team and allow them to investigate.

If it appears to be a serious incident - when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached - then the employer must report the incident to the ICO (Information Commissioner's Office) within 72 hours of becoming aware of the incident.

If the employer does not acknowledge there has been a breach, or does not believe it to be serious, it can be discussed with the BMA’s data protection officer who will give advice on possible next steps including reporting the breach yourself.


How to request information from your employer

Under GDPR you’re entitled to receive all of the personal data that an organisation holds about you within 30 days, subject to a few exemptions.

You would normally put the request in writing and provide some identification. You may be asked to narrow down your request, which you may want to do if you only want a few specific documents, but you are entitled to all information held in any format.

If you think your organisation is withholding information

If an organisation is withholding information from you they need to set out why. The information may contain third party personal data for example, or they may believe it is legally privileged.

Go back to the organisation and let them know what you feel is missing. If they have applied an exemption and you feel that this is incorrect, let them know why and ask for an independent review of the decision. The BMA can help you with this.

If the organisation is still not providing the information you requested, you can go to the ICO and ask them to assess the situation. Again, the BMA can help you with this.