Staff Records Management

The Data Protection Act 1998 gives individuals the right to access the information that an organisation holds on them. In order to comply with this part of the Act, organisations need to have in place effective means of extracting and retrieving information from a variety of sources.

Academic departments and support services sections may hold a great deal of information on their staff, usually in a variety of forms and locations. In order to comply with a subject access request, departments/sections will need to be able to locate and collate the information quickly. It is therefore vital that key personnel (typically Head of Department/Section, Line Manager and/or administrator) know what information is held and by whom. Ideally, all information relating to individual staff should be kept in departmental staff record files (paper or electronic) so that, in the event of a subject access request, the department/section can be confident that all the information is easily accessible from a limited number of central sources. However, the University recognises that this may not always be the case in practice. Departments/sections should ensure that staff record files are as complete as possible but it is acknowledged that there may be some instances where designated individuals* need to retain information on staff which would not be appropriate for more general access.

*As practice varies across the University, Data Protection Advisers will be responsible for agreeing lists of designated individuals who are likely to hold information on individual members of staff. A designated individuals database might be a useful tool to develop and the Data Protection Officer is happy to offer advice and assistance.

The Data Protection Advisory Group has devised the following guidelines for academic departments and support services sections to follow:

  1. Wherever possible, copies of documentation relating to an individual member of staff should be lodged in a departmental staff record file(s) (paper or electronic). Some departments/sections may (on occasion) choose to also lodge copies of certain information with Personnel Services but this is not a mandatory requirement.
  2. Designated individuals are permitted to retain duplicate copies of any documentation (electronic or paper), particularly if the information is consulted on a regular basis.
  3. Exceptionally, designated individuals may also keep documentation relating to sensitive information (e.g. relating to health or other problems) without copying the information to the departmental staff record file. Designated individuals should only follow this practice when unauthorised access/disclosure of the information concerned to other staff in the department/section poses a risk of damage/distress to the member of staff.
  4. Members of staff, other than those responsible for the staff record files and designated personnel, should not retain information (electronic or paper) about individual members of staff. Documentation should be filed either in the departmental staff record file or with a relevant designated individual.
  5. The exception to this is email as it would be impractical for staff to pass all emails to a central source. However, all staff must be aware that in the event of a subject access request, they may be asked to search their email archives for all emails referring to the member of staff that has made the request. Therefore, staff are advised not to keep emails relating to other members of staff unless it is absolutely necessary. In writing emails referring to other members of staff, you are reminded that, in the event of a subject access request, that member of staff is entitled to receive copies of all emails which refer to them.
  6. Information should only be retained in accordance with the suggested retention periods in the University’s Records Retention Schedule.
  7. When a designated individual leaves the University, they should pass all information to the member of staff responsible for staff files, to be either destroyed (in accordance with the University’s records retention schedule), or filed on the departmental staff record file, or passed to a replacement designated individual.
  8. Staff should be informed of what information is being held about them, what it will be used for, to whom it might be disclosed and whether or not it will stored in the departmental staff record file.

If these guidelines are followed, personal information held on staff can be easily located from a limited number of sources and departments will be much better prepared to respond to subject access requests efficiently.

For further guidance, please contact the University's Data Protection Officer.