Given that it is now a legal requirement for some organisations to collect personal information in order to continue to function, the Information Commissioner’s Office (ICO) has published advice on collecting, storing, sharing and deleting the data that those employers have been asked to obtain.

The advice is reflected in the following five basic steps that employers should take to ensure they stay within the law:

  • Step one – ask only for what is needed. Employers should only ask people for the specific information set out in government guidance. They should not ask people to prove their details with identity verification, unless this is already standard practice for the business such as ID checks for age verification in pubs.


  • Step two – be transparent. Employers should be clear, open and honest with people about what they are doing with their personal information by explaining what is needed and what will happen to it. This could be done by displaying a notice on the premises or on the employer’s website or just by informing people in person.


  • Step three – carefully store the data. Employers must look after the personal data they have collected. For instance, they might do this by keeping it secure on a device if they’re collecting the records digitally or, if on paper, keeping the information locked away and out of public sight.


  • Step four – do not use it for other purposes. In other words, employers must not use the information collected for activities such as direct marketing, profiling or data analytics.


  • Step five – erase the information in line with government guidance. This means that employers should not keep the data for longer than is specified. It follows that they must also dispose of the data securely to reduce the risk that someone who is unauthorised might access the data.


You can read the five steps here.

The full guidance can be read here.