Under the new General Data Protection Regulation (GDPR), storage limitation is one of the most important principles that all organisations need to get to grips with. This states that personal data should be kept for “no longer than is necessary” for the purposes for which it was created or obtained. For employee data, special care should be taken when you put this storage limitation principle into practice.
For one thing, when it comes to areas such as payroll, copies of health information and disciplinary records, this data tends to be sensitive in nature and, therefore, needs particular care to ensure that the rights and interests of individuals are protected.
At the same time, it is rarely appropriate to have a ‘one size fits all’ storage limitation rule covering the entire contents of an employee file. What to keep, how to store it, and for how long, depends on multiple factors, ranging from specific HMRC requirements through to protecting your business against any legal claims brought by previous employees.
This guide explains how to put together a retention policy for your employee records, helping you to protect your business, respect the rights of your employees and stay compliant with the GDPR.
Employee records: why you need a GDPR-compliant retention policy
For all types of personal data you process, your business should have a set of internal rules setting out how long data should be stored, depending on the category the data belongs to. Taken together, these rules form your personal data retention policy.
Storage limitation is one of the fundamental GDPR principles; one of the “golden rules” you need to take into account when processing the personal information of individuals, including your employees. You can read more about implementing all seven GDPR principles here.
The GDPR also includes further, more detailed requirements where the principle of storage limitation becomes directly applicable. These include the following:
Privacy by default
This becomes especially relevant when making changes to your existing processes or introducing technologies (a new online HR management portal, for instance). You need to show that you have taken measures to ensure that only data “necessary for each specific purpose of the processing” is processed. This includes keeping storage periods to a minimum.
The information you must provide to employees
Staff personal data tends to fall into three categories: data supplied to you by the employee (e.g. bank and contact details), data supplied by third parties (employer references and information from the Student Loans Company) and data created by you (training and conduct records). In all three cases, the GDPR requires that you provide employees with information on what you hold, its purpose, and how long you will hold it.
If your retention rules seem arbitrary, with no real justification behind them, you could be regarded by the data regulator as having failed in your duty to treat employees in a “fair and transparent” way.
The right to be forgotten
Our guide to erasure explains more about this important new aspect of the GDPR. In the event of requests from former employees asking you to delete the records you hold on them, a thorough retention policy enables you to respond appropriately. In particular, it stops you from inadvertently erasing data that you are obliged to hold on to (for tax purposes, for instance).
Retention periods for various categories of employee records
The periods we’ve suggested below are for broad illustration only. To formulate your own retention policy, you should also bear in mind the following:
- HMRC rules. Statutory rules for retention of records can change from time to time, so make sure you keep a lookout for official updates.
- Professional regulatory guidance. Your regulator may set their own retention guidelines (relating to training or professional conduct, for instance).
- Insurer recommendations. Your employers’ liability and professional indemnity insurers may issue instructions on how long to keep the type of records relating to potential claims (e.g. linked to accidents at work).
- PAYE and NI data – including tax code notices: three years from the end of the tax year to which they relate.
- Statutory Maternity/Paternity/Parental Pay: three years after the end of the tax year in which the pay period ends.
- Pension records: auto-enrolment records need to be retained for six years from the date of enrolment. Opt-out notices need to be kept for four years.
- Records of accidents at work: at least three years from the date on which the incident occurred.
- Records relating to exposure to hazardous substances: at least 40 years from the time of exposure. This is because damage linked to exposure sometimes takes many years to become apparent. Employees generally have three years from becoming aware of symptoms within which to take legal action.
- Personnel data. This includes absence records, training logs, performance reviews, documentation relating to any redundancy process and records of disciplinary proceedings. Many organisations will be able to claim a legitimate interest in retaining these records for up to six years from the end of the employment period. The standard time limit for bringing most Industrial Tribunal claims is three months from the end of the employment period. However, it’s worth remembering that in theory, there is a possibility of civil claims for breach of contract for up to six years.
Further help from The Privacy Compliance Hub
The Privacy Compliance Hub offers a complete framework for staying on top of your GDPR compliance obligations. When it comes to data retention, this includes enabling you to assess, categorise and justify specific rules for data right across your organisation. To discover how it works, check out our demo or phone for a chat today.