Our consultation on this draft guidance is open until 5 March 2024.

In detail

When can we share workers’ employment records with other people or organisations?

From time to time you may receive requests for information about particular workers that come from other people or organisations. You are not necessarily required to share information about your workers just because someone has asked for it. However, there are occasions where you may need or want to.

In some cases, you may have no choice but to share the information requested about a worker. This is when there is a legal obligation to share, arising from laws outside data protection legislation which you must respond to. For example, you are under a legal obligation to respond to requests for information about your workers from HMRC. If this is the case, data protection does not stand in the way of sharing.

In other cases, you have a choice whether or not to share. You should consider the request carefully and only share information about a worker when you are satisfied that it is right to do so. You should carefully weigh the potential benefits and harms of sharing or not sharing the information. If you are not sure, you could ask the worker for their consent to share their information.

You must have a lawful basis for sharing your workers’ personal information with other organisations. You must make sure that you only share necessary information, and that you send it securely to the correct person. You must also make your workers aware of who you are sharing their information with, and why you are sharing it.

You should work out who in your organisation will be responsible for dealing with requests to share information, and give them adequate training to do so.

If you are asked to share personal information from a worker’s record in an emergency, you should carefully decide whether to share. You should take into account the nature of the information being requested and the likely impact on the worker of not providing it. You can and should share information about someone in an emergency if it will save their life or protect them or others from serious harm.

Further reading

We have developed a data sharing page which includes the Data sharing code of practice, as well as FAQs, checklists and case studies to help you work out what you need to do to share personal information with other organisations.

What do we need to consider when providing references?

Providing a reference about a worker to another organisation, or receiving one, involves sharing that worker’s personal information. Data protection law allows you to share information for this purpose.

In general, the references that you provide will relate to the worker’s employment with you. However, you may sometimes be asked to give references in other circumstances, such as character references for voluntary roles or a financial reference for a mortgage application. These still count as references and still involve sharing the worker’s personal information.

You must be as open as possible with workers about information which relates to them. They have a right to challenge information that they consider to be inaccurate or misleading, particularly when, as in the case of a reference, this may have an adverse impact on them.

Example

A worker, who has been employed at Company A for several years, applies for a job at Company B. Company B requests a reference from Company A, asking for information about the worker’s performance, capability to perform the role they have applied for and attendance records. Company A can rely on the legitimate interests lawful basis to share this information about the worker. Company A should share only the information that is necessary for Company B to make an assessment of the worker’s suitability for the role.

Can we publish information about our workers?

You may wish to publicise your activities and operations in a way that involves sharing information about your work force. For example:

  • annual financial reports;
  • advertising materials;
  • media articles; or
  • social media posts.

If you are a public authority, you may be under a legal obligation to publish information that contains your workers’ personal information, under the Freedom of Information Act (FOI) or the Environmental Information Regulations (EIR).

You must balance the benefits to you of publishing information about your workers with their reasonable expectations of privacy. Where possible, you should use information that does not identify individual workers.

You could implement an employee information disclosure policy that sets out how you approach this. You could set out what factors to consider when deciding whether to publish personal information about workers, either proactively or in response to FOI and EIR requests.

If it is necessary to publish your workers’ personal information, you must make them aware of this in advance. You must make sure that you do not publish more information than necessary. For example, if you are publishing information in response to FOI requests, consider whether you can redact any information that identifies your workers.

You must identify a lawful basis to publish information about your workers. If this involves special category information, remember you must also identify a special category condition.

How do we handle sickness and injury records?

We have covered the issue of sickness records in our guidance on information about workers’ health.

What are our obligations if we have outsourced some of our employment records about our workers?

You may have outsourced some of your record keeping to another organisation, such as human resources or payroll functions. You are considered the controller of the personal information and the other organisation is acting as a processor.

As controller, you have ultimate responsibility for making sure that your processing of workers’ personal information complies with data protection law. This includes any processing that is carried out by a processor on your behalf.

You must:

  • comply with the data protection principles;
  • make sure that your workers can exercise their rights about their personal information;
  • make your workers aware of your use of a processor and inform them who you are sharing their information with and what you are sharing;
  • have contractual arrangements in place to guarantee that you can deal with SARs properly, irrespective of whether the request is sent to you or the processor;
  • implement appropriate technical and organisational security measures to ensure the security of personal information;
  • make sure that any processor you use adopts appropriate security measures, both in terms of technical and organisational measures;
  • have a written contract with your processor, which requires the processor to only use your workers’ personal information in line with your instructions, and to maintain appropriate security;
  • comply with the UK GDPR accountability obligations, such as maintaining records, carrying out data protection impact assessments and appointing a data protection officer; and
  • comply with the UK GDPR’s restrictions on transfers of personal information outside the UK.

Can we collect workers’ information to use for equal opportunity monitoring?

You may be under a legal or regulatory obligation to collect information about your workers to monitor equality of opportunity and prevent discrimination. This may include collecting information about workers’ ethnic origin, disabilities, religion, or sexual orientation.

In Northern Ireland, section 75 of the Northern Ireland Act 1998 requires public authorities to monitor and promote equality of opportunity between people of different religious belief, political opinion, racial group, age, marital status or sexual orientation.

This type of information will often be special category information, which you must handle especially carefully. You must make sure that you do not use information you collect to monitor equality of opportunity for any other purpose. See ‘What conditions for processing special category information might apply?’.

Where possible, you should anonymise this information. When collecting this type of information from job applicants, you should make sure that you can separate it from any identifying information about the job candidate, so that you can save it anonymously as statistical information.

Be aware that equal opportunity monitoring information might potentially identify particular workers, even if the names have been removed. For example, if it makes reference to a characteristic shared by relatively few of your workers. In this case, you should make sure that any staff with access to this information are aware of its sensitivity and the need to keep it secure and confidential.

You should make sure that your equality monitoring questions are designed so that the personal information you collect is accurate and not excessive. You should ask questions that allow workers to identify themselves accurately. For example, in ethnic origin monitoring, do not limit the range of choices given so that workers are forced to make a choice that does not properly describe them.

Can we use employment records to detect fraud?

You may receive a request for your workers’ personal information from external organisations tasked with preventing or detecting fraud. They may ask for your workers’ records to check, for example, that they are not receiving benefits they aren’t entitled to. This can involve electronic comparison of data sets held for different purposes to identify inconsistencies or discrepancies which may indicate fraud. This is known as data matching.

You must only share personal information from your workers’ employment records for fraud detection purposes if:

  • you are required by law;
  • you believe that failure to disclose in this specific case is likely to prejudice the prevention or detection of crime; or
  • your workers’ employment contracts allow you to share information in such cases.

If you are using your workers’ personal information for fraud prevention or detection purposes, you must inform new workers about this. You should also give existing workers periodic reminders. The only exemption from this is when informing a worker would be likely to prejudice the prevention or detection of crime, for example by tipping off the worker that they are under investigation for suspected fraud.

Further reading

We have a data sharing page which includes guidance on data sharing, such as sharing personal data with law enforcement authorities, as well as the full data sharing code.

Other resources

The Cabinet Office has produced a Data matching code of practice.

What do we need to consider when using pension and insurance schemes?

Most workplace pension and health insurance schemes are run by third-party organisations. You must comply with your data protection obligations when you are sharing information about your workers with these organisations.

You must make sure that when a worker joins a health or insurance scheme, you make them aware of what personal information you will share with the scheme provider, and how it will be used.

You must make sure that you do not share more information with the provider than is necessary to run the scheme.

If you are sharing information with the provider about workers’ sickness or injury records, or other health information, you must identify both a special category condition and a lawful basis. See ‘What conditions for processing special category information might apply?’, as well as our separate guidance on information about workers’ health.

You must not access any personal information you collect on behalf of the provider to run the scheme and use it for general employment purposes. You should ensure that the only people in your organisation who have access to this information are those who need it to run the scheme. You should make them aware of their data protection responsibilities, and that they must not use the information for other employment purposes.

Further reading

See our detailed guidance on Special category data.

How do we handle employment records during mergers and acquisitions?

You may need to share personal information about your workers with another organisation as part of a takeover or other situation involving a change in organisational structure. For example, an acquisition, merger or insolvency. This may take place during the evaluation of assets and liabilities prior to the final merger or acquisition decision.

You must:

  • consider information sharing as part of your due diligence;
  • establish what personal information you’re transferring, why you have it in the first place, and your lawful basis for sharing it;
  • if you are transferring any special category information, identify a special category condition;
  • comply with the data protection principles – especially lawfulness, fairness and transparency;
  • tell your workers that there has been a change of circumstances, and remind them about their information rights; and
  • document your actions and decisions.

Wherever possible, if you are sharing workers’ information with another organisation in connection with a prospective acquisition, merger or business reorganisation, you should anonymise the information.

During negotiations, you should carefully assess any request for personal information from the other organisation. Prior to any final merger or acquisition decision, you should only hand over your workers’ personal information once you have been assured that they will:

  • use it solely to evaluate assets and liabilities;
  • treat it in confidence and not disclose to other parties; and
  • destroy or return it after use.

If possible, you should tell workers if you are going to share their employment records with another organisation before an acquisition, merger or business reorganisation takes place.

If the acquisition or merger takes place, you should make sure your workers are aware of the extent to which you are transferring their employment records to the new employer.

In some circumstances, ‘insider trading’ or similar restrictions will apply. For example, if providing an explanation to workers would alert them to the possibility of a takeover of which they would otherwise be unaware, and could thereby affect the price of a company’s shares. In such circumstances, you may not have to explain to workers that you are sharing their personal information for the purposes of evaluating assets prior to acquisition.

As a new employer, you have all the same obligations about workers’ information as their original employer did. You must make sure that records you hold as a result of a merger or acquisition are accurate, up-to-date and relevant, and do not include more personal information than necessary.

Other resources

The Financial Conduct Authority has produced a best practice note on identifying, controlling and disclosing inside information.

When can we share workers’ information under the Transfer of Employment Regulations?

In the case of some mergers or acquisitions, you may be legally required to share certain information under the Transfer of Employment Regulations 2006 (TUPE).

The TUPE Regulations are designed to preserve employees’ terms and conditions of employment when:

  • an organisation (or part of it) is transferred to a new owner or employer (eg by sale or merger); or
  • a ‘service provision change’ occurs, such as when a service is transferred to a new provider, but the client remains the same.

Under the TUPE Regulations, the outgoing employer is required to provide the new employer with specific information about their new workforce in advance of any business transfer or change in service provision. This is known as ‘employee liability information’. It includes:

  • the identity (usually the name) and age of the transferring employees;
  • information contained in their ‘statements of employment particulars’, such as a written statement of pay, hours of work and holidays (usually contained in the employee’s offer letter or contract of employment);
  • information about any collective agreements;
  • information about any grievance procedure taken by an employee within the last two years;
  • information about any disciplinary procedure taken against an employee within the last two years; and
  • details of any legal action (before the court or employment tribunal) brought against the employer by an employee in the last two years and information about any potential legal action arising from their employment.

The original employer is required to provide this information at least 28 days before the transfer is completed. If special circumstances make this impractical, you should supply it as soon as possible.

Because providing this information is a legal requirement, you can rely on the legal obligation lawful basis. You must still comply with data protection law when providing workers’ personal information.

Be aware that some transfers are outside the scope of TUPE (such as share takeovers). Therefore, in these cases there is not a legal requirement to provide employee liability information.

Can we share more information than is required by the TUPE Regulations?

A prospective employer may, as part of their due diligence, request more information than is required by the TUPE Regulations.

Also, in the early stages of the sale of a business there may be a number of potential bidders. This means that although only one will become the eventual new employer, all of them need the information to assess whether to pursue the purchase.

If you need to share personal information about workers that falls outside the scope of employee liability information, you must document another lawful basis for processing. The most likely one is legitimate interests. If it includes special category information, you must also identify a condition for processing this.

You should consider carrying out a data protection impact assessment for information that falls outside the scope of employee liability information, particularly if this includes special category information.

You should also consider whether you could pseudonymise any personal information not required by TUPE before sharing it.

You must put in place safeguards to make sure unsuccessful bidders only use information in connection with the proposed business transfer, and that they will not keep it once they have used it for this purpose.

Can we give employment records to the new employer?

Once the transfer has taken place, it is likely that the new employer will need to keep a large proportion of a worker’s employment record to manage the workforce and run the business.

The new employer should consider whether they need all the information contained in a worker’s employment record, and destroy unnecessary information.

Can we, as the original employer, keep personal information after the transfer?

After the transfer has taken place, it is likely that the original employer will need to keep some personal information about former employees (eg to deal with any liabilities).

Data protection law allows this, but you must have a justifiable reason to keep this information, and only keep it for as long as necessary.

Further reading

ACAS has published guidance on Transfer of Undertakings (TUPE).