Table of Contents
If you own a UK company that handles personal data, knowing about the General Data Protection Regulation (GDPR) is essential. This provides a legal framework for protecting personal data and applies to all UK organisations that handle the personal data of individuals and employees. This article will consider how long your UK company should keep ex-employee records under the GDPR, so it avoids a formal investigation from the Information Commissioner’s Office (ICO) and a potential fine of up to £17.5m.
What Are ‘Ex-Employee Records’?
Ex-employee records include any personal data your company has collected about former employees during their employment. This could include information such as their:
- name;
- home address;
- date of birth;
- national insurance number;
- bank details; and
- employment history.
Under the GDPR, you must collect and process personal information lawfully, fairly, and transparently. Additionally, you must only collect it for specific and legitimate purposes. It must be relevant and limited to what is necessary for those purposes.
The GDPR also requires that you ensure all personal information is accurate, kept up-to-date and not kept longer than necessary.
How Long Should My Company Keep Ex-Employee Information?
Regarding ex-employee data, the GDPR sets out specific guidelines that companies must follow. These recommended statutory retention periods (often three or six years) are designed to protect former employees’ privacy and ensure that their personal data is kept only for as long as necessary.
According to the GDPR, businesses should only keep ex-employees’ HR records for as long as necessary for the purpose for which they collected them. The GDPR does not specify a set time limit for retaining ex-employee files. Instead, companies must determine the appropriate retention period based on various facts.
Let us explore these factors below.
Nature of the Data
One of the factors your business should consider when determining the appropriate retention period for ex-employee records is the nature of the data. Some types of personal data are more sensitive than others and require greater protection. For example, information about an ex-employees’ health or race would be considered sensitive personal data and would require stricter retention policies.
Reason for Data Collection
Another factor your company should consider is why it collected the data at the time of collection. If it collected the data for a specific purpose, such as payroll or tax purposes, it should only be retained for as long as necessary to fulfil that purpose. The retention period might be longer if your business collected the data for a more general purpose, such as employment history.
Legal Requirements
Your company should also consider any legal requirements or industry standards to apply to it. Certain industries have specific regulations that dictate the retention period for certain types of personal data. Your business should ensure its retention policies comply with applicable laws or regulations.
It is also worth noting that non-compliance with the GDPR and the Data Protection Act 2018 can lead to significant financial penalties from the ICO and reputational damage. To avoid these penalties, your company should have appropriate policies and procedures for retaining and deleting ex-employees’ records. These policies should be regularly reviewed and updated..
Risk Assessment
Additionally, your business should consider the potential legal risks of retaining ex-employees’ records. If the data is no longer necessary for the purpose it was collected, then keeping it could risk the staff member’s privacy. This may constitute a GDPR violation in the ICO’s eyes. In turn, you may face a financial penalty (of up to £17.5m).
Generally, your company should not retain ex-employees’ records longer than necessary. Once the retention period has expired, you should securely and permanently delete the data. This ensures that the privacy of former staff members is protected and your company complies with GDPR rules.
Continue reading this article below the formCall 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.
Key Takeaways
In conclusion, UK companies should only retain ex-employees’ records for as long as necessary and after considering various factors when determining the appropriate retention period. The nature of the data, reason for collection and legal aspects should all be considered. Your business should also ensure it has appropriate policies and procedures for retaining and deleting ex-employees’ records to avoid penalties and reputational damage. By following these guidelines, your company can protect the privacy of former staff members and ensure compliance with the GDPR and Data Protection Act 2018.
If you need help complying with data protection laws regarding former employee data, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The ICO believes the leading way to motivate UK businesses is to threaten hefty financial penalties for GDPR non-compliance. In this way, they have provided various multi-million-pound fines against UK organisations, which has caused many companies to comply with GDPR rules.
The UK Government has confirmed that it has no plans to repeal the GDPR, as it wishes the UK to lead the world in data protection law, regardless of no longer being part of the EU.
We appreciate your feedback – your submission has been successfully received.
