How long you should retain employee data under GDPR

The General Data Protection Regulation (GDPR) will come into force on 25th May 2018, legislation with new rules and guidelines on how to protect and process personal data. Employee personal data held may include: name, address, phone number, email address, emergency contact details, PPS number, bank account details etc.

The GDPR requires that when retaining and processing personal data there must be lawful reasoning for doing so. In terms of processing employee data employers are likely to rely on a number of lawful reasons, mainly: to fulfill contractual obligations, legal obligations or other legitimate interests. Under data protection legislation employee data should be kept for no longer than is necessary, for the purpose that it was retained. However, when deciding how long to retain personal data employers should be guided by employment legislation.

So how long should I retain employee data?

• Written Terms of Employment – 1 year
  
  Employers must retain a copy of this employee statement throughout the employee’s employment and for one year after termination at a minimum.
  
  
• Payroll details and Payslips – 6 years
  
  Records, calculations and documents relating to the value of benefits for employees must be kept for 6 years in the event of an audit by Revenue. The WRC may also inspect these in an audit and seek evidence that employees are supplied with payslips.
  
  
• Hours of Work – 3 years
  
  Details of days and hours worked each week, annual leave and public holidays taken and payment received for same. Rest break records and/or records of notification of employees being fully informed about rest break entitlement and procedures if rest break is unable to be taken.
  
  
• Maternity and Adoptive Leave Records – none
  
  While there is no set period of the retention of data on maternity leave or adoptive leave records, claims can be made within 6 months of employers being informed of an issue giving rise to a dispute or extended to 12 months in exceptional circumstances.
  
  
• Parental Leave – 8 years
  
  Records of Parental Leave, including the period of employment of each employee and the dates and times of the leave taken, must be retained for 8 years.
  
  

A more detailed list of Employee Record Keeping Requirements can be viewed here.

Where legislation gives no guidance on record keeping requirements, employers should carefully predetermine, and include in any employee privacy notice, how long and the grounds they will use for retaining that data. For example; an employer may decide to retain all performance review records for the entire duration of an employee’s employment to monitor employee performance.
Whatever the reasoning behind retaining employee data – whether it be legal or other business reasons, employers need to ensure they have a clear policy outlining their reasoning, that this is easily accessible to employees and that the policy is consistently applied.

Free GDPR Webinars

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 with the aim of protecting all EU citizens from privacy and data breaches in an increasingly data driven world. This webinar will explain everything payroll bureaus need to know about GDPR. This webinar is free to attend but places are limited.

Payroll Bureau Webinar | Employer Webinar

Related Articles:

• Will GDPR affect your employee payroll processing?
• PAYE Modernisation - An Introduction
• How BrightPay Connect can help with GDPR
  
  

Thesaurus Payroll Software | BrightPay Payroll Software

Posted byLauren ConwayinGDPR