In Short
- Determine the nature of ex-employee data; sensitive information like health details may require stricter retention policies.
- Keep records only as long as necessary for their original purpose, considering legal and business needs.
- Regularly review and update data retention policies to ensure compliance with GDPR and other relevant laws.
Tips for Businesses
Develop a clear data retention policy specifying how long different types of ex-employee records are kept. Regularly audit and update this policy to align with current legal requirements and business needs. Ensure secure disposal of records once they are no longer needed.
If you own a UK company that handles personal data, knowing about the UK General Data Protection Regulation (UK GDPR) is essential. It provides the legal framework for protecting personal data and applies to all UK organisations that handle the personal data of individuals, including current and former employees. This article considers how long your UK company should keep ex-employee records under the UK GDPR, so that it avoids a formal investigation by the Information Commissioner’s Office (ICO) and a potential fine of up to £17.5m or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher.
What are ‘Ex-Employee Records’?
Ex-employee records include any personal data your company collected about former employees during their employment. Personal data is any information relating to an identified or identifiable living individual, and in an employment context this can include their:
- name;
- home address;
- date of birth;
- national insurance number;
- bank details; and
- employment history.
Companies collect this information for various purposes, including payroll, tax reporting, and maintaining employment records as required by law. Under the UK GDPR, you must collect and process personal information lawfully, fairly, and transparently. Additionally, you must only collect it for specific and legitimate purposes. Your processing of personal data must be relevant and limited to what is necessary for those purposes.
How Long Should My Company Keep Ex-Employee Information?
The UK GDPR does not set fixed retention periods for ex-employee data. Instead, its storage limitation principle requires that personal data is kept in a form that identifies individuals for no longer than is necessary for the purposes for which it is processed. Specific retention periods come from other legislation and guidance (for example, tax, payroll and employment law), and these are commonly three or six years depending on the type of record. The aim is to protect former employees’ privacy by ensuring their personal data is kept only for as long as necessary.
To comply, your company must determine an appropriate retention period for each type of record based on several factors, explored below.
Nature of the Data
One of the factors your business should consider when determining the appropriate retention period for ex-employee records is the nature of the data. Some types of personal data are more sensitive than others and require more protection.
For example, information about an ex-employee’s health or racial or ethnic origin is special category data, which attracts stronger protection and should be subject to stricter retention and access controls. On the other hand, basic contact information or employment dates would generally be considered less sensitive.
Reason for Data Collection
Another factor your company should consider is the purpose for which it collected the data. If the data was collected for a specific purpose, such as payroll or tax reporting, it should be retained only for as long as necessary to fulfil that purpose (including any statutory period attached to it). The retention period might be longer if your business collected the data for a broader purpose, such as maintaining employment history for references.
Legal Requirements
Your company should also consider any legal requirements or industry standards that apply to it. Certain industries have specific regulations that dictate the retention period for certain types of personal data. Your business should ensure its retention policies comply with applicable laws or regulations.
It is also worth noting that non-compliance with the UK GDPR and the Data Protection Act 2018 can lead to significant financial penalties from the ICO and reputational damage. To avoid these penalties, your company should have appropriate policies and procedures for retaining and deleting ex-employees’ records. You should regularly review and update these policies. They are often contained in a comprehensive internal Privacy Compliance Manual or a Staff Handbook.
Risk Assessment
Additionally, your business should consider the risks of retaining ex-employees’ records. If the data is no longer necessary for its original purpose, keeping it poses a privacy risk to the former employee and increases the impact of any data breach. It may also breach the storage limitation principle of the UK GDPR in the eyes of the Information Commissioner’s Office (ICO), the public body responsible for upholding information rights.
Generally, your company should not retain ex-employees’ records longer than necessary. However, retaining some information can be justified, for example to provide references or to defend against potential legal claims brought within the relevant limitation period. Once the retention period has expired, you should securely and permanently delete the data, including any copies held in backups, shared drives or by third-party processors such as payroll providers. This approach protects the privacy of former staff members and ensures your company complies with the UK GDPR.
Key Takeaways
In conclusion, UK companies should retain ex-employees’ records only for as long as necessary, determining the appropriate retention period after considering the nature of the data, the reason for its collection, the legal requirements that apply, and the risks of retaining it. To avoid penalties and reputational damage, your business should also have appropriate policies and procedures for retaining and securely deleting ex-employees’ records. By following these guidelines, your company can protect the privacy of former staff members and ensure compliance with the UK GDPR and the Data Protection Act 2018.
If you need help complying with data protection laws regarding former employee data, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The ICO can impose significant financial penalties for non-compliance with the UK GDPR and has issued multi-million-pound fines against UK organisations. The prospect of such penalties is a strong incentive for companies to comply.
The UK has retained the General Data Protection Regulation in its domestic law as the UK GDPR. The UK Government has confirmed that it has no plans to repeal the UK GDPR, as it wishes the UK to lead in data protection law despite no longer being part of the EU.
Retaining ex-employee records longer than necessary may breach the storage limitation principle of the UK GDPR. Such non-compliance could lead to an investigation by the ICO, with the specific consequences depending on the severity and context of the breach. Over-retaining data also increases the risk to ex-employees’ privacy, enlarges the impact of any security incident, and could damage your company’s reputation if it becomes public knowledge.
Key factors include the nature of the data (e.g., sensitive personal information vs. general employment details), the original purpose for collecting the data, any legal or industry-specific requirements, and potential risks associated with retaining or deleting the information.