Know your data purpose.
Knowing the original purpose for which you obtained personal data is the key to unlocking the conundrum that is data retention. We know all too well, having advised many, that businesses are struggling with the concept of data retention: what they should retain, for how long, what they should delete and how. This isn’t a new concept under the GDPR and the Data Protection Act 2018 (it existed under the Data Protection Act 1998); however, it is perhaps more prominent now because of the level of the fines that the ICO can issue.
Personal data comes in different shapes and sizes. Some data fits neatly into distinct boxes and some data crosses into a few different boxes. So, businesses need to take time and analyse what personal data they collect and why they collect it. Data needs classifying in order for it to become manageable. For example, how long should a business keep employee records for? To keep things brief, let’s think about 4 areas where personal data is collected and processed relating to employees:
- the recruitment process and the individual’s CV;
- general employee personal data - name, address, date of birth, job title, work permit status, bank account details, NI number and salary and benefits;
- employment contract; and
- personal development records, annual leave records, qualifications, references and disciplinary records.
Each business is different and should clearly document its approach in a personal data retention policy. In some cases, it may be prudent to document why a decision to hold personal data for a certain period was taken, particularly if it is longer than might be expected. Here are some rough guidelines for retention periods for the 4 areas highlighted above:
- Recruitment data – 6 months after recruitment has come to an end. Personal data relating to the recruitment process should be retained whilst there is a clear business need, or for the period that has been agreed with the candidate.
- General employee personal data. Immigration checks – 3 years after employment has come to an end. Bank details – delete as soon as final payment has been made. Payroll and salary records and PAYE records – these must be kept for at least 3 years after the end of the tax year to which they relate. However, given their potential relevance to pay disputes they can be retained for 7 years after employment ends.
- Employment contracts – 7 years after employment has come to an end.
- Disciplinary, grievance, qualifications, references, annual leave records, annual assessment records, resignation, termination and retirement records – these records should all be kept for 7 years after the employment has come to an end.
Interestingly, accident records should be retained for at least 4 years from the date the report of the accident was made.
There is not a ‘one size fits all’ approach when it comes to data retention. Data retention policies should accommodate other legal obligations or risks of the business in respect of non-employee related documents. This could include the duty to co-operate with any investigation by HMRC, which may take place several years after the relevant tax year, or the need to defend a claim which may be brought in the employment tribunal after employment has ended.
Where a document covers different topic areas, such as an email which may have both personal and business-related content, the business should analyse what the content of the email is and make a decision based on its retention policy.
At the end of each retention period, the information should be reviewed prior to deletion, to ensure that the correct data is being destroyed. Deletion or destruction means that the personal data is completely removed from the business’ records, whether that be hard copy and electronic documents, emails, financial and company records, digital media such as CCTV recordings and/or back-up storage.
Don’t have a blanket approach to deleting information containing personal data; you may find you needed it! There are many other examples of where information needs to be retained by a business which are not directly related to data protection – did you know minutes of board meetings must be retained for 10 years? Equally, don’t hold on to personal data longer than is necessary.