The GDPR maintains the line that “data should not be kept longer than necessary for the purpose for which it was processed.” But how does this relate to the different elements of personal data placed in HR’s care?
How long to keep recruitment and applicant data?
During your recruitment process, there’s a lot of data that comes your way (CVs, cover letters, interview notes). Ideally, you’ll want to keep this information for at least six months. This is the period of time during which a discrimination claim could be brought against your organisation. The data you collect during your recruitment process is important for defending any of these potential claims.
If you want to keep CVs on file longer than six months, for example in a talent pool for future opportunities, then you’ll need consent from the applicants. In the interest of keeping information you hold up-to-date, you might want to consider asking applicants in your talent pool to review and update their CV, as well as asking them to re-issue their consent. If you do not gain the applicant’s consent, you should remove their CV from your system.
How long to keep payroll data?
Data relating to PAYE must be kept for three years after an employee leaves your company, as that is how long HMRC may be interested in the information for conducting reviews or audits. Beyond this, you are unlikely to have a legitimate-interest reason for holding pay information for ex-employees, so you should remove it.
How long to keep employee records?
Data such as employees’ personal records (including salary and bonus records), performance appraisals, employment contracts, etc. should be held for six years after the employee has left. This is because, whilst employees can bring a claim in a tribunal only up to three months after leaving an organisation, they can bring a county or high court claim many years down the line. Under the GDPR, the condition for processing would be legal obligation or legitimate interest.
See below a helpful chart to have as your ‘go-to’ if you remain unsure!
Accident books, accident records/reports: 3 years from the date of the last entry
Income tax and NI returns/records: not less than 3 years after the end of the financial year to which they relate
Medical records as specified by COSHH (Control of Substances Hazardous to Health): 40 years from the date of the last entry
SMP records and certificates: 3 years after the end of the tax year in which the maternity period ends
SSP records: 3 years after the end of the tax year to which they relate
Wage/salary records: 6 years
National minimum wage records: 3 years after the end of the pay reference period following the one that the records cover
Records relating to working time: 2 years from the date on which they were made
Application forms and interview notes: 6 months
How to keep your employee data GDPR-compliant?
Remember that the GDPR has some serious teeth, with huge fines possible for those who transgress. So, it’s wise to go above and beyond what you think is required to ensure you don’t fall foul of these new regulations.
To keep yourself safe, put every category of employee data through this six-step procedure:
1. Carry out an audit – undertake an audit of all your current record keeping to identify how your data is kept, why it is kept, for how long and the reason for that length of time.
2. Put someone in charge – appoint a record keeper with responsibility for this area.
3. Write a statement – draw up a data protection impact statement that details risks associated with your records. This should be added to your existing business risk register.
4. Protect your data – make sure your data is held securely, is backed up, and can’t be stolen or tampered with.
5. Uphold individual rights – ensure that you can access, change or delete data if asked to by an employee.
6. Have regular clear outs – check your data regularly and destroy any records you don’t need. If you find that some data needs to be kept for longer than first thought, you must receive consent from all employees involved.
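The retention chart above and the “regular clear outs” step are easier to apply consistently when the schedule is written down as rules a script can evaluate rather than as a list people consult by hand. The following is an added illustration, not code from the original article: it encodes each row of the chart as a rule that maps a record to the last date it may be held, and lists the records that are due for destruction on a given day. It assumes the UK tax year ends on 5 April, treats the “financial year” for income tax and NI records as that same tax year, assumes a monthly pay reference period for national minimum wage records, and uses constructed sample record ids and dates.

```python
"""Retention-schedule checker (added illustration, not from the original article).

Encodes the article's retention chart and flags records whose retention period
has ended, which is the check the "regular clear outs" step calls for.
Assumptions: the UK tax year ends on 5 April; the "financial year" for income
tax/NI records is treated as that tax year; the national minimum wage pay
reference period is monthly. All record ids and dates are constructed samples.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day so 31 Jan + 1 month -> 28/29 Feb."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    if month == 12:
        last_day = 31
    else:
        last_day = (date(year, month + 1, 1) - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))


def add_years(d: date, years: int) -> date:
    return add_months(d, 12 * years)


def tax_year_end(d: date) -> date:
    """End of the UK tax year (assumed to be 5 April) in which date d falls."""
    end = date(d.year, 4, 5)
    return end if d <= end else date(d.year + 1, 4, 5)


@dataclass
class Record:
    record_id: str
    category: str
    anchor: date                          # the date the chart measures from (see SCHEDULE comments)
    consent_until: Optional[date] = None  # applicant data only: consent to keep beyond 6 months


# One rule per chart row; each maps a record to the last date it may be held.
SCHEDULE: Dict[str, Callable[[Record], date]] = {
    # accident books/records: 3 years from the date of the last entry
    "accident_record": lambda r: add_years(r.anchor, 3),
    # income tax and NI: not less than 3 years after the end of the year they relate to
    "income_tax_ni": lambda r: add_years(tax_year_end(r.anchor), 3),
    # COSHH medical records: 40 years from the date of the last entry
    "coshh_medical": lambda r: add_years(r.anchor, 40),
    # SMP: 3 years after the end of the tax year in which the maternity period ends
    "smp": lambda r: add_years(tax_year_end(r.anchor), 3),
    # SSP: 3 years after the end of the tax year to which they relate
    "ssp": lambda r: add_years(tax_year_end(r.anchor), 3),
    # wage/salary records: 6 years
    "wage_salary": lambda r: add_years(r.anchor, 6),
    # NMW: 3 years after the end of the pay reference period *following* the one
    # covered; anchor is the end of the covered period, periods assumed monthly
    "national_minimum_wage": lambda r: add_years(add_months(r.anchor, 1), 3),
    # working time records: 2 years from the date on which they were made
    "working_time": lambda r: add_years(r.anchor, 2),
    # application forms / interview notes: 6 months, or longer only with consent
    "application": lambda r: (
        r.consent_until if r.consent_until is not None else add_months(r.anchor, 6)
    ),
}


def retain_until(record: Record) -> date:
    """Last date a record may be held; an unknown category is an error, not a keep."""
    try:
        rule = SCHEDULE[record.category]
    except KeyError:
        raise ValueError(f"no retention rule for category {record.category!r}")
    return rule(record)


def records_to_destroy(records: List[Record], today: date) -> List[str]:
    """Ids of records whose retention period has ended as of `today`."""
    return [r.record_id for r in records if retain_until(r) < today]


# Constructed sample data
SAMPLE_RECORDS = [
    Record("acc-001", "accident_record", date(2019, 6, 1)),
    Record("tax-001", "income_tax_ni", date(2019, 2, 10)),   # tax year ending 5 Apr 2019
    Record("smp-001", "smp", date(2020, 7, 31)),             # tax year ending 5 Apr 2021
    Record("wage-001", "wage_salary", date(2018, 1, 1)),
    Record("nmw-001", "national_minimum_wage", date(2020, 1, 31)),
    Record("app-001", "application", date(2023, 1, 15)),
    Record("app-002", "application", date(2023, 1, 15), consent_until=date(2025, 1, 15)),
    Record("med-001", "coshh_medical", date(2000, 3, 3)),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.record_id:10} retain until {retain_until(rec)}")
    print("destroy:", records_to_destroy(SAMPLE_RECORDS, date(2023, 9, 1)))
```

The `anchor` field carries whatever date the chart row measures from (last entry, end of the maternity period, end of the pay reference period), so the rule for each category stays a one-liner and the date arithmetic for tax-year ends and month clamping lives in two small helpers. A category with no rule raises rather than silently keeping the record, so a new kind of record cannot slip past the clear-out unnoticed.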