Our consultation on this draft guidance is now closed. The final version will be published in due course.
In detail
- What kinds of records might we keep about our workers?
- How can we lawfully process workers’ personal information?
- Can we rely on a worker’s consent?
- What lawful bases might apply when processing employment records?
- What conditions for processing special category information might apply?
- How much personal information can we hold?
- How do we keep workers’ personal information accurate and up to date?
- How long can we keep workers’ personal information?
- What do we need to tell workers when processing their personal information?
- Do workers have a right to access their employment records?
- Do workers have a right to have their employment records erased?
- Who is responsible for data protection and employment records in our organisation?
What kinds of records might we keep about our workers?
As an employer, there are many different kinds of records you may need to keep about your workers. For example:
- personnel files;
- sickness and injury records;
- disciplinary and grievance records;
- training records;
- appraisal or performance review records;
- payroll information;
- pension information;
- interview notes;
- emails;
- references; and
- equality and diversity information (eg information about ethnicity, religion, disability and sexual orientation).
The UK GDPR and the DPA 2018 (referred to here as data protection law) applies whenever you are processing your workers’ personal information. Data protection law sets out principles for collecting and using personal information. These do not stop you from keeping the records you need about your workers. But you must make sure that you use their information in line with the data protection principles. In particular, you must make sure that your use is:
- fair – you only use people’s personal information in ways they could reasonably expect, and not in ways that have unjustified adverse effects on them;
- lawful – you have a lawful basis to use the information, and you don’t do anything generally unlawful with it; and
- transparent – you are open, honest, and inform people about what you are doing with their information.
Before you collect and use any personal information about your workers, you must be clear about why you are doing so. You must also be satisfied that you have justified reasons for collecting it.
You must record your purposes and specify them in your privacy information.
You can only use the information collected for employment records for a new purpose if:
- this is compatible with your original purpose;
- you get specific consent from the worker; or
- you have a clear obligation or function set out in law.
Remember to consider your obligations under:
- employment law;
- health and safety law;
- any other legislation;
- any common law duties; and
- any relevant industry standards.
Further reading
Read our guidance on:
How can we lawfully keep records of workers’ personal information?
To lawfully keep records of your workers’ personal information, you must first identify a lawful basis. There are six lawful bases for processing set out in Article 6 of the UK GDPR. Remember that:
- You must apply at least one of these whenever you are keeping records of your workers’ personal information.
- You should not see any one basis as always better, safer or more important than the others. There is no hierarchy in the order of the list in the UK GDPR.
- How you decide which lawful basis for keeping records applies depends on your specific purposes, and your relationship with the worker.
- You must think about why you want to keep records of the information and consider which lawful basis best fits the circumstances.
- You might consider that more than one basis applies, in which case you must identify and document all of them from the start.
You can use our interactive guidance tool to help you decide which lawful basis might apply.
You may need different lawful bases for different categories of information, or for information used for different purposes.
You may also need to keep records of special category information about your workers. This is information that is considered especially sensitive, and so is given a greater level of protection. The special categories are information about peoples’:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic information;
- biometric information (where used for identification purposes);
- health;
- sex life; and
- sexual orientation.
There are rules that cover using special category information and you cannot keep records of this type of information unless you meet some additional requirements. This means that in addition to a lawful basis, you must also identify a special category condition (under Article 9 of the UK GDPR). You may also need to satisfy a condition in Schedule 1 of the DPA 2018.
Lawfulness also means that you don’t do anything with the personal information which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If keeping records would involve you committing a criminal offence, it will obviously be unlawful. However, keeping records may also be unlawful if, for example, it results in:
- a breach of a duty of confidence;
- your organisation exceeding its legal powers or exercising those powers improperly;
- an infringement of copyright;
- a breach of an enforceable contractual agreement;
- a breach of industry-specific legislation or regulations; or
- a breach of the Human Rights Act 1998.
You may need to take your own legal advice on other relevant legal requirements.
Further reading
Read our guidance on:
Can we rely on a worker’s consent?
You may be considering relying on a worker’s consent to process the information in their employment records. Consent is one of the lawful bases for processing personal information. Explicit consent is one of the conditions that can be used to process special category information. However, consent provides certain challenges in an employment context.
The UK GDPR sets a high standard for consent, and people must have a genuine choice over how you use their information. Consent must be:
- freely given;
- specific;
- informed;
- unambiguous; and
- expressed by a clear affirmative action (ie using an opt-in).
It must be as easy for someone to withdraw their consent as it is to give it.
It may be difficult for you to rely on consent to keep records of personal information about your workers. This is because, as an employer, you will generally be in a position of power over your workers. They may fear adverse consequences and might feel they have no choice but to agree to you collecting and using their information. In such circumstances, consent is not considered freely given.
Explicit consent is not defined in the UK GDPR, but it is not likely to be very different from the usual high standard of consent. The key difference is that explicit consent must be expressly confirmed in a clear statement (whether oral or written), and not by inference from someone’s actions.
You should avoid relying on consent unless you are confident you can demonstrate it is freely given. This means that you must give a worker the option to say ‘no’ without fear of a penalty being imposed and allow them to withdraw their consent at any time.
You must not rely on consent as a lawful basis if:
- the worker has no genuine choice over how you use their information; or
- you would still keep records of the information on a different lawful basis if the worker refused or withdrew consent.
If you think it will be difficult for you to show that consent has been freely given, you should consider relying on a different lawful basis, such as legitimate interests. See ‘What lawful bases might apply when keeping employment records?’ for more information.
However, this does not mean that, as an employer, you can never use consent as a lawful basis. Even where you are in a position of power, there may be situations where you could still show that consent is freely given.
There are also other considerations you must take into account if you want to rely on consent, such as recording and managing consent. Please see our separate guidance on consent for more information.
What lawful bases might apply to employment records?
We’ve listed below the lawful bases which are most likely to be relevant in an employment records context, but other lawful bases may be available.
Remember, it is your responsibility to decide what lawful basis is most appropriate. If you can meet the criteria for a specific lawful basis, then you are likely to be able to rely on it.
Contract
This lawful basis applies where you need to keep employment records for a contract you have with the worker, or because they have asked you to take specific steps before entering into a contract. This is most likely to apply when you need to collect and use information about your workers under an employment contract.
You must only use the contract lawful basis once an employment offer of employment has been accepted, even if a contract has not yet been entered into. Acceptance of a conditional offer of employment shows an intention on both sides to enter into the contract. Until that stage, legitimate interest could be a more appropriate lawful basis.
This lawful basis only applies for contractual employment purposes rather than legal obligations under employment law.
Example
An organisation keeps records of their workers’ names, addresses and salary information to meet their contractual obligation to pay them for their work.
Legal obligation
You may be able to rely on this lawful basis where you need to use personal information kept in employment records to comply with a common law or statutory obligation (although this does not include contractual obligations).
Example
Employers have an obligation to share workers’ names, addresses and salary details with HMRC for tax purposes.
Legitimate interests
This lawful basis may apply if keeping records of workers’ personal information is necessary for your legitimate interests or the legitimate interests of a third party. This won’t apply if there is a good reason to protect the worker’s personal information which outweighs those legitimate interests. As part of this, you should carry out a legitimate interests assessment to determine if this is the case. For more information see our separate guidance which covers How can we apply legitimate interests in practice?
Example
An organisation requests references containing personal information about a job applicant from a previous employer. The organisation can rely on legitimate interests to collect and hold the information in this reference.
Vital interests
In exceptional circumstances, you may be able to rely on the vital interests lawful basis to protect someone’s life. This lawful basis is very limited in its scope and generally only applies to matters of life and death. For example, if there is a medical emergency and a worker’s life is at immediate risk. It is important to note that you cannot rely on vital interests for health or other special category information if the person is capable of giving consent, even if they refuse their consent.
Further reading
Read our guidance on:
What conditions for keeping records of special category information might apply?
As explained above, if you are keeping records of special category information about your workers, in addition to identifying a lawful basis, you must also identify a special category condition.
There are 10 conditions for special category information. For five of these conditions, you must meet additional conditions and safeguards set out in Schedule 1 of the DPA 2018.
If you are relying on a Schedule 1 condition, many of these also require you to have an ‘appropriate policy document’ in place. This acts as part of the additional safeguards that are necessary for keeping records. See our separate guidance What is an appropriate policy document for more information. We have also produced an appropriate policy document template you can use.
Remember that you must determine your condition before you begin keeping records and you must document your decision, along with your lawful basis.
We’ve listed below the special category conditions which are most likely to be relevant in an employment records context:
Employment, social security and social protection law
To rely on this condition to keep employment records, you must be keeping records to comply with employment law, or social security and social protection law. You should identify the legal obligation or right, either by referring to the specific legal provision or by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you could refer to a government website or to industry guidance that explains generally applicable employment obligations or rights.
This condition does not cover any employment records you keep to meet purely contractual employment rights or obligations.
You must be able to justify why keeping records of this specific information is necessary, and a reasonable and proportionate way of meeting specific rights or obligations under employment, social security and social protection law. You must not obtain or use more information than you need.
If you are relying on this condition, you should also meet the associated condition set out in Part 1 of Schedule 1 of the DPA 2018. This condition also requires you to have an appropriate policy document in place.
Legal claims or judicial acts
You may be able to rely on this condition if using special category information is necessary to establish, exercise or defend legal claims. For example, if a worker is suing their employer.
You must be able to justify why keeping records of this specific information is ‘necessary’ to establish, exercise or defend the legal claim. You must only use this information if it is relevant and proportionate, and you must not obtain or use more information than you need.
You must only rely on the legal claims element of this condition, as the judicial acts element only applies to courts acting in their judicial capacity.
Substantial public interest
This condition allows you to keep records of special category information, if this is necessary for reasons of substantial public interest, as set out in UK law.
To rely upon this condition, you must meet one of the specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018. You must also have an appropriate policy document in place for almost all of these conditions.
The most likely substantial public interest conditions relevant for processing special category information about your workers are:
- statutory and government purposes;
- equality of opportunity or treatment;
- racial and ethnic diversity at senior levels;
- preventing or detecting unlawful acts;
- regulatory requirements;
- preventing fraud;
- safeguarding of children and of individuals at risk; and
- occupational pensions.
This list isn’t exhaustive and if you intend to rely on any substantial interest conditions, you should look at the details of the specific conditions in the legislation to determine what condition is most appropriate to your purpose.
Vital interests
You may also find that vital interests might apply in some limited circumstances, similar to the vital interests lawful basis, discussed above.
Further reading
Read our guidance on:
How much personal information can we hold in our employment records?
The data minimisation principle says that you must make sure that the personal information you hold is adequate, relevant, and limited to what is necessary for your purposes. This links closely with the storage limitation principle where you must consider how long you need to keep the information and why. For more information see ‘How long can we keep workers’ personal information?’.
This means that you must identify the minimum amount of personal information you need to hold about your workers. You must not hold more information than that.
How much is adequate, relevant and necessary will depend on the context. It may also differ from one person to another. Therefore, to work out whether you are holding the right amount of personal information, you should first be clear about why you need it.
If you only need to hold particular information about certain workers, you must collect it just for those people. The information is likely to be excessive and irrelevant about other workers.
Example
An organisation holds information about employees’ disabilities, so that they can make reasonable adjustments to enable them to carry out their roles. Information about disabilities is information about health, and so is special category information. The organisation ensures that it only holds information about disabilities for workers who need reasonable adjustments, as it would be unnecessary to hold this information about other workers.
You should periodically review your records to check that the personal information you hold about your workers is still relevant and adequate for your purposes, and delete anything you no longer need.
How do we keep workers’ personal information in our records accurate and up-to-date?
The accuracy principle says that you must take all reasonable steps to keep any personal information you hold about your workers accurate and up-to-date.
In practice, this means that you should:
- take reasonable steps to ensure the accuracy of any personal information;
- make sure that is clear where you have obtained personal information from;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to periodically check and update the information.
If you are collecting personal information directly from your workers, it is your responsibility to make sure it is correct. You should take particular care if the information might have serious implications for the worker if it was recorded inaccurately (eg information that is used to calculate a worker’s salary).
The more important it is that the personal information is accurate, the greater the effort you should put into ensuring its accuracy. So if you are using the information to make decisions that might significantly affect the worker concerned or others, you should put more effort into ensuring accuracy. This may mean you have to get independent confirmation that the information is accurate. For example, you may need to check the precise details of the education, qualifications and work experience of job applicants, if it is essential for a particular role.
A record of an opinion is not necessarily inaccurate personal information just because the person disagrees with it, or it is later proved to be wrong. For example, an opinion expressed in a performance review that someone is underperforming is not necessarily inaccurate, just because the worker disagrees with it. Opinions are, by their very nature, subjective and not intended to record matters of fact. However, in order to be accurate, your records should make clear that it is an opinion, and, where appropriate, whose opinion it is.
If someone challenges the accuracy of an opinion, you could add a note recording the challenge and the reasons behind it. If it becomes clear that an opinion was based on inaccurate personal information, you should also record this fact in order to ensure your records are not misleading.
Remember that workers have the right to have inaccurate personal information corrected. This is known as the right to rectification.
How long can we keep records of our workers’ personal information?
The storage limitation principle says that you must not keep personal information for longer than you need it. Making sure that you erase or anonymise personal information when you no longer need it will also reduce the risk that it becomes irrelevant, excessive, inaccurate or out-of-date.
Therefore, you need to consider how long you need to keep workers’ personal information, as well as the information of former workers, and be able to justify doing so. This depends on your purposes for holding the information.
Data protection law does not set specific time limits for how long you can keep personal information of your workers. This is up to you, and will depend on how long you need the information for your particular purposes.
You must consider any legal or regulatory requirements and seek advice on compliance, if necessary. There are various legal requirements and professional guidelines about keeping certain kinds of records, such as information on aspects of taxation, or health and safety. Certain legislation may require you to keep the information for a specified period. If you keep workers’ personal information to comply with a requirement like this, you will not be considered to have kept the information for longer than necessary.
You must make sure that you only retain records that you still need. Once you no longer need the information, you should erase it, or, where possible, anonymise it. For example, after the employment relationship and all your legal obligations to retain the information have ended. This links to the accuracy and data minimisation principles. If you hold on to information for longer than you need it, you are holding on to more information than you need, and it is more likely to become inaccurate over time.
You should set up a retention policy or schedule that lists:
- the types of record or information you hold;
- what you use it for; and
- how long you intend to keep it.
They help you establish and document standard retention periods for different categories of personal information.
You should not take a ‘one-size-fits-all’ approach to retention of workers’ personal information. While you may need to hold on to some types of information about previous workers, you may be able to delete other information as soon as the employment relationship ends.
Different categories of personal information will need different retention periods. This will depend on your purpose for holding the information. You may also have other legal or regulatory obligations to retain some records, such as about income tax, or certain aspects of health and safety. You should know what these other obligations are, and factor them in to your retention schedules.
Where possible, you could set up automated systems to help with this process that flag when information you are holding is due to be reviewed or deleted.
Further reading
Read our guidance on:
How do we keep our records about workers’ personal information secure?
The security principle says that you must have appropriate security measures in place to prevent the personal information you hold about workers being accidentally or deliberately compromised.
You must choose a level of security appropriate to the nature of the information you are protecting and the level of harm that might result from misuse or loss.
You must make sure that the employment records you hold:
- can only be accessed, altered, disclosed or deleted by those who are authorised to do so (and that those people only act within the scope of the authority you give them). For example, ensuring that access to employment records systems is limited to HR staff only, and that the information managers have access to is limited to what they need to meet their obligations;
- are accurate and complete about why you are processing them; and
- remain accessible and usable. This means that you should put in place steps to ensure that you can recover the information if it is accidentally lost, altered or destroyed.
In particular, if you hold special category or criminal offence information about your workers you should think carefully about its security. For example, limiting access to only those who need to see it, such as password protecting it. If a physical record exists, you should keep it in a sealed envelope in the worker’s file or in a lockable cabinet, and make sure that only people who need it have access to it.
Example
An organisation collects information about its workers’ health conditions and disabilities so that they can provide additional support or reasonable adjustments to workers who need it, as well as for equality monitoring purposes. The organisation determines which members of staff need to know this information (certain staff in Human Resources and workers’ line managers) and makes sure that no other staff have access to the records.
When you are reviewing your information management systems that you use for employment records, you must consider data protection by design and by default, so that data protection is built in to your systems. If you are reviewing your existing systems, you must consider how you can incorporate this requirement.
You should make sure that access to necessary information is protected against any automatic deletion processes. Also you should ensure you still have access to information if staff leave or change roles. For example, you should store employment records centrally, rather than locally so you are not dependent on the availability of individual managers for access.
Further reading
Read our guidance on:
What do we need to tell workers about the records we hold of their personal information?
Data protection law requires fairness and transparency, and provides a right for people to be informed about how you are using their personal information and why.
Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with your workers.
You must tell your workers:
- your purposes for collecting and using their personal information;
- your lawful basis;
- your condition for processing (if it includes special category or criminal offence information);
- your retention periods for the information;
- who, if anyone, you plan to share their information with;
- their rights over their information; and
- details of where you got their personal information from, how you are going to use it, and who you will disclose it to.
If you are collecting this information directly from your workers, you must make this privacy information available to them at the time you collect their information. If you are collecting the information from other organisations, rather than directly from the worker, you must provide them with privacy information within a reasonable period, but at the latest within one month of obtaining it.
You must provide this information in a way that is easily accessible to your workers, easy to understand, and in clear and plain language.
There are a range of ways you can provide this privacy information, but you must make workers aware of it and give them an easy way to access it. You could provide it:
- as part of your staff privacy notice on your organisation’s intranet;
- as part of your general data protection policy;
- as separate privacy information in a worker handbook;
- using ‘just in time’ notices if using online workshops, platforms or tools where personal information might be collected or shared with others;
- as a general notice on a staff notice board; or
- by sending a letter or email to workers.
What method you use and the most effective way of giving privacy information to your workers will depend on the nature of your organisation and what way fits best with your needs.
You should make sure that you periodically remind existing workers about this information too. If your organisation is large, you could check with a random sample of workers that they:
- are aware of this information;
- received it; or
- know how to find it.
You should regularly review and, where necessary, update your privacy information. You must bring any new uses of people’s personal information to their attention before you start the processing.
Further reading
- Right to be informed
- How to write a privacy notice and what goes in it – guidance for small to medium sized enterprises
- We have also produced a privacy notice template.
Do workers have a right to access their employment records?
Yes. The right of access is commonly referred to as a subject access request (SAR). It gives someone the right to obtain a copy of their personal information from your organisation. This includes where you got their information from, what you’re using it for and who you’re sharing it with.
There are no formal requirements about how the request is made. A SAR can be made verbally or in writing, including by social media. Workers can make requests to any part of your organisation, and they do not have to direct it to a specific person or contact point. However, you should have a designated person, team and email address for SARs. You could set up a specialist portal or process for your workers to help them make SARs efficiently and to help you to recognise and respond to them.
Workers are especially likely to exercise their right to access their employment records during grievance or disciplinary proceedings, or in the case of dismissal. You should make sure that managers in your organisation are aware that a worker going through a disciplinary or grievance proceedings still has the right to access their personal information.
You must respond to a SAR from a worker without delay and within one month of receiving the request. However, you could extend the time limit for responding by up to two months if the SAR is complex or if they have sent you a number of requests.
If you have a large amount of information about someone, and their request is not clear, you can ask them to specify the information or processing activities their request relates to. In these cases, the time limit for responding to the request is paused until you receive clarification, although you should still provide any of the supplementary information you can do within one month.
You may have outsourced some of your processing to another organisation that holds personal information on your behalf (and you, as controller, do not hold that information). As a controller, you are still ultimately responsible for complying with SARs for employment records, not your processor.
The processor must help you meet your obligations for SARs and you should make this clear in the agreement with them. The processor must search for this information and, if necessary, give you a copy, if you request it. See ‘What are our obligations if we have outsourced some of our processing about our workers?’
Sometimes you may need to give or receive confidential references about someone. The personal information in a confidential reference is exempt from the right of access for prospective or actual workers. The exemption applies regardless of whether you have given or received the reference.
It is important to note that this exemption only applies to references given in confidence. You should make it clear to people, and those providing references, whether you are treating references confidentially or if you are adopting a policy of openness. You should do this through the privacy information you provide. For more information see our guidance on the right to be informed.
Further reading
Read our detailed guidance on the right of access. This includes detail on possible exemptions from the right of access, some of which may be relevant in the context of employment records, such as the exemption for confidential records.
Also see our separate SARs Q&A for employers.
Do workers have a right to have their employment records erased?
In some circumstances, people have the right to have their personal information erased. This is known as the right to erasure, or sometimes, the right to be forgotten.
It only applies in certain circumstances, many of which do not apply in an employment context.
However, the right to erasure does apply where the personal information is no longer necessary for the purpose you collected it for. The obvious example is after an employment contract has ended it may no longer be necessary to keep references provided by previous employers or job application materials. However, current workers may also have a right to have information in their employment record erased, if this is no longer needed.
Example
An organisation receives a complaint about one of its workers. After investigating, the organisation concludes that the complaint was vexatious, and they do not need to take any further action. The worker requests that the organisation erase the details of this complaint from their employment record. The organisation decides that it no longer needs this information for the reasons it collected it for and decides to accept the request.
People also have a right to have their personal information erased when it is being processed on the basis of consent, and they withdraw that consent. As mentioned in ‘Can we rely on a worker’s consent?’ above, in most cases you will not be relying on consent to process employment records. But if you are, and the worker later withdraws their consent, you must erase the information.
Example
An organisation asks some of their workers if their images can appear in marketing and promotional materials. They collect these images and publish them on the basis of the workers’ consent. One worker who initially agreed, later changes their mind and withdraws their consent for their image to appear. The organisation must remove the worker’s image from the marketing materials as soon as possible, and should erase them, if the worker requests it.
There are a number of reasons why you can refuse to comply with a request for erasure. In the employment context, the ones that are most likely to be relevant are if:
- you are under a legal obligation to keep some records about past workers for tax or social security reasons; or
- the request is manifestly unfounded or excessive.
Further reading
Read our guidance on the right to erasure.
Who is responsible for data protection and employment records in our organisation?
Accountability is one of the key principles in data protection law. The accountability principle means that you are responsible for what you do with personal information and how you comply with the other principles.
You must have appropriate measures and records in place to be able to demonstrate your compliance with your data protection obligations. This doesn’t just include compliance with the principles (as explained in the preceding sections). But also, your other obligations, such as:
- taking a ‘data protection by design and default’ approach;
- documenting your processing activities; and
- carrying out data protection impact assessments (DPIAs) for uses of personal information that are likely to result in high risk.
You should identify who within your organisation has responsibility to authorise or collect your workers’ personal information. You should ensure they are aware of your organisation’s policies and procedures.
You should also make them aware of data protection law. If they lack proper authority and necessary training, this could lead to a risk of non-compliance. You should also consider any obligations under other laws, such as employment law and health and safety legislation.
Ultimately, your organisation, as the controller, has responsibility for data protection compliance. If you use any processors that are processing workers’ personal information on your behalf, you must have a written contract in place with them. See ‘What are our obligations if we have outsourced some of our processing about our workers?’
If you have a data protection officer, you must involve them in any decisions about your processing of workers’ information.
You also must be aware of the data protection rights workers have when you are processing their information.
We also produced the Accountability framework which can help any organisation, whether small or large, with their obligations. You may wish to use the framework to help you assess your organisation’s accountability.