Personnel Records and Data Protection
Personnel records cover all the information an organisation holds about its employees: contract details, payroll information, training records, appraisal notes, disciplinary history, health and sickness information, right-to-work documentation and everything in between. Much of it is personal data, and some of it is special category data (particularly anything relating to health).
Managing these records well is a legal requirement and a practical one. The organisation needs to know what it holds, why, where it is, who can see it, how long it is kept and when it is securely destroyed.
The Legal Framework for Personnel Records and Data Protection
In the UK, personnel records fall under the UK GDPR and the Data Protection Act 2018. The main principles that apply:
- Lawful basis - employee data is usually processed under contract (for managing the employment relationship) or legal obligation (for tax, H&S, equality reporting).
- Data minimisation - only collect what is actually needed for the purpose.
- Storage limitation - keep records only as long as needed, set against a documented retention schedule.
- Integrity and confidentiality - appropriate technical and organisational security.
- Accountability - be able to demonstrate compliance, including records of processing activities where required.
Special category data (health, union membership, ethnicity, sexual orientation and others) has additional protections and can only be processed where specific conditions apply. Sickness records, occupational health information and disability-related adjustments fall into this category.
Other jurisdictions have their own data protection frameworks that apply to personnel records in broadly similar ways. The specifics vary but the principles are widely recognised.
What Personnel Records Should Be Kept
Typical personnel records include recruitment documents and pre-employment checks, the signed contract of employment and any variations, personal details and next-of-kin information, payroll and tax records, training and competence records, appraisal records, sickness and absence records, any disciplinary or grievance records, right-to-work documentation, and occupational health information where relevant.
Records of differing sensitivity should be kept separately. Disciplinary records should not sit in the same file as the basic personal details that many people legitimately need, and medical and occupational health information goes in a separate confidential file with access restricted to those supporting the employee.
Retention of Personnel Records
Every type of personnel record should have a defined retention period, based on legal requirements and business need. In the UK, commonly applied periods include:
- Right-to-work documents - for the duration of employment plus two years.
- Payroll and tax records - commonly six years. HMRC's minimum for PAYE records is three years from the end of the tax year they relate to, but six years is the period most organisations apply.
- Training records - for the duration of employment and a reasonable period afterwards.
- Unsuccessful candidate records - typically six months to one year.
- Accident records - three years after the last entry under UK H&S law.
These periods vary by jurisdiction and should be documented in a retention schedule. When records reach the end of their retention period they should be securely destroyed, not just forgotten.
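The retention schedule above can be turned into something a system can act on. The following is an added example, not code from the original page or from alphaZ: each record type is mapped to a trigger event and a period, and every record is classified so that nothing is silently kept forever. The record types, the two-year "reasonable period" for training records, the 30-day overdue threshold and the sample records are all assumptions made for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    trigger: str        # the event that starts the retention clock
    years: int = 0
    months: int = 0


# Hypothetical retention schedule encoding the UK periods listed above.
# The "reasonable period" for training records is taken as two years here;
# that figure is an assumption, not a legal requirement.
SCHEDULE: Dict[str, RetentionRule] = {
    "right_to_work": RetentionRule("employment_end", years=2),
    "payroll": RetentionRule("tax_year_end", years=6),
    "training": RetentionRule("employment_end", years=2),
    "unsuccessful_candidate": RetentionRule("decision", months=6),
    "accident": RetentionRule("last_entry", years=3),
}

# Records more than this many days past their destruction date are reported
# as overdue rather than merely due (an assumed operational threshold).
OVERDUE_GRACE_DAYS = 30


@dataclass
class Record:
    record_id: str
    record_type: str
    events: Dict[str, date]   # only events that have actually happened


def add_period(start: date, years: int, months: int) -> date:
    """Add calendar years/months, clamping the day for short months (29 Feb -> 28 Feb)."""
    total_months = start.month - 1 + months
    year = start.year + years + total_months // 12
    month = total_months % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def destroy_after(record: Record) -> Optional[date]:
    """Date from which the record should be destroyed, or None if the clock has not started."""
    rule = SCHEDULE[record.record_type]
    trigger = record.events.get(rule.trigger)
    return None if trigger is None else add_period(trigger, rule.years, rule.months)


def review(records: List[Record], today: date) -> Dict[str, str]:
    """Classify every record so that gaps in the schedule and overdue items are visible."""
    result: Dict[str, str] = {}
    for rec in records:
        if rec.record_type not in SCHEDULE:
            result[rec.record_id] = "no_rule"           # a gap in the schedule: surface it
            continue
        end = destroy_after(rec)
        if end is None:
            result[rec.record_id] = "awaiting_trigger"  # e.g. still employed
        elif today < end:
            result[rec.record_id] = "retain"
        elif (today - end).days > OVERDUE_GRACE_DAYS:
            result[rec.record_id] = "overdue"
        else:
            result[rec.record_id] = "due_for_destruction"
    return result


# Constructed sample records for illustration.
SAMPLE_RECORDS: List[Record] = [
    Record("RTW-1", "right_to_work", {"employment_end": date(2023, 3, 31)}),
    Record("RTW-2", "right_to_work", {}),                      # still employed
    Record("PAY-1", "payroll", {"tax_year_end": date(2019, 4, 5)}),
    Record("PAY-2", "payroll", {"tax_year_end": date(2020, 4, 5)}),
    Record("CAND-1", "unsuccessful_candidate", {"decision": date(2024, 11, 20)}),
    Record("CAND-2", "unsuccessful_candidate", {"decision": date(2025, 1, 15)}),
    Record("ACC-1", "accident", {"last_entry": date(2024, 2, 29)}),  # leap-day last entry
    Record("APP-1", "appraisal", {}),                          # no rule in the schedule
]

REVIEW_DATE = date(2025, 6, 1)   # the "today" used for the sample run


def sample_review() -> Dict[str, str]:
    return review(SAMPLE_RECORDS, REVIEW_DATE)


if __name__ == "__main__":
    for rid, status in sample_review().items():
        print(f"{rid}: {status}")
```

Two design points matter in practice: a record type with no rule is reported rather than quietly retained, because an unscheduled record is exactly the "keep everything forever" problem; and a record whose trigger has not yet occurred (an employee still in post) is distinguished from one that is merely not yet due, so the review output shows why each record is still held.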
Access Controls for Personnel Records
Access to personnel records should be limited to those who need it. Typical access roles include:
- HR - full access to the main personnel file for day-to-day administration.
- Line managers - access to relevant parts of the file for the staff they manage, not the full history.
- Payroll and finance - access limited to payroll-relevant information.
- Occupational health - access to medical information for employees they are supporting, usually held separately.
- Employees - the right to see their own record, exercised through a data subject access request (DSAR).
Where records are electronic, access should be enforced through system permissions, not the electronic equivalent of a filing cabinet key. ISO 27001 Annex A includes specific access-control controls covering identity management, the provisioning of access rights, and their regular review and removal, so the permission model needs to be documented, reviewed periodically and revoked when someone leaves or changes role.
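The role list above is a permission model: a role sets the ceiling on which sections of the file can be seen, a scope rule narrows it (a manager sees only their own reports, OH only their caseload, an employee only themselves), and every read is logged. The following is an added example of that model, not code from the original page, from alphaZ or from any HR product. The section names, the role-to-section mapping, the audit event shape and the sample file and users are assumptions for illustration; HR is deliberately not given the health section because, as the text says, that lives in a separate confidential file.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Sequence, Set, Tuple

# Sections of a personnel file. Health information is its own section so it can
# be restricted independently of the main file.
SECTIONS: Tuple[str, ...] = ("basic", "payroll", "training", "appraisal", "disciplinary", "health")

# Hypothetical role-to-section mapping (an assumption for illustration). A role
# that is absent here gets nothing: deny by default. HR does not get "health"
# because that sits in the separate occupational health file.
ROLE_SECTIONS: Dict[str, Set[str]] = {
    "hr": {"basic", "payroll", "training", "appraisal", "disciplinary"},
    "line_manager": {"basic", "training", "appraisal"},
    "payroll": {"basic", "payroll"},
    "occupational_health": {"basic", "health"},
    "employee": set(SECTIONS),   # their own record only, enforced in permitted_sections
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    reports: FrozenSet[str] = frozenset()      # employee IDs a line manager manages
    oh_caseload: FrozenSet[str] = frozenset()  # employee IDs OH is currently supporting


@dataclass
class PersonnelFile:
    employee_id: str
    sections: Dict[str, Dict[str, str]]


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user_id: str
    employee_id: str
    requested: Tuple[str, ...]
    granted: Tuple[str, ...]
    outcome: str   # "granted", "partial" or "denied"


AUDIT_LOG: List[AuditEvent] = []   # append-only trail of who saw what, and who was refused


def permitted_sections(user: User, employee_id: str) -> Set[str]:
    """Sections this user may read for this employee: the role grants the ceiling,
    the scope rules (own record, own reports, own caseload) narrow it further."""
    allowed = set(ROLE_SECTIONS.get(user.role, set()))
    if user.role == "employee" and user.user_id != employee_id:
        return set()
    if user.role == "line_manager" and employee_id not in user.reports:
        return set()
    if user.role == "occupational_health" and employee_id not in user.oh_caseload:
        return set()
    return allowed


def read_file(user: User, record: PersonnelFile,
              wanted: Optional[Sequence[str]] = None) -> Dict[str, Dict[str, str]]:
    """Return only the permitted sections, and log the attempt whether or not it succeeds."""
    requested = tuple(wanted) if wanted else SECTIONS
    allowed = permitted_sections(user, record.employee_id)
    granted = tuple(s for s in requested if s in allowed)
    if not granted:
        outcome = "denied"
    elif len(granted) < len(requested):
        outcome = "partial"
    else:
        outcome = "granted"
    AUDIT_LOG.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user.user_id,
                                record.employee_id, requested, granted, outcome))
    return {s: record.sections[s] for s in granted if s in record.sections}


# Constructed sample file and users for illustration.
SAMPLE_FILE = PersonnelFile("E001", {
    "basic": {"name": "A. Example", "start_date": "2021-09-01"},
    "payroll": {"ni_number": "QQ123456C", "salary_band": "B"},
    "training": {"first_aid": "2024-05-10"},
    "appraisal": {"2024": "meets expectations"},
    "disciplinary": {"2023-02": "verbal warning"},
    "health": {"adjustment": "ergonomic chair"},
})
HR_USER = User("hr1", "hr")
MANAGER_OF_E001 = User("mgr1", "line_manager", reports=frozenset({"E001"}))
OTHER_MANAGER = User("mgr2", "line_manager", reports=frozenset({"E002"}))
OH_USER = User("oh1", "occupational_health", oh_caseload=frozenset({"E001"}))
EMPLOYEE_E001 = User("E001", "employee")
EMPLOYEE_E002 = User("E002", "employee")

if __name__ == "__main__":
    for u in (HR_USER, MANAGER_OF_E001, OTHER_MANAGER, OH_USER, EMPLOYEE_E001, EMPLOYEE_E002):
        print(u.user_id, sorted(read_file(u, SAMPLE_FILE)))
    print(AUDIT_LOG[-1])
```

Refused and partial reads are logged as well as successful ones; the manager who keeps asking for a colleague's disciplinary or health section and being turned down is exactly the pattern an access review should surface, and a log that only records successes would never show it.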
Personnel Records and the Management System
Personnel records touch several parts of the management system. ISO 9001 Clause 7.5 covers documented information and how it is controlled. ISO 27001 covers information security and access control. Data protection compliance supports the broader requirement to meet applicable legal requirements under Clause 4.2 in all the standards.
Integrating personnel records management with the wider document control arrangements (rather than treating HR as a separate silo) makes audit easier and avoids gaps.
Clause 7.5 of ISO 9001 and the equivalent in other standards require documented information to be identified, controlled, accessible and protected. Personnel records are documented information, and the controls for them need to match the sensitivity. A shared drive where everyone can see everyone is not going to pass an audit.
Occupational health and sickness records are the ones most often handled badly. They are special category data and need particular care. A manager having casual access to a colleague's health records is a problem, whether or not anyone complains.
We moved from paper personnel files to a secure HR system a few years ago. It has access controls, an audit trail of who has seen what, and a proper retention schedule that prompts us when records need review or deletion. It took effort to set up and it is much better than the old cabinet-and-key approach.
The retention schedule is the thing people forget. Keeping everything forever is not a strategy - it is a risk.
Personnel records are not special. They are documented information like anything else in the management system, just with a higher sensitivity level. Know what you hold, limit who can see it, keep it only as long as needed, then destroy it properly.
Practical Compliance Guidance
Section 3.1 of the IMS1 IMS Manual covers the management of staff, and section 7.5 covers documented information. Personnel records sit across both, with specific additional requirements from data protection law.
Several alphaZ documents support the management of personnel records and data protection compliance:
| alphaZ document | How to use it |
|---|---|
| GDPR Toolkit for Data Protection Act Compliance | Complete toolkit covering GDPR and Data Protection Act compliance, including policies, registers and forms. |
| P-25 Data Protection Policy | Policy setting out the organisation's approach to data protection, including personal data held about employees. |
| PP-1-16 Data Protection Policy Procedure | Policy and procedure covering the operational side of data protection, including handling personnel data. |
| F-IMS30 Record of Processing Activities Register | Register of processing activities including employment data, required under UK GDPR for most organisations. |
| F-Q106 GDPR Compliance Checklist | Checklist for reviewing personal data handling against GDPR and Data Protection Act requirements. |
| F-HR1 Employee Details Form | Form for collecting employee personal details in a consistent, documented way at the start of employment. |
| F-HR6 Employee Details Register | Register for maintaining current employee details and acting as the main personnel record index. |
Note - all the above files can be downloaded with an alphaZ subscription.
Frequently Asked Questions
UK Legislation
The following UK legislation is relevant to personnel records and data protection. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.
