This guide primarily focuses on keeping the right staff records but you should also be aware of all of the data protection principles under the GDPR.
There are certain staff records that you must gather and retain.
There are other records you should keep as a matter of good practice - and having such records can even benefit your business. Set up a basic record-keeping system.
Personal and sensitive personal data
The Data Protection Act 2018 defines personal data as data which identifies and relates to living individuals. The Act goes on to define a separate category of personal information – ‘sensitive personal data’ relates to any of the following:
a. Race/ethnic origin
b. Political opinion
c. Religious belief
d. Member of a Trade Union
e. Physical/mental health condition
f. Sexual life
g. Commission/alleged commission of offences
h. Sentences handed down as a result of offences
There is a greater need to keep sensitive personal information secure as if this information is compromised or lost then there could be a greater harm caused to the individual.
If any of the employee records you keep are considered to be ‘sensitive personal data’, you are required to adopt appropriate security to safeguard the nature of this data.
Staff records you must keep
You must keep staff-related records on:
- pay rates - to meet the statutory requirement to issue workers with pay statements and to ensure you are paying your workers at least the national minimum wage
- payroll - ie on income tax and National Insurance deductions - for HM Revenue & Customs
- sickness of more than four days - and how much statutory sick pay you have paid
- accidents, injuries and dangerous occurrences - to meet health and safety requirements
You must also keep records to ensure that weekly working time and night work limits (under the Working Time Regulations) are complied with in your business. It's up to you to determine what records you need to keep for working time purposes, but you may be able to use existing records maintained for other purposes, such as pay and payroll.
You don't have to keep a running total of how much time workers work on average each week, and you need only make occasional checks of workers who work standard hours and who are unlikely to reach the average 48-hour limit. However you should monitor the hours of workers who appear to be close to the working time limit and make sure they don't work too many hours unless they have opted out of the Working Time Regulations and have therefore agreed to work longer.
You do need to keep an up-to-date record of workers who have agreed to work more than 48 hours a week, but you don't need to record how many hours they actually worked. However, you might consider that such records should be kept in order to establish compliance with National Minimum Wage legislation.
Staff records you should keep
It's good practice to keep records of each worker's:
- training and appraisals
- employment history - date employment began, promotions, job title(s)
- absence - records of lateness, sickness, and any other authorised or unauthorised absences
- personal details - name, address, emergency phone number(s), qualifications, work-relevant disability
- terms and conditions of employment - including a copy of each employee's written statement and correspondence relating to any changes to their terms and conditions
More generally, you should keep written records - eg minutes - of:
- meetings with workplace representatives
- any disciplinary action you have ever taken, in particular disciplinary hearings, although disciplinary warnings should be removed from employee's personnel files once they have expired
- individual and collective redundancy consultation meetings and agreements
- negotiations relating to information and consultation agreements
The level of detail in staff records
Under the Data Protection Act 2018, any personal information you keep on your staff should be adequate, relevant and not excessive. Inadequate records can lead to problems when dealing with absence levels, staff turnover, sickness, lateness and discipline.
Read Information Commissioner's Office (ICO) guidance on the Data Protection Act 2018.