




Keeping records, data protection and IT


When you employ staff or engage volunteers, you must keep records, whether in paper form or electronically. It is easier to maintain confidentiality and ensure that records are kept securely if you keep only one file about each person. Increasingly, organisations are choosing to retain electronic files only, by scanning all employment documentation and retaining it securely, with appropriate password access.

Records containing data on people are subject to the Data Protection Act 2018.

You must ensure that:

  • any paper filing system is lockable
  • any electronic records are password-protected and virus-protected
  • only those people who need to use the data have access to it.

Information must be kept for no longer than is necessary. There are specific rules and guidance about the length of time you should keep personnel and other related records. Refer to the CIPD factsheet on keeping records.

What records should be kept

You are advised to keep the information listed below, either in hard copy or electronically, in respect of each employee. This is not an exhaustive list; there may be other records your organisation needs to retain. 

  • A copy of the original recruitment application and job description
  • A copy of the signed written statement of terms and conditions of employment (the ‘contract’)
  • Employment details: date employment began, date present job started, job title, basic salary, overtime and any other payments
  • A signed copy of any confirmation of having read and agreed to policies and procedures
  • References, copy of document(s) indicating right to work in the UK, health declaration as relevant, qualification certificates as relevant
  • A note of the DBS number and the date of the DBS certificate, if a DBS check was sought
  • A signed and dated copy of the employee’s agreement to/acceptance of any changes to their employment contract (eg hours of work, job description)
  • Copies of probation reviews, notes of supervision and appraisal meetings (dated)
  • Personal details: name, sex, date of birth, address, education, qualifications, previous experience, tax code, National Insurance number, emergency contact, details of any disability and of any reasonable adjustments implemented
  • Equality monitoring information if you undertake equality monitoring. This may include: gender, age, date of birth, sexual orientation, gender reassignment, religion/belief, race and disability
  • Absence details: sickness, lateness, authorised, unauthorised
  • Details of accidents
  • Details of disciplinary action
  • Training details

Data protection legislation

The Data Protection Act 2018 implements the EU General Data Protection Regulation (GDPR) into UK law. It covers both computer and manual records. Data protection legislation is about respecting the rights of individuals when processing their personal information.

There are six key principles:

  • Personal data should be processed fairly, lawfully and in a transparent manner.
  • Data should be obtained for specified and lawful purposes and not further processed in a manner that is incompatible with those purposes.
  • The data should be adequate, relevant and not excessive.
  • The data should be accurate and where necessary kept up to date.
  • Data should not be kept for longer than necessary.
  • Data should be kept secure.

Lawful basis

  • An organisation must have a lawful basis for handling any personal data. The Information Commissioner's Office (ICO) has an interactive tool to assist in identifying whether such a basis exists.
  • In employment matters, the most likely bases for processing will normally be: for the performance of the employee’s employment contract, or to comply with a legal obligation. Consent will only be required in limited circumstances, for example seeking consent to put an employee’s photo on your organisation’s website. See also ‘special categories of personal data’ below.

Special categories of personal data

The GDPR refers to ‘special categories of personal data’. This is information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation, and genetic or biometric data (for example, fingerprint images for security or internal payment systems).

Employers are likely to process special categories of personal data regularly, for example when dealing with an employee who has been absent from work due to ill-health or as part of equal opportunities monitoring. Such data may also be volunteered by the employee when notifying an absence.

As an example of how employers should use special categories of data, they should be aware that if an employee calls in sick, the reason given for the sickness is a ‘special category of personal data’. Unless the employee makes it clear they are happy for this information to be shared, the manager should only tell other staff that the employee is off sick, and not the reason.

Special categories of data can only be processed for more limited reasons than other personal data. For example, if you have explicit consent, or if processing is necessary for carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment.

For further information about special categories of personal data in employment, see the ICO website.


All staff have a responsibility to ensure that their activities comply with the data protection principles. Line managers have responsibility for the type of personal data they collect and how they use it. Staff should not disclose personal data outside the organisation's procedures, or use personal data held on others for their own purposes.

Staff and managers will need to be aware of the range of personal information that is covered by the Data Protection Act 2018. For example, if a manager has a written copy of contact details for their team, or an employee keeps customer names and numbers on post-it notes on their desk, these are all covered by the Act.


Data protection legislation also applies when monitoring employees' telephone calls, emails and CCTV. If monitoring occurs, workers must be made aware of the nature of and reason for any monitoring.


To ensure its compliance with the Data Protection Act 2018 and GDPR, an organisation should:

  • carry out a data audit to understand the data lifecycle within your organisation, including identifying what data your organisation processes, how you process the data and how long data is retained for
  • have a clear retention policy for handling personal data and ensure it is not held for longer than is necessary
  • ensure that all staff are aware of the retention policy and follow it
  • have a lawful basis for acquiring and/or using any personal data (see above)
  • inform employees, workers, consultants and job applicants of their rights as data subjects through a privacy notice, which can be provided to each individual. Alternatively, communicate to all individuals the location of this notice (eg the organisation’s website)
  • respond to subject access requests from individuals (sometimes called personal data requests) within one month
  • inform the ICO within 72 hours if there is a personal data breach that is likely to result in a risk to the rights and freedoms of an individual, and, if the risk is deemed to be high, also inform the individual concerned
  • review whether additional measures are required to secure data where the data is shared outside of the EEA
  • register with the Information Commissioner’s Office
  • appoint a data protection officer, if required, who can help embed, communicate and monitor the organisation's GDPR data protection policy. For more information on data protection officers and when one may be required, see the ICO website.

Information technology

A clear IT policy will also help to raise awareness of the risks associated with using IT and can protect your charity from loss of data.

You have a responsibility to ensure that all data is kept securely on computers and that employees know their obligations in respect of IT.

You will need to take a view on whether staff are permitted to use IT equipment for personal use (eg accessing webmail or shopping online at lunchtime). The policy needs to clarify acceptable and non-acceptable use and what will happen if the policy is breached.

NCVO members can download an example IT policy.

Social media

Large numbers of people use social media outside of work. Social media can distort boundaries between work and home and, if used unwisely, could affect the reputation of employers.

Because employers will have different rules and expectations about the use of social media at work, policies should reflect the context in which staff are expected to work.

NCVO members can download an example social media policy.


Page last edited Apr 07, 2022
