As an employer, you must adhere to the Data Protection Act and keep and protect certain records in relation to your workers.
Under the Data Protection Act you must:
- only collect information you need for a specific purpose
- keep the information secure
- ensure the information you have is relevant and up-to-date
- only hold as much as you need and only for as long as you need it
- allow the subject of the information to see it on request
This guide outlines the staff records you must and should keep, your data protection obligations for staff records and how long you must keep staff records for. It also explains the advantages of keeping staff records and how to set up a staff records system.
It also covers your legal obligations as an employer and a worker's right to access the records and data you hold on them.
The staff records you must and should keep
This guide primarily focuses on keeping the right staff records but you should also be aware of all of the data protection principles under the GDPR.
There are certain staff records that you must gather and retain.
There are other records you should keep as a matter of good employment practice - and having such records can even benefit your business. Set up a basic record-keeping system.
Staff records you must keep
You must keep staff-related records on:
- pay rates - to meet the statutory requirement to issue workers with pay statements and to ensure you are paying your workers at least the national minimum wage
- payroll - ie on income tax and National Insurance deductions - for HM Revenue & Customs
- sickness of more than four days - and how much statutory sick pay you have paid
- accidents, injuries and dangerous occurrences - to meet health and safety requirements
You must also keep records to ensure that weekly working time and night work limits (under the Working Time Regulations) are complied with in your business. It's up to you to determine what records you need to keep for working time purposes, but you may be able to use existing records maintained for other purposes, such as pay and payroll.
You don't have to keep a running total of how much time workers work on average each week, and you need only make occasional checks of workers who work standard hours and who are unlikely to reach the average 48-hour limit. However you should monitor the hours of workers who appear to be close to the working time limit and make sure they don't work too many hours unless they have opted out of the Working Time Regulations and have therefore agreed to work longer. See working hours in a week.
You do need to keep an up-to-date record of workers who have agreed to work more than 48 hours a week, but you don't need to record how many hours they actually worked. However, you might consider that such records should be kept in order to establish compliance with National Minimum Wage legislation.
Staff records you should keep
It's good employment practice to keep records of each worker's:
- training and development
- employment history - date employment began, promotions, job title(s)
- absence - records of lateness, sickness, and any other authorised or unauthorised absences
- personal details - name, address, emergency phone number(s), qualifications, work-relevant disability
- terms and conditions of employment - including a copy of each employee's written statement and correspondence relating to any changes to their terms and conditions
More generally, you should keep written records - eg minutes - of:
- meetings with workplace representatives
- any disciplinary action you have ever taken, in particular disciplinary hearings, although disciplinary warnings should be removed from employees' personnel files once they have expired
- individual and collective redundancy consultation meetings and agreements
- negotiations relating to information and consultation agreements
Personal and sensitive personal data
The Data Protection Act 2018 defines personal data as data which identifies and relates to living individuals. The Act goes on to define a separate category of personal information - 'sensitive personal data' relates to any of the following:
a. Race/ethnic origin
b. Political opinion
c. Religious belief
d. Member of a Trade Union
e. Physical/mental health condition
f. Sexual life
g. Commission/alleged commission of offences
h. Sentences handed down as a result of offences
There is a greater need to keep sensitive personal information secure, because if it is compromised or lost the harm caused to the individual could be greater.
If any of the employee records you keep are considered to be 'sensitive personal data', you are required to adopt appropriate security measures to safeguard this data.
The level of detail in staff records
Under the Data Protection Act 2018, any personal information you keep on your staff should be adequate, relevant and not excessive. Inadequate staff records can lead to problems when dealing with absence levels, staff turnover, sickness, lateness and discipline.
Read Information Commissioner's Office (ICO) guidance on the Data Protection Act 2018.
Advantages of keeping staff records
Keeping staff records beyond those required by law may benefit your business by helping you to:
- match staff resources with production or service requirements
- avoid or defend employment tribunal claims if a dispute with a worker arises
- assess the performance and productivity of individual workers or teams
- ensure that you are treating job applicants and workers consistently and fairly
- make decisions in relation to staffing levels, eg on recruitment and redundancy
Set up a staff records system
Staff records systems tend to involve some kind of electronic database backed up by paper documents. Any paper forms you do issue and retain should be standardised where possible.
Features of an effective records system
Whatever type of employee records system you have, it should be:
- simple to use
- easy to maintain
Staff records: manual and electronic systems
If you run only a very small business, you may find that manual employee records meet all your needs.
However, if your business is growing and you are therefore employing more people, keeping paper records accurate and up to date can become more difficult. You may find therefore that you come to rely more and more on electronic staff records.
Larger employers may find that they need to set up a centrally administered computerised system - this makes information easier to retrieve but will cost money to set up and to train staff to use.
Despite the widespread use of electronic systems, it is unlikely that any business will maintain all its staff records electronically. You still need to keep, for example, signed paper copies of employment contracts and letters agreeing to a change in terms and conditions.
Such staff documents are particularly important in the event of an employment tribunal claim arising against you. Computerised records may be used but you would be in a stronger position if you can show the tribunal signed documents demonstrating that the claimant has understood or agreed to certain issues relevant to the case.
Standardising staff documents
It's worthwhile designing standard document templates for each procedure, eg for staff appraisals or holiday requests, etc. If the documents are easy to read and logical, you will find it easy to extract data from them.
Ask staff who use the documents to help design the templates. You may also have to train other staff how to use them. HR documents and templates.
Keeping your records systems secure
You must keep personal records secure. In relation to the records system itself, you should therefore:
- make sure your paper filing system is locked
- make sure only those staff who need to use the data have access to it
- protect electronic records with passwords, anti-virus software and firewalls
- put an audit trail into computerised systems so you can check who has accessed a particular record and when
- ensure you meet your legal obligations under the General Data Protection Regulation (GDPR)
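The two points above about restricting access to staff who need it and keeping an audit trail can be shown together in a small in-memory records store. This is an added illustration written for this guide, not code from any HR product or from the guide's author; the store, its permission model (an actor is either allowed specific record ids or everything via "*") and the sample employee data are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class AuditEntry:
    """One immutable line of the audit trail: who touched which record, how, and when."""
    when: datetime
    actor: str
    record_id: str
    action: str  # "create", "read", "update", "delete" or "denied"


class StaffRecordsStore:
    """Hypothetical in-memory stand-in for a staff records database.

    Every read, write and delete passes through an authorisation check, and
    both successful and refused attempts are appended to the audit trail, so
    you can later answer "who accessed this record, and when?".
    """

    def __init__(self, permissions: Dict[str, Set[str]],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        # actor -> record ids that actor may use; "*" grants access to every record
        self._permissions = permissions
        self._records: Dict[str, dict] = {}
        self._audit: List[AuditEntry] = []  # append-only: entries are never edited or removed
        self._clock = clock

    def _log(self, actor: str, record_id: str, action: str) -> None:
        self._audit.append(AuditEntry(self._clock(), actor, record_id, action))

    def _require(self, actor: str, record_id: str, action: str) -> None:
        """Refuse and log the attempt unless the actor is allowed this record."""
        allowed = self._permissions.get(actor, set())
        if "*" not in allowed and record_id not in allowed:
            self._log(actor, record_id, "denied")
            raise PermissionError(f"{actor} may not {action} {record_id}")

    def put(self, actor: str, record_id: str, data: dict) -> None:
        action = "update" if record_id in self._records else "create"
        self._require(actor, record_id, action)
        self._records[record_id] = dict(data)
        self._log(actor, record_id, action)

    def get(self, actor: str, record_id: str) -> dict:
        self._require(actor, record_id, "read")
        if record_id not in self._records:
            raise KeyError(record_id)
        self._log(actor, record_id, "read")
        return dict(self._records[record_id])

    def delete(self, actor: str, record_id: str) -> None:
        self._require(actor, record_id, "delete")
        self._records.pop(record_id)
        self._log(actor, record_id, "delete")

    def audit_for(self, record_id: str) -> List[AuditEntry]:
        """Every access attempt, successful or refused, against one record."""
        return [e for e in self._audit if e.record_id == record_id]

    def accesses_by(self, actor: str) -> List[AuditEntry]:
        """Everything one person did, useful when reviewing a user's activity."""
        return [e for e in self._audit if e.actor == actor]


if __name__ == "__main__":
    # Constructed scenario: HR sees everything, a line manager only their own report.
    store = StaffRecordsStore({"hr_admin": {"*"}, "line_manager": {"emp-001"}})
    store.put("hr_admin", "emp-001", {"name": "A. Example", "job_title": "Analyst"})
    store.put("hr_admin", "emp-002", {"name": "B. Example", "job_title": "Engineer"})
    print(store.get("line_manager", "emp-001"))
    try:
        store.get("line_manager", "emp-002")
    except PermissionError as exc:
        print("refused:", exc)
    for entry in store.audit_for("emp-002"):
        print(entry.when.isoformat(), entry.actor, entry.action)
```

The refused read of emp-002 is logged as "denied" alongside the successful accesses, which is what makes the trail useful for spotting staff looking at records they have no business reason to see.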
How long must staff records be kept?
When retaining any information you should remember that, under the Data Protection Act, you must not keep data any longer than is necessary for a particular purpose.
You need to:
- review the length of time you keep personal data
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
- securely delete information that is no longer needed
- update, archive or securely delete information if it goes out of date
How long should employers keep employee records?
How long you retain different categories of information should be based on individual business needs.
The appropriate retention period is also likely to depend on:
- what the information is used for
- the surrounding circumstances
- legal or regulatory requirements
- specific business sector requirements
Personal data: deleting and archiving
At the end of the retention period, a record should be reviewed and deleted, unless there is a particular reason for keeping it.
You should only archive a document, rather than deleting it, if you still need to hold it.
If it is appropriate to delete a record from a live system, you should also ensure it is deleted from any back-up of the information.
'Deletion' can mean different things for electronic data, for example removing a record from a live system without removing it from backups, so be clear about what your system actually does when a record is deleted.
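The review described above (delete at the end of the retention period unless there is a reason to keep it, archive only what is still needed, and remove deleted records from backups as well) is shown below as an added worked example written for this guide; it is not code from the guide's author or any HR system. The retention periods in RETENTION_DAYS are constructed placeholders, since the guide deliberately leaves periods to your own business, legal and sector requirements.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Placeholder retention periods in days per record category (constructed;
# substitute the periods your own requirements dictate).
RETENTION_DAYS: Dict[str, int] = {"payroll": 3 * 365, "absence": 2 * 365, "appraisal": 365}


@dataclass
class RecordMeta:
    record_id: str
    category: str
    last_used: date          # start of the retention clock for this record
    still_needed: bool = False  # a particular reason to keep it (e.g. live tribunal claim)


def retention_action(meta: RecordMeta, schedule: Dict[str, int], today: date) -> str:
    """Decide what to do with one record at review time.

    "keep"    - retention period has not yet ended
    "archive" - period has ended but there is still a reason to hold the record
    "delete"  - period has ended and nothing justifies keeping it
    """
    due = meta.last_used + timedelta(days=schedule[meta.category])
    if today < due:
        return "keep"
    return "archive" if meta.still_needed else "delete"


def run_retention_review(records: List[RecordMeta], live: Dict[str, dict],
                         archive: Dict[str, dict], backups: List[Dict[str, dict]],
                         schedule: Dict[str, int], today: date) -> Dict[str, str]:
    """Apply the review to the live store, the archive and every backup copy.

    A deletion is only complete once the record is gone from the backups too;
    an archived record leaves the live system but is retained.
    """
    outcome: Dict[str, str] = {}
    for meta in records:
        action = retention_action(meta, schedule, today)
        outcome[meta.record_id] = action
        if action == "delete":
            live.pop(meta.record_id, None)
            for backup in backups:
                backup.pop(meta.record_id, None)
        elif action == "archive":
            if meta.record_id in live:
                archive[meta.record_id] = live.pop(meta.record_id)
    return outcome


if __name__ == "__main__":
    # Constructed sample data for one review run on 1 June 2024.
    metas = [
        RecordMeta("pay-2019", "payroll", date(2020, 1, 1)),
        RecordMeta("abs-2023", "absence", date(2023, 1, 1)),
        RecordMeta("apr-2021", "appraisal", date(2022, 1, 1), still_needed=True),
    ]
    live = {m.record_id: {"category": m.category} for m in metas}
    backups = [dict(live), dict(live)]
    archive: Dict[str, dict] = {}
    result = run_retention_review(metas, live, archive, backups, RETENTION_DAYS, date(2024, 6, 1))
    print(result)                      # {'pay-2019': 'delete', 'abs-2023': 'keep', 'apr-2021': 'archive'}
    print(sorted(live), sorted(archive), [sorted(b) for b in backups])
```

Keeping the decision (`retention_action`) separate from the side effects makes the policy easy to review on its own, and the outcome dictionary doubles as the written record that a review took place.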
Staff records: your data protection obligations
The Data Protection Act is concerned with personal data - information about living, identifiable individuals held on computer or in certain structured manual filing systems.
Six principles for processing of personal data
The GDPR sets out six data protection principles that you must comply with when processing personal data:
- Lawfulness, fairness and transparency - make sure workers understand why you are collecting the data and how you will use it.
- Purpose limitation - you must only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what this purpose is, and only collect data for as long as necessary.
- Data minimisation - you must ensure that personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose.
- Accuracy - you must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you rectify incorrect data that relates to them.
- Storage limitation - you must delete personal data when you no longer need it. Individuals have the right to request that you delete data that relates to them, and you must do this within one month of receiving the request.
- Integrity and confidentiality - you must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
You must keep these principles in mind when deciding what information to collect, when establishing procedures for processing this information and when dealing with requests from workers.
Personal information should be kept secure. You should use appropriate security to prevent the personal data being compromised.
This will involve having the right physical and technical security, backed up by robust policies and procedures and well trained staff.
Read Information Commissioner's Office (ICO) guidance on information security.
Penalties for a breach of personal data
When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it's likely that there will be a risk then you must notify the ICO; if it's unlikely then you don't have to report it. However, if you decide you don't need to report the breach, you need to be able to justify this decision, so you should keep a record of any personal data breaches regardless of whether you are required to notify the ICO.
You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.
Failing to notify a breach when required to do so can result in a significant fine up to 10 million euros or 2 per cent of your global turnover.
A worker's right to access their records
Under the Data Protection Act, individuals have a number of rights, in particular the right to receive a copy of any information you hold about them. These rights extend not only to workers but to any person on whom you hold personal data, eg service users, clients and customers.
If you provide such information, you must ensure you don't also give out information on someone else unless it is reasonable in all the circumstances to do so.
Subject access requests
If a worker asks for any information that you hold about them, known as a subject access request, they may make the request verbally or in writing.
You must act on the subject access request at the latest within one month of receipt. You cannot charge a fee to deal with a request in most circumstances.
Where it is reasonable to do so, you can ask for evidence to prove their identity and for information you may need to help you find the information they are seeking.
The one-month time limit starts from the day after the request is received and runs until the corresponding calendar date in the next month. If this is not possible because the following month is shorter and there is no corresponding date, the date for the response will be the last date of the following month.
If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond. Where it is necessary to obtain someone's ID documents for identification purposes before responding, the period for responding to the request will only begin on receipt of these documents.
See our guidance on the Freedom of Information (FOI) Act.
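The deadline rule set out above has several edge cases (a month with no corresponding date, weekends and public holidays, and the clock only starting once identity documents arrive), so it is worth working through in code. The following is an added example written for this guide, not code from the guide's author or the ICO; the holiday dates in SAMPLE_HOLIDAYS are constructed placeholders, and a real calendar would come from your own systems.

```python
import calendar
from datetime import date, timedelta
from typing import FrozenSet, Optional

# Constructed sample of public holidays; placeholders, not an official calendar.
SAMPLE_HOLIDAYS: FrozenSet[date] = frozenset({
    date(2024, 1, 25), date(2024, 12, 25), date(2024, 12, 26),
})


def corresponding_date_next_month(start: date) -> date:
    """Same calendar day in the following month, or that month's last day
    when no such day exists (for example 31 January -> 29 February 2024)."""
    if start.month == 12:
        year, month = start.year + 1, 1
    else:
        year, month = start.year, start.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, holidays: FrozenSet[date] = frozenset()) -> date:
    """Roll forward past Saturdays, Sundays and any listed public holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(received: date, holidays: FrozenSet[date] = frozenset(),
                 id_received: Optional[date] = None) -> date:
    """Date by which a subject access request must be answered.

    The period runs from the request (or, where identity documents were needed,
    from the day those documents arrived) to the corresponding date next month,
    moved to the next working day if it lands on a weekend or public holiday.
    """
    start = received if id_received is None else max(received, id_received)
    return next_working_day(corresponding_date_next_month(start), holidays)


if __name__ == "__main__":
    print(sar_deadline(date(2024, 1, 31)))                    # 2024-02-29 (no 31 February)
    print(sar_deadline(date(2024, 5, 15)))                    # 2024-06-17 (15 June is a Saturday)
    print(sar_deadline(date(2023, 12, 25), SAMPLE_HOLIDAYS))  # 2024-01-26 (25 Jan is a sample holiday)
    print(sar_deadline(date(2024, 5, 1), id_received=date(2024, 5, 15)))  # 2024-06-17
```

The weekend and holiday roll-forward is applied only to the final date, matching the rule that the corresponding date itself, not every day in between, is what moves to the next working day.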
Information protected under subject access requests
You do not have to provide copies of information if the information is exempt. The exemptions include:
- information held for management planning, eg plans to promote a worker or make a worker redundant
- information as to your intentions in respect of negotiations with the requester
- references you have given about the worker in confidence (references received by you are not exempt)
- information about the prevention or detection of a crime, or the arrest or prosecution of offenders
- information that may affect the price of a company's shares
Read Information Commissioner's Office (ICO) guidance on right of access to personal data.
Keeping other workers' information confidential
When you provide the data, make sure you don't violate anyone else's data protection rights.
For example, if you get a complaint about a worker, and that worker then requests access to their file, this could lead to the complainant being identified.
To avoid this, obscure any identifying information in the original document before copying it and giving the copy to the worker. In some cases the contents of a document may still identify the complainant so it may be necessary to obscure other parts of the document.
Workers' other rights in relation to their records
As well as the right to access data on themselves, a worker also has the right to:
- have inaccurate personal data corrected or completed if it is incomplete
- receive compensation for damage suffered as a result of your breach of the Act
- prevent processing likely to cause substantial damage or substantial distress
- know the logic behind any automated decision taken about them, eg psychometric testing decisions
- have personal data erased
- data portability - to obtain and reuse their personal data for their own purposes across different services
- object to the processing of their personal data in certain circumstances, eg direct marketing