For employers, understanding and implementing compliant data protection practices is crucial due to their regular handling of sensitive personal information. Recognising the need for clear guidelines, the Information Commissioner’s Office (ICO) has taken steps to create an Employment Information resource hub which is designed to help employers and recruiters navigate their data protection obligations. The ICO continues to add to this online resource, with its most recent additions being draft guidance on (i) the retention of employee records and (ii) staff recruitment procedures. Consultation on these drafts is open until 5 March 2024. In this blog, we highlight some of the key aspects from both sets of guidance and provide a recap on an employer’s obligations under the data protection legislation.
Keeping employment records: understanding your obligations
The draft guidance in relation to the retention of employee data (employment records guidance) is designed for staff managing employment records and aims to clarify the employer’s responsibilities under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).
Of course, maintaining employment records is crucial for any employer – personnel files, training records, payroll information and diversity data are all examples of data that an organisation would routinely keep on a worker. The collection and processing of this data must, of course, be done in accordance with data protection laws. It is about finding a balance between keeping employment records and ensuring a worker’s right to a private life.
This balancing act is reflected in the employment records guidance, which emphasises the need for employers to handle workers’ personal data in a fair, lawful and transparent way:
- Justification: Employers are reminded that they must not only be clear about why they are collecting personal information about their workers, but also that they have clear justifications for doing so.
- Lawful basis: Employers must identify and apply at least one of the lawful bases set out under the UK GDPR for processing a worker’s personal data. As a reminder, the bases most commonly relied upon in the context of the employment relationship are (i) contractual necessity; (ii) legal obligation; and (iii) legitimate interests. The ICO has again highlighted that relying solely on a worker’s consent to process their personal information is problematic, because the imbalance of power between employer and worker means consent is unlikely to be freely given, and it should generally be avoided.
- Sensitive data: The employment records guidance also details the rules for processing sensitive data, known as special category information, such as information about an individual’s health, political opinions, trade union membership and sexual orientation. The guidance includes a reminder that this type of information requires greater protection. As such, in addition to a lawful basis, an organisation must also identify an applicable special category condition under Article 9 of the UK GDPR before processing this data.
- Data minimisation and accuracy: Employment records must only contain personal data that is adequate, relevant and limited to what is necessary for the employer’s processing purpose. The guidance explains that employers must not hold more personal information about their workers than is necessary. It also advises employers to carry out regular reviews of their employment records to ensure that the workers’ personal data held within those records is still accurate, relevant and adequate; anything that is inaccurate must be corrected, and anything that is no longer needed must be deleted.
- Right of access: Employers are frequently faced with requests from workers for access to their personal data which the employer holds, also known as a subject access request. These requests are particularly likely to come up in the context of grievance and disciplinary processes or where the employment relationship has been terminated. The employment records guidance underlines the importance of transparency and sets out a helpful summary of the steps an employer needs to take when it receives a subject access request.
To assist employers with complying with their obligations, the ICO has also provided several checklists which can be easily accessed from the employment records guidance. The checklists relate to collecting and keeping employment records, outsourced employment functions, equality monitoring, pension and insurance schemes, and mergers and acquisitions.
Recruitment and selection: navigating data protection
The draft guidance in relation to staff recruitment procedures (recruitment guidance) is intended to assist employers and recruitment agencies in ensuring their recruitment processes adhere to UK data protection laws. It explains the requirement for fair, lawful and transparent use of candidate data and the importance of collecting only necessary information.
Navigating recruitment can be complex and can pose challenges from a data protection perspective, particularly given that it can often involve several organisations and the increased use of technologies.
The recruitment guidance is aimed at helping employers and recruiters understand their data protection obligations when handling candidates’ personal data. Below is a snapshot of some specific considerations that employers and recruiters should have in mind when using a candidate’s personal data:
- Processing is fair and proportionate: A candidate’s personal data must be used fairly and proportionately. This includes (i) being clear with the candidate about the data that is being collected and what it will be used for during the hiring process; (ii) only collecting information that is necessary for the recruitment process; and (iii) ensuring that only essential information about the candidate is shared with the decision-makers.
- Timing: Employers and recruiters should also consider when they ask for certain types of information from the candidate to ensure that they are not collecting data unnecessarily (for example, if a copy of a degree certificate is only needed for a successful candidate, an employer should not ask all applicants to provide certificates).
- Candidate expectations: An employer or recruiter should not use candidates’ information in (i) an unexpected way; (ii) a way that the candidate has not been told about; or (iii) a manner that could adversely affect them. That said, the guidance is clear that using information to decide not to shortlist a candidate is considered fair and reasonable: it is not unexpected in that context, even though the candidate may consider it an adverse effect.
- Transparency: Candidates have a right to be informed about the use of their personal information. A candidate must be told: (i) the purpose of processing their personal data; (ii) how long their information will be held; and (iii) with whom their data will be shared. This is known as privacy information and, even if it seems obvious how a candidate’s data will be used, the privacy information must still be provided.
- Security: Appropriate technical and organisational measures should be in place to protect personal information collected during recruitment. This includes assessing the security risks of the recruitment process, ensuring that candidate data is collected securely, restricting access to the staff who need it, storing the information securely, and securely deleting or anonymising it once it is no longer needed.
Overall, the ICO’s new draft guidelines, which are open for public consultation until 5 March 2024, are a helpful resource for employers looking to better understand their data protection obligations in respect of maintaining employment records and navigating recruitment processes.
If you have any questions on any of the points touched on in this blog, or would like advice on ensuring compliance with the guidance discussed above, please reach out to a member of our People Reward and Mobility team.