ICO Update: keeping employment records and subject access requests
28th February 2025
James Howarth, Associate
On 5 February 2025, the Information Commissioner’s Office (ICO) released new guidance to help employers understand and comply with their data protection obligations regarding the collection and retention of employee records.
Employers will gather vast amounts of personal data about employees during the course of their employment, and need to have appropriate systems in place to capture and retain this information. It is also vital to understand why and how this personal data is captured, how long it can be lawfully retained and the lawful basis for every type of personal data processed.
The guidance sets out things employers either must, should or could do, and delineates what is a legislative requirement, what is best practice, and what steps could merely improve an employer’s data protection compliance. It is a helpful guide that employers should review to ensure they understand their obligations and adhere to best practice in relation to data protection.
The guidance doesn’t necessarily set out anything particularly new; however, it does clarify what types of data employers will likely process for employees, and some of the lawful bases for this processing. The guidance also helpfully provides checklists that it encourages employers to follow when collecting and keeping employment records.
The guidance also emphasises the importance of balancing the need to maintain employment records with the often competing right to privacy that employees enjoy. This is especially important when considering an employee’s right to make a subject access request to see the personal data employers hold about them, and the processing activities to which they are subject.
We are seeing a considerable uptick in employees making subject access requests. They appear to be a prerequisite and precursor to an employee bringing Tribunal proceedings against employers, with employees often making subject access requests to gather information that they think will assist with a Tribunal claim ahead of ordered disclosure.
Employees often don’t understand what information they are legitimately entitled to access through a subject access request. It is not uncommon to see employees demanding sight of information that does not identify or relate to them, or that relates to another employee.
From an employer’s perspective, the motive of the requestor does not usually matter (unless the request is made solely with malicious intent and to harass and cause disruption). In most cases, you will have to comply with the request within strict timeframes, and compliance can often take up inordinate amounts of time.
It is therefore incredibly important when complying with a subject access request that employers, amongst other things, ensure that they:
Given this, it is vital that you seek appropriate advice when you receive a subject access request, to ensure you are complying with relevant data protection legislation and ICO guidance, but also to ensure you are not disclosing more than you should.
This is something that the team at Kuits have considerable expertise in, so if you have any queries in this regard please contact us on 0161 832 3434 or email us at info@kuits.com.