The General Data Protection Regulation (GDPR) came into force in May 2018. It requires businesses to take steps to protect the personal information they collect, specifies measures required by law to prevent data breaches, and lists eight “data subject rights”. These are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
These rights belong to individuals, whether they are contacts at partner businesses, clients or employees. Failure to respect them can result in enforcement action, including fines. This article deals in particular with the “right to erasure” and, specifically, with GDPR data retention periods.
How long to keep employee records after termination of a UK contract?
So how long can you keep personal data relating to your employees in HR records? The answer is that GDPR itself sets no definitive statutory retention periods.
The legislation states that personal data should be kept for “no longer than is necessary” for the purpose it was collected for. If you need the data only for the period of the individual’s employment, you should destroy it after they leave.
If you’re likely to need it for archiving or research “in the public interest”, it may be that you can keep it for longer.
GDPR’s purpose limitation principle means you may only keep data for use in the manner for which it was first collected, or for a purpose compatible with it.
One of the chief reasons for the retention of employee records in the UK is legal defence against potential claims. A business may need to use certain data as evidence should the subject bring a discrimination claim (on grounds of race, for example) against it.
Our guide to GDPR and how long to keep data
“Should personal data be deleted every 5 years?” is a common query, and rumours of other periods are regularly heard. However, the guideline period for most types of GDPR retention policy is six years after the end of the relevant tax year, in line with HMRC’s record-keeping requirements.
This does not apply to every situation, as businesses may keep hold of data for many different reasons – each requiring different lengths of time.
How long should records be kept under the Data Protection Act and GDPR?
1. Hiring and applicant data
It may not seem vital to keep information from interview notes or job applications you have received once someone has filled the role.
However, there is the possibility that a rejected applicant may make a claim against you for discrimination.
By law, they have six months from the date of the alleged incident in which to do so. For this reason, we recommend that you keep all applicant data throughout this period.
2. Payroll data
It is less likely that you will need this information to defend a claim. Because financial details are very sensitive, we recommend destroying them without much delay. This will help you to demonstrate a strong data retention policy under GDPR.
HMRC can investigate your PAYE and other payroll-related activities for up to three years after the end of the tax year they relate to. For this reason, it’s a good idea to keep these details for this length of time and no longer.
3. Employee records
This information includes employment contracts, details of their performance and other records relating directly to their work with you.
This data can prove very useful when defending against a claim brought by the data subject. Among other things, you may use it to:
- Disprove details of their accusations
- Serve as evidence that you did your duty as an employer
- Support claims that you gave the subject the correct information and support during their employment
A claim for unfair dismissal must be brought within three months of the dismissal. However, the data subject can bring a civil claim (for breach of contract, for example) in the county court or High Court up to six years after the alleged act; the crown court hears criminal cases, not employment disputes.
For this reason, it’s a good idea to keep this information for around six years.
What are the legal requirements for storing business information for use in court?
An important point is that much of this data will not have been originally collected for use as a legal defence. That purpose is unlikely to have been taken into account when you first asked for the data subject’s consent to process their information.
However, as mentioned earlier, GDPR states that businesses must only keep data to use in the manner for which it was first collected.
This is where “legitimate interest” comes into play.
Legitimate interest is one of the lawful bases under GDPR for processing personal data without the data subject’s consent, where the business’s (or a third party’s) interest is not overridden by the individual’s rights and freedoms. Often this is relied on so that the business can uphold a legal duty.
For example, an employee may not have given you explicit permission to use their bank details, but it is illegal for you to let them work for free (strictly, paying wages is processing necessary to perform the employment contract, which is a separate lawful basis, but the principle is the same).
Similarly, you may not have consent to share a suspect’s information with law enforcement, but it may be in the public interest for you to do so.
The use of employee data to ensure your business can build a fair defence in court falls into this category.
Of course, any reliance on legitimate interest must always be balanced against the legal rights of the data subject, and it is good practice to record that balancing test so you can demonstrate it later.
So – how long can personal data be stored under the Data Protection Act and GDPR? The answer depends on the type of data.
For applicant data, we recommend six months. For payroll information, three years. For employee records, six years. For anything else, it’s a good idea to follow the HMRC six-year period in case you are required to respond to any form of investigation.