What Happens if a Staff Member Asks My UK Business to Delete All Information Relating to Them?

Many UK business owners know the importance of data protection compliance. Over the past few years, the General Data Protection Regulation (GDPR) has received significant media attention. Compliance with the GDPR is essential because the Information Commissioner’s Office (ICO) can fine UK businesses up to £17.5m for GDPR violations. This article will explore the danger of ignoring a request for the deletion of data from a staff member. Furthermore, it should clarify the circumstances in which your business can safely reject a request for data deletion. 

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is the primary data protection law covering UK businesses. Most UK companies seek to achieve GDPR compliance to reduce the risk of hefty ICO fines (up to £17.5m).

Most media coverage focuses on the obligations imposed by the GDPR on UK businesses concerning data collection and processing. However, the GDPR imposes various obligations on UK businesses, including data security, cyber defences and suitable data deletion.

In this article, we will explore one of the lesser-known scenarios brought to life by the GDPR: data erasure.

What Does Data Erasure Mean?

Data erasure is the act of deleting personal information upon request from the relevant data subject. This is otherwise known as the ‘right to be forgotten’.

UK law requires UK organisations to respond to a data erasure request without undue delay and, at most, within one month. Any business that fails to take reasonable steps and respond within this one-month period breaches the GDPR.

However, the GDPR provides a valuable exception to UK businesses when considering whether to erase personal data. It does so by stating that UK organisations only have to erase personal information when it is ‘no longer necessary in relation to the purpose for which it was collected or processed’.

When is Retaining Personal Information Necessary?

Naturally, whether personal data retains its original purpose depends on the circumstances in which you collected it and the legitimate interests of your business.

This article will consider the potential scenario of a current employee requesting data deletion. Here, much will depend on the nature of the relevant information. This is because employers usually keep employees’ personal data to ensure they have sufficient information to continue their employment and comply with legal obligations.

Let us consider some examples of personal details that your company should retain about existing staff members, which can include any of the following:

  • their contract of employment and start date;
  • their payslips and salary details;
  • their current home address and contact details;
  • any previous health records or Occupational Health reports;
  • details of any incidents in the workplace; and
  • records of grievances or disciplinary proceedings.

The reasoning for needing these records is relatively straightforward. For example, evidence of a start date is necessary to calculate any future redundancy pay. Likewise, HMRC compels you to retain payslip records. Additionally, you must keep health records to ensure the company discharges its duty of care.

So whilst an individual can request data erasure under the UK GDPR, it is not an absolute right but is subject to any overriding legitimate interest.

When is Staff Personal Information No Longer Necessary?

There are limited situations in which an existing staff member can ask your company to erase pieces of personal information. Examples of this may include:

  • out-of-date home addresses;
  • old personal email addresses; and
  • inaccurate emergency contact information.

For instance, an employee going through a divorce may move house, want to remove their spouse as their emergency contact and switch from any joint email address. This would be reasonable if they provided more up-to-date information, as the previous details would no longer be necessary.

Is the Situation Different With a Former Staff Member?

Your business may have more leeway to delete personal information relating to previous staff members than current ones. However, your company should retain particular information following an employee’s departure. For example, most businesses will keep information about workplace injuries for at least six years (to guard against personal injury time limits).

Key Takeaways

Your company should ensure that it only deletes staff information when necessary. If a staff member asks for the deletion of personal data but it remains accurate and necessary, your company should refuse.  

The main circumstance in which your business is likely to be able to delete the personal data of an existing staff member safely is when it is out-of-date. For this reason, most companies will seek expert legal advice when handling a formal data erasure request.

If you need help ensuring the safe erasure of staff information, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Why has the GDPR survived Brexit?

This is a common question because the GDPR derives from European Union law. However, the UK Government has clarified that it intends to retain the GDPR despite the UK’s removal from European Court jurisdiction.

Why would a staff member request the erasure of their information?

Slightly bizarrely, the reason for the data erasure request is irrelevant in the ICO’s eyes. Instead, it is a matter of running through the ‘necessary’ test and only retaining information if necessary.

Thomas Sutherland
