interests; for example, it could decide that employee monitoring is disproportionately
intrusive. Where it reaches such a conclusion, the employer should either stop processing
the relevant category of data, or process the data in a way that reduces the impact on
employees.
If the processing is not necessary for the performance of a contract or compliance with a
legal obligation and the employer is unable to identify a legitimate interest that provides a
basis for processing the data, it should stop processing it, except in the limited
circumstances in which it may be appropriate to seek the employee's consent.
Recording different grounds for processing
The employer may process the same data for more than one purpose. For example,
information about family-related leave is processed to ensure that employees receive their
legal entitlements. However, it may also be processed for diversity monitoring reasons, to
allow the employer to assess its record on retaining and promoting employees who have
taken a period of leave. Processing the data for that reason will be in the employer's
legitimate interests and the impact on employees is likely to be low.
Another example of where there is more than one basis for processing is the processing of
data relating to disciplinary, grievance or performance issues. This will be necessary to
enable the employer to comply with its employment law obligations, but is also necessary to
enable it to meet its legitimate interests in maintaining appropriate standards of behaviour
and performance within the organisation. Those needs will generally outweigh the rights and
freedoms of employees.
If there is more than one basis for processing data, the employer should identify and record
all of the relevant legal bases, to ensure that relevant data subject rights are observed. As
noted above, an individual has greater rights in relation to data processed for legitimate
interests than in relation to data processed for other reasons. Therefore, it is important for
employers to record all the reasons why they process a particular type of data at the outset.
Where an employer is processing special categories of personal data or criminal records
data, it needs to carry out a similar exercise to identify the legal basis for processing and
ensure that one of the relevant conditions for processing applies. This is likely to be
particularly relevant to health data, which the employer may need to process to establish an
employee's fitness to work and to comply with its obligations to employees with disabilities;
to special categories of data processed for equal opportunities monitoring; and to
information about an employee's criminal record processed as part of a recruitment process.