Our consultation on this draft guidance is open until 5 March 2024.

Collecting and keeping employment records

☐ We give new workers privacy information to tell them what information we will collect about them, how we will use it, and who we will disclose it to.

☐ We remind existing workers about how to find our privacy information.

☐ We inform new and existing workers of their rights under data protection law, including their right to access the information we keep about them.

☐ We make sure that we only collect personal information that is necessary for our purposes.

☐ We ask our workers to regularly check their information to make sure it is accurate and up-to-date, and make any changes where necessary.

☐ We identify and document a lawful basis for collecting and using workers’ personal information.

☐ We make sure that only those staff that need it have access to workers’ records.

☐ If we want to collect special category information from our workers, we identify a special category condition (under Article 9 of the UK GDPR).

☐ If we want to collect criminal offence data, we identify a condition for processing under Schedule 1 of the DPA 2018.

☐ We dispose of worker records securely and effectively when we no longer need them.

☐ We periodically review the personal information we hold on our workers, and erase or anonymise it when we no longer need it.

☐ We have clear retention policies in place setting out how long we keep different categories of our workers’ personal information.

Outsourced employment functions

☐ We have written contracts with the processors we use if we outsource any of our employment functions. These require the processor to only use workers’ personal information in line with our instructions, and to maintain appropriate security.

☐ We make sure that the contract states that the processor can only use workers’ personal information in line with our instructions.

☐ We make sure that the contract states that the processor must maintain appropriate security, including technological and organisational measures.

Equality monitoring

☐ We have identified and documented a special category condition for collecting information about workers’ ethnicities, religion, disability or sexual orientation.

☐ Where possible, we anonymise personal information we collect for equality monitoring purposes.

☐ We make sure that we don’t use the information we collect for equality monitoring for any other purpose, and that staff with access to this information are aware of their data protection responsibilities.

Pension and insurance schemes

☐ We inform workers about what the scheme involves.

☐ We make sure that we do not share more information with the provider than is necessary to run the scheme.

☐ We make sure that workers are aware what personal information we will pass to the scheme provider.

☐ If we are sharing information with the scheme provider about workers’ sickness or injury records, or other health information, we have identified a special category condition and documented this.

☐ We make sure that the staff involved in collecting information for this purpose are aware of their data protection responsibilities.

☐ We make sure that only the people in our organisation who need to help run the scheme have access to the personal information we collect for this purpose.

Mergers and acquisitions

☐ We consider sharing personal information about workers as part of our due diligence.

☐ We agree what information we should transfer, and how, before a transfer takes place.

☐ We tell our workers when there is a change in circumstances that affects who is responsible for their personal information.

☐ Where possible, we tell workers if we will share their employment records with another organisation before an acquisition, merger or business reorganisation takes place.

☐ We tell our workers about which parts of their employment records we will transfer to the new employer.

☐ We make sure those responsible for negotiating the transfer of staff are aware of their responsibilities to comply with the data protection principles (eg to keep personal information up-to-date and secure).

☐ Where applicable, we transfer enough information to meet TUPE obligations and to allow the new employer to run the business and manage the staff. 

☐ We don’t transfer excessive and irrelevant information.