The implementation of the General Data Protection Regulation (GDPR) on 25 May 2018 means that organisations are looking at how they will comply with the Regulations. One of the questions we are being asked is how long employers are required to keep employee records.
Neither the Data Protection Act nor GDPR specifies time limits for retention of data. The emphasis is on the data controller to identify for how long the data should be retained. Employers should have systems in place to determine when employee records should be destroyed.
One of the Information Commissioner’s “Twelve steps to take now” is to document what personal data you hold, where it came from and who you share it with. It suggests that the data controller may need to organise an information audit.
There are statutory requirements to keep certain employee records for a minimum length of time, as follows:
| Record | Minimum retention period |
|---|---|
| Pay and deductions (PAYE and National Insurance) | 3 years from the end of the tax year to which they relate. |
| National Minimum Wage records | 3 years after the pay reference period following the pay period that they cover. |
| Working time records, e.g. | 2 years from the date on which they were made. |
| SSP records | There is no longer a need for employers to keep records of statutory sick pay (SSP) that has been paid. However it is advisable to keep records of employee sickness absence. |
| Records relating to Statutory Maternity/Adoption/Paternity/Shared Parental Pay | 3 years after the end of the tax year in which the maternity/adoption/paternity/shared parental pay period ends. |
| Pension auto enrolment records | 6 years, with the exception of opt-out notices, which must be kept for 4 years. |
| Immigration checks | 2 years from termination of employment. |
| Record of any injury resulting from a work-related accident that results in the worker being incapacitated for more than three days (not counting the day of the accident). | At least three years. |
| Work-related medical examinations related to hazardous substances | A minimum of 40 years, from the date of the last entry made in the record. |
For other employee records, for example personnel files, the employer should have regard to potential claims that could be brought against it and should ensure that records that could be required as evidence in such cases are kept for the appropriate length of time.
Recruitment records in relation to unsuccessful applicants should be retained for at least a year after the individual has been notified that they are unsuccessful. An applicant has three months to bring most Industrial Tribunal claims, but the Tribunal can extend the time limit if it considers the extension just and equitable.
For current employees we would recommend retaining the whole personnel file for the duration of the employment. Historical issues may become important in future legal proceedings. For example, in an equal pay claim, it may be necessary to look at an employee’s entire employment history to get a full picture of the employee’s promotions, pay increases, grading etc.
For former employees, it will most likely be fine to keep personnel files for no longer than one year after termination of employment. An employee has three months to bring most Industrial Tribunal claims (6 months for a redundancy payment), and the Tribunal can extend the time limit if it considers the extension just and equitable. It is very unlikely that a Tribunal would entertain a claim brought by an employee who left their employment more than one year ago. However, a breach of contract claim can be brought in the civil courts up to six years after the alleged breach, so an employer may be able to justify keeping personnel files for this length of time to cover the unlikely scenario of a breach of contract claim from a former employee.
One of the principles of the GDPR is that data held should not be excessive. This implies that the data controller should sift through data and destroy irrelevant data at some point. The GDPR places responsibility for deciding how long such information should be retained on the data controller. We therefore recommend that you first identify the employee information you hold, and then consider and document how long your organisation will retain each type of information. You should then ensure that this is regularly reviewed so that information that is no longer authorised to be retained under your policy is securely destroyed.
For further advice on this or any other employment law matter, please do not hesitate to get in touch.