By Sara Meyer, Joanne Bell & Tim Gooder

Published 10 March 2025

Overview

The Information Commissioner's Office (ICO) has published updated guidance for employers on what they need to do to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) (together, "data protection law") when processing their employees' personal data.

Format and scope

The guidance is presented as a series of Q&As, covering collecting, keeping and using employment records. The ICO notes that the new guidance is intended to be read alongside its other guidance on data protection and employment, such as the detailed guidance on information about workers' health and monitoring workers.

The guidance is stated to cover all employment relationships, including current and former employees, contractors, volunteers, and gig or platform workers, regardless of the nature of the contract.

The terms "must", "should" and "could" are used in the guidance to indicate, respectively:

  • Things that employers are required to do by law (must)
  • Things that the ICO expects employers to do to comply effectively with the law, where they need to be able to demonstrate that they are still compliant if they choose to take a different approach (should), and
  • Options or examples that may help employers to comply effectively, but where there are likely to be various other ways to comply (could)

Collecting and keeping employment records

The section that deals with collecting and keeping employment records runs through employers' basic obligations under data protection law, including requirements to:

  • Ensure that all data processing is fair, lawful and transparent
  • Identify an appropriate lawful basis for processing (flagging that employers are unlikely to be able to rely on consent, given the power imbalance in the employment relationship)
  • Satisfy an additional condition when processing criminal offence data, or special category data such as health data
  • Limit personal data collected to that which is relevant and necessary (the data minimisation principle)
  • Keep personal data accurate and up to date
  • Retain personal data for no longer than necessary
  • Implement appropriate security measures to keep personal data safe (e.g. to prevent unauthorised access)
  • Provide certain minimum information to workers about how their personal data is used – usually via a privacy notice
  • Comply with workers' requests to exercise their individual rights under data protection law, such as the right of subject access and the right to erasure, and
  • Establish processes to ensure and demonstrate compliance with the accountability principle (e.g. documenting processing activities, carrying out data protection impact assessments for high-risk processing, etc.)

The guidance includes employment-focused examples to illustrate how these requirements apply in practice, and links out to additional resources that employers may find useful, such as the ICO's checklists and template documents.

Using employment records

The section on using employment records includes a series of questions about the following common scenarios that may arise in an employment relationship and provides practical guidance on how employers should approach them:

  • Sharing workers’ personal information with third parties (both where this is a legal requirement and where the employer has a choice about whether or not to share the information)
  • Providing employment references
  • Publishing information about workers (including in company financial reports, advertising materials and social media posts)
  • Handling sickness, injury and occupational health records (although here the guidance just refers out to the ICO's separate guidance on this topic that was published in March 2024)
  • The obligations that apply where an employer has outsourced the processing of certain information about its workers (e.g. its payroll function)
  • Collecting workers’ information to use for equal opportunities monitoring
  • Using employment records to detect fraud (such as where an employer receives a request from an external agency to check that a worker is not receiving benefits to which they are not entitled)
  • The data protection implications of using pension and insurance schemes, since such schemes are typically run by third-party organisations
  • Handling employment records during mergers, acquisitions, business reorganisations and insolvency processes, and
  • Sharing workers’ information in the context of a TUPE transfer, including whether the transferor can share more information with the transferee than is required by the TUPE regulations, provide employment records to the transferee, and keep personal information itself after the transfer

What does this mean for employers?

The publication of this new guidance does not indicate any changes to the law or to the ICO's approach to regulating employers' handling of personal data. However, it provides a useful central resource for employers when assessing their data protection compliance. That said, the specific steps that will be required to comply with data protection law will depend on the individual circumstances in each case and employers should always seek legal advice if they are unsure. In addition, as flagged in the introduction to the guidance, employers must always bear in mind their obligations under other provisions, such as health and safety or employment laws.