This is the fourth instalment of our GDPR for HR FAQs series of mini blogs. In this blog, we consider your GDPR data retention policy and the following question: How long should my organisation retain personal data about our employees?
Our Frequently Given Response:
GDPR doesn’t specify how long personal data should be retained, but under the storage limitation principle (Article 5(1)(e)) it requires organisations to keep personal data for no longer than is necessary for the purpose for which it was collected. Whatever periods you settle on should be recorded, stated (or the criteria used to set them stated) in the privacy notice given to employees and candidates as Article 13(2)(a) requires, and actually applied: data that has passed its retention period should be deleted, not simply left in place.
Some key considerations for a GDPR data retention policy from an HR perspective are:
- Ensure personal data is retained for any periods required by law. For example, right to work documentation should be retained for 2 years beyond termination of employment, and HMRC requires PAYE records to be kept for 3 years from the end of the tax year they relate to (https://www.gov.uk/paye-for-employers/keeping-records). Holiday records should be retained for at least 2 years beyond termination;
- Consider whether employment contracts have been signed as simple contracts or as deeds. If they are signed as simple contracts, the limitation period for contractual claims is 6 years from the date the cause of action accrues, so contracts should be retained for at least 6 years beyond termination of employment. The limitation period increases to 12 years for claims made pursuant to a deed;
- Consider possible claims for personal injury. The limitation period is 3 years from the date the injury occurs, although for latent personal injury claims (such as asbestosis) the 3 year period does not start until the individual becomes aware of the injury. Each business should consider the likelihood of latent personal injury claims arising. Bear in mind that even if latent personal injury issues may arise for some workers (such as factory or warehouse workers or those working with chemicals), it is unlikely that every employee in the organisation is exposed to the same risk. For example, office workers such as management and secretaries / PAs may not have the same concerns. In that scenario it would be difficult to argue that retaining all HR / employee personal data for a longer period because of the risk of latent personal injury is GDPR compliant. Files should instead be separated into those employees with a genuine risk of latent personal injury and all other employees, with a different retention period applied to each group;
- Recruitment records need their own retention periods. If candidates are successful, their application data becomes part of the HR / employee file and is retained in line with the organisation’s retention periods for HR / employee data;
- If candidates are unsuccessful, decide how long the application / CV will be kept on file. Organisations may choose to retain applications for the probation period of the relevant job, in case the successful candidate does not pass probation and the unsuccessful candidate is given another opportunity to interview for the role. Organisations may also choose to keep the CV / application in case a similar opportunity arises in future for which the candidate may be suitable, but candidate information should not be kept indefinitely “just in case”, particularly as it is likely to go out of date relatively quickly, and candidates should be told the chosen period when they apply.
If you are currently determining retention periods for your organisation for your GDPR data retention policy and would like more advice, please contact Matthew Hattersley.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.