What Employers Need to Know About Keeping Employment Records
Key Contacts: Rachelle Sellek and Juliette Franklin
In this article, we set out some key takeaways from the new ICO guidance on keeping employment records. In February 2025, the Information Commissioner’s Office (ICO) released its final comprehensive guidance titled Employment Practices and Data Protection: Keeping Employment Records. This document serves as a vital resource for employers, outlining their obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) concerning the management of employment records.
“HR should be highly cognisant of data protection because they handle sensitive personal information daily, from employee records to payroll details,” says Juliette Franklin, Legal Director at Acuity Law.
She adds: “A failure to protect this data not only puts employees at risk but can also lead to serious legal and financial consequences for the company. Essentially, safeguarding employee data is vital for maintaining a secure, ethical, and legally sound workplace.”
Scope of employment records
The guidance defines employment records as any personal data related to an individual’s employment, including:
- Recruitment and selection documents
- Payroll and tax information
- Performance evaluations
- Health and safety records
- Disciplinary and grievance records
Lawful basis for processing
Employers must identify a lawful basis for processing personal data. The guidance emphasises that consent is often not appropriate due to the power imbalance in employment relationships. Instead, employers might rely on:
- Contractual necessity: processing required to fulfil employment contracts.
- Legal obligation: compliance with employment laws and regulations.
- Legitimate interests: processing necessary for the employer’s legitimate interests, provided it doesn’t override the rights and freedoms of employees.
Special category and criminal offence data
Processing sensitive data, such as health information or criminal records, requires additional protections. As well as a lawful basis for processing, employers must identify a separate condition for processing:
- Special category data: conditions include carrying out obligations in employment law and may cover assessing an individual’s right to work in the UK; ensuring an employee’s health, safety and welfare; and maintaining sick pay and maternity pay records.
- Criminal offence data: processing is permissible if authorised by law and necessary for employment purposes.
Employers will need an appropriate policy document and will need to have undertaken a data protection impact assessment.
Data minimisation and accuracy
Employers are advised to:
- Collect only necessary personal data: ensure data is relevant and limited to what is required.
- Maintain accuracy: regularly update records to reflect current information.
Retention and security
Employers must take all reasonable steps to keep information about workers accurate and up to date. In particular:
- Retention periods: employers should establish clear policies on how long different types of data are retained, ensuring they are not kept longer than necessary.
- Data security: employers must implement appropriate technical and organisational measures to protect personal data from unauthorised access, loss, or damage.
Transparency and individual rights
Employers must:
- Inform employees: provide clear information about data collection, purposes, and rights through privacy notices.
- Facilitate rights: enable employees to exercise their rights, including access, rectification, and erasure of their data.
Data sharing and third parties
When sharing employee data with third parties, employers must:
- Assess necessity and proportionality: share only what is necessary for the intended purpose.
- Ensure data protection: have agreements in place to ensure third parties process data in compliance with data protection laws.
Practical tools and checklists
The ICO provides additional resources, such as checklists, to assist employers in implementing best practices in data protection related to employment records.
For a detailed understanding and access to these resources, employers are encouraged to consult the full guidance on the ICO’s official website.
“Following the ICO’s guidance on keeping employment records isn’t just about ticking boxes – it’s about protecting your employees’ privacy, building trust, and steering clear of legal headaches. Compliant employers show they’re serious about data protection, creating a safer, more transparent environment for everyone,” says Juliette.
For a review of your data protection policies and procedures, or data protection and privacy advice, please contact our Data Privacy & Cyber Security team.
For support with your HR practices, please get in touch with our Employment team.