Skip to main content
Home

About this guidance

Contents

Latest updates - last updated 5 February 2025

5 February 2025 - this guidance was published.

This guidance is aimed at employers who keep employment records. It will help you understand your obligations under the UK GDPR and DPA 2018 (we refer to these as data protection law). Keeping records about workers is a necessary part of running an organisation. Data protection law applies whenever you process your workers’ personal information. The law does not stop you collecting, holding and using records about workers. It helps to strike a balance between your need to keep employment records and every worker’s right to a private life. 

We have designed this guidance for you to read alongside our other published guidance on data protection and employment – in particular, our detailed guidance on information about workers’ health and monitoring workers.

The guidance also provides links to other pieces of general data protection guidance. You should read them alongside this employment-focused guidance if you need more information.

We use the terms ‘worker’ or ‘former worker’ to mean all employment relationships, including employees, contractors, volunteers, and gig or platform workers. The guidance covers all circumstances where there is an employment relationship or otherwise a relationship between your organisation and a person who performs work for you, regardless of the nature of the contract. This is for the purposes of this guidance only and not in an employment law or other legal context.

The guidance only covers your data protection obligations. You may have other legal obligations to comply with, such as health and safety regulations or employment law, which are not covered by this guidance. You should obtain separate advice on these where necessary.

How should we use this guidance?

To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative or legal requirements

Must refers to:

  • legislative requirements within the ICO’s remit; and
  • established case law (for the laws we regulate) that is binding.

Good practice

  • Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you need to be able to demonstrate that this approach also complies with the law.
  • Could refers to an option or example that you may consider to help you comply effectively. There are likely to be various other ways you could comply.

This approach only applies where indicated in our guidance. We will update other guidance in due course.