Employment Practices and Data Protection: Keeping Employment Records – An ICO Update


In February 2025, the UK’s Information Commissioner’s Office (ICO) released updated guidance on employment practices and data protection, specifically focusing on maintaining employment records. This update reflects the evolving nature of work and aims to assist employers in aligning their data handling practices with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

The Importance of Employment Records

Employment records encompass a wide array of information, from personal details and performance evaluations to health data and disciplinary actions. Proper management of these records is crucial for several reasons:

  • Employers are legally obligated to maintain certain records to comply with employment laws and regulations.
  • Accurate records facilitate effective HR management, payroll processing, and performance assessments.
  • Employees have the right to access their personal data and expect it to be handled transparently and securely.

Key Updates in the ICO Guidance

The ICO’s updated guidance provides comprehensive advice on several aspects of employment records:

  • Data Collection and Processing
    • Purpose Limitation: Employers should collect personal data only for specified, explicit, and legitimate purposes. For example, collecting health information should be directly related to assessing an employee’s fitness for work or ensuring workplace safety.
    • Data Minimisation: Only data that is necessary for the intended purpose should be collected; gathering excessive information without direct relevance should be avoided.
  • Transparency and Employee Awareness
    • Privacy Notices: Employers must provide clear privacy notices that inform employees about what data is collected, how it will be used, and their rights regarding that data.
    • Employee Rights: Employees should also have the right to access their personal data or request corrections to inaccurate data. 
    • Regular Updates: Employees should be notified of any significant changes in data processing practices, ensuring ongoing transparency.
  • Data Accuracy and Retention
    • Regular Reviews: Implement procedures to regularly review and update personal data such as contact details and addresses to maintain its accuracy. 
    • Retention Policies: Establish clear data retention schedules. Personal data should not be kept longer than necessary. For example, records of disciplinary actions might be retained for a specific period before being securely deleted.
  • Security Measures
    • Access Controls: Ensure that only authorised personnel have access to sensitive personal data. Implement role-based access controls to limit data exposure.
    • Technical Safeguards: Use encryption, secure servers, and other technical measures to protect data from unauthorised access or breaches.
  • Third-Party Sharing
    • Due Diligence: Before sharing personal data with third parties, such as payroll processors or benefits providers, ensure they have adequate data protection measures in place.
    • Data Sharing Agreements: Establish formal agreements outlining the responsibilities of each party in protecting shared data.

Implications of the ICO Update for Employers

Employers should take proactive steps to:

  • Review existing data collection, storage, and processing practices to identify areas needing improvement.
  • Ensure that all employees are trained on data protection principles and the organisation’s policies.
  • Develop or update data protection policies, which are readily available to staff, to align with the latest guidance.
  • Encourage employees to participate in data protection initiatives, such as regular reviews of their personal information and feedback on data handling practices.

In Summary

The ICO’s updated guidance on keeping employment records serves as a vital resource for employers striving to balance operational needs with the privacy rights of their employees. By implementing these best practices, organisations can ensure compliance with legal obligations and promote a trustworthy and transparent workplace culture.

For help and guidance ensuring your employment practices and data protection are in line with the latest guidance, contact our employment team here.

Camille Renaudon

Partner & Head of Employment

Camille Renaudon became a Partner of Hibberts LLP Solicitors in 2014. Receiving her Law Degree with honours at Sheffield University, Camille graduated in 2002. Opting to work in the world of Youth Justice for the next 3 years to gain ‘life experience’, she returned to university in 2005 to complete a Legal Practice Course full time. Following this, Camille completed her training course with Hibberts in 2008, qualifying as a Solicitor. Heading up our Employment Law Department and primarily based at our Crewe office, she provides an employment law service for all of our offices across South Cheshire and North Shropshire. Camille represents both employers and employees across the UK and abroad. She provides a flexible service, seeing clients at their convenience, either in the office or in their homes.