
How long should I hold on to employees' personal data?

View profile for Employment Team

Employers collect a lot of employee personal data from recruitment to when they eventually leave the business. Some employers may have questions regarding how long they can hold employee data, or whether it should all be deleted soon after the employment relationship ends. In some circumstances, the length of time for which you must hold data will be set by statute. In other cases, the decision is left up to the employer, having regard to their data protection responsibilities under the Data Protection Act 2018 and the retained EU law version of the GDPR (UK GDPR).

Data protection principles

When processing data, employers must comply with the data protection principles as set out in the Data Protection Act 2018 (DPA). The fifth data protection principle under the DPA is that personal data may be stored for “no longer than is necessary for the purpose for which it is processed.” Therefore when deciding how long to retain employee records, you must always keep in mind your purpose in processing the data in the first place and whether or not that purpose has expired.

Statutory retention periods

The DPA and the UK GDPR do not set out specific retention periods for employee data. However, other statutes have mandated data retention periods which employers should be aware of. These include:

  • Coronavirus furlough records, which must be retained for six years;
  • Income tax and National Insurance records, which must be retained for at least three years from the end of the relevant financial year; 
  • Statutory maternity pay records, which must be kept for three years after the end of the tax year in which the maternity period ends; and
  • Working time records including overtime and annual holiday, which must be kept for two years from the date they were made.

For employee data which is not covered by a statutory retention period, it will be up to each employer to decide how long to keep the data. The Information Commissioner’s Office (ICO) has also issued the Employment Practices Code, which contains guidance on maintaining employee records.

Recruitment

Personal data during recruitment comes from a variety of sources including:

  • application forms and CVs;
  • interview notes;
  • references from former employers;
  • background checks;
  • medical fitness forms; and
  • assessment exercises.

Applicants should be informed of what personal data you will collect and how long you will hold it for. The ICO recommends that you do not keep applicants’ personal data beyond the statutory period in which they could bring a recruitment-related claim, unless there is a clear business reason for keeping the data longer. For example, under the Equality Act 2010, an unsuccessful applicant who believes they were discriminated against must bring a claim within six months. You should therefore maintain recruitment records for at least six months. However, in some cases, the Employment Tribunal may extend the time limit to bring a claim beyond six months. To account for this possibility, you may want to store the data for up to a year.

When an applicant is successful, you should carefully consider what personal data needs to be transferred to the individual’s employment record. In the case of a DBS check, you should only keep a record of whether the check produced a satisfactory or unsatisfactory result. Specific information revealed by the DBS check should be deleted, unless this information is necessary for the ongoing employment relationship.

If you keep an unsuccessful candidate’s information for the purpose of considering them for future vacancies, you should inform them of this and give the individual the opportunity to request that you delete their data.

Disciplinary decisions

As part of your disciplinary procedure, you should set out how long a warning will remain active and how you will deal with “spent” written warnings. Some employers say that a disciplinary warning will be completely removed from an employee’s record after a certain length of time. Other employers keep a record of spent warnings in the employee’s file but disregard them for the purposes of future disciplinary sanctions. How you treat spent warnings is a business decision, though there are some reasons employers may want to keep a record of spent warnings. For instance, when making promotion decisions you may want to consider an employee’s entire disciplinary record.

Your disciplinary policy should clearly state how you will treat spent warnings, and this should also be reiterated to any employee who receives a warning. If your policy states that spent warnings will be completely removed from an employee’s record, you must ensure that warnings are actually deleted in practice.

Leavers

When an employee leaves employment, a record should be kept on their file detailing the reason. The retention period for some of the employee’s data will be set by statute as explained above. For all other personal data, you should develop a policy outlining when such data should be deleted. The ICO guidance recommends setting standard retention times for categories of personal data. Only retain information where there is a real business need. The guidance also recommends setting up a system where any information which is held for a certain period is flagged to be reassessed as to whether it is still needed.

Once employee personal data is ready to be destroyed, this must be done effectively and securely. Paper records should be shredded, or destroyed in another secure way, rather than disposed of with general waste. Electronic records should be completely removed from your IT systems.

If you have questions about your GDPR obligations as an employer, or would like help with a data retention policy, contact our Employment Team today at employment@warnergoodman.co.uk or call 023 8071 7717.