Stephanie Paton tells HRNews about the latest guidance for UK employers on keeping employment records in compliance with data protection laws.

  • Transcript

    The ICO has published new guidance on keeping employment records. It’s a comprehensive document designed to help employers understand their data protection obligations under the GDPR and the Data Protection Act 2018. We’ll speak to a data protection expert about how it helps in practice. 

    For HR teams, managing employee records is a routine task, but ensuring compliance with data protection laws isn’t always straightforward. The guidance helps in clarifying key areas such as lawful processing, retention periods, security measures, and workers’ rights.

    The guidance sets out clear principles for handling employment records, and one of the biggest takeaways is transparency. Employers must be upfront about what data they collect, why they collect it, and how long they keep it. That means providing employees with clear privacy notices explaining their rights and the employer’s obligations.

    Retention is another key issue. Keeping records for longer than necessary can expose businesses to compliance risks. The guidance doesn’t prescribe specific retention periods but advises employers to justify how long they keep different types of data. HR should regularly review and update retention policies to ensure records aren’t kept indefinitely without a valid reason.

    Security is also a major focus. The ICO expects employers to take robust measures to protect employee data from unauthorised access, loss, or cyber threats. That includes access controls, encryption, and staff training on data protection best practices.

    And finally, workers’ rights. Employees have the right to access their personal data, correct inaccuracies, and, in some cases, request its deletion. HR teams need processes in place to handle these requests promptly and in line with legal requirements.

    Whilst those key principles are all aimed at ensuring employers handle employee data lawfully and responsibly, there is another important consideration, which is the legal basis for processing that data. A common assumption is that asking employees for consent provides a simple and easy way to process their information, but the ICO warns against that approach. So, why is that and what should they do instead? Earlier, I caught up with data protection expert Steph Paton, who has reviewed the ICO’s guidance. Steph joined me by phone from Edinburgh and I put that question to her:

    Stephanie Paton: “So consent under the GDPR has to be freely given and capable of being withdrawn at any time and without any consequences, and because of the power imbalance in an employment relationship there's a risk that employees could feel under pressure to give consent to their employer, or worried about the consequences if they don't, and so that would make any consent that they give legally invalid. So rather than relying on consent as a lawful basis, employers should think about some of the other lawful bases that are more appropriate in the employment context, and those include, for example, legal obligation, contractual necessity, or legitimate interests.”

    Joe Glavina: “What security measures should employers implement to protect employee records?”

    Stephanie Paton: “Many employers tend to allow far too many people in an organisation to have access to employee data, especially if they have a shared HR system, and that increases the risk, particularly when it comes to handling sensitive employee medical records, for example. So employers need to think really carefully about who actually needs to have access to that information and then limit the access to only those specific individuals, which will usually be HR advisors or the designated line managers. Employers also need to think about applying password protection to any sensitive electronic records and make sure that they're carrying out regular audits of their systems to detect any unauthorised access.”

    Joe Glavina: “Many employers outsource payroll, pensions, and HR functions. How does the ICO’s guidance affect data sharing with third parties?”

    Stephanie Paton: “A common mistake that many employers make is assuming that once data has been handed over to a third party the responsibility for data protection shifts away from them, but the ICO makes it clear that the employer is still the data controller in that situation, and so the employer can still be held accountable if the third party loses or misuses the data in any way. So when it comes to sharing data with third parties, an employer firstly needs to make sure that the contract with the third party includes GDPR-compliant data protection clauses, and also they need to make sure that they're being open with their employees about what data is being shared externally and why.”

    The ICO’s guidance on keeping employment records was published on 5 February 2025 and is available from the ICO’s website. We’ve included a link to it in the transcript of this programme.

    - Link to ICO guidance
