To ensure GDPR is met, basic employee records should be kept for six years. However, there is a wide range of employee data types, which affects how long you should keep employee records.
Some of these require a much shorter retention period to protect employee data, while others must be retained for longer to cover the company during potential legal proceedings.
In this guide, we’ll cover:
- What’s included in employee records
- How GDPR affects record retention timeframes
- An overview of statutory and recommended record-keeping timescales
What are employee records?
Throughout an employee’s time with your company, you will amass a wide range of information. This information can relate to their personal data, their performance or their role.
The detail involved in each part of your employee records will differ depending on the business you run. Some information, such as payroll records, has a mandatory legal structure to follow. Other information, for example, appraisal history, will be determined by your own in-house processes.
Information that can be included in employee records includes, but is not limited to:
- Personal information
- Contact details
- Background checks
- Sickness or absence levels
- Annual leave
- Work-related accidents or injuries
- Contracts of employment
- Disciplinary documentation
As you can see, the list of documentation HR teams need to keep on each employee is wide-ranging. Understanding and adhering to restrictions on how long you can keep each piece of data is vital to remain compliant.
The attraction stage of the recruitment process is where you will first start to collect employee records. There are a huge number of steps involved in the recruitment process, so you’ll amass a large amount of data before an employee even joins your team.
The types of personal data that you’ll collect for recruitment records include:
- Job application
- Cover letter
- Background checks
- Job offer terms
- Salary benchmarking
Of course, not all job applicants are successful. If you’re interviewing multiple candidates for a role, the majority will not become an employee.
Candidates who join your company should have their pre-employment data added to their employee records for future reference. However, it’s important to make sure you’re only retaining totally relevant information from those who you do not choose to hire.
Once your new hire is onboarded, their employee records will start growing. You’ll build a well-rounded set of personnel files for each member of your team, documenting their time and progress at your company.
Current employee files documented in your HR records will typically include:
- Medical records
- Training information
- Working time documentation
- Performance and disciplinary procedures
- Payroll and accounting history
When an employee leaves your company, the information you’ve collected during their employment history is still relevant. Immediately deleting it once they’ve left is not good practice, as you may need to reference it in the future. This could be to respond to future reference requests, collect information for possible lawsuits or respond to a subject access request.
Plus, you’ll gather even more information to add to the record of your former employee at the point of exit. This will include:
- Letter of resignation
- Payroll documents such as P45
- Exit process documentation
- Offboarding checklist
During offboarding, it’s a good idea to review all of the information you hold on the employee to ensure you’re adhering to the timeframes below.
The General Data Protection Regulation (GDPR) and Data Protection Act
As of May 2018, the legalities surrounding the handling of personal data changed. A new set of regulations was introduced to the Data Protection Act, commonly known as GDPR. It was introduced to reflect the growth in data collection and use via technology.
The aim of the regulations is to protect people from the misuse of their personal information. It also grants them the ability to request insight into what data a company holds on them.
GDPR compliance is enforced by a series of fines for companies in breach of the rules. Businesses must ensure that any data they hold is given willingly, for a legitimate reason, and is held for no longer than necessary.
For HR records, this means that your employees should understand exactly how their data will be collected, stored, processed and used. They must give consent to all of these data collection activities, and be able to access the data held on them through a formal request process.
HR records must also adhere to the guideline of ‘held for no longer than necessary’. This may seem to be flexible, with the scope for records to be kept indefinitely. However, in order to comply with GDPR, businesses must be able to explicitly justify why they are holding any piece of employee data.
Subject access requests
Under GDPR, any potential, current and former employees are entitled to receive a copy of all information you hold on them. This allows them to gain an understanding of what data is being held, why it’s being stored and how it may be used.
However, there are some exemptions that apply. According to workplace law experts, Davidson Morris, businesses can be exempted from providing data if a substantiated investigation finds that:
- The data requested identifies another employee
- The data is subject to legal or professional privilege
- The data is processed for crime or taxation reasons
- The data being released would compromise business conduct
- The data requested is excessive or unfounded
Businesses must comply with requests in a timely manner, making sure that they respond to a subject access request accurately and comprehensively. If an exemption must be made, HR teams must document the reasons why and explain this to the person who made the request.
Subject access requests must also be stored under employee records. The Data Protection Act of 2018 states that all requests must be retained for one year following completion.
Statutory Retention Periods
When assessing the vast amount of HR records collected per employee, understanding how long you’re able to retain the information can seem overwhelming. Unfortunately, there’s no simple ‘one size fits all’ approach to statutory retention periods, and each piece of your employee’s personal details is assessed separately.
We’re here to help, with a simple guide on the statutory retention periods and how long you should hold personal data.
Application and recruitment records
Data collected during recruitment could include interview notes, CV copies or records relating to contracts. Following an unsuccessful recruitment process, candidates have six months to raise a dispute or discrimination claim. Therefore, GDPR would state that this is the length of time that recruitment data should be held.
This could be extended if an unsuccessful applicant agrees to their information being held for future opportunities. You must get their consent to do so, and it’s worth checking in at least once a year to ensure the data is correct and they’re still happy for you to hold it.
Background checks and criminal records
These pre-employment essential checks should remain highly confidential, and this employee data should only be retained for one year after they leave your company.
There is no statutory guideline around references; however, it’s recommended that new employee references be kept for one year from the date provided.
For some roles, you must be sure that an employee is physically capable of performing. If an employee is required to undergo a testing process, their medical examination certificates are sensitive data that must be treated with care and stored for three years from the date on the certificate.
Any documents relating to a workplace accident or injury should be kept for three years from the date logged. For younger employees, the records relating to their accident should be kept until they turn 21.
Sickness / absence records
There is no defined time limit on holding sickness details; however, you should follow the guidelines around potential claims timeframes when storing records relating to sickness absence. Discrimination or disability claims can be made up to six months after a period of sickness absence ends, while injury claims can be made up to three years from the date of the incident.
There is a wide range of records that fall under this category. Depending on the type of data stored, it’s important to adhere to statutory guidelines to remain GDPR compliant.
The length of time full accounting records should be kept depends on the company’s status. The statutory retention period for public limited companies is six years, while the statutory retention period for private companies is three years.
This category includes information on salary, alongside overtime, bonus and expense payments. These records should be kept for six years from the date of the tax year in question.
Statutory maternity pay records
Statutory guidelines state that information regarding maternity records should be kept for three years after the tax year of the maternity period ends. This timeframe also applies to paternity leave, adoption pay records and shared parental leave information.
National minimum wage records
Information relating to the national minimum wage should be kept for three years from the date of the pay reference period.
There are no statutory requirements in place for pension records, but the CIPD recommends keeping details of employees’ workplace pensions for 12 years following the end of the benefit.
Income tax records should be stored for no fewer than three years from the date of the accrued financial tax year.
Workplace employee records
During their tenure with your company, you will likely amass a vast number of employee files. While the guidelines for some workplace employee records are simply recommended rather than under a defined statutory retention period, it’s important to keep on top of updating personnel files.
The outcome of appraisals should be documented and stored for six years after your employee leaves. This information is useful in responding to any claims that may arise.
As above, any documentation relating to disciplinaries should be kept for six years in case a claim or employment tribunal should arise.
There is a wide range of training that an employee may undergo. For role-related courses or in-house training, there are no requirements for storing information. However, First Aid and Fire Warden training records must be kept for six years after your employee leaves, while the training records of Health and Safety representatives must be kept for five years.
With no statutory regulations around contracts, it is widely recommended to retain a copy of them for six years from the date an employee leaves your company.
Working time information
This includes any employee data including, but not limited to, time worked, overtime and annual leave. You should retain employee records surrounding time worked for two years from the date they were made.
Further reading recommendations
- For further information on adopting a GDPR-compliant data recording process, view the CIPD Data Protection factsheet
- To view a full list of the personal data you can collect from employees, visit the Gov.UK article: Get your business ready to employ staff: step by step
Disclaimer: This publication is intended as guidance and ideas only and isn’t a substitution for the services of professional bodies. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. StaffCircle shall not be responsible for any loss sustained by any person who relies on this publication. All information is correct as of June 2022.