Keeping Employment Records: Understanding the New ICO Guidance

The ICO’s new guidance, Employment Practices and Data Protection: Keeping Employment Records, outlines employers’ obligations under UK GDPR and the DPA 2018. It covers key areas such as lawful data processing, handling sensitive employee information, data minimisation, retention, security, and employee rights. Here we cover some of the main obligations under the new law.

Scope of Employment Records

The ICO guidance defines employment records as any personal data related to an individual’s employment, including:

  • Recruitment and selection documents
  • Payroll and tax information
  • Performance evaluations
  • Health and safety records
  • Disciplinary and grievance records

Lawful Basis for Processing

Employers must establish a lawful basis for processing personal data. The guidance advises that consent is often inappropriate due to the inherent power imbalance in employment relationships. Instead, employers may rely on:

  • Contractual necessity: Processing required to fulfil employment contracts, such as issuing salaries and managing benefits.
  • Legal obligation: Compliance with employment laws and regulations, such as maintaining tax records and complying with workplace safety requirements.
  • Legitimate interests: Processing necessary for the employer’s interests, provided it does not override employee rights, such as improving workplace efficiency or managing performance.

Special Category and Criminal Offence Data

Employers handling sensitive data, such as health information or criminal records, must take additional precautions. This includes:

  • Identifying a lawful basis and an additional processing condition: Employers must justify why they are processing this data and ensure it aligns with employment laws.
  • Ensuring compliance with employment law obligations: This may include assessing an individual’s right to work, monitoring workplace safety, or maintaining sickness and maternity records.
  • Implementing additional safeguards: This involves having an appropriate policy document outlining why and how data is processed, as well as conducting a Data Protection Impact Assessment (DPIA) to evaluate risks.

Data Minimisation and Accuracy

To uphold data protection principles, employers should:

  • Collect only necessary personal data: Avoid excessive data collection and ensure that only the information required for employment purposes is gathered.
  • Maintain accuracy: Employers should regularly review and update records to ensure information remains current and does not become misleading or outdated.

Retention and Security

Employers must:

  • Establish clear retention policies: Define how long different categories of employment data will be kept and ensure data is deleted once it is no longer required.
  • Implement security measures: Employers must take steps to protect personal data from unauthorised access, loss, or damage. This may include encryption, access controls, and staff training on data security.

Transparency and Individual Rights

Employers should:

  • Provide privacy notices: Clearly communicate to employees what personal data is collected, how it is used, and their rights under UK GDPR.
  • Facilitate employee rights: Employees must be able to exercise their rights, including access to their data, requesting corrections, and, in some cases, having their data erased or restricted from processing.

Data Sharing and Third Parties

When sharing employee data with third parties, employers must:

  • Assess necessity and proportionality: Share only the data required for the intended purpose and ensure it is not excessive.
  • Implement data protection agreements: Employers should have contracts in place with third parties, such as payroll providers or benefits administrators, to ensure they comply with data protection laws.

Practical Tools and Checklists

The ICO provides practical resources, including checklists, to support employers in implementing best practices for managing employment records.

For a detailed understanding and access to these resources, employers are encouraged to consult the full ICO guidance on its official website.