Most UK employers collect time and attendance data without giving much thought to how the UK GDPR applies. In April 2024, the ICO issued an enforcement notice against Serco Leisure for using facial recognition technology to record employee attendance. The problem was not the technology itself. It was that workers had no genuine choice about whether to consent, and no real alternative was offered. This guide explains what the rules actually say, where the risks are, and what a compliant approach looks like in 2026, including recent changes under the Employment Rights Act 2025 and the Data (Use and Access) Act 2026, which received Royal Assent on 19 June 2026.

This article is for informational purposes only and does not constitute legal advice. Employers should seek qualified data protection or employment law advice for their specific circumstances.

What counts as time and attendance data under UK GDPR?

Under the UK GDPR and the Data Protection Act 2018, any information that can identify an individual is personal data. Time and attendance records fall into two distinct categories, and the distinction matters significantly for your compliance obligations.

Standard clocking data includes clock-in and clock-out times, shift records, absence logs, late arrivals and any timestamps generated by a door entry fob, swipe card, PIN or mobile app. This is routine personal data. You need a lawful basis under Article 6 of the UK GDPR to collect it, but no additional conditions apply.

Biometric clocking data is different. Fingerprint scanners, facial recognition systems and iris scanners all generate what the ICO classifies as special category data when processed for the purpose of uniquely identifying a person. Special category data carries a higher compliance burden, additional legal conditions and mandatory impact assessments before processing begins.

Health-related absence data is also special category data. If your records include the reason for an absence, such as a specific illness or a disability-related adjustment, those details attract the same heightened protections as biometric data. Our absence management software page covers how to handle this correctly.

Whichever time and attendance system you use, the starting point is identical: map what data you collect, identify which category it falls into, and document your lawful basis before collection begins.

Your lawful basis for standard clocking data

Before processing any personal data you must identify a lawful basis under Article 6 of the UK GDPR and record that decision. The ICO’s guidance on monitoring workers is clear that you should identify the right basis from the outset, because changing it later without good reason is not straightforward.

For standard time and attendance data, three bases are commonly relevant.

Article 6(1)(b), contract performance, applies where processing is necessary to perform the employment contract. Calculating pay based on hours worked is the clearest example, and this is the basis most UK employers rely on for core clocking data.

Article 6(1)(c), legal obligation, covers processing required by law. The Working Time Regulations 1998 require employers to keep adequate records to show that workers are not exceeding the 48-hour weekly maximum, unless they have opted out in writing. This gives you a clear statutory basis for at least part of your attendance record-keeping.

Article 6(1)(f), legitimate interests, can apply where you have a genuine operational reason for monitoring attendance that is not overridden by workers’ rights. This basis requires a documented legitimate interests assessment setting out what the interest is, why the processing is necessary, and why the balance tips in the employer’s favour.

Most employers will rely on a combination of contract performance and legal obligation for standard clocking data. Document your decision clearly, and make sure your staff privacy notice reflects it.

When biometric clocking becomes special category data

The ICO’s guidance is unambiguous: any biometric recognition system used to uniquely identify individuals processes special category data. For time and attendance purposes that means fingerprint scanners, facial recognition clocks and iris scanners all trigger the additional requirements under Article 9 of the UK GDPR.

To process special category data lawfully you need two things: a lawful basis under Article 6 (as above), and a condition under Article 9(2). In an employment context Article 9(2)(b) covers processing necessary for employment law obligations. However, the ICO’s published position is that explicit consent is likely to be the only viable condition in most biometric time and attendance scenarios.

Explicit consent has specific requirements. It must be a clear, affirmative act (written consent is best practice). It must be freely given, meaning workers must be genuinely able to refuse without penalty. You must offer a genuine, accessible alternative method of clocking. And workers must be able to withdraw consent at any time without detriment.

A Data Protection Impact Assessment is mandatory before deploying any biometric clocking system. The DPIA must be completed before processing begins, not after deployment.

ICO enforcement: Serco Leisure (2024)

Serco Leisure used facial recognition technology to record employee attendance and calculate pay. Workers’ photographs were converted into a biometric map stored alongside names and staff numbers. The ICO issued an enforcement notice after finding that workers had not been offered a genuine alternative, that biometric clocking had been presented as a condition of receiving pay, and that the power imbalance in an employment relationship meant consent could not be freely given.

The ICO noted that less intrusive alternatives such as identification cards, key fobs or sign-in sheets could have achieved the same outcome. Serco failed to demonstrate why those alternatives were insufficient, and failed to produce an appropriate policy document addressing the risks of processing special category data.

For employers weighing up their options, the practical question is whether the operational benefit justifies the compliance overhead. RFID cards and fobs, mobile app clocking and PIN entry all avoid the special category data requirement entirely, while still providing accurate, tamper-resistant attendance records. Our clocking systems guide covers the hardware options in detail.

What you must tell your workers

The ICO makes clear that a generic clause in an employment contract stating the employer “may monitor your activity” is not sufficient. Workers must be given specific, transparent information before monitoring begins, set out in a privacy notice they can actually find and read.

That notice must cover what data is collected and how, the purpose for collecting it, the lawful basis being relied upon, how long records will be kept, who has access to the data including any third-party software providers, and workers’ rights including the right to make a subject access request and receive a response within one calendar month.

Where biometric processing is involved, workers must be informed specifically that biometric data is being processed, what the biometric template captures, and when it will be deleted. This information should be provided before data collection starts and updated whenever your practices change. It should not be buried in a contract schedule that most workers will not read in detail.

How long should you keep attendance records?

One of the most common compliance gaps is retaining data for longer than necessary without a documented justification. The UK GDPR’s storage limitation principle requires you to keep personal data only for as long as there is a valid purpose, and to delete it when that purpose has been served.

For time and attendance data, the following statutory periods apply.

Record type                    | Minimum period          | Notes
Working time records           | 2 years                 | From date records were made. Working Time Regulations 1998, reg. 9.
PAYE and payroll records       | 3 years (6 recommended) | From end of relevant tax year. Most employers keep 6 years for audit protection.
National minimum wage records  | 6 years                 | Extended from 3 years in April 2021.
Holiday and holiday pay records| 6 years                 | Criminal offence not to comply from 6 April 2026. Employment Rights Act 2025.
SSP and sickness records       | 3 years                 | From end of relevant tax year. Health details are special category data.
Right to work checks           | 2 years after leaving   | Gov.uk right to work guidance.
Biometric templates            | Minimum necessary       | Delete on employment end or consent withdrawal. Templates are special category data.

The holiday records change is the most significant for 2026. Under the Employment Rights Act 2025, failing to keep adequate annual leave and holiday pay records for six years has been a criminal offence since 6 April 2026. Timesheets and attendance data that feed holiday pay calculations fall directly within scope.

For biometric templates specifically, the ICO recommends retaining only what is strictly necessary. Even where a system stores a mathematical template rather than a raw biometric image, that template is still special category data and must be deleted when employment ends or consent is withdrawn.

The Data (Use and Access) Act 2026

The Data (Use and Access) Act 2026 received Royal Assent on 19 June 2026. At the time of publication, the ICO and the Department for Science, Innovation and Technology are working through commencement plans. Employers with established data protection programmes should monitor the ICO’s employment guidance pages for updates as provisions take effect. This article will be updated as clarification is issued.

A practical compliance checklist

If you want to check your position quickly, work through these points.

  • Map all time and attendance data you collect and classify each type as standard personal data or special category data.
  • Document your Article 6 lawful basis for each data type before collection starts.
  • If you use biometric clocking: identify an Article 9(2) condition, obtain written explicit consent, and provide a genuine alternative that carries no penalty for choosing it.
  • Complete a Data Protection Impact Assessment before deploying any biometric system or significantly changing how you monitor attendance.
  • Update your staff privacy notice to describe specifically what is collected, why, for how long, and who has access.
  • Set retention schedules aligned to the statutory periods in the table above, and delete records once those periods expire.
  • Keep holiday and holiday pay records for six years from 6 April 2026. Failure to do so is a criminal offence under the Employment Rights Act 2025.
  • Confirm your data processor agreements are current with any third-party software providers who handle your attendance data.
  • Establish a subject access request process that can respond within one calendar month, and test it before a request arrives.

Time and attendance data is not a GDPR grey area. The rules are clear, the ICO is active in this space, and the Serco enforcement action shows that compliance failures have real consequences. A system that collects only what you need, retains it for exactly as long as required, and deletes it when that period expires is not just a compliance requirement. It is also considerably easier to manage than a data breach investigation or an ICO inquiry.


Frequently asked questions

Is time and attendance data covered by UK GDPR?

Yes. Any time and attendance record that can identify an individual is personal data under the UK GDPR and the Data Protection Act 2018. This includes clock-in and clock-out times, shift records, absence logs and timestamps from fobs, cards, PINs or mobile apps. Biometric clocking data and health-related absence data are classed as special category data, which carries additional legal conditions.

Can employers use fingerprint or facial recognition clocking under UK GDPR?

Yes, but with significant conditions. Biometric data used to uniquely identify a person is special category data under Article 9 of the UK GDPR. Employers must identify a lawful basis under Article 6, a condition under Article 9(2), and in most cases obtain explicit written consent. Workers must be offered a genuine alternative method of clocking with no penalty for choosing it, and a Data Protection Impact Assessment must be completed before processing begins.

Do I need consent to record my employees clocking in and out?

Not usually for standard clocking data. Most employers rely on contract performance (Article 6(1)(b)) or legal obligation (Article 6(1)(c)) rather than consent, because calculating pay and meeting Working Time Regulations record-keeping duties do not require consent. Consent becomes relevant for biometric clocking, where the ICO considers explicit consent to be the only viable lawful condition in most cases.

How long must UK employers keep time and attendance records?

Retention periods depend on the record type. Working time records must be kept for 2 years, PAYE and payroll records for at least 3 years (6 is common practice), national minimum wage records for 6 years, and holiday and holiday pay records for 6 years following the Employment Rights Act 2025. Biometric templates should be deleted as soon as they are no longer needed, and at the latest when employment ends or consent is withdrawn.

What changed for holiday pay records in April 2026?

From 6 April 2026, under the Employment Rights Act 2025, failing to keep adequate annual leave and holiday pay records for a minimum of six years became a criminal offence. Timesheet and attendance data that feed holiday pay calculations fall directly within scope. The Fair Work Agency, which launched on the same date, has powers to investigate employers and bring proceedings on a worker’s behalf.

Do I need a DPIA for a time and attendance system?

A Data Protection Impact Assessment is mandatory before deploying any biometric clocking system, because the ICO classifies biometric processing to uniquely identify individuals as inherently high risk. For standard clocking systems a DPIA is not always strictly required, but the ICO encourages one as good practice wherever monitoring of workers is involved.