Our consultation on this draft guidance is open until 5 March 2024.
This guidance is aimed at employers who are keeping employment records. It will help them understand their data protection obligations under the UK GDPR and DPA 2018 (we refer to these as data protection law). Keeping records about workers is a necessary part of running an organisation. Data protection law applies whenever you process your workers’ personal information. The law does not stop you from collecting, holding and using records about workers. It helps to strike a balance between your need to keep employment records and workers’ right to private lives.
We have designed this guidance for you to read alongside our other published guidance on data protection and employment. In particular, our detailed guidance on information about workers’ health, Employee monitoring, and Recruitment and selection.
We use the terms ‘worker’ or ‘former worker’ to mean all employment relationships, whether this includes employees, contractors, volunteers or gig and platform workers. This is for the purposes of this guidance only and not in an employment law or other legal context.
How should we use this guidance?
To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.
- Must refers to legislative requirements.
- Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
- Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.
This approach only applies where indicated in our guidance. We will update other guidance in due course.