How long should you retain employee records for?
Katy Cracknell • September 4, 2020
Are you guilty of having archive boxes full of employee paperwork sat in a cupboard or, a drawer full of CV’s that you’ve never got around to dealing with? Storing individual’s data in this way could mean that you are breaching the GDPR guidance and the fines for employers can be hefty.
Although the Data Protection Act (DPA) and General Data Protection Regulations (GDPR) do not expressly set out specific minimum or maximum periods for retaining employee data it is crystal clear that data must not be kept any longer than is necessary for a legitimate purpose and it must not be excessive.
The emphasis is on the employer (the data controller) to have systems in place to determine how long the data should be retained and when records should be destroyed so it’s vital that your business is adhering to the correct statutory retention periods for different document types in order to remain compliant.
A lot of businesses now use HR software
to house their employee data and this will often mean that you are compliant with the regulations. However, if you’re not using HR software
(or even if you are but you still have boxes of paperwork stacked in the corner or employee files saved on a shared drive) then now is the time to ensure that the records you hold comply with retention guidelines.
How long should I store data for?
If in doubt you should keep employee records for at least 6 years to cover the time limit for an individual to be able to bring any civil legal action, however the table below summarises the statutory retention periods for the different types of employee data.
Remember that GDPR legislation means that employees can request to view information that you hold about them, even after they have left and it’s for this reason that it is imperative that records are only retained as long as necessary and are accurate.
Record Type | Statutory Retention Period |
---|---|
Accident books, accident records/reports | 3 years from the date of the last entry (or, if the accident involves a child/ young adult, then until that person reaches the age of 21) |
Application and Recruitment Records | 6-12 months (in case of a pre employment claim) If you want to keep CV’s longer (because you want to use them for a future talent pool) then you will require consent from the applicant. The easiest way to do this is to provide candidates with a privacy notice, setting out how you will use their personal data and for how long it will be kept. |
First aid training | 6 years after employment |
Fire warden training | 6 years after employment |
Health and Safety representatives and employees’ training | 5 years after employment |
Payroll wage/salary records (also overtime, bonuses, expenses) | 6 years from the end of the tax year to which they relate |
Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity | 6 years from the end of the scheme year in which the event took place |
Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence (also shared parental, paternity and adoption pay records) | 3 years after the end of the tax year in which the maternity period ends |
Subject access request | 1 year following completion of the request |
Whistleblowing documents | 6 months following the outcome (if a substantiated investigation). If unsubstantiated, personal data should be removed immediately |
Working time records including overtime, annual holiday, jury service, time off for dependents, etc | 2 years from date on which they were made |