Keeping records, data protection and IT

When you employ staff or engage volunteers, you must keep records, whether in paper form or electronically. It is easier to maintain confidentiality and ensure that records are kept securely if you keep only one file about each person.

Records containing data on people are subject to the Data Protection Act 1998. Records should be 'accurate, up to date and kept no longer than is necessary'.

You must ensure that: your filing system is lockable; any electronic records are password and virus protected; and that only those people who need to use the data have access to it.

There are specific rules laid down about the length of time you should keep personnel and other related records. Refer to the CIPD Factsheet 'Retention of personnel and other related records'.

What records should be kept

You are advised to keep the information listed below, either in hard copy or electronically, in respect of each employee. This is not an exhaustive list; there may be other records your organisation needs to retain. 

  • A copy of the original recruitment application and job description
  • A copy of the signed written statement of terms and conditions of employment (the ‘contract’)
  • Employment details – date employment began, date present job started, job title, basic salary, overtime and any other payments
  • A signed copy of any confirmation of having read and agreed to policies and procedures
  • References, copy of document(s) indicating right to work in the UK, health declaration as relevant, qualification certificates as relevant
  • A note of the DBS number and the date of the DBS certificate, if a DBS check was sought
  • A signed/dated copy of the employee’s agreement to any changes to their employment contract, ie hours of work, job description etc
  • Copies of probation reviews, notes of supervision and appraisal meetings (dated)
  • Personal details – name, sex, date of birth, address, education, qualifications, previous experience, tax code, National Insurance number, emergency contact, details of any job-related disability
  • Equality monitoring information if you undertake equality monitoring. This may include: gender, age, date of birth, sexual orientation, gender reassignment, religion, race
  • Absence details – sickness, lateness, authorised, unauthorised
  • Details of accidents
  • Details of disciplinary action
  • Training details

Data protection legislation

The Data Protection Act 1998 covers both computer and manual records and works in two ways:

  • It gives individuals certain rights, including the right to see information that is held about them and to have it corrected if it is not right. For a fee, employees can ask to see the data you hold on them.
  • It says that anyone who records and uses personal information (data controllers) must be open about how the information is used and must follow eight principles of good information handling. The eight principles state that data must be:
    • fairly and lawfully processed
    • processed for limited purposes
    • adequate, relevant and not excessive
    • accurate
    • not kept for longer than is necessary
    • processed in line with the data subject’s rights
    • secure
    • not transferred to countries outside the EU without adequate protection.

Sensitive personal data

The Data Protection Act 1998 defines 'sensitive personal data' as data that consists of information about an employee's:

  • racial or ethnic origins
  • political opinions
  • religious beliefs
  • trade union membership (or non-membership)
  • physical or mental health or condition
  • sex life or sexual orientation
  • criminal (or alleged criminal) activities
  • criminal proceedings, criminal convictions (or any sentences imposed by the courts).

Sensitive personal data must not be held on a personnel file without the employee’s express consent – unless held to comply with an employer's legal obligations. This data may be retained for so long as may be necessary for the original purpose.


As an employer, you will probably need to register under the Data Protection Act. Call the Information Commissioner on 0303 123 1113. You can also use the ICO’s interactive tool.


All employees have a responsibility to ensure that their activities comply with the Data Protection Act. You should ensure that your employees understand their responsibilities.


Data protection applies when monitoring employees' telephone calls, emails and CCTV. If monitoring occurs, workers must be aware of the nature and reason for any monitoring. See the Acas guidance.


The General Data Protection Regulation (GDPR) was implemented in the UK in May 2018, replacing the Data Protection Act. Employers are required to carry out audits of employee personal data that they collect and process to ensure it meets the Regulation. See NCVO’s GDPR guidance.

Information technology

A clear IT policy will also help to raise awareness of the risks associated with using IT and can protect your charity from loss of data.

You have a responsibility to ensure that all data is kept securely on computers and that employees know their obligations in respect of IT.

You will need to take a view on whether staff are permitted to use IT equipment for personal use (eg accessing webmail or shopping online at lunchtime). The policy needs to clarify acceptable and non-acceptable use and what will happen if the policy is breached.

NCVO members can download an example IT policy.

Social media

Large numbers of people use social media outside of work. Social media can distort boundaries between work and home and, if used unwisely, could affect the reputation of employers.

Because employers will have different rules and expectations about the use of social media at work, policies should reflect the context in which staff are expected to work.

Further resources

Page last edited Jun 28, 2018
