Using employment records

When can we share workers’ personal information with other people or organisations?

From time to time, you may receive requests from people or organisations for information about particular workers. You do not need to share information about your workers just because someone has asked for it. However, there are occasions when you may need or want to. 

In some cases, you may have no choice but to share the information. This is when there is a legal obligation to share it, arising from laws outside data protection legislation that you need to respond to. For example, you are legally obliged to respond to HMRC’s requests for information about your workers. 

In other cases, you have a choice whether or not to share information about a worker. You should consider the request carefully and only share the information when you are satisfied it is right to do so. You should carefully weigh the potential benefits and harms of sharing or not sharing it. If you are not sure, you could ask the worker to give you their consent.

You must:

  • have a lawful basis for sharing your workers’ personal information with other people or organisations;
  • make sure that you only share necessary information, and that you send it securely to the correct person; and
  • make your workers aware of who you are sharing their information with, and why.

You should work out who in your organisation will be responsible for dealing with requests to share information, and give them adequate training to do so.

If you are asked to share personal information from a worker’s record in an emergency, you should carefully decide whether to share. You should take into account the nature of the information being requested and the likely impact on the worker of not providing it. You can and should share information about someone in an emergency if it may save their life or protect them or others from serious harm.

Further reading

We have developed a data sharing page that includes the Data sharing code of practice, as well as FAQs, checklists and case studies to help you work out what you need to do to share personal information with other organisations.

We have also published guidance on information sharing in mental health emergencies at work.

What do we need to consider when providing references?

Providing a reference about a worker to another organisation, or receiving one from another organisation, involves sharing their personal information. Data protection law allows you to share information for this purpose.

In general, the references you provide will relate to the worker’s employment with you. However, you may sometimes be asked to give references in other circumstances, such as character references for voluntary roles or a financial reference for a mortgage application. These still count as references and still involve sharing the worker’s personal information.

You must be as open as possible with workers about information that relates to them. They have a right to challenge information they consider inaccurate or misleading, particularly when, as in the case of a reference, it may adversely affect them.

Remember that you do not have to share all the information asked for in a reference request. You can choose to provide a neutral reference that contains minimal information confirming the job title and the dates the person worked for you.

Example

A worker employed by Company A for several years applies for a job at Company B. Company B requests a reference from Company A, seeking information about the worker’s performance, capability to perform the role applied for and attendance records. Company A can rely on the legitimate interests lawful basis to share this information. Company A should share only the information that Company B needs to assess the worker’s suitability for the role.

Can we publish information about our workers?

You may wish to publicise your activities and operations in a way that involves sharing information about your workers. For example:

  • annual financial reports;
  • advertising materials;
  • media articles; or
  • social media posts.

If you are a public authority, you may be under a legal obligation to publish information that contains your workers’ personal information, under the Freedom of Information Act (FOI) or the Environmental Information Regulations (EIR). 

You must balance the benefits to you of publishing information about your workers with their reasonable expectations of privacy. If possible, you should use information that does not identify individual workers.

You could have an employee information disclosure policy that sets out how you approach this. You could set out what factors to consider when deciding whether to publish personal information about workers proactively or in response to FOI and EIR requests.

If you need to publish your workers’ personal information, you should make them aware of this in advance. You must make sure you do not publish more information than necessary. For example, if you are publishing information in response to FOI requests, consider whether you can redact information that identifies your workers.

You must identify a lawful basis to publish information about your workers. If this involves special category information, remember you must also identify a special category condition.

How do we handle sickness, injury and occupational health records?

We cover sickness records in our guidance on information about workers’ health.

What are our obligations if we have outsourced some of our employment records about our workers?

You may have outsourced some of your record keeping, such as human resources or payroll functions, to another organisation. You are considered the controller of the personal information, and the other organisation is acting as a processor.

As controller, you have ultimate responsibility for making sure your processing of workers’ personal information complies with data protection law. This includes any processing done by a processor on your behalf. 

You must:

  • comply with the data protection principles;
  • make sure your workers can exercise their rights about their personal information;
  • tell your workers you are using a processor and inform them who you are sharing their information with and what you are sharing;
  • have arrangements in place to guarantee that you can deal with SARs properly, irrespective of whether the request is sent to you or the processor;
  • implement appropriate technical and organisational security measures to ensure the security of personal information;
  • make sure any processor you use adopts appropriate security measures, both technical and organisational;
  • have a written contract with your processor that requires the processor to use your workers’ personal information only in line with your instructions, and to maintain appropriate security;
  • comply with the UK GDPR accountability obligations, such as maintaining records, carrying out data protection impact assessments and appointing a data protection officer; and
  • comply with the UK GDPR’s restrictions on transfers of personal information outside the UK.

Can we collect workers’ information to use for equal opportunity monitoring?

You may be under a legal or regulatory obligation to collect information about your workers to monitor equality of opportunity and prevent discrimination. This may include collecting information about workers’ ethnic origin, disabilities, religion, or sexual orientation.

In Northern Ireland, under the Fair Employment (Monitoring) Regulations 1999, employers with 10 or more employees who each work more than 16 hours a week must collect information about workers’ religious backgrounds and share this with the Equality Commission. Section 75 of the Northern Ireland Act 1998 also requires public authorities to monitor and promote equality of opportunity between people of different religious belief, political opinion, racial group, age, marital status or sexual orientation.

In England, Wales and Scotland there is no general legal obligation to collect information about your workers for equality of opportunity monitoring purposes. However, you may still choose or be required to do so under specific legal or regulatory obligations that apply to your sector or industry.

This type of information will often be special category information, which you need to handle especially carefully. You must make sure you do not use information you collect to monitor equality of opportunity for any other purpose. See ‘What conditions for processing special category information might apply?’.

Where possible, you should anonymise this information. When collecting this type of information from job applicants, you should make sure you can separate it from any identifying information about the job candidate, so that you can save it anonymously as statistical information.

Be aware that equal opportunity monitoring information might potentially identify particular workers, even if the names have been removed – for example, if it refers to a characteristic shared by relatively few of your workers. In this case, you should make sure any staff with access to this information are aware of its sensitivity and the need to keep it secure and confidential.

You should make sure your equality monitoring questions are designed so that the personal information you collect is accurate and not excessive. You should ask questions that allow workers to identify themselves accurately. For example, in ethnic origin monitoring, do not limit the range of choices given so that workers are forced to make a choice that does not properly describe them. 

Can we use employment records to detect fraud?

You may receive a request for your workers’ personal information from external organisations tasked with preventing or detecting fraud. They may ask for your workers’ records to check, for example, that they are not receiving benefits they aren’t entitled to. This can involve electronic comparison of data sets held for different purposes to identify inconsistencies or discrepancies that may indicate fraud. This is known as data matching.

You must only share personal information from your workers’ employment records for fraud detection purposes if:

  • you are required to do so by law;
  • you believe that failure to disclose in this specific case is likely to prejudice the prevention or detection of crime; or
  • your workers’ employment contracts allow you to share information in such cases.

If you are using your workers’ personal information for fraud prevention or detection purposes, you must inform new workers about this. You should also give existing workers periodic reminders. The only exemption from this is when informing a worker would be likely to prejudice the prevention or detection of crime, for example by tipping them off that they are under investigation for suspected fraud.

Further reading

We have a data sharing page that includes guidance on data sharing, such as sharing personal data with law enforcement authorities, as well as the full data sharing code.

Other resources

The Cabinet Office has produced a Data matching code of practice.

What do we need to consider when using pension and insurance schemes?

Most workplace pension and health insurance schemes are run by third-party organisations. You must comply with your data protection obligations when you are sharing information about your workers with these organisations.

When a worker joins a health or insurance scheme, you must make them aware of what personal information you will share with the scheme provider, and how it will be used.

You must make sure you do not share more information with the provider than it needs to run the scheme.

If you are sharing information with the provider about workers’ sickness or injury records, or other health information, you must identify both a special category condition and a lawful basis. See ‘What conditions for processing special category information might apply?’, as well as our separate guidance on information about workers’ health.

You must only use the personal information you collect on behalf of the provider (to run the scheme) for that purpose – and not for general employment purposes. You should ensure that the only people in your organisation who have access to this information are those who need it to run the scheme. You should make them aware of their data protection responsibilities, and ensure they do not use it for other employment purposes.

Further reading

See our detailed guidance on Special category data.

How do we handle employment records during mergers, acquisitions, business reorganisation or insolvency?

You may need to share personal information about your workers with another organisation as part of a takeover or other situation involving a change in organisational structure – for example, an acquisition, merger or insolvency. This may take place during the evaluation of assets and liabilities before the final merger or acquisition decision. 

You must:

  • consider information sharing as part of your due diligence;
  • establish what personal information you’re transferring, why you have it in the first place, and your lawful basis for sharing it;
  • identify a special category condition if you are transferring any special category information;
  • comply with the data protection principles – especially lawfulness, fairness and transparency;
  • tell your workers there has been a change of circumstances and remind them about their information rights; and
  • document your actions and decisions.

Wherever possible, if you are sharing workers’ information with another organisation in connection with a prospective acquisition, merger or business reorganisation, you should anonymise the information.

During negotiations, you should carefully assess any request for personal information from the other organisation. Before any final merger or acquisition decision, you should only hand over your workers’ personal information once you have been assured that the organisation will:

  • use it solely to evaluate assets and liabilities;
  • treat it in confidence and not disclose it to other parties; and
  • destroy or return it after use.

If possible, you should tell workers that you are going to share their employment records with another organisation before the acquisition, merger or business reorganisation takes place.

If the acquisition or merger takes place, you should make sure your workers are aware of the extent to which you are transferring their employment records to the new employer.

In some circumstances, ‘insider trading’ or similar restrictions will apply – for example, if providing an explanation to workers would alert them to the possibility of a takeover they would not otherwise know about, which could thereby affect a company's share price. In such circumstances, you do not need to tell workers that you are sharing their personal information for the purposes of evaluating assets before the acquisition. Seek separate legal advice on this where necessary.

As a new employer, you have all the same obligations about workers’ information as their original employer did. You must make sure that records you hold as a result of a merger or acquisition are accurate, up-to-date and relevant, and avoid including more personal information than necessary.

Other resources

The Financial Conduct Authority has produced a best practice note on identifying, controlling and disclosing inside information.

When can we share workers’ information under TUPE Regulations?

In some mergers or acquisitions, you may be legally required to share certain information under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE).

The TUPE Regulations are designed to preserve employees’ terms and conditions of employment when: 

  • an organisation (or part of it) is transferred to a new owner or employer (eg by sale or merger); or
  • a ‘service provision change’ occurs, such as when a service is transferred to a new provider, but the client remains the same. 

Under the TUPE Regulations, the outgoing employer is required to provide the new employer with specific information about their new workforce in advance of any business transfer or change in service provision. This is known as ‘employee liability information’. It includes:

  • the identity (usually the name) and age of the transferring employees;
  • information in their ‘statements of employment particulars’, such as a written statement of pay, hours of work and holidays (usually found in the employee’s offer letter or contract of employment);
  • information about any collective agreements;
  • information about any grievance procedure taken by an employee in the last two years;
  • information about any disciplinary procedure taken against an employee in the last two years; and
  • details of any legal action (before the court or employment tribunal) brought against the employer by an employee in the last two years and information about any potential legal action arising from their employment.

The original employer is required to provide this information at least 28 days before the transfer is completed. If special circumstances make this impractical, you should supply it as soon as possible.

Because providing this information is a legal requirement, you can rely on the legal obligation lawful basis. You must still comply with data protection law when providing workers’ personal information.

Be aware that some transfers are outside the scope of TUPE (such as share takeovers). Therefore, in these cases you are not legally required to provide employee liability information.

Can we share more information than is required by the TUPE Regulations?

A prospective employer may, as part of their due diligence, request more information than the TUPE Regulations require.

Also, in the early stages of the sale of a business there may be a number of potential bidders. This means that although only one will become the eventual new employer, all of them need the information to assess whether to pursue the purchase.

If you need to share personal information about workers that falls outside the scope of employee liability information, you must document another lawful basis for processing. The most likely one is legitimate interests. If the information includes special category information, you must also identify a condition for processing this.

You should consider carrying out a data protection impact assessment for information that falls outside the scope of employee liability information, particularly if it includes special category information.

You should also consider whether you could pseudonymise any personal information not required by TUPE before sharing it.

You must put in place safeguards to make sure that:

  • unsuccessful bidders only use information in connection with the proposed business transfer; and
  • they will not keep it once they have used it for this purpose.

Can we give employment records to the new employer?

Once the transfer has taken place, it is likely that the new employer will need to keep a large proportion of a worker’s employment record to manage the workforce and run the business.

The new employer will need to consider whether they need all the information contained in a worker’s employment record, and destroy unnecessary information.

Can we, as the original employer, keep personal information after the transfer?

After the transfer has taken place, it is likely that the original employer will need to keep some personal information about former employees (eg, to deal with any liabilities).

Data protection law allows this, but you must have a justifiable reason to keep it, and do so only for as long as necessary.

Further reading

ACAS has published guidance on Transfer of Undertakings (TUPE).