
GDPR: How long must you keep your HR records?

12/04/2018 | February 29th, 2024 | Business, Human Resources
Keeping HR records

The law has always required you to keep HR records. The Data Protection Act (DPA), which governs this area, stipulates statutory retention periods for some records – for example, payroll data, P60s and P45s must be retained for at least six years.

But for other areas, such as CVs and interview notes, the DPA lays down no fixed regulation and instead advises that employee personal data should ‘not be kept longer than necessary for the purpose for which it was processed’. So, in many cases, you must use your discretion.

There is slightly conflicting guidance on the exact length of data retention, and it very much depends on the specific nature of the individual record. Here’s a brief run-down on the typical record types that HR are likely to deal with and an indication of how long they should be retained for. Please note that this is purely a guide and you should seek specific guidance where possible:

  • Accident Records: Minimum of 3 years since the last entry or, if it involves a child, until they reach 21.
  • Income Tax and NI: Minimum of 3 years from the end of the financial year to which they relate.
  • Maternity and Paternity: Minimum of 3 years from the end of the tax year in which the leave ends.
  • Salary and Pay: Minimum of 6 years.
  • Working Time: 2 years.

You can also check with the Information Commissioner’s Office (ICO) for specific guidance or refer to the guidelines provided by the Chartered Institute of Personnel and Development (CIPD). The key retention periods outlined by the CIPD are listed below:

  • Application and Recruitment Records: 6-12 months.
  • Parental Leave: 5 years from birth or adoption, or 18 years if the child receives a disability allowance.
  • Pension Benefits: 12 years from the ending of any benefit payable.
  • All Personnel Files and Training Records: 6 years from the end of employment.
  • Redundancy Records: 6 years.
  • Sickness Absence Records: A minimum of 3 months but potentially up to 6 years after employment ends.

How does GDPR change data retention laws?

In short, not much – GDPR largely mirrors the DPA with regard to record keeping.

However, where GDPR goes beyond the DPA is in requiring HR departments to demonstrate, for each category of personal data, why it is being kept and the reasons behind the length of retention.

Be safe, not sorry

Remember that GDPR has some serious teeth, with huge fines possible for those that transgress. So, it’s wise to go above and beyond what you think is required to ensure you don’t fall foul of these new regulations.

To keep yourself safe, put every category of employee data through this six-step procedure:

Step one – Carry out an audit. Undertake an audit of all your current record keeping to identify how your data is kept, why it is kept, for how long and the reason for that length of time.

Step two – Put someone in charge. Appoint a properly trained record keeper with responsibility for this area.

Step three – Write a statement. Draw up a data protection impact statement that details risks associated with your records. This should be added to your existing business risk register.

Step four – Protect your data. Make sure your data is held securely, is backed up, and can’t be stolen or tampered with.

Step five – Uphold individual rights. Ensure that you can access, change or delete data if asked to by an employee.

Step six – Have regular clear outs. Check your data regularly and destroy any records you don’t need. If you find that some data needs to be kept for longer than first thought, you must receive consent from all employees involved.

Be careful when moving and storing data

Another important point – especially if you are an international company – is that GDPR prohibits you from exporting data to countries outside the European Economic Area unless that country has data protection laws equal to those laid out in GDPR. So be sure to check the regulations before moving data outside the EU.

From a data storage perspective, both digital and manual records must be secure and accessible by an individual under their rights. Destruction of records, after the appropriate time has elapsed, must also happen securely. We strongly recommend that you refer directly to the Employment Practices Code issued by the Information Commissioner, about how to store records.

Treat GDPR as a blessing, not a curse

Good record keeping is the backbone of any business. So, you should see the necessity of preparing for GDPR as an opportunity to get your records in shape, rather than a necessary chore.  

And it doesn’t have to be overly complex. Most HR software will allow you to take employee data from a variety of sources and centralise it in one, easily accessible format that automatically backs up – ensuring you get all your records safe, accessible, organised and legal with minimum effort.

