Under the General Data Protection Regulation (GDPR), storage limitation is one of the most important principles that every organisation needs to get to grips with. It requires that personal data be kept in a form that permits identification of individuals for “no longer than is necessary” for the purposes for which it is processed. For employee data, special care is needed when you put this principle into practice.
For one thing, areas such as payroll, health and sickness information and disciplinary records tend to be sensitive in nature (health data is “special category” data under the GDPR) and therefore need particular care to ensure that the rights and interests of individuals are protected.
At the same time, it is rarely appropriate to have a ‘one size fits all’ storage limitation rule covering the entire contents of an employee file. What to keep, how to store it, and for how long, depends on multiple factors, ranging from specific HMRC requirements through to protecting your business against any legal claims brought by previous employees.
This guide explains how to put together a retention policy for your employee records, helping you to protect your business, respect the rights of your employees and stay compliant with the GDPR.
Employee records: why you need a GDPR-compliant retention policy
For all types of personal data you process, your business should have a set of internal rules setting out how long data should be stored, depending on the category the data belongs to. Taken together, these rules form your personal data retention policy.
Storage limitation is one of the fundamental GDPR principles; one of the “golden rules” you need to take into account when processing the personal information of individuals, including your employees. You can read more about implementing all seven GDPR principles here.
The GDPR also includes further, more detailed requirements in which the storage limitation principle is applied directly. These include the following:
Data protection by design and by default
This becomes especially relevant when you change existing processes or introduce new technology (a new online HR management portal, for instance). You need to show that you have taken measures to ensure that, by default, only data “necessary for each specific purpose of the processing” is processed. The GDPR applies this explicitly to the period for which data is stored, so default retention periods must be kept to the minimum the purpose requires.
The information you must provide to employees
Staff personal data tends to fall into three categories: data supplied to you by the employee (e.g. bank and contact details), data supplied by third parties (employer references and information from the Student Loans Company) and data created by you (training and conduct records). In all three cases, the GDPR requires that you tell employees what you hold, why you hold it, and how long you will hold it (or, where no fixed period can be given, the criteria used to decide that period).
If your retention rules seem arbitrary, with no real justification behind them, the data regulator could regard you as having failed in your duty to process employee data in a “fair and transparent” way.
The right to be forgotten (the right to erasure)
Our guide to erasure explains more about this important aspect of the GDPR. When a former employee asks you to delete the records you hold on them, a thorough retention policy enables you to respond appropriately: the right to erasure does not apply to data you are legally obliged to keep, and a documented retention period is your evidence of that obligation. In particular, it stops you from inadvertently erasing data that you must hold on to (for tax purposes, for instance).