New ICO guidance on employment records: Time for a spring clean?

Last month, the Information Commissioner’s Office (ICO) issued guidance aimed at helping employers understand their obligations in relation to employment records. The guidance covers all worker relationships (employees, contractors, volunteers and gig or platform workers), as well as former workers.
Given the complexities of data privacy law, the guidance is understandably high level and not a substitute for seeking legal advice. However, it does provide some useful, tailored information for employers covering the collection, retention and use of staff data. The guidance also cross-refers to other resources available on the ICO website, which cover specific topics in more detail (such as information about workers’ health).
With spring nearly upon us, it could be the perfect time to clean up outdated privacy documents and processes:
Back to bases
The guidance covers the key basic requirements for collecting staff personal data, including a snapshot of the most relevant lawful bases and, where relevant, the special category conditions that might apply to employment records.
You should ensure that you review your data processing activities regularly, and update your records accordingly. If you haven’t gone through this process for staff data in the last 12 months, then now is the time to get started. Take stock of what staff data you process, where and why.
Retaining data
Assessing how long to keep staff data can be tricky and, as confirmed in the guidance, there is no specific time limit under data protection law. The retention period will vary depending on the document and the purpose for processing and, as noted in the guidance, employers need to consider legal and/or regulatory requirements that might apply; do not take a ‘one-size-fits-all’ approach.
You should have a record retention policy or schedule in place, so make sure you review this regularly and have processes in place to ensure data is erased or anonymised accordingly.
Keep it safe
The guidance reminds employers that appropriate security measures need to be in place. This is particularly important for staff records that will likely contain sensitive and special category data.
Review these measures on a regular basis and ensure only those who need to access staff data are authorised to do so, and that those individuals receive adequate and regular training. Additionally, ensure that sensitive and special category staff data is encrypted.
Keep staff informed
A lot of the information covered by the guidance needs to be set out in your staff and applicant privacy notices. Remember to ensure the information covers not only employees, but workers and contractors too. These need to be accurate and up to date, so review them on at least an annual basis and inform staff of any changes.
Sharing data
Employers will inevitably share staff data – it is collected to be used. This is likely to be internally within the company or group, as well as externally. External sharing could be on a routine basis, for example, if you use external payroll providers or benefits providers. Or it might be on an ad hoc basis, such as to respond to queries from HMRC. The guidance covers a range of scenarios tailored to employers, from providing references to TUPE transfers.
Hannah Vernon
Hannah is an employment associate and advises both organisations and individuals on all areas of contentious and non-contentious employment law matters.
- Associate
- T: +44 (0)207 778 7246
The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.