An employer’s duties to retain personnel records are governed by a combination of business and statutory requirements, along with professional recommendations. Personnel records include the employee’s personal details, pay and tax information, working time, absences, training, career progression and any disciplinary or grievance matters.
Employers should bear in mind that they owe general obligations under data protection legislation not only to their employees, both current and former, but also to contract workers, agency staff and applicants, all of whom may be current or former.
This guide will consider the types of employee records and the differing obligations of the employer to retain each of them, as well as how to manage the personnel records in accordance with data protection legislation during and after an employee’s period of employment.
Which personnel records?
As an organisation you will hold different types of records about each of your former or current employees. The length of time for which you have to keep each type of record depends on whether it is set by statute, or by the length of time your business could be sued by the employee after they have left, or simply good practice.
Below is a list of documents and for how long they should be kept.
- Working time records – two years from the date to which they relate;
- Maternity, paternity, adoption and shared parental leave pay records – three years after the end of the tax year in which the pay ceased. Note that if an employee provides their child’s birth certificate as evidence, then the employer cannot keep a copy of this, only of the date of birth of the child;
- Income tax and National Insurance records – three years after the end of the tax year to which they relate;
- National Minimum Wage wage records – three years from the end of the pay reference period to which the record relates;
- Salary and pay generally – six years;
- Tachograph records relating to drivers’ working hours and rest breaks – a minimum of one year after use;
- Records of accidents in the workplace – at least three years from the date the record was made; if the accident involved a child, keep the record until the child reaches the age of 21;
- Application and recruitment records (including interview notes) – at least six months, which comfortably covers the three-month time limit for bringing a discrimination claim in the employment tribunal, and up to twelve months for an unsuccessful candidate. If the candidate is successful, these records will form part of the employee’s personnel file;
- Parental leave records – five years from the birth or adoption, or until the child is aged 18 if they receive a disability allowance;
- Pensions benefits – six years, but only four years in relation to employees who opt out of the pension scheme;
- Disclosure and Barring Service (DBS) check – only for as long as is necessary and not usually for more than six months;
- Right to work documents – these should be kept for the duration of the person’s employment and for two years after they have left; and
- All personnel files and training records, including disciplinary, redundancy and sickness absence records – six years from when the person ceased to be employed by you.
The six-year period is the limitation period for breach of contract claims in English civil law. Once six years have passed, a former employee’s claim against you for breach of contract is time-barred; until that point it can still be brought.
The time limits for claims in the Employment Tribunal are much shorter: three months (less a day) for most claims, including discrimination, and six months for statutory redundancy pay claims. However, as the civil court limitation period is so much longer, it is advisable to be guided by that.
Keeping right to work documents is not itself a legal requirement. However, if your organisation unknowingly employed someone who did not have the right to work in the UK and the Home Office sought to impose a civil penalty for illegal working, copies of the documents that you checked and retained correctly give you a statutory excuse against that penalty.
The GDPR is a European regulation that has applied directly in the UK since 25 May 2018; the Data Protection Act 2018, which came into force on the same date, supplements it.
The GDPR requires your organisation to use data in a way that is lawful, fair and transparent. In addition, it requires you to identify the purpose for which you collect or hold the data, and not continue to process that data in a way that goes beyond your original purpose. For example, if you interview a person for a job and they are unsuccessful, you may well retain their email address for six months. However, it would be in breach of the GDPR for you to add the applicant’s email address to your marketing or promotions list. This was not the original purpose for which you collected the information, and the applicant is unlikely to have been asked for, or to have given, their consent to it.
If your business is part of an international organisation, you should also be aware that the GDPR restricts where you can transfer personal data. If the company with which you want to share the data is outside the European Economic Area, you cannot transfer it unless the country in which that company is based has been found by the European Commission to provide adequate protection, or you put in place another safeguard recognised by the GDPR, such as standard contractual clauses or binding corporate rules.
The penalties for breaching the GDPR are severe. Your organisation is required to notify the Information Commissioner’s Office of a personal data breach within seventy-two hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned; where the risk is high, the affected individuals must be told as well. A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. It is not limited to losing data: a member of staff viewing personnel files they have no business reason to see, or ransomware encrypting the HR system, both count. An attempted attack that never reached personal data is not in itself a notifiable breach, although it should still be logged and investigated.
Depending on the provision breached, fines can be up to EUR 10 million or 2% of worldwide annual turnover, whichever is the greater, or EUR 20 million or 4% of worldwide annual turnover, whichever is the greater. The lower tier covers, among other things, failures to keep data secure, to notify breaches and to keep records of processing. The higher tier covers breaches of the basic principles, including processing without a valid lawful basis (for example relying on consent that you cannot demonstrate was freely given), breaches of data subjects’ rights and unlawful international transfers.
Practical advice for employers to be compliant
In light of these levels of fines, it is highly advisable to ensure that you are compliant with the GDPR.
Some important categories of compliance include:
Do you have a lawful basis for each use you make of employee data? Consent is rarely the right basis in an employment relationship: because of the imbalance of power between employer and employee, consent is unlikely to count as freely given, and consent buried in a contract of employment signed in the past cannot be relied upon at all. Most HR processing rests instead on performance of the employment contract, compliance with a legal obligation (for example payroll and tax reporting) or the employer’s legitimate interests, and the basis relied on for each purpose should be recorded. Where you do seek consent, for something genuinely optional, it must be asked for separately, in a specific form that the employee can decline, or later withdraw, without detriment.
Employees should also be given information about how their data is used and their rights under the GDPR in the form of a ‘privacy notice’. Special category (‘sensitive’) personal data, such as the employee’s religion, ethnicity, political opinions, trade union membership, biometrics, health and sexual orientation, needs an additional condition before it can be processed, most often that the processing is necessary to comply with employment law (for example managing sickness absence or reasonable adjustments). Where consent is the condition you rely on, the employee can withdraw it at any time.
Most other data can be processed under the contract, legal obligation or legitimate interests bases without seeking the employee’s permission. This includes their address, tax code, date of birth, emergency contact details, accident and training records, and their disciplinary record. Note that sickness absence records are health data and fall into the special category above.
Subject access requests
You must make sure that you have a procedure in place to handle subject access requests by current and former employees. A subject access request is a request by the subject of the data (your employee or former employee) to access the personal information you hold about them. You must respond to such requests within one month of receiving the request; this can be extended by up to two further months where the request is complex, provided you tell the person within the first month. You are allowed to ask the person who has made the subject access request for information to verify their identity. If you need to do this, your one-month period for responding will not start until you have received the additional information you requested.
You need to consider how you will balance the privacy of third parties mentioned in the employee’s file, with the employee’s right to see their personal information. It is acceptable in some cases to withhold information that would disclose a third party’s identity, for example where that person has made an allegation of sexual harassment.
Finally, you should train managers as to the extent of the information that will be disclosed if an employee makes a subject access request. This will help them to consider carefully what they record, ensuring that it is relevant and professional in tone.
Security of data
For current employees, as well as former employees about whom you will retain personal data long after they have ceased to work for you, you must ensure that their personal information is kept securely.
The data should be backed up, again securely, and if you have paper records then these need to be kept in a locked filing cabinet. Access to the data should be limited to those who need it for their role, with individual logins rather than shared accounts so that access can be traced.
In the case of ‘sensitive’ personal data, such as that relating to the health of an employee or criminal records, this should be kept separately with more restricted access.
You can use computer programs to alert you as to when a file, or part of a file, can be deleted, thereby ensuring you are not keeping the file beyond its original purpose. Once you are ready to dispose of the file, this should be carried out in a secure fashion: shred hard copies, and for electronic records confirm that the item has actually been erased rather than moved to a recycle bin or another folder. Bear in mind that copies may also survive in archived mailboxes and backups, so backups should be on a retention cycle that eventually removes the data too.
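As an added example of the kind of alerting program mentioned above (this is not the firm’s own tooling), the Python script below applies the retention periods listed earlier on this page to a set of HR records and reports which ones are due for review. The record types, field names and sample records are constructed for illustration; the one piece of domain logic it adds is that tax and statutory pay records count from the end of the UK tax year (5 April) in which they fall, and that an accident record involving a child is kept until the later of three years and the child’s 21st birthday.

```python
"""Retention-schedule checker for HR records (added example, not the firm's code).

Retention periods are taken from the list on this page. Record types, field
names and the sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


def uk_tax_year_end(d: date) -> date:
    """Return the 5 April that closes the UK tax year containing d."""
    this_year_end = date(d.year, 4, 5)
    return this_year_end if d <= this_year_end else date(d.year + 1, 4, 5)


def add_years(d: date, years: int) -> date:
    """Add whole calendar years; 29 Feb becomes 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


# Record type -> (what the period counts from, period in years), per the page.
# "tax_year_end": from the 5 April after the record date.
# "date": from the date the record relates to / was made.
# "leaving_date": from the date the employee left.
RULES = {
    "working_time":   ("date", 2),
    "statutory_pay":  ("tax_year_end", 3),   # maternity/paternity/adoption/ShPL pay
    "paye_ni":        ("tax_year_end", 3),
    "nmw":            ("date", 3),           # from end of the pay reference period
    "accident":       ("date", 3),
    "right_to_work":  ("leaving_date", 2),
    "personnel_file": ("leaving_date", 6),   # six-year contract limitation period
}


@dataclass
class Record:
    ref: str
    kind: str
    anchor: date                       # record date, or leaving date for leaver rules
    child_dob: Optional[date] = None   # accident records only: injured child's birth date


def destroy_after(rec: Record) -> date:
    """Earliest date on which the record may be securely destroyed."""
    anchor_kind, years = RULES[rec.kind]
    start = uk_tax_year_end(rec.anchor) if anchor_kind == "tax_year_end" else rec.anchor
    due = add_years(start, years)
    if rec.kind == "accident" and rec.child_dob is not None:
        # Accident involving a child: hold until the child turns 21 if that is later.
        due = max(due, add_years(rec.child_dob, 21))
    return due


def due_for_review(records: List[Record], today: date) -> List[str]:
    """Refs of records whose retention period has run out as of `today`."""
    return sorted(r.ref for r in records if destroy_after(r) <= today)


# Constructed sample data: one leaver's file plus some dated component records.
SAMPLE = [
    Record("P45-2020",    "paye_ni",        date(2020, 6, 10)),
    Record("WT-2020-02",  "working_time",   date(2020, 2, 29)),
    Record("ACC-0419",    "accident",       date(2019, 5, 1), child_dob=date(2010, 8, 15)),
    Record("FILE-SMITH",  "personnel_file", date(2018, 3, 31)),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.ref:12} destroy after {destroy_after(r)}")
    print("due for review:", due_for_review(SAMPLE, date(2024, 4, 5)))
```

The script deliberately reports a destruction date rather than deleting anything: the alert should land with the person responsible for data protection, who confirms there is no live dispute or subject access request before the record, and any copies in backups, are destroyed.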
Finally, it is important to identify the person, or people in a larger organisation, who have overall responsibility for managing data protection for your business. This role will include reporting obligations in the case of a data breach, as well as leading on data management and privacy.
DavidsonMorris’ team of HR specialists and employment lawyers can help with all aspects of workforce management, including HR administration and compliance requirements. For help and advice on a specific issue, speak to our experts.
Retaining personnel records FAQs
How long do you have to keep employee records UK?
The length of time for which you have to keep employee records depends on what the record is. Some records, such as those relating to pay, tax and national insurance, have to be kept for three years by law. Others, such as those relating to working time, only need to be kept for two years. However, in the case of the employee’s record as a whole, it is sensible to keep it for six years after they have left, as until that time has passed the former employee may sue you for breach of contract and you would need the personnel file to provide evidence for your defence.
How long can you keep personal data GDPR?
The GDPR does not state minimum or maximum times for keeping personal data. However, it requires all organisations that hold personal data to review and keep under review the purposes for which they are holding that data. In some cases, for example pay and tax records, there are already laws stating that these must be kept for three years. However, in the case of incidental information, such as emergency contact numbers, you should make sure that these are deleted from your system once the employee has left, as they are no longer necessary.
How long should I keep employee personnel files?
You should keep an employee’s personnel files for six years after the employee has left your organisation. The reason for this is that up until six years has passed, the former employee may sue you for breach of contract in the county court.
What should be kept in a personnel file UK?
An employee’s personnel file should include details of their salary, pay, working time, sickness absence, annual appraisals and emergency contact details. After an employee has left your employment you should consider whether it is necessary to keep all the information contained in the file. For example, emergency contact telephone numbers are no longer necessary. However, the law requires employers to retain certain employee records (for example working time and tax records), and employers are advised to retain the rest of the file for six years in case they are sued for breach of contract.
Last updated: 5 May 2020