GDPR for HR: How UK Employers Must Handle Employee Data
UK employers hold vast amounts of personal data: names, addresses, bank details, health records, performance reviews, disciplinary notes, and more. Every piece of that data is regulated by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). Getting it wrong can mean fines from the Information Commissioner's Office (ICO) of up to 17.5 million pounds or 4% of global annual turnover, whichever is higher.
This guide explains exactly what UK employers need to do to handle HR data lawfully, from the moment a candidate applies to long after they leave.
What Counts as Employee Personal Data?
Personal data is any information that identifies or could identify a living individual. In the HR context, this includes:
- Identity information: name, address, date of birth, National Insurance number, passport or visa copies
- Financial data: bank details, salary information, tax codes, pension contributions
- Employment records: contracts, job descriptions, performance reviews, training records
- Health data: sickness absence records, fit notes, occupational health reports, disability information
- Disciplinary records: investigation notes, warnings, hearing minutes, outcomes
- Monitoring data: email logs, internet usage, CCTV footage, GPS tracking
- Recruitment data: CVs, interview notes, references, right to work check documentation
Health data, trade union membership, and information about criminal convictions or offences are classified as "special category data" under Article 9 of the UK GDPR. These require an additional lawful basis for processing, which we cover below.
The Seven Data Protection Principles
Every piece of employee data must comply with the principles in Article 5 of the UK GDPR:
- Lawfulness, fairness, and transparency. Have a valid legal reason for processing, and be open with employees about what you collect and why.
- Purpose limitation. Only collect data for specified, legitimate purposes. Health data collected for sickness management cannot be repurposed for promotion decisions.
- Data minimisation. Only collect what you need. Asking applicants for marital status when it is irrelevant to the role breaches this principle.
- Accuracy. Keep data accurate and up to date. Build processes for employees to update their own records.
- Storage limitation. Do not keep data longer than necessary. Retention periods are covered below.
- Integrity and confidentiality. Protect data through encryption, access controls, training, and organisational measures.
- Accountability. You must demonstrate compliance with all of the above. Documentation is not optional.
Choosing the Right Lawful Basis for HR Data
You need a lawful basis under Article 6 of the UK GDPR for every processing activity. The three most relevant to HR are:
Contract (Article 6(1)(b))
Processing is necessary for the performance of the employment contract. This covers payroll, providing benefits, administering leave entitlements, and most day-to-day HR functions. When you pay an employee's salary, you are fulfilling a contractual obligation and this is your lawful basis.
Legal Obligation (Article 6(1)(c))
Processing is necessary to comply with a legal obligation. This covers HMRC tax reporting, right to work checks under the Immigration, Asylum and Nationality Act 2006, statutory sick pay administration, pension auto-enrolment duties, and health and safety record-keeping.
Legitimate Interests (Article 6(1)(f))
Processing is necessary for your legitimate interests, provided those interests are not overridden by the employee's rights. This can cover performance management, internal investigations, monitoring for security purposes, and business planning. You must carry out a legitimate interests assessment (LIA) and document it before relying on this basis.
Consent is rarely appropriate for employment data. The ICO has made clear that the power imbalance between employer and employee means consent is almost never freely given in the workplace. Do not rely on consent as your primary lawful basis.
Special Category Data: The Additional Condition
For health data, trade union membership, racial or ethnic origin, religious beliefs, and biometric data, you need both an Article 6 lawful basis and a Schedule 1 condition under the DPA 2018. The two most relevant conditions are:
- Employment purposes (Schedule 1, paragraph 1), covering sickness absence, occupational health referrals, and reasonable adjustments. Requires an appropriate policy document.
- Legal claims (Article 9(2)(f)), covering data retained for potential tribunal claims.
Your appropriate policy document must explain your data protection procedures and your retention and deletion policies for special category data.
Privacy Notices: Telling Employees What You Do With Their Data
Under Articles 13 and 14 of the UK GDPR, you must provide employees with a privacy notice that explains:
- Your identity and contact details (and your Data Protection Officer if you have one)
- What personal data you collect
- Why you collect it and the lawful basis for each purpose
- Who you share data with (payroll providers, pension administrators, HMRC, occupational health services)
- Whether you transfer data outside the UK and what safeguards apply
- How long you keep data
- The employee's rights (access, rectification, erasure, restriction, portability, objection)
- How to complain to the ICO
Provide this notice at the start of employment. Best practice is to include it as part of your onboarding pack alongside the employment contract. Review and update it whenever your processing activities change.
For recruitment, you need a separate (or extended) privacy notice for candidates, covering the data you collect during the application process and how long you retain unsuccessful applications.
Data Retention: How Long to Keep HR Records
The UK GDPR does not prescribe specific retention periods for most employment data. Instead, you must determine what is "necessary" and justify your decisions. The following table reflects current best practice, drawing on ICO guidance, HMRC requirements, and limitation periods for legal claims:
Recommended Retention Periods
- Recruitment records (unsuccessful candidates): 6 months after the recruitment exercise ends. This covers the three-month limitation period for discrimination claims, plus a reasonable buffer.
- Employment contracts and written particulars: 6 years after employment ends. The limitation period for breach of contract claims is 6 years under the Limitation Act 1980.
- Payroll and tax records: 6 years after the end of the tax year they relate to. HMRC can investigate within this window.
- Sickness absence records and fit notes: Duration of employment plus 3 years after the employee leaves. Personal injury claims have a 3-year limitation period.
- Maternity, paternity, and shared parental leave records: 3 years after the end of the tax year in which the leave ended. HMRC requires this.
- Pension auto-enrolment records: 6 years from the date of enrolment or opt-out. The Pensions Regulator requires this.
- Disciplinary and grievance records: Duration of employment for live warnings. Keep dismissal-related records for 6 years after employment ends (limitation period for unfair dismissal and discrimination claims).
- Health and safety records: Accident records for 3 years (RIDDOR 2013). COSHH health surveillance records for 40 years.
- Right to work check documents: Duration of employment plus 2 years, in line with right to work check requirements.
- DBS check certificates: Do not keep copies. Record the date, level, certificate number, and result only. Destroy the certificate within 6 months of the recruitment decision.
Build a retention schedule, document it, and enforce it. Deleting data on time is just as important as protecting it while you hold it.
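As an added illustration (not part of this guide or any EmployerKit tool), the retention periods above can be encoded as a schedule that a deletion job runs against an HR record register. The record-type keys and the sample register are constructed for the example; the 5 April UK tax-year end is a fact the guide relies on but does not state.

```python
from calendar import monthrange
from datetime import date

# Retention rules transcribed from the article's table: (years, months, anchor).
# anchor "event" counts from the triggering date (employment end, enrolment, ...);
# anchor "tax_year" counts from the end of the UK tax year containing the event
# (5 April: a fact the article relies on but does not state).
RETENTION_RULES = {
    "recruitment_unsuccessful": (0, 6, "event"),
    "employment_contract": (6, 0, "event"),
    "payroll_tax": (6, 0, "tax_year"),
    "sickness_absence": (3, 0, "event"),
    "parental_leave": (3, 0, "tax_year"),
    "pension_enrolment": (6, 0, "event"),
    "dismissal_records": (6, 0, "event"),
    "accident_record": (3, 0, "event"),
    "coshh_surveillance": (40, 0, "event"),
    "right_to_work": (2, 0, "event"),
    "dbs_certificate": (0, 6, "event"),  # destroy within 6 months of the decision
}

def tax_year_end(d: date) -> date:
    """Return 5 April of the UK tax year that contains d."""
    end = date(d.year, 4, 5)
    return end if d <= end else date(d.year + 1, 4, 5)

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    total = d.month - 1 + months
    y, m = d.year + total // 12, total % 12 + 1
    return date(y, m, min(d.day, monthrange(y, m)[1]))

def retention_expiry(record_type: str, trigger: date) -> date:
    """Earliest date on which a record of this type should be deleted."""
    years, months, anchor = RETENTION_RULES[record_type]
    start = tax_year_end(trigger) if anchor == "tax_year" else trigger
    return add_months(start, years * 12 + months)

def records_due_for_deletion(records, today: date) -> list:
    """records: iterable of (record_id, record_type, trigger_date) tuples."""
    return [rid for rid, rtype, trig in records if retention_expiry(rtype, trig) <= today]

# Constructed sample register (hypothetical record ids and dates).
SAMPLE_REGISTER = [
    ("P-0001", "payroll_tax", date(2020, 3, 15)),              # tax year 2019/20 -> 2026-04-05
    ("P-0002", "payroll_tax", date(2020, 4, 6)),               # tax year 2020/21 -> 2027-04-05
    ("R-0042", "recruitment_unsuccessful", date(2024, 8, 31)), # 6 months, clamped -> 2025-02-28
    ("C-0007", "employment_contract", date(2023, 1, 31)),      # 6 years -> 2029-01-31
]
```

Running records_due_for_deletion(SAMPLE_REGISTER, date(2026, 5, 1)) flags P-0001 and R-0042; the two payroll entries straddle the 5 April boundary, which is where a naive "event date plus six years" rule goes wrong.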
Employee Rights You Must Facilitate
Employees have the following rights under the UK GDPR. You must have processes in place to handle each one:
Right of Access (Subject Access Request)
Employees can request a copy of all personal data you hold about them. You must respond within one calendar month. The Data (Use and Access) Act 2025, which came into force in February 2026, introduced a "reasonable and proportionate" standard for searching, meaning you are not required to search every conceivable system if doing so would be disproportionate. But you must still conduct a thorough search across HR systems, email, line manager files, and any other location where employee data is likely to be held.
You can extend the response period by a further two months for complex or voluminous requests, but you must inform the employee within the first month that you are doing so, and explain why.
Other Key Rights
- Rectification: Employees can ask you to correct inaccurate data. Update records promptly.
- Erasure: the "right to be forgotten". This does not apply where you are legally required to retain data or where retention is necessary for legal claims, but you must erase data you hold without a legitimate reason.
- Restriction: Employees can ask you to restrict processing while accuracy is disputed.
- Data portability: Employees can request their data in a structured, machine-readable format for data processed by automated means.
- Objection: Employees can object to processing based on legitimate interests. You must stop unless you can demonstrate compelling grounds that override the employee's interests.
Data Sharing With Third Parties
Employers routinely share employee data with payroll bureaux, pension providers, benefits platforms, occupational health providers, and HMRC. Each relationship needs appropriate agreements:
- Data processors (those who process data on your instructions, such as payroll providers) must be governed by a written processing agreement under Article 28. This must specify what data is processed, the security measures required, and what happens to data when the contract ends.
- Data controllers (those who determine their own purposes, such as HMRC or pension trustees) require appropriate data sharing arrangements.
Review your supplier contracts. If a processor suffers a breach affecting your employees, you may be jointly liable if proper contractual protections were not in place.
Data Security: Practical Measures for HR
The UK GDPR requires "appropriate technical and organisational measures" to protect personal data. For HR, this means:
- Encryption for HR databases, laptops, and portable storage devices
- Role-based access controls so only those who need HR data can see it
- Multi-factor authentication on HR systems and cloud platforms
- Audit trails enabled on HR systems to track who accessed what
- Annual data protection training for HR staff and line managers (the ICO expects regular refreshment)
- Clear desk policy for physical HR files
- Data breach response plan documented and tested
Data Breaches: What to Do When Things Go Wrong
Common HR breaches include sending a payslip to the wrong email address, losing an unencrypted laptop, phishing attacks on HR systems, and accidentally sharing disciplinary procedure records with unauthorised colleagues.
Under Article 33, you must report breaches to the ICO within 72 hours unless the breach is unlikely to result in a risk to individuals. If the breach poses a high risk, you must also notify affected employees without undue delay. Document every breach in a breach register, even those you decide not to report.
Data Protection Impact Assessments
A DPIA is required under Article 35 before any processing likely to result in high risk to individuals. In HR, this includes introducing employee monitoring, implementing automated decision-making, processing special category data at scale, or deploying new HR technology. The assessment must describe the processing, evaluate necessity and proportionality, identify risks, and set out mitigation measures.
Employee Monitoring
Monitoring employees (email, internet, calls, CCTV, vehicle tracking) is lawful, but only if you carry out a DPIA first, inform employees clearly in your privacy notice and employee handbook, have a lawful basis (usually legitimate interests with a documented balancing test), and apply the least intrusive monitoring that achieves your aim. Covert monitoring is only justified where you have specific grounds to suspect criminal activity and overt monitoring would prejudice detection.
The ICO's updated workplace monitoring guidance (October 2023) reinforces that blanket surveillance is rarely justified and that monitoring which employees do not know about is very likely to breach the UK GDPR.
International Data Transfers
If your HR system, payroll provider, or applicant tracking software hosts data outside the UK, you are making an international data transfer. You can only do this if the destination country has a UK adequacy decision, you have appropriate safeguards (such as the International Data Transfer Agreement or Standard Contractual Clauses with UK addendum), or a specific derogation applies. Check where your HR software stores data and ensure the right transfer mechanisms are in place.
Quick Compliance Checklist
- Record of Processing Activities (Article 30)
- Employee and candidate privacy notices
- Data retention schedule with documented justifications
- Appropriate policy document for special category data
- Data processing agreements with all HR processors
- Subject access request response process (one-month target)
- Data breach notification process (72-hour target)
- Data deletion process aligned with retention schedule
- Role-based access controls, encryption, MFA, and audit logging
- Annual data protection training for HR staff and line managers
Run a Compliance Check
Not sure where you stand? Our EmployeeKit Audit tool can help you identify gaps in your HR compliance, including data protection. It takes five minutes and gives you a prioritised action plan.
Frequently Asked Questions
Q: Can I rely on employee consent as a lawful basis for processing their data?
A: Almost never. The ICO has consistently stated that the power imbalance in the employment relationship means consent cannot be freely given. Use contract, legal obligation, or legitimate interests instead. The narrow exception is genuinely optional processing with no consequences, such as a voluntary social club mailing list.
Q: How long can I keep a former employee's records?
A: It depends on the type of record. Payroll and tax records: 6 years after the tax year. Employment contracts and claims-relevant records: 6 years after employment ends. Health records from workplace exposure: up to 40 years. Build a retention schedule, apply it consistently, and delete data when the period expires.
Q: Do I need a Data Protection Officer?
A: Under Article 37, you must appoint a DPO if you are a public authority, or your core activities require large-scale systematic monitoring or large-scale processing of special category data. Most private sector employers will not meet these thresholds, but it is good practice to designate someone with data protection responsibility.
Q: What happens if an employee makes a subject access request during a disciplinary process?
A: You must still comply. A SAR cannot be refused because disciplinary proceedings are ongoing. Provide all personal data including investigation notes and hearing records, with appropriate redaction of third-party identifiers. The one-month deadline still applies. Tactical SARs before tribunal claims are increasingly common, so build your process now.
Q: What should I do if I accidentally send an employee's payslip to the wrong person?
A: This is a personal data breach. Assess the risk, contact the unintended recipient to delete it, and record it in your breach register. If there is a risk to the affected individual (for example, the payslip was sent externally or reveals sensitive deductions), report it to the ICO within 72 hours and notify the affected employee.
About the author
Rees Calder
Founder and Editor · Oxford, UK
Rees founded EmployerKit to give UK SME owners plain-English guidance on employment law. He runs Levity Leads and consults as a CMO. All content on the site is researched from primary sources (ACAS, GOV.UK, ONS, MoJ, CIPD, TPR, EHRC) and reviewed before publication. Rees is not a lawyer. EmployerKit is written for UK employers who need to act, not for employees looking up their rights.