This guide primarily focuses on keeping the right staff records but you should also be aware of all of the data protection principles under the UK GDPR.

There are certain staff records that you must gather and retain.

There are other records you should keep as a matter of good employment practice - and having such records can even benefit your business. Set up a basic record-keeping system.

Staff records you must keep

You must keep staff-related records on:

Pay rates

To meet the statutory requirement to issue workers with pay statements and to ensure you are paying your workers at least the national minimum wage.

Payroll

On income tax and National Insurance deductions for HM Revenue & Customs.

Sickness of more than four days

How much statutory sick pay you have paid.

Accidents, injuries and dangerous occurrences

To meet health and safety requirements.

You must also keep records to ensure that weekly working time and night work limits (under the Working Time Regulations) are complied with in your business. It's up to you to determine what records you need to keep for working time purposes, but you may be able to use existing records maintained for other purposes, such as pay and payroll.

You don't have to keep a running total of how much time workers work on average each week, and you need only make occasional checks of workers who work standard hours and who are unlikely to reach the average 48-hour limit. However you should monitor the hours of workers who appear to be close to the working time limit and make sure they don't work too many hours unless they have opted out of the Working Time Regulations and have therefore agreed to work longer. See working hours in a week.

You do need to keep an up-to-date record of workers who have agreed to work more than 48 hours a week, but you don't need to record how many hours they actually worked. However, you might consider that such records should be kept in order to establish compliance with National Minimum Wage legislation.

Staff records you should keep

It's good employment practice to keep records of each worker's:

• training and development
• appraisals
• employment history - date employment began, promotions, job title(s)
• absence - records of lateness, sickness, and any other authorised or unauthorised absences
• personal details - name, address, emergency phone number(s), qualifications, work-relevant disability
• terms and conditions of employment - including a copy of each employee's written statement and correspondence relating to any changes to their terms and conditions

More generally, you should keep written records - eg minutes - of:

• meetings with workplace representatives
• any disciplinary action you have ever taken, in particular disciplinary hearings, although disciplinary warnings should be removed from employee's personnel files once they have expired
• individual and collective redundancy consultation meetings and agreements
• negotiations relating to information and consultation agreements

Personal and sensitive personal data

The Data Protection Act 2018 defines personal data as data which identifies and relates to living individuals. The Act goes on to define a separate category of personal information - 'sensitive personal data' relates to any of the following:

1. Race/ethnic origin
2. Political opinion
3. Religious belief
4. Member of a Trade Union
5. Physical/mental health condition
6. Sexual life
7. Commission/alleged commission of offences
8. Sentences handed down as a result of offences

There is a greater need to keep sensitive personal information secure as if this information is compromised or lost then there could be a greater harm caused to the individual.

If any of the employee records you keep are considered to be 'sensitive personal data', you are required to adopt appropriate security to safeguard the nature of this data.

The level of detail in staff records

Under the Data Protection Act 2018, any personal information you keep on your staff should be adequate, relevant and not excessive. Inadequate staff records can lead to problems when dealing with absence levels, staff turnover, sickness, lateness and discipline.

Read Information Commissioner's Office (ICO) guidance on data protection.

Keeping staff records beyond those required by law may benefit your business by helping you to:

• match staff resources with production or service requirements
• avoid or defend employment tribunal claims if a dispute with a worker arises
• assess the performance and productivity of individual workers or teams
• ensure that you are treating job applicants and workers consistently and fairly
• make decisions in relation to staffing levels, eg on recruitment and redundancy

Staff records systems tend to involve some kind of electronic database backed up by paper documents. Any paper forms you do issue and retain should be standardised where possible.

Features of en effective records system

Whatever type of employee records system you have, it should be:

• secure
• reliable
• accurate
• consistent
• adaptable
• confidential
• simple to use
• easy to maintain

Staff records: manual and electronic systems

If you run only a very small business, you may find that manual employee records meet all your needs.

However, if your business is growing and you are therefore employing more people, keeping paper records accurate and up to date can become more difficult. You may find therefore that you come to rely more and more on electronic staff records.

Larger employers may find that they need to set up a centrally administered computerised system - this makes information easier to retrieve but will cost money to set up and to train staff to use.

Staff documents

Despite the widespread use of electronic systems, it is unlikely that any business will maintain all its staff records electronically. You still need to keep, for example, signed paper copies of employment contracts and letters agreeing to a change in terms and conditions.

Such staff documents are particularly important in the event of an employment tribunal claim arising against you. Computerised records may be used but you would be in a stronger position if you can show the tribunal signed documents demonstrating that the claimant has understood or agreed to certain issues relevant to the case.

Standardising staff documents

It's worthwhile designing standard document templates for each procedure, eg for staff appraisals or holiday requests, etc. If the documents are easy to read and logical, you will find it easy to extract data from them.

Ask staff who use the documents to help design the templates. You may also have to train other staff how to use them. HR documents and templates.

Keeping your records systems secure

You must keep personal records secure. In relation to the records system itself, you should therefore:

• make sure your paper filing system is locked
• make sure only those staff who need to use the data have access to it
• protect electronic records with passwords, anti-virus software and firewalls
• put an audit trail into computerised systems so you can check who has accessed a particular record and when
• ensure you meet your legal obligations under the General Data Protection Regulation (GDPR)

When retaining any information you should remember that, under the Data Protection Act, you must not keep data any longer than is necessary for a particular purpose.

You need to:

• review the length of time you keep personal data
• consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
• securely delete information that is no longer needed
• update, archive or securely delete information if it goes out of date

How long should employers keep employee records?

How long you retain different categories of information should be based on individual business needs.

The appropriate retention period is also likely to depend on:

• what the information is used for
• the surrounding circumstances
• legal or regulatory requirements
• specific business sector requirements

Personal data: deleting and archiving

At the end of the retention period, a record should be reviewed and deleted, unless there is a particular reason for keeping it.

You should only archive a document, rather than deleting it, if you still need to hold it.

If it is appropriate to delete a record from a live system, you should also ensure it is deleted from any back-up of the information.

Deletion can mean different things in relation to electronic data.

Read the Information Commissioner's Office (ICO) guidance storage limitation under GDPR.

The Data Protection Act is concerned with personal data - information about living, identifiable individuals held on a computer or in certain structured manual filing systems.

Six principles for processing of personal data

The GDPR sets out six data protection principles that you must comply with when processing personal data:

Lawfulness, fairness and transparency

Make sure workers understand why you are collecting the data and how you will use it.

Purpose limitation

You must only collect personal data for a specific, explicit, and legitimate purpose. You must clearly state what this purpose is and only collect data for as long as necessary.

Data minimisation

You must ensure that the personal data you process is adequate, relevant, and limited to what is necessary in relation to your processing purpose.

Accuracy

You must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you rectify incorrect data that relates to them.

Storage limitation

You must delete personal data when you no longer need it. Individuals have the right to request that you delete data that relates to them, you must do this within one month of receiving the request.

Integrity and confidentiality

You must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

You must keep these principles in mind when deciding what information to collect, when establishing procedures for processing this information, and when dealing with requests from workers.

See the Information Commissioner's Office (ICO) guidance on data protection and the General Data Protection Regulation (GDPR).

Data Security

Personal information should be kept secure. You should use appropriate security to prevent personal data from being compromised.

This will involve having the right physical and technical security, backed up by robust policies and procedures and well-trained staff.

Read Information Commissioner's Office (ICO) guidance on information security.

Penalties for a breach of personal data

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it's likely that there will be a risk then you must notify the ICO; if it's unlikely then you don't have to report it. However, if you decide you don't need to report the breach, you need to be able to justify this decision, so you should keep a record of any personal data breaches regardless of whether you are required to notify the ICO.

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.

Failing to notify a breach when required to do so can result in a significant fine of up to €10 million euros or 2% of your global turnover.

Under the Data Protection Act, individuals have a number of rights, in particular the right to receive a copy of any information you hold about them. These rights not only extend to workers but any person on which you hold personal data eg service users, clients and customers.

If you provide such information, you must ensure you don't also give out information on someone else unless it is reasonable in all the circumstances to do so.

Subject access requests

If a worker asks for any information that you hold about them, known as a subject access request, they may make the request verbally or in writing.

You must act on the subject access request at the latest within one month of receipt. You cannot charge a fee to deal with a request in most circumstances.

Where it is reasonable to do so, you can ask for evidence to prove their identity and for information you may need to help you find the information they are seeking.

The one month time limit starts from the day after the request is received until the corresponding calendar date in the next month. If this is not possible because the following month is shorter and there is no corresponding date, the date for the response will be the last date of the following month.

If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond. Where it is necessary to obtain someone's ID documents for identification purposes before responding, the period for responding to the request will only begin on receipt of these documents.

See our guidance on the Freedom of Information (FOI) Act.

Information protected under subject access requests

You do not have to provide copies of information if the information is exempt. The exemptions include:

• information held for management planning, eg plans to promote a worker or make a worker redundant
• information as to your intentions in respect of negotiations with the requester
• references you have given about the worker in confidence (references received by you are not exempt)
• information about the prevention or detection of a crime, or the arrest or prosecution of offenders
• information that may affect the price of a company's shares

Read Information Commissioner's Office (ICO) guidance on right of access to personal data.

Keeping other workers' information confidential

When you provide the data, make sure you don't violate anyone else's data protection rights.

For example, if you get a complaint about a worker, and that worker then requests access to their file, this could lead to the complainant being identified.

To avoid this, obscure any identifying information in the original document before copying it and giving the copy to the worker. In some cases the contents of a document may still identify the complainant so it may be necessary to obscure other parts of the document.

Workers' other rights in relation to their records

As well as the right to access data on themselves, a worker also has the right to:

• have inaccurate personal data corrected or completed if it is incomplete
• compensation for damage suffered as a result of your breach of the Act
• prevent processing likely to cause substantial damage or substantial distress
• know the logic behind any automated decision taken about them, eg psychometric testing decisions
• have personal data erased
• data portability to obtain and reuse their personal data for their own purposes across different services
• object to the processing of their personal data in certain circumstances, eg direct marketing

This guide primarily focuses on keeping the right staff records but you should also be aware of all of the data protection principles under the UK GDPR.

There are certain staff records that you must gather and retain.

There are other records you should keep as a matter of good employment practice - and having such records can even benefit your business. Set up a basic record-keeping system.

Staff records you must keep

You must keep staff-related records on:

Pay rates

To meet the statutory requirement to issue workers with pay statements and to ensure you are paying your workers at least the national minimum wage.

Payroll

On income tax and National Insurance deductions for HM Revenue & Customs.

Sickness of more than four days

How much statutory sick pay you have paid.

Accidents, injuries and dangerous occurrences

To meet health and safety requirements.

You must also keep records to ensure that weekly working time and night work limits (under the Working Time Regulations) are complied with in your business. It's up to you to determine what records you need to keep for working time purposes, but you may be able to use existing records maintained for other purposes, such as pay and payroll.

You don't have to keep a running total of how much time workers work on average each week, and you need only make occasional checks of workers who work standard hours and who are unlikely to reach the average 48-hour limit. However you should monitor the hours of workers who appear to be close to the working time limit and make sure they don't work too many hours unless they have opted out of the Working Time Regulations and have therefore agreed to work longer. See working hours in a week.

You do need to keep an up-to-date record of workers who have agreed to work more than 48 hours a week, but you don't need to record how many hours they actually worked. However, you might consider that such records should be kept in order to establish compliance with National Minimum Wage legislation.

Staff records you should keep

It's good employment practice to keep records of each worker's:

• training and development
• appraisals
• employment history - date employment began, promotions, job title(s)
• absence - records of lateness, sickness, and any other authorised or unauthorised absences
• personal details - name, address, emergency phone number(s), qualifications, work-relevant disability
• terms and conditions of employment - including a copy of each employee's written statement and correspondence relating to any changes to their terms and conditions

More generally, you should keep written records - eg minutes - of:

• meetings with workplace representatives
• any disciplinary action you have ever taken, in particular disciplinary hearings, although disciplinary warnings should be removed from employee's personnel files once they have expired
• individual and collective redundancy consultation meetings and agreements
• negotiations relating to information and consultation agreements

Personal and sensitive personal data

The Data Protection Act 2018 defines personal data as data which identifies and relates to living individuals. The Act goes on to define a separate category of personal information - 'sensitive personal data' relates to any of the following:

1. Race/ethnic origin
2. Political opinion
3. Religious belief
4. Member of a Trade Union
5. Physical/mental health condition
6. Sexual life
7. Commission/alleged commission of offences
8. Sentences handed down as a result of offences

There is a greater need to keep sensitive personal information secure as if this information is compromised or lost then there could be a greater harm caused to the individual.

If any of the employee records you keep are considered to be 'sensitive personal data', you are required to adopt appropriate security to safeguard the nature of this data.

The level of detail in staff records

Under the Data Protection Act 2018, any personal information you keep on your staff should be adequate, relevant and not excessive. Inadequate staff records can lead to problems when dealing with absence levels, staff turnover, sickness, lateness and discipline.

Read Information Commissioner's Office (ICO) guidance on data protection.

Keeping staff records beyond those required by law may benefit your business by helping you to:

• match staff resources with production or service requirements
• avoid or defend employment tribunal claims if a dispute with a worker arises
• assess the performance and productivity of individual workers or teams
• ensure that you are treating job applicants and workers consistently and fairly
• make decisions in relation to staffing levels, eg on recruitment and redundancy

Staff records systems tend to involve some kind of electronic database backed up by paper documents. Any paper forms you do issue and retain should be standardised where possible.

Features of en effective records system

Whatever type of employee records system you have, it should be:

• secure
• reliable
• accurate
• consistent
• adaptable
• confidential
• simple to use
• easy to maintain

Staff records: manual and electronic systems

If you run only a very small business, you may find that manual employee records meet all your needs.

However, if your business is growing and you are therefore employing more people, keeping paper records accurate and up to date can become more difficult. You may find therefore that you come to rely more and more on electronic staff records.

Larger employers may find that they need to set up a centrally administered computerised system - this makes information easier to retrieve but will cost money to set up and to train staff to use.

Staff documents

Despite the widespread use of electronic systems, it is unlikely that any business will maintain all its staff records electronically. You still need to keep, for example, signed paper copies of employment contracts and letters agreeing to a change in terms and conditions.

Such staff documents are particularly important in the event of an employment tribunal claim arising against you. Computerised records may be used but you would be in a stronger position if you can show the tribunal signed documents demonstrating that the claimant has understood or agreed to certain issues relevant to the case.

Standardising staff documents

It's worthwhile designing standard document templates for each procedure, eg for staff appraisals or holiday requests, etc. If the documents are easy to read and logical, you will find it easy to extract data from them.

Ask staff who use the documents to help design the templates. You may also have to train other staff how to use them. HR documents and templates.

Keeping your records systems secure

You must keep personal records secure. In relation to the records system itself, you should therefore:

• make sure your paper filing system is locked
• make sure only those staff who need to use the data have access to it
• protect electronic records with passwords, anti-virus software and firewalls
• put an audit trail into computerised systems so you can check who has accessed a particular record and when
• ensure you meet your legal obligations under the General Data Protection Regulation (GDPR)

When retaining any information you should remember that, under the Data Protection Act, you must not keep data any longer than is necessary for a particular purpose.

You need to:

• review the length of time you keep personal data
• consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
• securely delete information that is no longer needed
• update, archive or securely delete information if it goes out of date

How long should employers keep employee records?

How long you retain different categories of information should be based on individual business needs.

The appropriate retention period is also likely to depend on:

• what the information is used for
• the surrounding circumstances
• legal or regulatory requirements
• specific business sector requirements

Personal data: deleting and archiving

At the end of the retention period, a record should be reviewed and deleted, unless there is a particular reason for keeping it.

You should only archive a document, rather than deleting it, if you still need to hold it.

If it is appropriate to delete a record from a live system, you should also ensure it is deleted from any back-up of the information.

Deletion can mean different things in relation to electronic data.

Read the Information Commissioner's Office (ICO) guidance storage limitation under GDPR.

The Data Protection Act is concerned with personal data - information about living, identifiable individuals held on a computer or in certain structured manual filing systems.

Six principles for processing of personal data

The GDPR sets out six data protection principles that you must comply with when processing personal data:

Lawfulness, fairness and transparency

Make sure workers understand why you are collecting the data and how you will use it.

Purpose limitation

You must only collect personal data for a specific, explicit, and legitimate purpose. You must clearly state what this purpose is and only collect data for as long as necessary.

Data minimisation

You must ensure that the personal data you process is adequate, relevant, and limited to what is necessary in relation to your processing purpose.

Accuracy

You must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you rectify incorrect data that relates to them.

Storage limitation

You must delete personal data when you no longer need it. Individuals have the right to request that you delete data that relates to them, you must do this within one month of receiving the request.

Integrity and confidentiality

You must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

You must keep these principles in mind when deciding what information to collect, when establishing procedures for processing this information, and when dealing with requests from workers.

See the Information Commissioner's Office (ICO) guidance on data protection and the General Data Protection Regulation (GDPR).

Data Security

Personal information should be kept secure. You should use appropriate security to prevent personal data from being compromised.

This will involve having the right physical and technical security, backed up by robust policies and procedures and well-trained staff.

Read Information Commissioner's Office (ICO) guidance on information security.

Penalties for a breach of personal data

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it's likely that there will be a risk then you must notify the ICO; if it's unlikely then you don't have to report it. However, if you decide you don't need to report the breach, you need to be able to justify this decision, so you should keep a record of any personal data breaches regardless of whether you are required to notify the ICO.

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.

Failing to notify a breach when required to do so can result in a significant fine of up to €10 million euros or 2% of your global turnover.

Under the Data Protection Act, individuals have a number of rights, in particular the right to receive a copy of any information you hold about them. These rights not only extend to workers but any person on which you hold personal data eg service users, clients and customers.

If you provide such information, you must ensure you don't also give out information on someone else unless it is reasonable in all the circumstances to do so.

Subject access requests

If a worker asks for any information that you hold about them, known as a subject access request, they may make the request verbally or in writing.

You must act on the subject access request at the latest within one month of receipt. You cannot charge a fee to deal with a request in most circumstances.

Where it is reasonable to do so, you can ask for evidence to prove their identity and for information you may need to help you find the information they are seeking.

The one month time limit starts from the day after the request is received until the corresponding calendar date in the next month. If this is not possible because the following month is shorter and there is no corresponding date, the date for the response will be the last date of the following month.

If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond. Where it is necessary to obtain someone's ID documents for identification purposes before responding, the period for responding to the request will only begin on receipt of these documents.

See our guidance on the Freedom of Information (FOI) Act.

Information protected under subject access requests

You do not have to provide copies of information if the information is exempt. The exemptions include:

• information held for management planning, eg plans to promote a worker or make a worker redundant
• information as to your intentions in respect of negotiations with the requester
• references you have given about the worker in confidence (references received by you are not exempt)
• information about the prevention or detection of a crime, or the arrest or prosecution of offenders
• information that may affect the price of a company's shares

Read Information Commissioner's Office (ICO) guidance on right of access to personal data.

Keeping other workers' information confidential

When you provide the data, make sure you don't violate anyone else's data protection rights.

For example, if you get a complaint about a worker, and that worker then requests access to their file, this could lead to the complainant being identified.

To avoid this, obscure any identifying information in the original document before copying it and giving the copy to the worker. In some cases the contents of a document may still identify the complainant so it may be necessary to obscure other parts of the document.

Workers' other rights in relation to their records

As well as the right to access data on themselves, a worker also has the right to:

• have inaccurate personal data corrected or completed if it is incomplete
• compensation for damage suffered as a result of your breach of the Act
• prevent processing likely to cause substantial damage or substantial distress
• know the logic behind any automated decision taken about them, eg psychometric testing decisions
• have personal data erased
• data portability to obtain and reuse their personal data for their own purposes across different services
• object to the processing of their personal data in certain circumstances, eg direct marketing

This guide primarily focuses on keeping the right staff records but you should also be aware of all of the data protection principles under the UK GDPR.

There are certain staff records that you must gather and retain.

There are other records you should keep as a matter of good employment practice - and having such records can even benefit your business. Set up a basic record-keeping system.

Staff records you must keep

You must keep staff-related records on:

Pay rates

To meet the statutory requirement to issue workers with pay statements and to ensure you are paying your workers at least the national minimum wage.

Payroll

On income tax and National Insurance deductions for HM Revenue & Customs.

Sickness of more than four days

How much statutory sick pay you have paid.

Accidents, injuries and dangerous occurrences

To meet health and safety requirements.

You must also keep records to ensure that weekly working time and night work limits (under the Working Time Regulations) are complied with in your business. It's up to you to determine what records you need to keep for working time purposes, but you may be able to use existing records maintained for other purposes, such as pay and payroll.

You don't have to keep a running total of how much time workers work on average each week, and you need only make occasional checks of workers who work standard hours and who are unlikely to reach the average 48-hour limit. However you should monitor the hours of workers who appear to be close to the working time limit and make sure they don't work too many hours unless they have opted out of the Working Time Regulations and have therefore agreed to work longer. See working hours in a week.

You do need to keep an up-to-date record of workers who have agreed to work more than 48 hours a week, but you don't need to record how many hours they actually worked. However, you might consider that such records should be kept in order to establish compliance with National Minimum Wage legislation.

Staff records you should keep

It's good employment practice to keep records of each worker's:

• training and development
• appraisals
• employment history - date employment began, promotions, job title(s)
• absence - records of lateness, sickness, and any other authorised or unauthorised absences
• personal details - name, address, emergency phone number(s), qualifications, work-relevant disability
• terms and conditions of employment - including a copy of each employee's written statement and correspondence relating to any changes to their terms and conditions

More generally, you should keep written records - eg minutes - of:

• meetings with workplace representatives
• any disciplinary action you have ever taken, in particular disciplinary hearings, although disciplinary warnings should be removed from employee's personnel files once they have expired
• individual and collective redundancy consultation meetings and agreements
• negotiations relating to information and consultation agreements

Personal and sensitive personal data

The Data Protection Act 2018 defines personal data as data which identifies and relates to living individuals. The Act goes on to define a separate category of personal information - 'sensitive personal data' relates to any of the following:

1. Race/ethnic origin
2. Political opinion
3. Religious belief
4. Member of a Trade Union
5. Physical/mental health condition
6. Sexual life
7. Commission/alleged commission of offences
8. Sentences handed down as a result of offences

There is a greater need to keep sensitive personal information secure as if this information is compromised or lost then there could be a greater harm caused to the individual.

If any of the employee records you keep are considered to be 'sensitive personal data', you are required to adopt appropriate security to safeguard the nature of this data.

The level of detail in staff records

Under the Data Protection Act 2018, any personal information you keep on your staff should be adequate, relevant and not excessive. Inadequate staff records can lead to problems when dealing with absence levels, staff turnover, sickness, lateness and discipline.

Read Information Commissioner's Office (ICO) guidance on data protection.

Keeping staff records beyond those required by law may benefit your business by helping you to:

• match staff resources with production or service requirements
• avoid or defend employment tribunal claims if a dispute with a worker arises
• assess the performance and productivity of individual workers or teams
• ensure that you are treating job applicants and workers consistently and fairly
• make decisions in relation to staffing levels, eg on recruitment and redundancy

Staff records systems tend to involve some kind of electronic database backed up by paper documents. Any paper forms you do issue and retain should be standardised where possible.

Features of en effective records system

Whatever type of employee records system you have, it should be:

• secure
• reliable
• accurate
• consistent
• adaptable
• confidential
• simple to use
• easy to maintain

Staff records: manual and electronic systems

If you run only a very small business, you may find that manual employee records meet all your needs.

However, if your business is growing and you are therefore employing more people, keeping paper records accurate and up to date can become more difficult. You may find therefore that you come to rely more and more on electronic staff records.

Larger employers may find that they need to set up a centrally administered computerised system - this makes information easier to retrieve but will cost money to set up and to train staff to use.

Staff documents

Despite the widespread use of electronic systems, it is unlikely that any business will maintain all its staff records electronically. You still need to keep, for example, signed paper copies of employment contracts and letters agreeing to a change in terms and conditions.

Such staff documents are particularly important in the event of an employment tribunal claim arising against you. Computerised records may be used but you would be in a stronger position if you can show the tribunal signed documents demonstrating that the claimant has understood or agreed to certain issues relevant to the case.

Standardising staff documents

It's worthwhile designing standard document templates for each procedure, eg for staff appraisals or holiday requests, etc. If the documents are easy to read and logical, you will find it easy to extract data from them.

Ask staff who use the documents to help design the templates. You may also have to train other staff how to use them. HR documents and templates.

Keeping your records systems secure

You must keep personal records secure. In relation to the records system itself, you should therefore:

• make sure your paper filing system is locked
• make sure only those staff who need to use the data have access to it
• protect electronic records with passwords, anti-virus software and firewalls
• put an audit trail into computerised systems so you can check who has accessed a particular record and when
• ensure you meet your legal obligations under the General Data Protection Regulation (GDPR)

When retaining any information you should remember that, under the Data Protection Act, you must not keep data any longer than is necessary for a particular purpose.

You need to:

• review the length of time you keep personal data
• consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
• securely delete information that is no longer needed
• update, archive or securely delete information if it goes out of date

How long should employers keep employee records?

How long you retain different categories of information should be based on individual business needs.

The appropriate retention period is also likely to depend on:

• what the information is used for
• the surrounding circumstances
• legal or regulatory requirements
• specific business sector requirements

Personal data: deleting and archiving

At the end of the retention period, a record should be reviewed and deleted, unless there is a particular reason for keeping it.

You should only archive a document, rather than deleting it, if you still need to hold it.

If it is appropriate to delete a record from a live system, you should also ensure it is deleted from any back-up of the information.

Deletion can mean different things in relation to electronic data.

Read the Information Commissioner's Office (ICO) guidance storage limitation under GDPR.

The Data Protection Act is concerned with personal data - information about living, identifiable individuals held on a computer or in certain structured manual filing systems.

Six principles for processing of personal data

The GDPR sets out six data protection principles that you must comply with when processing personal data:

Lawfulness, fairness and transparency

Make sure workers understand why you are collecting the data and how you will use it.

Purpose limitation

You must only collect personal data for a specific, explicit, and legitimate purpose. You must clearly state what this purpose is and only collect data for as long as necessary.

Data minimisation

You must ensure that the personal data you process is adequate, relevant, and limited to what is necessary in relation to your processing purpose.

Accuracy

You must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you rectify incorrect data that relates to them.

Storage limitation

You must delete personal data when you no longer need it. Individuals have the right to request that you delete data that relates to them, you must do this within one month of receiving the request.

Integrity and confidentiality

You must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

You must keep these principles in mind when deciding what information to collect, when establishing procedures for processing this information, and when dealing with requests from workers.

See the Information Commissioner's Office (ICO) guidance on data protection and the General Data Protection Regulation (GDPR).

Data Security

Personal information should be kept secure. You should use appropriate security to prevent personal data from being compromised.

This will involve having the right physical and technical security, backed up by robust policies and procedures and well-trained staff.

Read Information Commissioner's Office (ICO) guidance on information security.

Penalties for a breach of personal data

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it's likely that there will be a risk then you must notify the ICO; if it's unlikely then you don't have to report it. However, if you decide you don't need to report the breach, you need to be able to justify this decision, so you should keep a record of any personal data breaches regardless of whether you are required to notify the ICO.

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.

Failing to notify a breach when required to do so can result in a significant fine of up to €10 million euros or 2% of your global turnover.

Under the Data Protection Act, individuals have a number of rights, in particular the right to receive a copy of any information you hold about them. These rights not only extend to workers but any person on which you hold personal data eg service users, clients and customers.

If you provide such information, you must ensure you don't also give out information on someone else unless it is reasonable in all the circumstances to do so.

Subject access requests

If a worker asks for any information that you hold about them, known as a subject access request, they may make the request verbally or in writing.

You must act on the subject access request at the latest within one month of receipt. You cannot charge a fee to deal with a request in most circumstances.

Where it is reasonable to do so, you can ask for evidence to prove their identity and for information you may need to help you find the information they are seeking.

The one month time limit starts from the day after the request is received until the corresponding calendar date in the next month. If this is not possible because the following month is shorter and there is no corresponding date, the date for the response will be the last date of the following month.

If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond. Where it is necessary to obtain someone's ID documents for identification purposes before responding, the period for responding to the request will only begin on receipt of these documents.

See our guidance on the Freedom of Information (FOI) Act.

Information protected under subject access requests

You do not have to provide copies of information if the information is exempt. The exemptions include:

• information held for management planning, eg plans to promote a worker or make a worker redundant
• information as to your intentions in respect of negotiations with the requester
• references you have given about the worker in confidence (references received by you are not exempt)
• information about the prevention or detection of a crime, or the arrest or prosecution of offenders
• information that may affect the price of a company's shares

Read Information Commissioner's Office (ICO) guidance on right of access to personal data.

Keeping other workers' information confidential

When you provide the data, make sure you don't violate anyone else's data protection rights.

For example, if you get a complaint about a worker, and that worker then requests access to their file, this could lead to the complainant being identified.

To avoid this, obscure any identifying information in the original document before copying it and giving the copy to the worker. In some cases the contents of a document may still identify the complainant so it may be necessary to obscure other parts of the document.

Workers' other rights in relation to their records

As well as the right to access data on themselves, a worker also has the right to:

• have inaccurate personal data corrected or completed if it is incomplete
• compensation for damage suffered as a result of your breach of the Act
• prevent processing likely to cause substantial damage or substantial distress
• know the logic behind any automated decision taken about them, eg psychometric testing decisions
• have personal data erased
• data portability to obtain and reuse their personal data for their own purposes across different services
• object to the processing of their personal data in certain circumstances, eg direct marketing

This guide primarily focuses on keeping the right staff records but you should also be aware of all of the data protection principles under the UK GDPR.

There are certain staff records that you must gather and retain.

There are other records you should keep as a matter of good employment practice - and having such records can even benefit your business. Set up a basic record-keeping system.

Staff records you must keep

You must keep staff-related records on:

Pay rates

To meet the statutory requirement to issue workers with pay statements and to ensure you are paying your workers at least the national minimum wage.

Payroll

On income tax and National Insurance deductions for HM Revenue & Customs.

Sickness of more than four days

How much statutory sick pay you have paid.

Accidents, injuries and dangerous occurrences

To meet health and safety requirements.

You must also keep records to ensure that weekly working time and night work limits (under the Working Time Regulations) are complied with in your business. It's up to you to determine what records you need to keep for working time purposes, but you may be able to use existing records maintained for other purposes, such as pay and payroll.

You don't have to keep a running total of how much time workers work on average each week, and you need only make occasional checks of workers who work standard hours and who are unlikely to reach the average 48-hour limit. However you should monitor the hours of workers who appear to be close to the working time limit and make sure they don't work too many hours unless they have opted out of the Working Time Regulations and have therefore agreed to work longer. See working hours in a week.

You do need to keep an up-to-date record of workers who have agreed to work more than 48 hours a week, but you don't need to record how many hours they actually worked. However, you might consider that such records should be kept in order to establish compliance with National Minimum Wage legislation.

Staff records you should keep

It's good employment practice to keep records of each worker's:

• training and development
• appraisals
• employment history - date employment began, promotions, job title(s)
• absence - records of lateness, sickness, and any other authorised or unauthorised absences
• personal details - name, address, emergency phone number(s), qualifications, work-relevant disability
• terms and conditions of employment - including a copy of each employee's written statement and correspondence relating to any changes to their terms and conditions

More generally, you should keep written records - eg minutes - of:

• meetings with workplace representatives
• any disciplinary action you have ever taken, in particular disciplinary hearings, although disciplinary warnings should be removed from employee's personnel files once they have expired
• individual and collective redundancy consultation meetings and agreements
• negotiations relating to information and consultation agreements

Personal and sensitive personal data

The Data Protection Act 2018 defines personal data as data which identifies and relates to living individuals. The Act goes on to define a separate category of personal information - 'sensitive personal data' relates to any of the following:

1. Race/ethnic origin
2. Political opinion
3. Religious belief
4. Member of a Trade Union
5. Physical/mental health condition
6. Sexual life
7. Commission/alleged commission of offences
8. Sentences handed down as a result of offences

There is a greater need to keep sensitive personal information secure as if this information is compromised or lost then there could be a greater harm caused to the individual.

If any of the employee records you keep are considered to be 'sensitive personal data', you are required to adopt appropriate security to safeguard the nature of this data.

The level of detail in staff records

Under the Data Protection Act 2018, any personal information you keep on your staff should be adequate, relevant and not excessive. Inadequate staff records can lead to problems when dealing with absence levels, staff turnover, sickness, lateness and discipline.

Read Information Commissioner's Office (ICO) guidance on data protection.

Keeping staff records beyond those required by law may benefit your business by helping you to:

• match staff resources with production or service requirements
• avoid or defend employment tribunal claims if a dispute with a worker arises
• assess the performance and productivity of individual workers or teams
• ensure that you are treating job applicants and workers consistently and fairly
• make decisions in relation to staffing levels, eg on recruitment and redundancy

Staff records systems tend to involve some kind of electronic database backed up by paper documents. Any paper forms you do issue and retain should be standardised where possible.

Features of en effective records system

Whatever type of employee records system you have, it should be:

• secure
• reliable
• accurate
• consistent
• adaptable
• confidential
• simple to use
• easy to maintain

Staff records: manual and electronic systems

If you run only a very small business, you may find that manual employee records meet all your needs.

However, if your business is growing and you are therefore employing more people, keeping paper records accurate and up to date can become more difficult. You may find therefore that you come to rely more and more on electronic staff records.

Larger employers may find that they need to set up a centrally administered computerised system - this makes information easier to retrieve but will cost money to set up and to train staff to use.

Staff documents

Despite the widespread use of electronic systems, it is unlikely that any business will maintain all its staff records electronically. You still need to keep, for example, signed paper copies of employment contracts and letters agreeing to a change in terms and conditions.

Such staff documents are particularly important in the event of an employment tribunal claim arising against you. Computerised records may be used but you would be in a stronger position if you can show the tribunal signed documents demonstrating that the claimant has understood or agreed to certain issues relevant to the case.

Standardising staff documents

It's worthwhile designing standard document templates for each procedure, eg for staff appraisals or holiday requests, etc. If the documents are easy to read and logical, you will find it easy to extract data from them.

Ask staff who use the documents to help design the templates. You may also have to train other staff how to use them. HR documents and templates.

Keeping your records systems secure

You must keep personal records secure. In relation to the records system itself, you should therefore:

• make sure your paper filing system is locked
• make sure only those staff who need to use the data have access to it
• protect electronic records with passwords, anti-virus software and firewalls
• put an audit trail into computerised systems so you can check who has accessed a particular record and when
• ensure you meet your legal obligations under the General Data Protection Regulation (GDPR)

When retaining any information you should remember that, under the Data Protection Act, you must not keep data any longer than is necessary for a particular purpose.

You need to:

• review the length of time you keep personal data
• consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
• securely delete information that is no longer needed
• update, archive or securely delete information if it goes out of date

How long should employers keep employee records?

How long you retain different categories of information should be based on individual business needs.

The appropriate retention period is also likely to depend on:

• what the information is used for
• the surrounding circumstances
• legal or regulatory requirements
• specific business sector requirements

Personal data: deleting and archiving

At the end of the retention period, a record should be reviewed and deleted, unless there is a particular reason for keeping it.

You should only archive a document, rather than deleting it, if you still need to hold it.

If it is appropriate to delete a record from a live system, you should also ensure it is deleted from any back-up of the information.

Deletion can mean different things in relation to electronic data.

Read the Information Commissioner's Office (ICO) guidance storage limitation under GDPR.

The Data Protection Act is concerned with personal data - information about living, identifiable individuals held on a computer or in certain structured manual filing systems.

Six principles for processing of personal data

The GDPR sets out six data protection principles that you must comply with when processing personal data:

Lawfulness, fairness and transparency

Make sure workers understand why you are collecting the data and how you will use it.

Purpose limitation

You must only collect personal data for a specific, explicit, and legitimate purpose. You must clearly state what this purpose is and only collect data for as long as necessary.

Data minimisation

You must ensure that the personal data you process is adequate, relevant, and limited to what is necessary in relation to your processing purpose.

Accuracy

You must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you rectify incorrect data that relates to them.

Storage limitation

You must delete personal data when you no longer need it. Individuals have the right to request that you delete data that relates to them, you must do this within one month of receiving the request.

Integrity and confidentiality

You must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

You must keep these principles in mind when deciding what information to collect, when establishing procedures for processing this information, and when dealing with requests from workers.

See the Information Commissioner's Office (ICO) guidance on data protection and the General Data Protection Regulation (GDPR).

Data Security

Personal information should be kept secure. You should use appropriate security to prevent personal data from being compromised.

This will involve having the right physical and technical security, backed up by robust policies and procedures and well-trained staff.

Read Information Commissioner's Office (ICO) guidance on information security.

Penalties for a breach of personal data

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it's likely that there will be a risk then you must notify the ICO; if it's unlikely then you don't have to report it. However, if you decide you don't need to report the breach, you need to be able to justify this decision, so you should keep a record of any personal data breaches regardless of whether you are required to notify the ICO.

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.

Failing to notify a breach when required to do so can result in a significant fine of up to €10 million euros or 2% of your global turnover.

Under the Data Protection Act, individuals have a number of rights, in particular the right to receive a copy of any information you hold about them. These rights not only extend to workers but any person on which you hold personal data eg service users, clients and customers.

If you provide such information, you must ensure you don't also give out information on someone else unless it is reasonable in all the circumstances to do so.

Subject access requests

If a worker asks for any information that you hold about them, known as a subject access request, they may make the request verbally or in writing.

You must act on the subject access request at the latest within one month of receipt. You cannot charge a fee to deal with a request in most circumstances.

Where it is reasonable to do so, you can ask for evidence to prove their identity and for information you may need to help you find the information they are seeking.

The one month time limit starts from the day after the request is received until the corresponding calendar date in the next month. If this is not possible because the following month is shorter and there is no corresponding date, the date for the response will be the last date of the following month.

If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond. Where it is necessary to obtain someone's ID documents for identification purposes before responding, the period for responding to the request will only begin on receipt of these documents.

See our guidance on the Freedom of Information (FOI) Act.

Information protected under subject access requests

You do not have to provide copies of information if the information is exempt. The exemptions include:

• information held for management planning, eg plans to promote a worker or make a worker redundant
• information as to your intentions in respect of negotiations with the requester
• references you have given about the worker in confidence (references received by you are not exempt)
• information about the prevention or detection of a crime, or the arrest or prosecution of offenders
• information that may affect the price of a company's shares

Read Information Commissioner's Office (ICO) guidance on right of access to personal data.

Keeping other workers' information confidential

When you provide the data, make sure you don't violate anyone else's data protection rights.

For example, if you get a complaint about a worker, and that worker then requests access to their file, this could lead to the complainant being identified.

To avoid this, obscure any identifying information in the original document before copying it and giving the copy to the worker. In some cases the contents of a document may still identify the complainant so it may be necessary to obscure other parts of the document.

Workers' other rights in relation to their records

As well as the right to access data on themselves, a worker also has the right to:

• have inaccurate personal data corrected or completed if it is incomplete
• compensation for damage suffered as a result of your breach of the Act
• prevent processing likely to cause substantial damage or substantial distress
• know the logic behind any automated decision taken about them, eg psychometric testing decisions
• have personal data erased
• data portability to obtain and reuse their personal data for their own purposes across different services
• object to the processing of their personal data in certain circumstances, eg direct marketing

This guide primarily focuses on keeping the right staff records but you should also be aware of all of the data protection principles under the UK GDPR.

There are certain staff records that you must gather and retain.

There are other records you should keep as a matter of good employment practice - and having such records can even benefit your business. Set up a basic record-keeping system.

Staff records you must keep

You must keep staff-related records on:

Pay rates

To meet the statutory requirement to issue workers with pay statements and to ensure you are paying your workers at least the national minimum wage.

Payroll

On income tax and National Insurance deductions for HM Revenue & Customs.

Sickness of more than four days

How much statutory sick pay you have paid.

Accidents, injuries and dangerous occurrences

To meet health and safety requirements.

You must also keep records to ensure that weekly working time and night work limits (under the Working Time Regulations) are complied with in your business. It's up to you to determine what records you need to keep for working time purposes, but you may be able to use existing records maintained for other purposes, such as pay and payroll.

You don't have to keep a running total of how much time workers work on average each week, and you need only make occasional checks of workers who work standard hours and who are unlikely to reach the average 48-hour limit. However you should monitor the hours of workers who appear to be close to the working time limit and make sure they don't work too many hours unless they have opted out of the Working Time Regulations and have therefore agreed to work longer. See working hours in a week.

You do need to keep an up-to-date record of workers who have agreed to work more than 48 hours a week, but you don't need to record how many hours they actually worked. However, you might consider that such records should be kept in order to establish compliance with National Minimum Wage legislation.

Staff records you should keep

It's good employment practice to keep records of each worker's:

• training and development
• appraisals
• employment history - date employment began, promotions, job title(s)
• absence - records of lateness, sickness, and any other authorised or unauthorised absences
• personal details - name, address, emergency phone number(s), qualifications, work-relevant disability
• terms and conditions of employment - including a copy of each employee's written statement and correspondence relating to any changes to their terms and conditions

More generally, you should keep written records - eg minutes - of:

• meetings with workplace representatives
• any disciplinary action you have ever taken, in particular disciplinary hearings, although disciplinary warnings should be removed from employee's personnel files once they have expired
• individual and collective redundancy consultation meetings and agreements
• negotiations relating to information and consultation agreements

Personal and sensitive personal data

The Data Protection Act 2018 defines personal data as data which identifies and relates to living individuals. The Act goes on to define a separate category of personal information - 'sensitive personal data' relates to any of the following:

1. Race/ethnic origin
2. Political opinion
3. Religious belief
4. Member of a Trade Union
5. Physical/mental health condition
6. Sexual life
7. Commission/alleged commission of offences
8. Sentences handed down as a result of offences

There is a greater need to keep sensitive personal information secure as if this information is compromised or lost then there could be a greater harm caused to the individual.

If any of the employee records you keep are considered to be 'sensitive personal data', you are required to adopt appropriate security to safeguard the nature of this data.

The level of detail in staff records

Under the Data Protection Act 2018, any personal information you keep on your staff should be adequate, relevant and not excessive. Inadequate staff records can lead to problems when dealing with absence levels, staff turnover, sickness, lateness and discipline.

Read Information Commissioner's Office (ICO) guidance on data protection.

Keeping staff records beyond those required by law may benefit your business by helping you to:

• match staff resources with production or service requirements
• avoid or defend employment tribunal claims if a dispute with a worker arises
• assess the performance and productivity of individual workers or teams
• ensure that you are treating job applicants and workers consistently and fairly
• make decisions in relation to staffing levels, eg on recruitment and redundancy

Staff records systems tend to involve some kind of electronic database backed up by paper documents. Any paper forms you do issue and retain should be standardised where possible.

Features of en effective records system

Whatever type of employee records system you have, it should be:

• secure
• reliable
• accurate
• consistent
• adaptable
• confidential
• simple to use
• easy to maintain

Staff records: manual and electronic systems

If you run only a very small business, you may find that manual employee records meet all your needs.

However, if your business is growing and you are therefore employing more people, keeping paper records accurate and up to date can become more difficult. You may find therefore that you come to rely more and more on electronic staff records.

Larger employers may find that they need to set up a centrally administered computerised system - this makes information easier to retrieve but will cost money to set up and to train staff to use.

Staff documents

Despite the widespread use of electronic systems, it is unlikely that any business will maintain all its staff records electronically. You still need to keep, for example, signed paper copies of employment contracts and letters agreeing to a change in terms and conditions.

Such staff documents are particularly important in the event of an employment tribunal claim arising against you. Computerised records may be used but you would be in a stronger position if you can show the tribunal signed documents demonstrating that the claimant has understood or agreed to certain issues relevant to the case.

Standardising staff documents

It's worthwhile designing standard document templates for each procedure, eg for staff appraisals or holiday requests, etc. If the documents are easy to read and logical, you will find it easy to extract data from them.

Ask staff who use the documents to help design the templates. You may also have to train other staff how to use them. HR documents and templates.

Keeping your records systems secure

You must keep personal records secure. In relation to the records system itself, you should therefore:

• make sure your paper filing system is locked
• make sure only those staff who need to use the data have access to it
• protect electronic records with passwords, anti-virus software and firewalls
• put an audit trail into computerised systems so you can check who has accessed a particular record and when
• ensure you meet your legal obligations under the General Data Protection Regulation (GDPR)

When retaining any information you should remember that, under the Data Protection Act, you must not keep data any longer than is necessary for a particular purpose.

You need to:

• review the length of time you keep personal data
• consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
• securely delete information that is no longer needed
• update, archive or securely delete information if it goes out of date

How long should employers keep employee records?

How long you retain different categories of information should be based on individual business needs.

The appropriate retention period is also likely to depend on:

• what the information is used for
• the surrounding circumstances
• legal or regulatory requirements
• specific business sector requirements

Personal data: deleting and archiving

At the end of the retention period, a record should be reviewed and deleted, unless there is a particular reason for keeping it.

You should only archive a document, rather than deleting it, if you still need to hold it.

If it is appropriate to delete a record from a live system, you should also ensure it is deleted from any back-up of the information.

Deletion can mean different things in relation to electronic data.

Read the Information Commissioner's Office (ICO) guidance storage limitation under GDPR.

The Data Protection Act is concerned with personal data - information about living, identifiable individuals held on a computer or in certain structured manual filing systems.

Six principles for processing of personal data

The GDPR sets out six data protection principles that you must comply with when processing personal data:

Lawfulness, fairness and transparency

Make sure workers understand why you are collecting the data and how you will use it.

Purpose limitation

You must only collect personal data for a specific, explicit, and legitimate purpose. You must clearly state what this purpose is and only collect data for as long as necessary.

Data minimisation

You must ensure that the personal data you process is adequate, relevant, and limited to what is necessary in relation to your processing purpose.

Accuracy

You must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you rectify incorrect data that relates to them.

Storage limitation

You must delete personal data when you no longer need it. Individuals have the right to request that you delete data that relates to them, you must do this within one month of receiving the request.

Integrity and confidentiality

You must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

You must keep these principles in mind when deciding what information to collect, when establishing procedures for processing this information, and when dealing with requests from workers.

See the Information Commissioner's Office (ICO) guidance on data protection and the General Data Protection Regulation (GDPR).

Data Security

Personal information should be kept secure. You should use appropriate security to prevent personal data from being compromised.

This will involve having the right physical and technical security, backed up by robust policies and procedures and well-trained staff.

Read Information Commissioner's Office (ICO) guidance on information security.

Penalties for a breach of personal data

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it's likely that there will be a risk then you must notify the ICO; if it's unlikely then you don't have to report it. However, if you decide you don't need to report the breach, you need to be able to justify this decision, so you should keep a record of any personal data breaches regardless of whether you are required to notify the ICO.

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.

Failing to notify a breach when required to do so can result in a significant fine of up to €10 million euros or 2% of your global turnover.

Under the Data Protection Act, individuals have a number of rights, in particular the right to receive a copy of any information you hold about them. These rights not only extend to workers but any person on which you hold personal data eg service users, clients and customers.

If you provide such information, you must ensure you don't also give out information on someone else unless it is reasonable in all the circumstances to do so.

Subject access requests

If a worker asks for any information that you hold about them, known as a subject access request, they may make the request verbally or in writing.

You must act on the subject access request at the latest within one month of receipt. You cannot charge a fee to deal with a request in most circumstances.

Where it is reasonable to do so, you can ask for evidence to prove their identity and for information you may need to help you find the information they are seeking.

The one month time limit starts from the day after the request is received until the corresponding calendar date in the next month. If this is not possible because the following month is shorter and there is no corresponding date, the date for the response will be the last date of the following month.

If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond. Where it is necessary to obtain someone's ID documents for identification purposes before responding, the period for responding to the request will only begin on receipt of these documents.

See our guidance on the Freedom of Information (FOI) Act.

Information protected under subject access requests

You do not have to provide copies of information if the information is exempt. The exemptions include:

• information held for management planning, eg plans to promote a worker or make a worker redundant
• information as to your intentions in respect of negotiations with the requester
• references you have given about the worker in confidence (references received by you are not exempt)
• information about the prevention or detection of a crime, or the arrest or prosecution of offenders
• information that may affect the price of a company's shares

Read Information Commissioner's Office (ICO) guidance on right of access to personal data.

Keeping other workers' information confidential

When you provide the data, make sure you don't violate anyone else's data protection rights.

For example, if you get a complaint about a worker, and that worker then requests access to their file, this could lead to the complainant being identified.

To avoid this, obscure any identifying information in the original document before copying it and giving the copy to the worker. In some cases the contents of a document may still identify the complainant so it may be necessary to obscure other parts of the document.

Workers' other rights in relation to their records

As well as the right to access data on themselves, a worker also has the right to:

• have inaccurate personal data corrected or completed if it is incomplete
• compensation for damage suffered as a result of your breach of the Act
• prevent processing likely to cause substantial damage or substantial distress
• know the logic behind any automated decision taken about them, eg psychometric testing decisions
• have personal data erased
• data portability to obtain and reuse their personal data for their own purposes across different services
• object to the processing of their personal data in certain circumstances, eg direct marketing