Employee data: what UK law lets you use and what it does not

June 23, 2026 · 6 min

Dave manages a team of twelve field engineers. Every working day they leave a trail of data behind them: clock-in and clock-out times, van locations, job completions, app logins, messages sent through the scheduling tool. Collecting all of it costs almost nothing, and the temptation to hold on to it is real. You never know when it might come in handy. The trouble is that on employee data, UK law has already drawn a line, and it sits precisely where most employers are not expecting it.

The line does not run between “good data” and “bad data”. It runs between what you genuinely need and what you are collecting because you can. That distinction is the backbone of data minimisation under the UK GDPR: you can process personal data about your workers only for a declared purpose, only to the extent that purpose requires, and only for as long as it remains relevant. It sounds like a technicality, but it is actually the most practical question you can ask yourself: what is this data actually for? If the answer is “not sure, but let’s keep it just in case”, you should not have it. That is where almost every ICO enforcement case begins, not with elaborate surveillance systems, but with swollen archives nobody can justify.

Take attendance, the most common case. Knowing when a field worker started and finished a job is a legitimate and almost always necessary thing to know: you need it to pay wages accurately, to invoice the client, to prove the work happened. Knowing where that person was at every moment throughout the day is a different matter entirely, and rarely necessary for any of those purposes. Between the two sits a significant gap, and it is the same gap the ICO’s employee monitoring guidance identifies when it calls for a data protection impact assessment (DPIA) before you deploy any monitoring technology, along with a legitimate interest assessment (LIA) to weigh your business need against the worker’s right to privacy. The clock-in record you can have. The full-day film, no.

Purpose first, data second

There is a reflex that catches even careful employers out: collect the data first, decide what it is for later. UK GDPR works the other way around, and rightly so. You fix the purpose, then you collect only what that purpose actually requires. A practical example that holds for any business with field teams: if your purpose is proving to a client that a job was carried out, you need a point-in-time record, where the team was when they arrived and when they left, plus a photo if the contract calls for it. You do not need to track the route. You do not need to know where they had lunch. You do not need to retain that location data for two years. Every extra piece you hold is an extra piece you will one day have to justify, secure, and, if something goes wrong, explain to the ICO.

Retention is the chapter nobody reads until it is too late. Data collected lawfully but held indefinitely becomes unlawful data. Location records from a completed job are not needed once the job is invoiced and closed. Keeping them “for safety” is not prudent, it is the reverse: you are accumulating a liability that gives you nothing in return. Real safety is being able to tell the ICO that you delete what you no longer need, and being able to demonstrate it. The guidance on records retention makes this point clearly, and it applies whether you are running a paper timesheet or a GPS-enabled field service app.


Workers are not a special case. They are the whole point.

There is one thing that separates employee data from every other category, and it is the reason the law is stricter here than almost anywhere else. Between you and the people who work for you, there is no equality of bargaining position. This is why consent, as a lawful basis, is generally not valid in the employment relationship: no one working for you is genuinely free to say no to their employer and expect nothing to follow from it. Your basis for processing employee data sits in legitimate interest or the performance of the employment contract, and whichever you choose, it needs to be weighed, documented, and explained in an information notice the worker reads before monitoring begins, not after. Where there is a recognised trade union or elected worker representatives, the ICO recommends consulting them as good practice before introducing monitoring arrangements. Not because the law demands it as a formal step in every case, but because it is how you show that you are on the right side of the line.

One more thing worth noting: the ICO is explicit that continuous monitoring and out-of-hours tracking are very difficult to justify under any lawful basis. If your location data runs past the end of a shift, or if your system logs activity when someone is technically off the clock, those records are almost certainly indefensible. A LIA or DPIA will not rescue them if the underlying collection was disproportionate from the start.

Looked at this way, compliance on employee data stops feeling like a constraint and starts looking like a sensible way to run things: collect the proof, not the surveillance. That is the same logic behind GeoTapp, which records location only at the moment of clock-in and clock-out, not across the working day, so you hold what you need for proof of work and nothing more. If you want to see how the rules vary across EU member states, the map of GPS and worker monitoring regulations is publicly available, and there is also a generator that prepares a compliant Article 13 privacy notice for your workforce in a few minutes.

So here is the question to sit with: of all the data you could collect on your field team today, how much of it do you actually need, and how much are you holding because no one has got around to asking?
