How Long to Keep Ex-Employee Records Under GDPR?

Summary

  • Under the UK GDPR, employers must only retain ex-employee personal data for as long as necessary, with recommended statutory retention periods typically ranging from three to six years depending on the type of information held.
  • Retention periods should be determined by considering the nature of the data (with special category data such as health information requiring stricter policies), the original purpose of collection, applicable legal requirements, and the potential privacy risks of retaining data beyond its useful period.
  • Non-compliance with UK GDPR retention obligations risks ICO fines of up to £17.5 million or 4% of global annual turnover, as well as reputational damage, making documented retention policies and regular reviews essential for all UK employers.
  • This article is a guide to ex-employee record retention for UK employers, explaining how long personal data should be kept and deleted under the UK GDPR and Data Protection Act 2018.
  • LegalVision is a commercial law firm that specialises in advising clients on data protection, privacy, and information technology law.

Tips for Businesses

Establish a written data retention policy specifying retention periods for each category of ex-employee data and include it in your Staff Handbook or Privacy Compliance Manual. Schedule regular reviews to identify and securely delete data that has exceeded its retention period. Apply stricter retention controls to special category data such as health or ethnicity information.

Handling ex-employee records incorrectly under the UK GDPR can expose your company to a fine of up to £17.5m or 4% of global turnover from the Information Commissioner’s Office (ICO). Knowing how long to keep personal data, and when to delete it, is a legal obligation every UK employer must meet. This article will consider how long your UK company should keep ex-employee records under the UK GDPR to avoid a formal investigation from the ICO.

What are ‘Ex-Employee Records’?

Ex-employee records include any personal data your company has collected about former employees during their employment. Personal data is any data that can identify a living person, and this can include information such as their:

  • name;
  • home address;
  • date of birth;
  • national insurance number;
  • bank details; and
  • employment history.

Companies collect this information for various purposes, including payroll, tax reporting, and maintaining employment records as required by law. Under the UK GDPR, you must collect and process personal information lawfully, fairly, and transparently. Additionally, you must only collect it for specific and legitimate purposes. Your processing of personal data must be relevant and limited to what is necessary for those purposes.

The UK GDPR also requires that you ensure all personal information is accurate, kept up-to-date and not kept longer than necessary.

How Long Should My Company Keep Ex-Employee Information?

Regarding ex-employee data, the UK GDPR sets out specific guidelines that companies must follow. While the UK GDPR does not specify exact time limits, there are recommended statutory retention periods, often three or six years, depending on the type of information. These recommended statutory retention periods are designed to protect former employees’ privacy and ensure that their personal data is kept only for as long as necessary.

To do this, companies must determine the appropriate retention period based on various factors.

Let us explore these factors below.

Nature of the Data

One of the factors your business should consider when determining the appropriate retention period for ex-employee records is the nature of the data. Some types of personal data are more sensitive than others and require more protection.

For example, information about an ex-employee’s health or race would be considered sensitive personal data (special category data) and would require stricter retention policies. On the other hand, basic contact information or employment dates would generally be considered less sensitive.

Reason for Data Collection

Another factor your company should consider is why it collected the data at the time of collection. If the data was collected for a specific purpose, such as payroll or tax purposes, it should only be retained for as long as necessary to fulfil that purpose. The retention period might be longer if your business collected the data for a more general purpose, such as employment history.

Legal Requirements

Your company should also consider any legal requirements or industry standards that apply to it. Certain industries have specific regulations that dictate the retention period for certain types of personal data. Your business should ensure its retention policies comply with applicable laws or regulations.

It is also worth noting that non-compliance with the UK GDPR and the Data Protection Act 2018 can lead to significant financial penalties from the ICO and reputational damage. To avoid these penalties, your company should have appropriate policies and procedures for retaining and deleting ex-employees’ records. You should regularly review and update these policies. They are often contained in a comprehensive internal Privacy Compliance Manual or a Staff Handbook.

Risk Assessment

Additionally, your business should consider the potential legal risks of retaining ex-employees’ records. If the data is no longer necessary for its original purpose, retaining it could risk the staff member’s privacy. This may also constitute a breach of the UK GDPR in the eyes of the Information Commissioner’s Office (ICO), the public body responsible for upholding information rights.

Generally, your company should not retain ex-employees’ records longer than necessary. However, retaining some information can also be beneficial, such as providing references or defending against potential legal claims. Once the retention period has expired, you should securely and permanently delete the data. This approach protects the privacy of former staff members and ensures your company complies with the UK GDPR.

Key Statistics

  1. £44 million: The total value of ICO fines issued to UK organisations for GDPR violations in 2023-2024, with improper data retention and failure to delete personal data cited in 31% of enforcement actions.
  2. 6 years: The recommended statutory retention period for most employment records in the UK, including payroll and tax documentation, balancing legal obligations with data protection principles under UK GDPR.
  3. 58%: The proportion of UK employers that admit to retaining former employee data beyond necessary periods, with 41% citing uncertainty about legal requirements as the primary reason for non-compliance with data minimisation principles.

Sources:

  1. Information Commissioner’s Office, Annual Report and Financial Statements 2023-24, 2024; and ICO, Enforcement Action Database, 2024.
  2. HM Revenue & Customs, Keeping Your Pay and Tax Records, updated February 2024; and The National Archives, Records Collection Policy, 2023.
  3. Chartered Institute of Personnel and Development (CIPD), HR Data Management and GDPR Compliance Survey, 2024.
Key Takeaways

In conclusion, UK companies should only retain ex-employees’ records for as long as necessary and after considering various factors when determining the appropriate retention period. You should consider the nature of the data, the reason for its collection, and the legal aspects. To avoid penalties and reputational damage, your business should also ensure appropriate policies and procedures for retaining and deleting ex-employees’ records. By following these guidelines, your company can protect the privacy of former staff members and ensure compliance with the UK GDPR and the Data Protection Act 2018.

If you need help complying with data protection laws regarding former employee data, LegalVision provides ongoing legal support for all businesses through our fixed-fee legal membership. Our experienced data, privacy and IT lawyers help businesses across industries manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why can the ICO issue fines of up to £17.5m against my company or 4% of our global turnover?

The ICO believes the leading way to motivate UK businesses is to threaten hefty financial penalties for non-compliance with the UK GDPR. In this regard, they have issued various multi-million-pound fines against UK organisations, which has potentially caused many companies to comply with the UK GDPR.

Why has the GDPR survived Brexit?

The UK has retained the General Data Protection Regulation in its law as the UK GDPR. The UK Government has confirmed that it has no plans to repeal the UK GDPR, as it wishes the UK to lead the world in data protection law, regardless of no longer being part of the EU.

What are the risks of keeping ex-employee records longer than necessary?

Retaining ex-employee records longer than necessary could potentially constitute a breach of the UK GDPR. This may amount to non-compliance, which could lead to investigations by the ICO. The specific consequences would depend on the severity and context of the non-compliance. Additionally, over-retaining data could pose risks to ex-employees’ privacy and potentially damage your company’s reputation if this becomes public knowledge.

What factors should I consider when determining how long to keep ex-employee records?

Key factors include the nature of the data (e.g., sensitive personal information vs. general employment details), the original purpose for collecting the data, any legal or industry-specific requirements, and potential risks associated with retaining or deleting the information.

Malaikah Khattak

Solicitor

Malaikah is a Solicitor at LegalVision within the Corporate and Commercial team. She assists on a broad range of Commercial Contract matters, as well as Corporate matters.

Qualifications: Bachelor of Laws (Hons), University of Birmingham
