Employee data needs a reason, not another folder.
Start with why each record exists, then decide the minimum fields, who needs access, how long it stays and how the person can exercise their rights. A tidy folder is not a data-protection strategy.
- Purpose before collection
- Access by job, not curiosity
- Retention by record, not forever
How does UK GDPR apply to employee records?
Employee records are personal data, and health, biometric, trade-union and some other records can be special-category data. For each purpose, identify an appropriate Article 6 lawful basis; where special-category data is involved, identify the additional Article 9 condition and any required UK law or policy documentation.
Then apply the practical principles: collect only what the purpose needs, keep it accurate, restrict access, protect it, set a defensible retention route and make correction, access and other rights workable. Consent is often unsuitable in employment because the imbalance can make it difficult to regard as freely given.
This is practical general information, not legal advice. Use the current linked official guidance for the facts in front of you.
Make six decisions before creating another field.
Write the purpose in ordinary language. Name the lawful basis. Ask whether every proposed field is needed for that purpose. Assign access to roles or jobs, not to a vague 'HR' group. Decide the retention event and disposal route. Finally, test how a person can find out what you hold and exercise their rights.
These decisions are connected. A retention period without a purpose is arbitrary; an access role without a minimum-data decision still exposes too much; a subject-access route cannot work if nobody knows which systems and processors contain the record.
- 01
Purpose: what real employment or legal job does the record support?
- 02
Basis: which Article 6 basis, and if needed which special-category condition?
- 03
Minimum: what can be removed without preventing that job?
- 04
Access: who needs to see or change it, and for which task?
- 05
Retention: which event starts review, archive or deletion?
- 06
Rights: how will search, correction, restriction and access work?
Not every employee field belongs in the same view.
A work email, emergency contact, salary, identity evidence and health note do not carry the same risk. Separate general work information from manager-needed employment context and tightly restricted identity, pay or health material. Avoid repeating sensitive detail in task names, notifications or team calendars.
Least privilege is ongoing work. Review access when roles change, managers move and administrators leave. Know which processors support the service, what the contract requires, where data can be processed and how incidents or deletion requests are handled.
- Team-visible: only the work information the team genuinely needs.
- Manager-limited: employment context required to manage that person.
- Specialist-restricted: pay, health, identity and investigation material.
- System operators: audited, purpose-bound support rather than casual browsing.
- 1ReceiveAny ordinary-language request
- 2VerifyProportionate identity check
- 3SearchRelevant systems and processors
- 4ReviewScope, third parties, exemptions
- 5RespondSecure, clear and on time
Design subject access before the first request.
A subject access request can arrive in ordinary language and normally needs a response without undue delay and within one month. Complex or numerous requests can allow more time under the rules, but the person must be told. Identity checks should be proportionate rather than an automatic demand for excessive documents.
Map the systems, repositories and processors likely to contain responsive data; preserve the request and decision trail; review third-party information and exemptions carefully; and deliver through an appropriate secure route. A product export can help with collection, but it is not automatically a complete or legally reviewed response.
HollyHR provides controls; your organisation remains responsible for lawful use.
HollyHR supports organisation-scoped access, role and membership checks, bounded exports, audit records and selected-field controls. Those controls can assist a privacy programme, but HollyHR does not choose your lawful basis or retention period, decide a subject-access exemption, certify your compliance or provide legal advice. HollyHR's public privacy policy, DPA and sub-processor register remain deliberately unpublished from search pending their own legal review.
HollyHR can help with
- Scoped access and membership checks
- Bounded export and audit evidence
- Selected-field protection
Keep outside the claim
- Choose lawful basis or retention
- Decide DSAR exemptions
- Certify UK GDPR compliance
Check the rule where it is maintained.
We reviewed these sources on 19 July 2026. Follow the official page for the current rule, conditions and exceptions rather than relying on an old quotation.
- ICO — data-protection principlesLawfulness, minimisation, accuracy, storage, security and accountability.
- ICO — employment informationThe ICO's current worker and employment-information guidance.
- ICO — worker health informationHealth information needs additional conditions and tighter handling.
- ICO — right of accessCurrent timescales, identity, searches, exemptions and response duties.
Questions behind the checklist.
Short answers for scanning; the practical detail and source links stay above.
Can an employer rely on consent for employee data?
Sometimes, but it is often unsuitable because the employment relationship can make freely given consent difficult to demonstrate. Choose the lawful basis for the real purpose and use current ICO guidance.
How long should employee records be kept?
There is no single UK GDPR retention period for every HR record. Set periods by purpose, legal requirement and risk; document the trigger and disposal route; and review rather than keeping everything forever.
Does an HR system export complete a subject access request?
Not automatically. A bounded product export can help collect records from that system, but the controller must search relevant sources, review scope, third-party information and exemptions, and respond securely.
Keep the rule, owner and people record in one calm place.
HollyHR is in early access for small UK teams. See the relevant product workflow, or tell us what you are trying to improve.