As mentioned in our previous GDPR update, this update will deal with the retention of employee records / data in the workplace under the GDPR.
The GDPR does not specify retention periods for personal data. Instead, it states that personal data may only be kept in a form which permits identification of the individual for no longer than is necessary for the purposes for which it was processed.
Therefore, in deciding how long to retain personal data, employers will base their decision on statutory retention periods, limitation periods for claims, individual business needs and the data quality principles. We have set out below a table for employers outlining their obligations to retain employment data under certain employment statutes. We recommend employers use these statutory retention periods as a guide to the minimum period of time the relevant employee data should be kept.
In most cases, the most relevant criterion will be how long the records may be needed to defend against any potential claims. For example, in the event of a potential personal injuries claim, the relevant records would ideally be available for a three year period, and a potential breach of contract claim would require the relevant records to be retained for seven years from the date of breach. If a claim is specifically threatened or issued, then the employer may hold the records for longer, as is necessary.
In practice we find that most employers delete former employee data at some point after the end of the minimum required statutory periods but long before the expiry of a seven year period (six years being the period within which an employee could issue a breach of contract claim, plus one year for the period of time they are allowed to notify the employer of it). There is no exact science to determining the retention period appropriate for an individual organisation, as it involves balancing the data protection risk (i.e. of keeping data for too long) against the risk of being sued by an employee before the expiry of the relevant limitation period. As such, our recommended approach to satisfy both Irish employment law and GDPR requirements would be to retain the data for the statutory minimum required period. If, at the end of that period, the employer is still concerned about a particular employee bringing a claim, we would recommend extending that timeframe (to up to seven years). However, in our experience, unless an employee has issued proceedings within the statutory minimum period for bringing a claim (usually six months), the likelihood of a claim is not very high. The exception to this is occupational injuries claims. We expect that employers will develop a practice of reviewing employee data on a regular (for example, annual) basis and, if there is no good reason for retaining such data, routinely deleting that information or any unnecessary element of it.
Hopefully at this point your organisation has either determined or is in the process of determining the reasons it holds employee data. Your organisation should by now also be able to identify the legally appropriate retention periods for this employee data, and what your data retention policy will be.
In keeping with the transparency requirements of the GDPR and in order to be able to demonstrate compliance, it is vital that employers communicate to employees, amongst other things, their reasons for holding employee data and the accompanying applicable retention periods. As such, our next update will guide you as an employer as to the types of documentation you should put in place (or confirm you already have in place!) to demonstrate compliance with the GDPR.
If you are interested in further detail on HR and the GDPR, you can access a recent discussion on this from the Matheson Employment Law Podcast series.