Your business likely stores a significant amount of employee data within personnel files. Therefore, it is essential that you meet all requirements to avoid fines for improper use of employee data. The General Data Protection Regulation (GDPR) and the Data Protection Act provide organisations with the data protection rules that apply in England. In particular, the GDPR includes directions on how long your organisation can process and store employee records. This article explains the main data protection principles relating to employee information, so your business can safely delete staff data when you no longer need it.
Importance of Compliance
Any breach of the GDPR can lead to an investigation by the Information Commissioner’s Office (ICO). Moreover, the ICO can issue fines up to £17.5m to any organisation that breaches the GDPR. Therefore, your business should make every effort to comply with data protection rules, including those relating to employee records. For simplicity, this article will focus on the information within employee personnel files only.
Handling Employee Data
The ICO and GDPR expect your business to do the following:
- only record relevant personal information concerning staff;
- record such data securely and safely;
- keep staff information up-to-date; and
- safely delete employee records when no longer required.
This article will focus on the last expectation, the safe deletion of employee data.
When Records Are No Longer Required
Naturally, your company should keep employee records of current staff. The main question is, how long after their departure should your business delete their information?
Our data protection laws do not provide an exact time period for deleting data after a staff member’s departure. Instead, English law expects companies to calculate how long they need to keep employee data, and then ensure speedy deletion when they no longer need it. Notably, the GDPR does not require companies to immediately delete all information relating to an employee upon their departure. Your business should not do so, as it may prevent it from being able to provide:
- a P45;
- a reference; or
- a defence against any legal action down the line.
Instead, companies should consider deleting certain sections of a personnel file before others.
Example
Suppose you have an employee named Lisa who has worked for your company for nine years. Unfortunately, she suffered a leg injury in the workplace five months ago and resigned last week. Your first action is not to delete her personnel file upon her departure. Instead, you are likely to keep it in place to ensure you can provide an accurate reference and P45 documentation in the immediate future.
However, your company could consider deleting the following documents upon reaching the sixth anniversary of her departure:
- records of any performance improvement plans or disciplinary proceedings;
- her payslips;
- copies of any grievances or medical information concerning her injury; and
- other miscellaneous documentation.
If Lisa did not suffer a workplace injury and left on excellent terms, you could probably delete her documents sooner (perhaps after four years). So, why not less than four years? Because this allows HMRC to query any taxation of her wage or perform an audit of that tax year.
Key Takeaways
Data protection laws do not outline a specific period for which employers must retain employee information. Therefore, companies can determine how long to retain different types of data, depending on the employee’s departure and any legal or financial circumstances. Some business owners engage specialist lawyers to help them with these decisions.
If you need help with data protection principles and the calculation of data retention dates, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
If you wish to delete digital information, you should consider using specialist deletion software to ensure the data is irrecoverable and delete the data from any backups on your IT system. The ICO also recommends avoiding re-selling your electronic equipment to others unless you securely and thoroughly wipe all data from it.
You can consult the ICO website and review their guidance documents or obtain advice from a specialist lawyer. If you are unsure whether the information remains potentially useful, you should keep it and record the reasons for doing so within the employee file.