GDPR: How long should you keep your HR records?
Keeping up with the ever-changing landscape of GDPR is essential for business success. But in our venture to stay compliant, we might be holding onto data for longer than necessary. So, how long is too long? We’ve put together this simple guide to help you know where you stand.
The law has always required you to keep HR records. The Data Protection Act (DPA), which governs this area, stipulates statutory retention periods for some records – for example, payroll data, P60s and P45s must be retained for at least six years, as should proof of an employee’s right to work in the UK. The UK Border Control Agency can ask to see this proof for up to seven years after the employee has left your company.
But for other areas, such as CVs and interview notes, the DPA lays down no fixed regulation and instead advises that employee personal data should ‘not be kept longer than necessary for the purpose for which it was processed’. So, in many cases, you must use your discretion.
How long should we retain data?
There is slightly conflicting guidance on the exact length of data retention, and it very much depends on the specific nature of the individual record. Here’s a brief run-down of the typical record types that HR are likely to deal with and an indication of how long each should be retained. Please note that this is purely a guide, and you should seek specific guidance where possible:
- Accident Records: Minimum of 3 years from the date of the last entry, or, if the record involves a child, until they reach 21.
- Income Tax and NI: Minimum of 3 years from the end of the financial year to which they relate.
- Maternity and Paternity: Minimum of 3 years from the end of the tax year in which the leave ends.
- Salary and Pay: Minimum of 6 years.
- Working Time: 2 years.
You can also check with the Information Commissioner’s Office (ICO) for specific guidance or refer to the guidelines provided by the Chartered Institute of Personnel and Development (CIPD). The key retention periods outlined by the CIPD are listed below:
- Application and Recruitment Records: 6-12 months.
- Parental Leave: 5 years from birth or adoption, or 18 years if the child receives a disability allowance.
- Pension Benefits: 12 years from the ending of any benefit payable.
- All Personnel Files and Training Records: 6 years from the end of employment.
- Redundancy Records: 6 years.
- Sickness Absence Records: A minimum of 3 months but potentially up to 6 years after employment ends.
How does GDPR change data retention laws?
In short, not much – GDPR largely mirrors the DPA in regard to record keeping. However, GDPR goes beyond the DPA in requiring HR departments to demonstrate, for each category of personal data, why it is being kept and the reasons for the length of retention.
Be safe, not sorry
Remember that GDPR has some serious teeth, with huge fines possible for those who transgress. So, it’s wise to go above and beyond what you think is required to ensure you don’t fall foul of these regulations. To keep yourself safe, put every category of employee data through this six-step procedure:
- Carry out an audit: Undertake an audit of all your current record keeping to identify exactly how your data is kept, why it is kept, for how long and the reason for that length of time.
- Put someone in charge: Appoint a properly trained record keeper with responsibility for this area.
- Write a statement: Draw up a data protection impact statement that details risks associated with your records. This should be added to your existing business risk register.
- Protect your data: Make sure your data is held securely, is backed up, and can’t be stolen or tampered with.
- Uphold individual rights: Ensure that you can access, change or delete data if asked to by an employee.
- Have regular clear outs: Check your data regularly and destroy any records you don’t need. If you find that some data needs to be kept for longer than first thought, you must receive consent from all employees involved.
Be careful when moving and storing data.
Another important point, especially if you are an international company, is that GDPR prohibits you from exporting data to countries outside the European Economic Area unless that country has data protection laws equal to those laid out in GDPR. So be sure to check the regulations before moving data outside the EU.
From a data storage perspective, both digital and manual records must be secure and accessible to an individual exercising their rights. Destruction of records, after the appropriate time has elapsed, must also happen securely. We strongly recommend that you refer directly to the Employment Practices Code issued by the Information Commissioner for guidance on how to store records.
Treat GDPR as a blessing, not a curse.
Good record keeping is the backbone of any business. So, you should see the necessity of following the rules under GDPR as an opportunity to get your records in shape, rather than a necessary chore.
And it doesn’t have to be overly complex. Most HR software will allow you to take employee data from a variety of sources and centralise it in one easily accessible format that automatically backs up – ensuring all your records are safe, accessible, organised and legal with minimum effort.