Responses to the ICO’s consultation on the draft Employment Records guidance – summary of the responses and ICO comments
In December 2023, we launched a public consultation on the draft guidance on keeping employment records. The guidance aims to provide practical guidance about how to comply with data protection law when keeping records about your workers, and to promote good practice.
The consultation ran until March 2024. We received 16 responses to the public consultation. We thank everyone who took the time to comment and share their views.
About the consultation
We received responses from a range of organisations across the public, private and third sectors. The breakdown of responses according to sector is as follows:
| Sector | Number of responses |
|---|---|
| Law | 1 |
| Local government | 1 |
| Financial services | 3 |
| Professional body or trade association | 3 |
| Tech | 1 |
| Transport | 1 |
| Regulation | 1 |
| Third sector or charity | 1 |
| Individual acting in private capacity | 2 |
| Anonymous | 2 |
In general, the responses were positive. Most respondents said that the guidance:
- is clear and easy to understand; and
- will help them comply with their data protection obligations.
Many commented that the guidance is much needed. They reported making frequent use of the old DPA 1998 Employment Practices Code, and said that updated guidance would be very valuable.
Below we set out the main themes of the feedback we received, and explain how we have responded to this feedback.
More detail on keeping records about criminal offences
Respondents pointed out that while the guidance made frequent reference to keeping records of special category data, there was no specific reference to keeping records relating to criminal convictions and offences. They also asked for an example specifically relating to criminal offence records.
We recognise that criminal offence data has its own specific rules and presents specific challenges for organisations who need to keep records of this information. We have added more detail on this, as well as providing an example relating to erasure of spent records.
More detail on various aspects of data protection law
Several respondents asked for more detail about specific aspects of data protection law - including:
- content on all of the rights of the individual, not just the right of access and the right to erasure;
- more details on how the right of access operates in the workplace;
- more details on the lawful bases for processing, and the conditions for processing special category and criminal offence data; and
- more information about data sharing, what the rules are and how these apply in practice.
While we understand that readers may be looking for all of the information they need in one place, we think that adding more detail on each of these topics would make the guidance overly long, harder to navigate, and less useful. Detailed guidance already exists on all of the topics where more detail was requested. However, in response to this feedback we have included links in the text so that readers who want more detail on any particular topic are able to find it easily.
More detail about retention schedules
Some respondents noted that it can be difficult to know how long to keep various categories of personal information, and asked for more information on how different retention periods apply to different types of records. Some wanted the guidance to provide detailed model or template retention schedules that could be applied to their specific circumstances.
We know that it can be difficult to work out how long to keep different types of information. However, organisations are best placed to do this for themselves, as this will depend on their specific circumstances, including any specific regulatory or legal requirements that apply to them.
If we were to create model retention schedules, it’s possible these may fail to capture the specific needs of organisations – which would risk them being misleading and unhelpful.
However, in response to this feedback we have added links to:
- our detailed guidance on storage limitation, documentation requirements and erasure; and
- our own retention and disposal policy and schedules (although these are for reference, and should not be regarded as a model or template to follow).
Reference to other relevant legislation
Some respondents suggested that the guidance should explicitly refer to other pieces of legislation or regulations that often apply in an employment context, as these play a central role in determining how organisations comply with their data protection obligations. For example, in the recruitment sector there are regulations governing the length of time recruitment organisations must keep hold of records.
The ICO has no role to play in regulating those other pieces of legislation. Therefore we cannot provide guidance on how to comply with these as it lies outside our remit. If you are unsure or have concerns about how to balance your data protection requirements with your other legal or regulatory obligations, you should seek independent legal advice.
Related to this, some respondents commented on our approach to explaining your legal obligations in terms of what you must, should or could do. At the start of this guidance (and other guidance we have produced since adopting this approach), we explain that in the text, we use the word must to refer to legislative requirements, should to the things we expect you to do to comply, and could to options or examples of ways you might comply.
Some respondents argued that our approach was unclear, because we only used the word must when referring to data protection legislative requirements. But organisations have a range of other laws and regulations they are bound by, and when these are mentioned in the guidance, we do not use the word must to refer to these.
Here we have clarified our intent by adding detail to the description of our approach at the start of the guidance. We now make it clear that our use of the word must refers only to legislative requirements or established case law for the laws that the ICO regulates.