Checklists
- Collecting and keeping employment records
- Outsourced employment functions
- Equality monitoring
- Pension and insurance schemes
- Mergers and acquisitions
Collecting and keeping employment records
We only collect the personal information of workers that is necessary for our purposes.
We identify and document a lawful basis for collecting and using workers’ personal information.
If we want to collect special category information from our workers, we identify a special category condition (under Article 9 of the UK GDPR).
If we want to collect criminal offence data, we identify a condition for processing under Schedule 1 of the DPA 2018.
We inform new and existing workers of their rights under data protection law, including their right to access the information we keep about them.
We remind existing workers about how to find our privacy information.
We give new workers privacy information to tell them what information we will collect about them, how we will use it, and who we will disclose it to.
We ask our workers to regularly check their information to make sure it is accurate and up-to-date, and make any changes where necessary.
We make sure that only those staff who need it have access to workers’ records.
We periodically review the personal information we hold on our workers, and erase or anonymise it when we no longer need it.
We dispose of worker records securely and effectively when we no longer need them.
We have clear retention policies in place setting out how long we keep different categories of our workers’ personal information.
Outsourced employment functions
We have written contracts with the processors we use if we outsource any of our employment functions. These require the processor to use workers’ personal information only in line with our instructions, and to maintain appropriate security.
We make sure the contract states that the processor may use workers’ personal information only in line with our instructions.
We make sure the contract states that the processor must maintain appropriate security, including technological and organisational measures.
Equality monitoring
We have identified and documented a special category condition for collecting information about workers’ ethnicities, religion, disability or sexual orientation.
Where possible, we anonymise personal information we collect for equality monitoring purposes.
We make sure:
- we don’t use the information we collect for equality monitoring for any other purpose; and
- staff with access to this information are aware of their data protection responsibilities.
Pension and insurance schemes
We inform workers about what the scheme involves.
We make sure workers are aware of what personal information we will pass to the scheme provider.
We make sure we do not share more information with the provider than is necessary to run the scheme.
If we are sharing information with the scheme provider about workers’ sickness or injury records, or other health information, we have identified a special category condition and documented it.
We make sure the staff involved in collecting information for this purpose are aware of their data protection responsibilities.
We make sure only the people in our organisation who need to help run the scheme have access to the personal information we collect for this purpose.
Mergers and acquisitions
We consider sharing personal information about workers as part of our due diligence.
We agree what information we should transfer, and how, before a transfer takes place.
We tell our workers when there is a change in circumstances that affects who is responsible for their personal information.
Where possible, we tell our workers that we will share their employment records with another organisation before an acquisition, merger or business reorganisation takes place.
We tell our workers about which parts of their employment records we will transfer to the new employer.
We make sure those responsible for negotiating the transfer of staff are aware of their responsibilities to comply with the data protection principles (eg, to keep personal information up-to-date and secure).
Where applicable, we transfer enough information to meet TUPE obligations and to allow the new employer to run the business and manage the staff.
We don’t transfer excessive and irrelevant information.