The Information Commissioner’s Office guidance provides direction on legal requirements and best practices to help employers comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).
It is divided into three key sections: guidelines on collecting, maintaining and protecting employment records; guidelines on using employee data; and checklists for various employment functions.
Navigating lawful basis for data processing
Under article six of the UK GDPR, employers must select one of the six lawful bases for processing personal data. These are consent, contractual necessity, legal obligations, vital interests, public task and legitimate interest.
Consent is generally unsuitable in employment relationships because of the inherent power imbalance: an employee may not feel free to refuse or to withdraw consent. At the recruitment and offer stage, the legitimate interests basis is often more appropriate, offering flexibility in how candidates are assessed.
For routine tasks such as payroll processing, contractual necessity applies. More complex cases, such as AI monitoring of employee productivity, require careful assessment. While employers may initially rely on legitimate interests, issues arise if the AI collects special category data, because a lawful basis under article six is not enough on its own and a separate article nine condition must also be met. Public authorities face a further restriction, as legitimate interests cannot be relied on to justify processing carried out in the performance of their official tasks.
Employers must identify and document their lawful basis upfront, avoiding retrospective changes. If circumstances change, individuals must be informed and records updated.
Special category data: a delicate balance
Special category data is scrutinised under article nine of the UK GDPR. The regulation sets out 10 conditions for processing, half of which require extra safeguards under schedule one of the DPA, including an appropriate policy document. Criminal offence data is treated separately under article 10 of the UK GDPR and may only be processed where a schedule one condition applies, for example where processing is necessary for preventing or detecting unlawful acts.
This presents challenges for organisations, particularly when using automated decision-making systems, especially for diversity monitoring and recruitment. Under article 22 of the UK GDPR, these systems may only be used under specific conditions, such as demonstrating substantial public interest.
While anonymisation might seem like a strategy to alleviate the complexities surrounding special category data, it is not always a viable solution.
How long is too long?
The guidance emphasises that employers should retain employee data only as long as necessary. Holding employee data beyond what is required could expose businesses to unnecessary risk. In terms of right to work checks, employers must retain them during employment and for two years after to avoid potential civil penalties.
Employment data in mergers and acquisitions
During due diligence, organisations may need to share personal data with the acquiring entity for assets and liabilities evaluation. The target entity should consider requests for employee data, ensuring the information is used exclusively for asset evaluation.
While informing employees about data transfers is best practice, in circumstances such as insider trading concerns, prior notification may not be possible. In these instances, legal advice is recommended to ensure compliance.
Data-sharing complexities
The guidance seeks to clarify uncertainties, building on the 2021 Statutory Code of Practice on Data Sharing. While employers may feel justified to share employee data for business interests, organisations should weigh the potential benefits and harms. Sharing information may be essential, especially if it could safeguard an employee or where it is legally required, such as when responding to requests from HMRC for worker information.
TUPE
The guidance confirms that there will likely be a lawful basis where employee liability information is provided, as employers are legally obliged to provide this information. However, sharing employee information that is beyond the requirements of TUPE risks breaching data protection laws. It is advisable to conduct data protection impact assessments (DPIAs) where high-risk data sharing is involved and to agree on retention periods with the incoming employer.
Handling subject access requests
The guidance clarifies the growing role of subject access requests (SARs) in workplace disputes, including dismissal processes. Employers must respond to a SAR within one month, extendable by up to a further two months where a request is complex or an individual has made several requests. The guidance acknowledges that responding can be difficult, particularly when balancing the right of access against legal privilege, the confidentiality of third-party information or other exemptions.
What steps can be taken to mitigate risk?
To navigate these challenges, employers should:
- Develop clear data-retention policies with regular audits
- Train HR teams on SARs, data sharing and handling special category data
- Conduct DPIAs to assess and mitigate risks
- Apply a risk-based approach to balance privacy and necessity
It is clear that, while the ICO guidance seeks to clarify the use of employee data, each circumstance will still require careful consideration on a case-by-case basis. A strong starting point is to ensure that adequate policies and procedures are in place to reflect the ICO guidance.
Lucy Gordon is a partner in the employment and immigration team at Walker Morris