On 7 May 2025, we hosted the latest in our series of employment law update webinars, where our speakers Sarah FitzGerald, Dr. Nathalie Moreno and Dorotea Sikorska explored some of the most topical issues currently facing employers and HR professionals. This session focused on three key areas:
- The growing risks associated with age discrimination claims
- Developments in data protection and artificial intelligence (AI) in the employment context
- Recent case law updates and what’s on the horizon
As part of the session, we received a number of excellent employment related data protection law questions from the audience. Below, we’ve summarised some of the most frequently asked:
1. Does DUA Bill have any impact on the Data Protection Act 2018?
Yes — the Data Use and Access Bill (DUAB) does impact the Data Protection Act 2018 (DPA 2018), but it does not replace or override it.
Instead, DUAB proposes targeted amendments to the DPA 2018 and UK GDPR to reflect the UK Government’s post-Brexit data reform agenda. It supplements existing law with changes focused on data re-use, scientific research, and the governance structure of the ICO.
Notably, it recasts the ICO as the “Information Commission” and modifies its structure and duties to include economic growth considerations. DUAB also alters enforcement powers and accountability obligations, especially around data sharing and smart data schemes. However, the DPA 2018 and UK GDPR remain the core legal framework, with DUAB acting as a legislative overlay.
Businesses will need to read the DPA 2018 as amended by DUAB, once enacted.
2. Can you clarify when it may be fair and proportionate to access an employee’s work email (I.e., long term sick etc.)?
Access to an employee’s work email may be fair and proportionate under UK GDPR and the DPA 2018 where it is necessary for legitimate business purposes—such as during long-term sickness, sudden departure, or internal investigations. A lawful basis (typically legitimate interests) must be established, and access must be limited to what is strictly necessary. Access should be governed by a clear IT Acceptable Use Policy and Employee Privacy Notice, both of which should inform staff that monitoring or access may occur in specific situations, and that no expectation of privacy should apply to business systems. Where risks are higher (e.g. misconduct investigations), a DPIA may be appropriate. Access should avoid obviously personal or irrelevant material, be documented, and involve HR/legal oversight. Blanket or unnotified access may be unlawful.
3. Personnel records were always considered to be the property of the employer so therefore could be passed on to the employer’s litigation solicitor. Does the employer now need the employee’s permission?
Under UK GDPR, the employer does not need the employee’s consent to share personnel records with a litigation solicitor. The lawful basis for doing so would typically be legitimate interests, or exercise, or defense of legal claims. However, the employer must ensure that the data shared is necessary, and the process remains transparent and compliant with data protection principles.
