4 March 2025
Need to Know about Employment Records
By Sofia Carroll, Senior Information Governance Manager
The Information Commissioner’s Office (ICO) published new guidance on your data protection responsibilities in the context of keeping employment records. Below we look at some of the main messages employers must note.
The employment relationship is key to balancing rights and interests
There is a running theme in the ICO guidance about the context in which employers will process data. This includes industry, job type and title, and uses for which employees’ personal data is kept.
For example, it would be reasonable for a miner to carry a tracking device while in the mine (because of security risks and risks to their life), but the same won’t apply to tracking a desk-based employee while they are on business outside the office.
Another key theme in the employment relationship is the validity of consent provided by an employee to their employer. Because of the imbalance of bargaining power – the employee may feel forced to say yes so they don’t lose their job – there are few, if any, situations where consent would be your Article 6 UK GDPR lawful basis for data use.
The ICO does provide an example of using consent: when an organisation uses an employee’s photo for marketing materials. While possible, this tends not to work perfectly in practice.
If the employee withdraws their consent to be in promotional materials later, it would be hard to act on it if, for instance, materials have gone to print. The employer cannot offer a meaningful way to withdraw consent, rendering it meaningless. Legitimate interests might be a better option here – please contact us at info@naomikorn.com if you would like to discuss.
Data protection is only one area of law to consider
As an employer, the UK GDPR and Data Protection Act 2018 are only part of the regulatory framework you must consider. Remember also:
- Employment Rights Act 1996
- Human Rights Act 1998
- Industry guidance
- Financial / tax regulation
- Anything else specific to your organisation
The main areas where employers will realise data protection isn’t the only area to consider are:
- Retention
Data protection law does not state how long to keep data, but you must consider other laws to decide how long to keep it and whether there is a prescribed period. For example, you can decide to keep complaint details for two years because of your legitimate interests to respond to them, but you will keep employees’ tax data for six years from the day they leave because you have a legal obligation to do so.
- Purpose of using data
The type and amount of personal data you must have will be determined by what it is needed for. You could end up with a lot of personal and special category data during an occupational health assessment, but much less when you are recording a regular catch-up between a manager and their line report.
- Right to erasure
Some employees might want all their data deleted after they leave, but, as above, you will have to keep it not because data protection law says so, but because you need to manage your accounts under different legislation.
Plan for various safeguards of personal data
Employers must make sure they have the lawful basis and processing conditions, if applicable, for various kinds of personal data:
- Personal data such as contact details
- Special category such as health or race
- Criminal offence
- Biometric
Join our Data Protection Essentials course to learn more about these types of data and how to use them lawfully.
The use of biometric data has become more prevalent with advances in technology, for example allowing machine or office access with facial recognition or fingerprints. Biometric data becomes special category data if used to specifically identify someone, bringing together all corresponding responsibilities from the UK GDPR.
Employers could record this in their Record of Processing Activities, without skipping:
- Completing a Data Protection Impact Assessment if the data used is more sensitive
- Completing a Legitimate Interest Assessment if relying on legitimate interests
- Having an Appropriate Policy Document for the use of special category and criminal offence data.
If you have any questions about the new ICO guidance and how to keep your employment practices compliant with data protection law, please email us at info@naomikorn.com.
You can also join Naomi Korn Associates’ Training Academy and upskill. Our courses cater to all stakeholders with varying knowledge levels. For more information or any queries, please contact our Training Manager at info@naomikorn.com.