Collecting and keeping employment records

What kinds of records might we keep about our workers?

As an employer, there are many kinds of records you may need to keep about your workers. For example:

  • personnel files;
  • sickness and injury records;
  • disciplinary and grievance records;
  • training records;
  • appraisal or performance review records;
  • payroll information;
  • pension information;
  • interview notes;
  • emails;
  • references; and
  • equality and diversity information (eg, information about ethnicity, religion, disability and sexual orientation).

The UK GDPR and the DPA 2018 (referred to here as data protection law) apply whenever you are processing your workers’ personal information. 

Data protection law sets out principles for collecting and using personal information. These do not stop you keeping the records you need about your workers. But you must make sure you use their information in line with the data protection principles. In particular, you must make sure your use is:

  • fair – you use people’s personal information only in ways they could reasonably expect, and not in ways that have unjustified adverse effects on them;
  • lawful – you have a lawful basis to use the information, and you don’t do anything generally unlawful with it; and
  • transparent – you are open, honest, and inform people about what you are doing with their information.

Before you collect and use any personal information about your workers, you must be clear why you are doing so. You must also be satisfied you have justified reasons for collecting it.

You must record your purposes and specify them in your privacy information. 

You may only use the personal information in employment records for a new purpose if: 

  • this is compatible with your original purpose;
  • you get specific consent from the worker; or
  • you have a clear obligation or function set out in law.

Remember to consider your obligations under: 

  • employment law;
  • health and safety law;
  • any other legislation;
  • any common law duties; and
  • any relevant industry standards,
    and obtain separate advice on these where necessary. 

How can we lawfully keep records of workers’ personal information? 

To lawfully keep records of your workers’ personal information, you must identify a lawful basis. Six lawful bases for processing are set out in Article 6 of the UK GDPR. Remember the following points:

  • You must apply at least one lawful basis whenever you are keeping records of your workers’ personal information.
  • No one basis is always better, safer or more important than the others. There is no hierarchy in the order of the list in the UK GDPR.
  • How you decide which lawful basis for keeping records applies depends on your specific purposes, and your relationship with the worker.
  • You must think about why you want to keep records of the information and consider which lawful basis best fits the circumstances.
  • If you think more than one basis applies, you must identify and document all of them from the start.

You can use our interactive guidance tool to help you decide which lawful basis applies.

You may need different lawful bases for different categories of information, or for information used for different purposes. 

You may also need to keep records of special category information about your workers. This is information that is considered especially sensitive, so has a greater level of protection. The special categories are information about a person’s:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic information;
  • biometric information (where used for identification purposes);
  • health;
  • sex life; or
  • sexual orientation.

There are rules that cover using special category information. You may only keep records of this type of information if you meet some additional requirements. This means that in addition to a lawful basis, you must identify a special category condition (under Article 9 of the UK GDPR). You may also need to satisfy a condition in Schedule 1 of the DPA 2018. 

You may also sometimes need to keep records about workers’ criminal convictions or offences. There are rules that cover using this information, and you may only keep records of criminal convictions or offences if you:

  • have official authority to do so; or
  • meet one of the conditions in Schedule 1 of the DPA 2018.

Lawfulness also means you don’t do anything with the personal information that is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If keeping records would involve you committing a criminal offence, it will obviously be unlawful. Keeping records may also be unlawful if, for example, it results in:

  • a breach of a duty of confidence;
  • your organisation exceeding its legal powers or exercising those powers improperly;
  • an infringement of copyright;
  • a breach of an enforceable contractual agreement;
  • a breach of industry-specific legislation or regulations; or
  • a breach of the Human Rights Act 1998.

You may need to take your own legal advice on other relevant legal requirements.

Can we rely on a worker’s consent?

You may be considering relying on a worker’s consent to process the information in their employment records. Consent is one of the lawful bases for processing personal information. Consent is also one of the Schedule 1 conditions you can use to process criminal offence information, and explicit consent is one of the conditions you can use to process special category information. However, consent provides certain difficulties in an employment context. 

The UK GDPR sets a high standard for consent, and people must have a genuine choice over how you use their information. Consent must be:

  • freely given;
  • specific;
  • informed;
  • unambiguous; and
  • expressed by a clear affirmative action (ie, using an opt-in). 

It must be as easy for someone to withdraw their consent as to give it. 

It may be difficult for you to rely on consent to keep records of personal information about your workers. This is because, as an employer, you will generally be in a position of power over your workers. They may fear adverse consequences and may feel they have no choice but to agree to you collecting and using their information. In such circumstances, consent is not considered freely given. 

Explicit consent is not defined in the UK GDPR, but it is likely to be similar to the usual high standard of consent. The key difference is that explicit consent should be expressly confirmed in a clear statement (whether oral or written), and not by inference from someone’s actions.  

You should avoid relying on consent unless you are confident you can demonstrate it is freely given. This means you should give a worker the option to say ‘no’ without fear of a penalty being imposed and allow them to withdraw their consent at any time.

You cannot rely on consent if:

  • the worker has no genuine choice over how you use their information; or
  • you would still keep records of the information using a different lawful basis or condition if the worker refused or withdrew consent.

If you think it will be difficult for you to show that consent has been freely given, you should consider relying on a different lawful basis, such as legitimate interests. See ‘What lawful bases might apply when keeping employment records?’ for more information. You should also consider relying on a different condition for processing special category or criminal offence information.

However, this does not mean that, as an employer, you can never use consent. Even when you are in a position of power, there may be situations where you could still show that consent is freely given.

There are also other considerations you must take into account if you want to rely on consent, such as recording and managing consent. Please see our separate guidance on consent for more information.

Example

An organisation operates a cycle-to-work scheme, where workers can buy a bicycle at a subsidised rate to encourage them to cycle to and from work. To do this, they need to share some personal information about the workers who want to participate, with the firm that provides the bicycles. Since take-up of the scheme is voluntary, and there are no penalties for not participating, the organisation could use consent as the basis for collecting and sharing this information.

What lawful bases might apply to employment records?

We’ve listed below the lawful bases that are most likely to be relevant in an employment records context, but other lawful bases may be available.

Remember, you are responsible for deciding what lawful basis is most appropriate. If you can meet the criteria for a specific lawful basis, you are likely to be able to rely on it. 

We have detailed guidance on each of the lawful bases, so read this for more information about how each basis works.

  • Contract

This lawful basis applies where you need to keep employment records for a contract you have with the worker, or because they have asked you to take specific steps before entering into a contract. This is most likely to apply when you need to collect and use information about your workers under an employment contract. 

You should only use the contract lawful basis once an offer of employment has been accepted, even if a contract has not yet been entered into. Acceptance of a conditional offer of employment shows an intention on both sides to enter into the contract. Until that stage, legitimate interests could be a more appropriate lawful basis. 

This lawful basis only applies for contractual employment purposes rather than legal obligations under employment law.

Example

An organisation keeps records of their workers’ names, addresses and salary information to meet their contractual obligation to pay them for their work.

  • Legal obligation

You could rely on this lawful basis where you need to use personal information kept in employment records to comply with a common law or statutory obligation (this does not include contractual obligations). 

Example

Employers have an obligation to share workers’ names, addresses and salary details with HMRC for tax purposes.

  • Legitimate interests

This lawful basis may apply if you need to keep records of workers’ personal information for your legitimate interests or those of a third party. It won’t apply if there is a good reason to protect the worker’s personal information that outweighs those legitimate interests. As part of this, you should carry out a legitimate interests assessment to determine if this is the case. For more information, see our separate guidance that covers How can we apply legitimate interests in practice?

Example

An organisation requests references containing personal information about a job applicant from a previous employer. The organisation can rely on legitimate interests to collect and hold the information in this reference.

  • Vital interests

In exceptional circumstances, you may be able to rely on the vital interests lawful basis. This lawful basis is very limited in its scope and generally only applies to matters of life and death – for example, if there is a medical emergency and a worker’s life is at immediate risk. Important: you cannot rely on vital interests for health or other special category information if the person is capable of giving their consent, even if they refuse their consent.

What conditions might apply for keeping records of special category information?

As explained above, if you are keeping records of special category information about your workers, you must identify a special category condition, as well as identifying a lawful basis.

There are 10 conditions for special category information. For five of them, you must meet the additional conditions and safeguards in Schedule 1 of the DPA 2018.

Remember that you should determine your special category condition before you begin keeping records and you should document this, along with your lawful basis.

If you are relying on a Schedule 1 condition, many of them also require you to have an ‘appropriate policy document’ in place. This acts as part of the additional safeguards that are necessary for keeping records. See our separate guidance What is an appropriate policy document for more information. We have also produced an appropriate policy document template you can use. 

We’ve listed below the conditions that are most likely to be relevant in an employment records context:

  • Employment, social security and social protection law 

To rely on this condition for keeping employment records, you must be keeping them to comply with employment law, or social security and social protection law. You should identify the legal obligation or right, either by referring to the specific legal provision or by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you could refer to a government website or to industry guidance that explains employment obligations or rights that generally apply. 

This condition does not cover any employment records you keep to meet purely contractual employment rights or obligations.

You must be able to justify why keeping records of this specific information is necessary and is a reasonable and proportionate way of meeting specific rights or obligations under employment, social security and social protection law. You should only obtain or use the information you need, and not collect excessive information.

If you are relying on this condition, you must also meet the associated condition in Part 1 of Schedule 1 of the DPA 2018. This condition also requires you to have an appropriate policy document in place.

  • Legal claims or judicial acts 

You may be able to rely on this condition if you need to use special category or criminal offence information to establish, exercise or defend legal claims – for example, if a worker is suing you as their employer.

You should be able to justify why keeping records of this specific information is necessary to establish, exercise or defend the legal claim. You can only rely on this condition if the information is relevant and proportionate, and you do not obtain or use more information than you need.

As an employer you can rely only on the legal claims element of this condition, as the judicial acts element applies only to courts acting in their judicial capacity.

  • Substantial public interest

This condition allows you to keep records of special category information if you need to because of substantial public interest.

To rely on this condition, you must meet one of the specific substantial public interest conditions in Part 2 of Schedule 1 of the DPA 2018. You must also have an appropriate policy document in place for most of these conditions. 

The most likely substantial public interest conditions are:

  • statutory and government purposes;
  • equality of opportunity or treatment;
  • racial and ethnic diversity at senior levels;
  • preventing or detecting unlawful acts;
  • regulatory requirements;
  • preventing fraud;
  • safeguarding of children and of individuals at risk; or
  • occupational pensions.

This list isn’t exhaustive and if you intend to rely on any substantial interest conditions, you should look at the details of the specific conditions in the DPA 2018 to determine which condition is most appropriate to your purpose. 

  • Vital interests

You may also find that vital interests apply in some limited circumstances, similar to the vital interests lawful basis, discussed above. 

What conditions might apply for keeping records of criminal offence information?

If you are keeping records about criminal offences, and you do not have official authority to do so, you must meet one of the 28 conditions in Schedule 1 of the DPA 2018.

The conditions in Schedule 1 do not all apply to both criminal offence and special category information. Many of them apply to both types of information, but some only apply to special category information and some only to criminal offence information. The conditions also have different requirements and some are applied differently, depending on the nature of the information.

Remember that you should determine your condition before you begin keeping records and you should document this, along with your lawful basis.

Many conditions also require you to have an ‘appropriate policy document’ in place. This acts as part of the additional safeguards that are necessary for keeping records. See our separate guidance What is an appropriate policy document for more information. We have also produced an appropriate policy document template you can use. 

The conditions most likely to be relevant in an employment records context are:

  • employment, social security and social protection;
  • statutory and government purposes;
  • preventing or detecting unlawful acts;
  • regulatory requirements;
  • preventing fraud;
  • safeguarding of children and of individuals at risk; or
  • legal claims.

This list isn’t exhaustive and you should look at the details of the specific conditions in the DPA 2018 to determine which condition is most appropriate to your purpose. 

Further reading

Read our guidance on:

Criminal offence data

How much personal information can we hold?

The data minimisation principle says you must make sure the personal information you hold is adequate, relevant, and limited to what you need for your purposes. This links closely to the storage limitation principle where you must consider how long you need to keep the information and why. For more information see ‘How long can we keep workers’ personal information?’.

This means you must identify the minimum amount of personal information you need to hold about your workers, and not hold more information than that. 

If you are holding more information about your workers than you need for your purpose, this is likely to be unlawful (as most of the lawful bases have a necessity element) as well as a breach of the data minimisation principle. 

How much is adequate, relevant and necessary will depend on the context. It may also differ from one person to another. Therefore, to work out whether you are holding the right amount of personal information, you should first be clear about why you need it.

If you need to hold particular information only about certain workers, you must only collect it for those people. The information is likely to be excessive and irrelevant about other workers.

Example

An organisation employs people in various roles. It sends a general questionnaire to all job applicants, which includes specific questions about health conditions that are only relevant to particular manual roles. It would be irrelevant and excessive to obtain this information from someone applying for a desk-based job.

You could periodically review your records to check that the personal information you hold about your workers is still relevant and adequate for your purposes, and delete anything you no longer need. Certain legislation may require you to keep information for a specific period. If you need advice on other legislation outside the ICO’s remit, you may wish to obtain independent legal advice on this.

How do we keep workers’ personal information accurate and up-to-date?

The accuracy principle says you must take all reasonable steps to keep any personal information you hold about your workers accurate and up-to-date.

In practice, this means you should:

  • take reasonable steps to ensure the accuracy of any personal information;
  • make sure it is clear where you have obtained the personal information;
  • carefully consider any challenges to the accuracy of information; and
  • consider whether you need to periodically check and update the information.

If you are collecting personal information directly from your workers, you are responsible for making sure you record it correctly. You should take particular care if the information might have serious implications for the worker if it were recorded inaccurately (eg, information you use to calculate a worker’s salary). 

The more important it is that the personal information is accurate, the greater the effort you should put into ensuring its accuracy. So if you are using the information to make decisions that might significantly affect the worker concerned or others, you should put more effort into ensuring its accuracy. This may mean you have to get it independently confirmed. For example, you may need to check the precise details of the education, qualifications and work experience of job applicants, if these are essential for a particular role.

A record of an opinion is not necessarily inaccurate personal information just because the worker disagrees with it or it is later proved to be wrong. Opinions are, by nature, subjective and not intended to record matters of fact. However, to be accurate, your records should make clear that it is an opinion, and, where appropriate, whose opinion it is. 

If someone challenges the accuracy of an opinion, you could add a note recording the challenge and the reasons behind it. If it becomes clear that an opinion was based on inaccurate personal information, you should also record this fact to ensure your records are not misleading.

Remember that workers have the right to have inaccurate personal information corrected. This is known as the right to rectification.

Example

During a performance review, a manager records the facts about a worker’s performance accurately, and expresses the opinion that the worker is underperforming in their role. The worker voices disagreement with this assessment. However, just because the worker disagrees does not make the information inaccurate. The manager could include a note in the assessment to record the worker’s disagreement.

How long can we keep our workers’ personal information?

The storage limitation principle says you can only keep personal information for as long as you need it. Making sure you erase or anonymise personal information when you no longer need it will also reduce the risk that it becomes irrelevant, excessive, inaccurate or out-of-date.

Therefore, you need to consider how long you need to keep workers’ personal information, as well as the information of former workers, and be able to justify doing so. This depends on your purposes for holding the information.

Data protection law does not set specific time limits for how long you can keep your workers’ personal information. This is up to you, and will depend on how long you need the information for your particular purposes.

You should consider any legal or regulatory requirements and seek advice on compliance, if necessary. There are various legal requirements and professional guidelines about keeping certain kinds of records, such as information about taxation and health and safety. Certain legislation may require you to keep the information for a specified period. If you keep your workers’ personal information to comply with a requirement like this, you will not be considered to have kept the information for longer than necessary.

You must make sure you only keep the records you still need. Once you no longer need the information, you should erase it or, if possible, anonymise it – for example, after the employment relationship and all your legal obligations to retain the information have ended. This links to the accuracy and data minimisation principles. If you keep information longer than you need it, you are keeping more information than you need, and it is more likely to become inaccurate over time.

Example

An organisation holds a record it collected about a worker’s criminal conviction. This information was relevant at the time of collection, but has since become ‘spent’ under the Rehabilitation of Offenders Act. As keeping the information is no longer needed, the organisation must erase it from the worker’s record.

Further reading

There is government guidance on the Rehabilitation of Offenders Act, which includes detail about spent convictions and exceptions.

You should set up a retention policy or schedule that lists: 

  • the types of record or information you hold;
  • what you use it for; and
  • how long you intend to keep it. 

This will help you establish and document the standard retention periods for different categories of personal information. 

Do not take a ‘one-size-fits-all’ approach to retaining workers’ personal information. While you may need to hold on to some types of information about previous workers, you may be able to delete other information as soon as the employment relationship ends. 

Different categories of personal information will need different retention periods. This will depend on your purpose for holding the information. You may also have other legal or regulatory obligations about retaining some records, such as on income tax or certain aspects of health and safety. If you know what these other obligations are, you can factor them in to your retention schedules. 

Where possible, you could set up automated systems to help with this process, which would flag when information you are holding is due to be reviewed or deleted.
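As an added illustration of such a retention schedule and the flagging it drives (example code written for this page, not the ICO's own): each category of record is tied to a trigger event, a period and the reason for that period; a record under a live legal claim is held back from disposal; and a category with no rule is flagged rather than quietly kept forever. The categories follow the page, but the periods, worker names and dates are placeholders constructed for the example and are not retention periods the page or the law sets.

```python
"""Retention schedule evaluator for employment records.

Added example (not ICO code). Each category of record has a rule: what
event starts the clock, how long to keep the record after it, and why.
Periods below are placeholders for illustration, not recommended periods.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    trigger: str        # "created" or "employment_end"
    keep_for_days: int  # period after the trigger event
    basis: str          # purpose or obligation that justifies the period


# Assumed schedule: category -> rule. Periods are illustrative only.
SCHEDULE = {
    "interview_notes": RetentionRule("created", 180, "defend recruitment-related claims"),
    "disciplinary": RetentionRule("employment_end", 365, "employment-related claims"),
    "payroll": RetentionRule("employment_end", 6 * 365, "tax record-keeping (assumed period)"),
    "sickness": RetentionRule("employment_end", 3 * 365, "health and safety (assumed period)"),
}


@dataclass(frozen=True)
class HeldRecord:
    worker: str
    category: str
    created: date
    employment_end: Optional[date] = None  # None while the worker is still employed
    legal_hold: bool = False               # e.g. a live legal claim involving it


def disposal_date(rec: HeldRecord, rule: RetentionRule) -> Optional[date]:
    """Date the record falls due for disposal, or None if the clock has not started."""
    if rule.trigger == "employment_end":
        if rec.employment_end is None:
            return None
        start = rec.employment_end
    else:
        start = rec.created
    return start + timedelta(days=rule.keep_for_days)


def classify(rec: HeldRecord, today: date, window_days: int = 30,
             schedule=SCHEDULE) -> tuple[str, Optional[date]]:
    """Return (status, due_date). Statuses:
    unscheduled - no rule exists: it needs one, it must not be kept by default
    hold        - due or nearly due, but held back by a legal hold
    dispose     - due date has passed: erase or anonymise
    review_soon - due within the window: review before it falls due
    retain      - still within its period, or the clock has not started
    """
    rule = schedule.get(rec.category)
    if rule is None:
        return "unscheduled", None
    due = disposal_date(rec, rule)
    if due is None:
        return "retain", None
    if due <= today or (due - today).days <= window_days:
        if rec.legal_hold:
            return "hold", due
        return ("dispose" if due <= today else "review_soon"), due
    return "retain", due


def review(records, today: date, window_days: int = 30) -> dict:
    """Group records by status so each list can be actioned or reported."""
    out = {s: [] for s in ("unscheduled", "hold", "dispose", "review_soon", "retain")}
    for rec in records:
        status, due = classify(rec, today, window_days)
        out[status].append((rec.worker, rec.category, due))
    return out


# Constructed sample data; the review date is fixed so the run is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE = [
    HeldRecord("w1", "interview_notes", date(2023, 1, 10)),                    # long past due
    HeldRecord("w2", "payroll", date(2015, 4, 1), employment_end=date(2019, 3, 31)),
    HeldRecord("w3", "disciplinary", date(2022, 9, 1), employment_end=date(2023, 6, 15)),
    HeldRecord("w4", "disciplinary", date(2021, 5, 1), employment_end=date(2022, 1, 1),
               legal_hold=True),                                                # due, but on hold
    HeldRecord("w5", "payroll", date(2020, 2, 1)),                             # still employed
    HeldRecord("w6", "emails", date(2018, 1, 1)),                              # no rule at all
]

if __name__ == "__main__":
    for status, items in review(SAMPLE, TODAY).items():
        print(f"{status:12s} {items}")
```

The "unscheduled" bucket is the one to watch in practice: a category that nobody has written a rule for is exactly the information that ends up kept indefinitely, so the evaluator reports it instead of defaulting it to "retain".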

Further reading

You can read the ICO’s retention and disposal policy and schedules: Retention and Disposal Policy 

How do we keep our records about workers’ personal information secure?

The security principle says you must have appropriate security measures in place to prevent the personal information you hold about workers being accidentally or deliberately compromised. 

You must choose a level of security appropriate to the nature of the information you are protecting and the level of harm that might result from misuse or loss. 

You must make sure that the employment records you hold:

  • can only be accessed, altered, disclosed or deleted by those who are authorised to do so (and that those people only act within the scope of the authority you give them) – for example, ensuring that access to employment records systems is limited to HR staff only, and that managers only have access to the information they need to meet their obligations;
  • are accurate and contain enough information for your purposes; and
  • remain accessible and usable. This means you should put in place measures to ensure you can recover the information if it is accidentally lost, altered or destroyed. 

In particular, if you hold special category or criminal offence information about your workers, you should think carefully about its security – for example, limiting access only to those who need to see it. Enforce that limit in the records system itself, through per-user permissions and a log of who accessed what, rather than relying on a password on the file alone, which cannot tell you who actually opened the record. If a physical record exists, you should keep it in a sealed envelope in the worker’s file or in a lockable cabinet, and make sure only people who need it have access to it. 

Example

An organisation collects information about its workers’ health conditions and disabilities so it can provide additional support or reasonable adjustments to workers who need it, as well as for equality monitoring purposes. The organisation determines which members of staff need to know this information (certain staff in Human Resources and workers’ line managers) and makes sure no other staff have access to the records.

When you are reviewing the information management systems you use for employment records, you must consider data protection by design and by default, so that you build data protection into your systems. If you are reviewing your existing systems, you must consider how you can incorporate this requirement. 

You should make sure that access to necessary information is protected against any automatic deletion processes. You should also ensure you still have access to information if staff leave or change roles. For example, you could store employment records centrally rather than locally, so you are not dependent on the availability of individual managers for access.
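One way to express the access rule above in a records system, as an added example rather than code from this page: a default-deny check in which HR staff can reach records for everyone, line managers can reach only a narrow set of categories for their own direct reports, special category and criminal offence records need an explicit need-to-know grant on top of the role, and every decision is written to an audit trail so that use outside granted authority can be reviewed. The role names, categories, users and grants are assumptions constructed for the example.

```python
"""Least-privilege access check for an employment-records store.

Added example (not ICO code). Default deny: a request succeeds only if a
role held by the requester grants the action on that record category,
the record is within the role's scope, and (for special category or
criminal offence data) the requester has an explicit need-to-know grant.
Every decision, allowed or not, goes to an audit trail.
Role names, categories, users and grants are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

SPECIAL_CATEGORY = frozenset({"health", "equality_monitoring", "trade_union"})
CRIMINAL_OFFENCE = "criminal_offence"
RESTRICTED = SPECIAL_CATEGORY | {CRIMINAL_OFFENCE}

# Record categories each role may reach. Anything not listed is denied.
ROLE_CATEGORIES = {
    "hr": frozenset({"personnel", "disciplinary", "training", "appraisal",
                     "payroll", "pension", "references"}) | RESTRICTED,
    "payroll": frozenset({"payroll", "pension"}),
    # Line managers: only what they need to manage their own reports, with
    # health data reachable solely to arrange reasonable adjustments.
    "line_manager": frozenset({"training", "appraisal", "health"}),
}
# Actions each role may perform. Only HR may alter or delete records.
ROLE_ACTIONS = {
    "hr": frozenset({"read", "alter", "delete"}),
    "payroll": frozenset({"read", "alter"}),
    "line_manager": frozenset({"read"}),
}


@dataclass(frozen=True)
class Record:
    subject: str   # the worker the record is about
    category: str


@dataclass(frozen=True)
class Requester:
    user: str
    roles: frozenset
    direct_reports: frozenset = frozenset()   # used to scope line managers
    # Categories of restricted data this person has a need-to-know grant for,
    # e.g. the HR adviser who handles reasonable adjustments gets "health".
    sensitive_grant: frozenset = frozenset()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def write(self, req, rec, action, allowed, reason):
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": req.user, "subject": rec.subject, "category": rec.category,
            "action": action, "allowed": allowed, "reason": reason,
        })


def decide(req: Requester, rec: Record, action: str) -> tuple[bool, str]:
    """Return (allowed, reason). No matching grant means denied."""
    if rec.subject == req.user:
        # Workers get their own records through subject access, not staff access.
        return False, "own record: use the subject access route"
    denial = "no role grants this action on this category"
    for role in sorted(req.roles):              # sorted: deterministic reason text
        if action not in ROLE_ACTIONS.get(role, frozenset()):
            continue
        if rec.category not in ROLE_CATEGORIES.get(role, frozenset()):
            continue
        if role == "line_manager" and rec.subject not in req.direct_reports:
            denial = "line_manager: worker is not one of your direct reports"
            continue
        if rec.category in RESTRICTED and rec.category not in req.sensitive_grant:
            denial = f"{role}: '{rec.category}' needs a need-to-know grant"
            continue
        return True, f"{role}: {action} on '{rec.category}' within scope"
    return False, denial


def access(req: Requester, rec: Record, action: str, audit: AuditLog) -> bool:
    """Decide, log, and return whether the action may proceed."""
    allowed, reason = decide(req, rec, action)
    audit.write(req, rec, action, allowed, reason)
    return allowed


# Constructed users for a demonstration run.
HR_GENERALIST = Requester("bob", frozenset({"hr"}))
HR_ADVISER = Requester("alice", frozenset({"hr"}), sensitive_grant=frozenset({"health"}))
MANAGER = Requester("carol", frozenset({"line_manager"}), direct_reports=frozenset({"dave"}))
PAYROLL = Requester("erin", frozenset({"payroll"}))

if __name__ == "__main__":
    log = AuditLog()
    for req, rec, act in [(HR_GENERALIST, Record("dave", "health"), "read"),
                          (HR_ADVISER, Record("dave", "health"), "read"),
                          (MANAGER, Record("frank", "appraisal"), "read")]:
        access(req, rec, act, log)
    for e in log.entries:
        print(e["user"], e["action"], e["category"], e["allowed"], e["reason"])
```

Two design points matter more than the particular role table. Membership of HR is deliberately not enough to open health or criminal offence records: the grant is a separate, named decision, which is what "certain staff in Human Resources" means in the example above. And denials are logged with the same detail as successes, because repeated denied attempts by one account are usually the first sign that someone is probing beyond the authority they were given.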

What do we need to tell workers about the personal information we hold and how we are going to use it?

Data protection law requires fairness and transparency, and provides a right for people to be informed about how you are using their personal information and why.

Transparency is about being clear, open and honest with your workers, and is linked to fairness. 

You must tell your workers:

  • your purposes for collecting and using their personal information;
  • your lawful basis;
  • your condition for processing (if it includes special category or criminal offence information);
  • your retention periods for the information;
  • who, if anyone, you plan to share their information with;
  • their rights over their information; and
  • details of where you got their personal information, how you are going to use it and who you will disclose it to. 

We call this ‘privacy information’.

If you are collecting personal information directly from your workers, you must give them the privacy information at the time you collect their information. 

If you are collecting their personal information from other organisations, rather than directly from the worker, you must give them the privacy information within a reasonable period, but at the latest within one month of obtaining it. 

You must give the privacy information in a way that is easily accessible to your workers, easy to understand, and in clear and plain language.

There are a range of ways you can provide the privacy information, but you must make workers aware of it and give them an easy way to access it. You could provide it:

  • as part of your staff privacy notice on your organisation’s intranet;
  • as part of your general data protection policy;
  • as separate privacy information in a worker handbook;
  • using ‘just in time’ notices if you offer online workshops, platforms or tools where personal information might be collected or shared with others;
  • as a general notice on a staff notice board; or
  • by sending a letter or email to workers.

The most effective way of giving privacy information to your workers will depend on the nature of your organisation and what fits best with your needs.

You should make sure you periodically remind existing workers about the privacy information. If your organisation is large, you could check with a random sample of workers that they: 

  • are aware of the privacy information;
  • received it; and
  • know how to find it.

You should regularly review and, where necessary, update your privacy information. You must bring any new uses of workers’ personal information to their attention before you start the processing.

Do workers have a right to access their employment records?

Yes. The right of access is commonly called a subject access request (SAR). It gives someone the right to obtain a copy of their personal information from your organisation. This includes where you got their information, what you’re using it for and who you’re sharing it with. 

There are no formal requirements about how the request is made. A SAR can be made verbally or in writing, including by social media. Workers can make requests to any part of your organisation, and they do not have to direct it to a specific person or contact point. However, you should have a designated person, team and email address for SARs. You could set up a specialist portal or process for your workers to help them make SARs efficiently and to help you recognise and respond to them.

Workers are especially likely to exercise their right to access their employment records during grievance or disciplinary proceedings, or in the case of dismissal. You should make sure managers in your organisation are aware that a worker going through disciplinary or grievance proceedings still has the right to access their personal information.

You must respond to a SAR from a worker without delay and within one month of receiving the request. However, you could extend the time limit for responding by up to two months if the SAR is complex or if they have sent you a number of requests.

If you have a large amount of information about someone, and their request is not clear, you can ask them to specify the information or processing activities that their request relates to. In these cases, the time limit for responding to the request is paused until you receive clarification, although you should still provide any of the supplementary information you can within one month.

You may have outsourced some of your processing to another organisation that holds personal information on your behalf (and you, as controller, do not hold that information). As a controller, you are still ultimately responsible for complying with SARs for employment records, not your processor.

The processor must help you meet your obligations for SARs, and you should make this clear in the agreement with them. If you request it, the processor must search for this information and, if necessary, give you a copy. See ‘What are our obligations if we have outsourced some of our processing about our workers?’

Sometimes you may need to give or receive confidential references about someone. The personal information in a confidential reference is exempt from the right of access for prospective or actual workers. The exemption applies regardless of whether you have given or received the reference.

Important: this exemption applies only to references given in confidence. You should make clear to people providing references and to anyone else relevant whether you are treating references confidentially or if you are adopting a policy of openness. You should do this through the privacy information you provide. For more information, see our guidance on the right to be informed.

Further reading

Read our detailed guidance on the right of access. This includes detail on possible exemptions from the right of access, some of which may be relevant in the context of employment records, such as the exemption for confidential records.

We have also produced a separate SARs Q&A for employers.

You can find links to all our SAR guidance and resources here: Helping you find our subject access request (SAR) resources.

Do workers have a right to have their employment records erased?

In some circumstances, people have the right to have their personal information erased. This is known as the right to erasure or, sometimes, the right to be forgotten.

It only applies in certain circumstances, many of which do not apply in an employment context.

However, the right to erasure does apply if the personal information is no longer necessary for the purpose you collected it for. The obvious example is that after an employment contract has ended you may no longer need to keep job application materials or references from previous employers. Your current workers may also have a right to have information in their employment record erased if you no longer need it. 

Example

An organisation receives a complaint about one of its workers. After investigating, it concludes that the complaint was vexatious, and it does not need to take further action. The worker requests that the organisation erase the details of this complaint from their employment record. The organisation decides it no longer needs the information for the reasons it collected it and accepts the request.

People also have a right to have their personal information erased when it is being processed on the basis of consent, and they withdraw that consent. As mentioned in ‘Can we rely on a worker’s consent?’ above, in most cases you will not be relying on consent to process employment records. But if you are, and the worker later withdraws their consent, in most circumstances you must erase the information.

Example

An organisation asks some of its workers if their images can appear in marketing and promotional materials. It collects these images and publishes them on the basis of the workers’ consent. One worker who initially agreed later changes their mind and withdraws consent for their image to appear. The organisation must remove the worker’s image from the marketing materials as soon as possible, and should erase the image if the worker requests it.

There are several reasons why you can refuse to comply with a request for erasure. In the employment context, those most likely to be relevant are if:

  • you are under a legal obligation to keep some records about past workers for tax or social security reasons; or
  • the request is manifestly unfounded or excessive. 

Further reading

Read our guidance on the right to erasure.

Who is responsible for data protection and employment records in our organisation?

Accountability is one of the key principles in data protection law. The accountability principle means you are responsible for what you do with personal information and how you comply with the other principles.
You must have appropriate measures and records in place to be able to demonstrate compliance with your data protection obligations. This includes compliance with the principles (as explained in the previous sections). But it also includes your other obligations, such as: 
  • taking a ‘data protection by design and default’ approach;
  • documenting your processing activities; and
  • carrying out data protection impact assessments (DPIAs) for uses of personal information that are likely to result in high risk. 
You should identify who within your organisation is responsible for authorising or collecting your workers’ personal information. You should ensure they are aware of your organisation’s policies and procedures. 
You should also make them aware of data protection law. If they lack proper authority and the necessary training, this could lead to a risk of non-compliance. You should also consider any obligations under other laws, such as employment law and health and safety legislation.
Ultimately, your organisation, as the controller, has responsibility for data protection compliance. If you use any processors that are processing workers’ personal information on your behalf, you must have a written contract in place with them. See ‘What are our obligations if we have outsourced some of our processing about our workers?’
If you have a data protection officer, you must involve them in any decisions about your processing of workers’ information.
You also should be aware of workers’ data protection rights when you are processing their information. 
We have produced an Accountability framework that can help you assess your organisation’s accountability.