Striking the right balance in employee data retention: Insights from ICO guidance

Collecting, using and retaining employee records – ranging from payroll data to personnel files – is a core activity for every employer, and one that must be carried out in compliance with data protection law. Recently, the Information Commissioner’s Office (ICO) published its final guidance on employee data retention, addressing common practical issues that the earlier Employment Practices Code did not fully cover. The guidance is divided into three key sections: (1) guidelines on collecting, maintaining and protecting employment records; (2) guidelines on using employee data; and (3) checklists for various employment functions.

The guidance complements existing ICO advice, setting out the legal requirements and best practice that help employers comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), whatever the status of the individual concerned – employee, worker, contractor or volunteer.

As such, the ICO’s guidance provides additional regulatory clarity, helping organisations to be data protection compliant in their daily operations. This article sets out the key pieces of recent guidance from the ICO.

Navigating lawful basis for data processing

Under Article 6 of the UK GDPR, employers must identify one of the six lawful bases for processing personal data: consent, contractual necessity, legal obligation, vital interests, public task and legitimate interests. The ICO guidance stresses the importance of selecting the right basis and of ensuring that the processing is necessary and proportionate. Consent, in particular, is reiterated as generally unsuitable in employment relationships because of the inherent power imbalance, unless employees can genuinely refuse or withdraw it without suffering any detriment. At the employment offer stage, legitimate interests is often the more appropriate basis, offering flexibility for recruitment without over-relying on consent.

Selecting the correct lawful basis (or bases) is straightforward in some cases: processing payroll data, for example, will clearly fall under contractual necessity. In more complex situations the choice is less clear. Take a company using an AI tool to monitor employee productivity. The employer may initially rely on legitimate interests, citing benefits for both the business and its employees, but problems arise if the tool collects sensitive data such as communication logs or biometric information, raising concerns around transparency, necessity and bias. Public authorities face a further constraint: legitimate interests cannot be relied on for processing carried out in the performance of their official tasks.

No single basis is inherently better than another, and more than one may be relevant, but each must be identified and documented from the outset. Retrospectively switching the lawful basis is likely to breach the accountability and transparency principles and may therefore be unlawful. If there is a genuine change in circumstances, or an unforeseen purpose arises, the organisation should inform the individuals concerned and properly document the change. Maintaining clear records is essential for demonstrating compliance. The ICO provides an interactive lawful basis guidance tool to assist with this process.

Special category data: a delicate balance

Special category data, including health information, trade union membership and racial or ethnic origin, is subject to heightened scrutiny under Article 9 of the UK GDPR. Article 9 sets out ten conditions for processing such data, half of which can only be relied on if an additional condition in Schedule 1 of the DPA is also met. Criminal offence data is treated separately under Article 10 and likewise requires a Schedule 1 condition; the ICO expects employers to process it only for legitimate purposes, such as detecting unlawful activity. Whilst these additional obligations may be more onerous for businesses, they should encourage a stronger policy of protecting sensitive information and foster more robust data management practices.

Complying with these requirements is particularly challenging where automated decision-making systems are involved. Article 22 of the UK GDPR restricts decisions based solely on automated processing that have legal or similarly significant effects on individuals, and where such a decision relies on special category data it is only permitted with the individual’s explicit consent or where it is necessary for reasons of substantial public interest. This adds a further layer of scrutiny that calls for careful reassessment by employers, especially in areas such as diversity monitoring and recruitment, where sensitive data is commonly used.

While anonymisation might seem an attractive way to sidestep the complexities surrounding special category data, it is not always a viable solution: data that can still be linked back to an individual, for example pseudonymised records where the key is retained, remains personal data and stays within the scope of the UK GDPR.

Data retention: How long is too long?

The ICO’s guidance emphasises that employers should retain employee data only for as long as necessary, but what is “necessary” depends on context. Certain sectors may be able to justify longer retention because of their specific circumstances, but holding personnel data beyond what is genuinely required exposes the business to unnecessary risk. Right to work checks are a clear-cut case: employers must retain them for the duration of employment and for two years after it ends in order to retain a statutory excuse against a civil penalty.

Employment data in M&A

The ICO’s guidance sheds helpful light on the use of employee data in M&A transactions. It encourages employers to assess whether extending data retention periods is genuinely necessary, rather than defaulting to longer periods for convenience. During due diligence, the target is often required to share personal data with the acquiring entity so that it can evaluate assets and liabilities. The target should scrutinise each request for employee data, ensuring the information is used exclusively for that evaluation, kept confidential, and destroyed or returned by the acquirer after use. The transfer itself must be lawful, fair and transparent, which means assessing the types of data being shared, identifying the lawful basis for the processing, and ensuring that any special category data is handled with the additional safeguards it requires.

While informing employees about data transfers is best practice, in certain circumstances, such as where there are concerns of potential insider trading, market manipulation, or for commercial / confidentiality reasons, it may not be possible to notify them before the transaction completes. In these instances, seeking legal advice is recommended to ensure compliance.

Data sharing complexities

The guidance seeks to clarify long-standing uncertainties around data sharing, building on the 2021 Statutory Code of Practice on Data Sharing. Employers may feel justified in sharing employee data with third parties in pursuit of business interests, but the ICO stresses that organisations should carefully weigh the potential benefits and harms of sharing, and of not sharing, the data – a subjective threshold that requires rigorous case-by-case assessment and documented decision-making. In emergencies, sharing information may be essential, especially where it could safeguard an employee or prevent serious harm. In other situations sharing may be legally required, for example when responding to requests from HMRC for worker information.

TUPE

Data sharing during TUPE transfers should be carefully considered by employers. The guidance confirms that a lawful basis will usually exist for providing employee liability information (ELI), as the outgoing employer is legally obliged to supply it. However, sharing employee information above and beyond what TUPE requires (particularly sensitive data such as health or criminal records) risks breaching data protection law unless there is a lawful basis and, where required, a specific condition for processing special category or criminal offence data. Employers are advised to conduct Data Protection Impact Assessments (DPIAs) where high-risk data sharing is involved and to agree retention periods with the incoming employer. These safeguards help prevent excessive sharing and ensure that employee information is not held for longer than necessary after the transfer.

Handling subject access requests (SARs)

The guidance acknowledges the growing role of SARs in workplace disputes, including grievance, disciplinary and dismissal processes. Employers must respond to a SAR within one month (extendable by up to two further months where a request is complex or numerous), but the guidance recognises that responding can be difficult, particularly when balancing the right of access against legal privilege or the confidentiality of third parties.

Employers are encouraged to establish clear internal procedures to manage SARs efficiently. This includes identifying exempt information early and ensuring staff are trained to handle requests in line with legal timeframes. The increased use of SARs as a tool during workplace disputes means organisations must be prepared to handle them sensitively without obstructing employees’ rights.

What steps can be taken to mitigate risk?

To navigate these challenges, we recommend:

  1. Developing clear data retention policies: regular audits and clear retention schedules are essential.
  2. Investing in data protection training: ensure HR teams are prepared for complex issues such as SARs, data sharing and special category data handling.
  3. Conducting risk assessments for sensitive data: use DPIAs where necessary to identify and mitigate risks.
  4. Adopting a risk-based approach: for any data sharing or retention decision, carry out a risk assessment to ensure the privacy risks do not outweigh the benefits.

The ICO has additional checklists and tools to guide organisations on activities such as email correspondence, social media posts, and telemarketing, highlighting the regulator’s push for greater accountability in data sharing practices.

The guidance highlights the challenging balancing act employers face: meeting operational needs while upholding data protection principles. By following the ICO’s recommendations, employers can strengthen their compliance position and build trust with employees.

For guidance on managing employee data retention, please contact our Employment and Immigration team.

Our people

Lucy Gordon, Partner, Employment & Immigration

Liam Faulkner, Senior Associate, Employment & Immigration