Managing the Retention of Employee Data
Under the GDPR, the requirements relating to the retention of employees’ personal data are very similar to those that applied under the Data Protection Act. As before, a key requirement is that personal data should be retained only for as long as there is a clear business need for it, and that it should be securely destroyed (for instance, by shredding paper records) once that period has passed. In addition, employers must provide employees, both new and current, with a Privacy Notice that explains when personal data is collected from them and how that data will be processed. The notice must state the period for which the data will be stored or, if that is not possible, the criteria used to determine the storage period.
Employers may retain personal data relating to former employees only if one of the legal bases for processing specified in the GDPR applies. For example, retention for a certain period may be required for tax purposes, in which case the legal basis under the GDPR would be that the processing is necessary for compliance with a legal obligation.
Former employees can ask an employer to delete any personal data it holds about them (the right to erasure, commonly called the ‘right to be forgotten’) and, in certain circumstances, the employer must comply with such a request (for example, where the data is no longer necessary for the purposes for which it was collected or processed).