GDPR and Employee Sickness Records: A Guide for Small UK Employers

Sickness and absence records are 'special category' health data under UK GDPR, with stricter rules. Here's what small employers must do to handle staff absence data lawfully.

Employee sickness and absence records are not ordinary HR data — they are "special category" health data under UK GDPR, and the rules are stricter. If you record why someone was off sick, you are handling some of the most sensitive personal data your business holds, and mishandling it can lead to complaints to the ICO and fines of up to 4% of annual global turnover.

This guide explains, in plain English, what that means for a small employer and how to stay on the right side of it.

This is general information, not legal advice. For decisions about your specific obligations, consult a data-protection or employment law professional.

Why sickness data is treated differently

Most HR data — names, contact details, job titles — is standard personal data. But anything that reveals an employee's health is "special category data" under Article 9 of the UK GDPR, which gets a higher level of legal protection. Sickness and absence records frequently fall into this bracket, because the reason for an absence can reveal a medical condition.

This isn't theoretical. The ICO actively investigates complaints from employees who feel their medical details were shared or stored without proper controls.

What small employers must do

You don't need a compliance department to handle this well. The core obligations are practical:

1. Only collect what you actually need (data minimisation)

You are not entitled to an employee's specific diagnosis just because they're off sick. "Respiratory condition" is enough — you don't need "asthma" unless there's a genuine operational reason. The less detail you store, the lower your risk.

2. Don't share medical details unnecessarily

A line manager needs to know someone is off and for how long to manage the team — they usually do not need to know why. Separate the operational fact ("off until Friday") from any medical context, and limit who can see the latter.

3. Respect employees' rights

Under UK GDPR your staff can:

  • Access their own data — if an employee makes a Subject Access Request (SAR), you have one month to respond with a copy of everything you hold about them.
  • Request corrections to inaccurate records.
  • Request erasure in some circumstances — though this right is not absolute for employment records (see below).

4. Keep data only as long as necessary (storage limitation)

You shouldn't keep records forever. The common UK practice is to retain employment records for around 6 years after employment ends, because that's the window in which most tribunal and contractual claims can arise. After that, records should be deleted or anonymised.

5. Store it securely

Health data should sit behind proper access controls — not in a shared spreadsheet anyone can open. Role-based access, encryption, and a record of who accessed what are the kinds of controls an ICO investigation or tribunal would expect to see.

"Can an employee make us delete their sickness records?"

This is one of the most common questions, and the answer surprises people: not necessarily. The right to erasure is not absolute. You are allowed to retain records for as long as is genuinely necessary for a legitimate purpose — and defending a potential tribunal claim (typically up to 6 years) is one. A good middle path is to anonymise older records: wipe the personal and medical detail while keeping the statutory shell (dates, leave type, statutory pay figures) that you may still need for historical payroll. If an employee insists on full deletion, take legal advice before acting.

Are you the "data controller"?

Yes. For your own employees' data, you are the data controller — the legal responsibility for how the data is used sits with you, not with any software vendor you use. Software can give you the technical controls (separation of medical notes, access roles, audit trails, retention tools), but the processes — who you let see what, what you collect, when you delete — are yours to own.

How software helps

Handling all of this in spreadsheets is where small employers get exposed: medical notes sitting next to operational ones, no record of who viewed what, and no reliable way to anonymise old data.

Coverboard is built to make lawful absence handling the default for UK employers. It stores any medical/sickness note in a separate field from the general operational note (so the medical detail can be wiped without losing the rest), restricts access by role, keeps an append-only audit log of changes, generates a complete machine-readable SAR export for any employee on request, and provides a retention tool that anonymises records past your chosen cut-off (default 6 years) while preserving statutory pay history.

Coverboard provides these controls, but — as with any tool — GDPR compliance remains your responsibility as the data controller, not something a product can guarantee on your behalf.


This guide is general information, not legal advice. For decisions about a specific employee or your obligations under UK GDPR, consult a data-protection or employment law professional.