Staff records

From payroll to performance records, your business will always hold data about its . These records will inevitably contain and will be regulated by law. This section will help ensure that you collect and store data in accordance with your legal obligations, including understanding what data you can collect, how to store it, and when and how to delete it. It also provides information about sharing , including when you are providing references.

Records and staff data

  1. What data protection obligations do I have when collecting, storing or otherwise using staff personal data?
  2. What are the legal reasons I can rely on to collect and store staff personal data?
  3. How do I identify a specific purpose for processing staff personal data?
  4. What steps must I take to ensure that I legally collect and hold information about my staff?
  5. What personal information should I collect and hold about my staff?
  6. How long can I keep personal data about my staff?
  7. What records can I collect and hold about staff absences and holidays?
  8. Can I hold records about staff absences and holidays for former staff?
  9. What records can I hold about staff pay?
  10. Can I hold records about staff pay for former staff?
  11. What records can I keep about staff performance and disciplinary records?
  12. Can I hold records about staff performance and disciplinary records for former staff?
  13. What records can I keep about staff accidents or injuries?
  14. Can I hold records about staff accidents or injuries for former staff?
  15. What records can I keep about staff lateness?
  16. Can I hold records about staff lateness for former staff?
  17. What records do I need to keep about my staff for the coronavirus contact tracing scheme?
  18. In what format should I keep staff records?
  19. What should I do with staff records that are no longer required?

Sharing staff data

  20. Can I share staff data with third parties like payroll providers, pension providers, insurance companies and other staff members?
  21. What are the legal reasons I can rely on to share staff personal data?
  22. How do I identify a specific purpose for sharing staff personal data?
  23. What steps must I take to ensure that I legally share staff personal data?
  24. If I share staff personal data with a third party, who is responsible for data protection obligations?
  25. Can I share staff personal data outside the UK?
  26. What should I do if a member of staff asks for a copy of the data and records my business holds?

Records and data of former staff

  27. Can I retain personal data about members of staff after they leave?
  28. What are the legal reasons I can rely on to retain data and records about members of staff after they leave?
  29. How do I identify a specific legal purpose for retaining staff personal data?
  30. What steps must I take to ensure that I legally retain data and records about members of staff after they leave?
  31. What should I do with a member of staff's emails, messages and documents after they leave?
  32. What should I do if a former member of staff asks for a reference?
  33. How long can I retain personal data relating to a former member of staff for?

Data protection impact assessment policy

A data protection impact assessment policy is an internal document setting out how and when your business will assess the data protection risks of its activities. It’s important to have proper policies and procedures in place when you’re handling personal data, and carrying out a data protection impact assessment is sometimes mandatory under Article 35 UK GDPR. A data protection impact assessment might also be referred to as a privacy impact assessment, a DPIA or a GDPR risk assessment. This template DPIA policy will help you to comply with your data protection obligations by setting out when and how your staff should consider carrying out data impact assessments. It also includes a template DPIA form, which has been produced by the Information Commissioner’s Office (ICO). This provides an example of how you can assess, record and seek to reduce the privacy risks associated with your projects. Where applicable, it also includes a template DPIA form for use by online services which are directed at, or are likely to be used by, children, which has been produced by the ICO. This will help relevant online services to comply with their obligations under the ICO's Age Appropriate Design Code. You can also purchase this policy as part of the Data protection policy toolkit.
£25 + VAT

Checklist for departing staff

Use this checklist for departing staff to tick off the various tasks you need to undertake when a staff member leaves your business, and make sure you don’t forget anything important. This checklist covers practical matters for the security of your premises, like returning keys, and administrative matters, like dealing with final salary payments. It also includes measures to take to protect your business interests, such as removing the individual’s access to your internal systems. You can also purchase this checklist as part of the TUPE transfer toolkit for outgoing employer.