GDPR Countdown Week 6: GDPR and HR record retention
There must be a valid lawful reason for retaining documents, but overly optimistic statements on data retention/destruction may also cause problems.
The Information Commissioner says that, under GDPR, organisations (as data controllers) need to document retention schedules for the different categories of personal data. The ICO says that this may be set by internal policies or based on industry guidelines. So in preparation for the GDPR coming into force, you need to have a written statement saying how long you will keep different types of employee data.
So how long is that? Remember that processing data includes simply storing it, so if you don’t have a lawful reason for keeping it, you shouldn’t do so. The plans you have in place to demonstrate GDPR compliance should spell out not just how long you are keeping things for, but why.
Whilst you do need to have a valid lawful reason for retaining documents, overly optimistic statements on data retention/destruction may also cause you problems. We know that the Information Commissioner is unimpressed if organisations do not adhere to what they say about documentation retention, so when setting out what you will do, be realistic and record what will actually happen.
Whilst we have heard of GDPR “experts” recommending the wholesale destruction of most employee records, we would recommend being more cautious. Documentation is so important when it comes to defending any employment claim that we would always say it is better to keep records for as long as you can, where you may need to do so. This risk will, in most cases, be a legitimate reason to retain records, and the limitation periods for claims provide a sensible basis and rationale for record retention.
An employee can bring a claim for breach of contract at any time up to six years after their employment has ceased. Accordingly, the period of six years from the end of employment provides a sensible starting point for record retention. However, strictly speaking, you do need to keep the records a little longer as you will not necessarily be notified of a claim until after the six years has expired. Similarly, the period for which most employee records need to be retained for tax purposes is six years from the end of the relevant tax year, so some variation on six or seven years may be a sensible period – with the period over six years allowing for the possibility of a claim or the end of the tax year.
Retention periods do, however, need a little more consideration for employee records, and one size does not fit all. Some other periods to consider are:
- There is probably little need to retain recruitment files for more than six months after appointment. Most claims which can arise must be brought within three months of being informed about the decision (or at least ACAS must be contacted in that period). You should however retain the appointee’s records throughout their employment and you might want to consider longer periods of retention if the applicants for one job might be considered for later vacancies (presumably having told them that this might occur);
- It is important to retain some records to ensure that you know when people have worked for you and in which roles, for a far longer period. You may need to provide references long after an employee has ceased to work for you, for example;
- The breach of contract risk won’t justify retaining all records for six (plus) years, so you should prune files and records to remove things which are no longer required. Mortgage application letters or next of kin contact details are two examples of things common to personnel files which do not need to be retained long after someone has left. Ideally, personnel files for current employees should also be pruned regularly so that historic data is removed when it can no longer be required; and
- Health reports and records are special categories of personal data and therefore retention should be carefully considered and appropriate limits determined. However, some health records need to be retained even longer than other records, such as those relating to asbestos and hazardous substances, which need to be kept for 40 years.
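The retention periods above can be turned into a schedule that a records register applies mechanically, so that nothing is destroyed early and nothing is quietly kept forever. The following is an added worked example and not code from the original article or from Weightmans: it encodes the six-years-plus-margin rule for personnel files (taking the later of the breach-of-contract limit and the tax-year limit), the six-month recruitment rule, the 40-year rule for hazardous-substance health records, and an unscheduled category for the basic service history kept for references. The 5 April tax year end, the six-month margin for late notification of a claim, the category names and the sample register are all assumptions made for the example.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumption (not stated in the article): the UK tax year ends on 5 April.
TAX_YEAR_END = (4, 5)


def add_months(d: date, months: int) -> date:
    """Add whole months to a date, clamping to the last day of the target month
    (so 29 February plus twelve months becomes 28 February)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def tax_year_end(d: date) -> date:
    """End of the tax year in which date d falls."""
    end = date(d.year, *TAX_YEAR_END)
    return end if d <= end else date(d.year + 1, *TAX_YEAR_END)


def personnel_file_retention_end(leaving_date: date, margin_months: int = 6) -> date:
    """Later of: six years from the end of employment plus a margin for a claim
    notified late (margin is an assumed six months), and six years from the end
    of the tax year in which employment ended."""
    contract_limit = add_months(leaving_date, 6 * 12 + margin_months)
    tax_limit = add_months(tax_year_end(leaving_date), 6 * 12)
    return max(contract_limit, tax_limit)


@dataclass
class Record:
    ref: str
    category: str
    event_date: date  # leaving date, appointment date, or date of the health record


def retention_end(record: Record) -> Optional[date]:
    """Date after which the record may be destroyed; None means no scheduled destruction."""
    if record.category == "personnel_file":
        return personnel_file_retention_end(record.event_date)
    if record.category == "recruitment_file":
        return add_months(record.event_date, 6)  # six months after appointment
    if record.category == "hazardous_substance_health":
        return add_months(record.event_date, 40 * 12)  # 40 years
    if record.category == "service_history":
        return None  # dates and roles kept far longer, e.g. for references
    # Refuse to guess: an unknown category must get a documented rule first.
    raise ValueError(f"no retention rule recorded for category {record.category!r}")


def due_for_destruction(records: List[Record], today: date) -> List[str]:
    """References of records whose retention period has already ended."""
    return [r.ref for r in records
            if (end := retention_end(r)) is not None and end < today]


# Constructed sample register for the example; not real employee data.
SAMPLE_REGISTER = [
    Record("P1", "personnel_file", date(2018, 3, 1)),
    Record("P2", "personnel_file", date(2018, 6, 30)),
    Record("R1", "recruitment_file", date(2018, 1, 31)),
    Record("H1", "hazardous_substance_health", date(1990, 3, 1)),
    Record("S1", "service_history", date(2018, 3, 1)),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.ref, r.category, "->", retention_end(r))
    print("due for destruction on 2025-01-01:", due_for_destruction(SAMPLE_REGISTER, date(2025, 1, 1)))
```

Two design points match the article's advice: the personnel-file rule takes the later of the two limits, because for a leaver early in a tax year the tax limit can run almost a year beyond the contract limit even with the margin added; and an unknown category raises an error rather than defaulting to either "keep" or "destroy", so the written schedule has to be extended before the register will act on a new kind of record.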
When determining and recording how long to keep things, it is also worth being sensible about how destruction will occur. For those with slick computerised systems, specific destruction periods may be workable, but for those of you taking on the job of destroying physical files, it will be worth recording in your policy that destruction will be undertaken periodically (and possibly defining roughly when that will occur).
What is also important with record retention is the security applied. Whilst advising on GDPR implementation, we have been told some concerning stories about managers with box files open to anyone which contain all sorts of staff personal data and documents. The records you keep must be retained securely and, ideally, centrally. The Information Commissioner will look to all employers to have a policy detailing the periods of retention of employee records/data, but she will be far more concerned about what you have in place if an ex-employee’s personal data is accessed and disseminated by one of your staff who did not have a legitimate reason to access it.
Should you require any guidance on this issue, please do not hesitate to contact firstname.lastname@example.org or your normal Weightmans contact.