On February 5, 2025, the UK Information Commissioner's Office (ICO) released new guidance designed to help employers understand and comply with their obligations under the UK GDPR and the Data Protection Act 2018 in relation to the lawful collection, maintenance, and management of employment records.
The guidance emphasises the importance of balancing the need to maintain employment records with workers' rights to privacy, and is divided into three sections:
- guidelines on collecting, maintaining, and protecting employment records, covering lawful bases for processing personal data, conditions for special category and criminal offence data, and workers' rights regarding their personal data;
- guidelines on using employee data, covering the sharing of workers' personal data and handling of employment records, including considerations for references, publishing information about workers, and obligations during mergers and acquisitions and business reorganisations; and
- checklists for various employment functions, including collecting and keeping employment records, outsourced employment functions, equality monitoring, pension and insurance schemes, and handling data during mergers and acquisitions.
Some key takeaways include:
- Scope and applicability: The guidance applies to all types of employment relationships, including employees, contractors, volunteers, and gig or platform workers. It covers all scenarios where there is a relationship between an organisation and an individual performing work for it, regardless of the contract type.
- Legal obligations: The guidance clarifies that data protection laws do not prevent the collection, storage, and use of employment records but aim to ensure these activities are conducted in a manner that respects workers' privacy rights.
- Compliance framework: The guidance outlines what organisations must, should, and could do to comply with data protection laws.
- Additional legal considerations: While the guidance focuses on data protection obligations, it notes that employers may have other legal responsibilities, such as health and safety or employment law, which are not covered and for which separate advice should be sought.
The guidance is available here.