Most of the talk so far has been about privacy for data subjects in a marketing sense. But there is another very important class of people whose privacy an employer has to respect – employees, past and present. It’s essential to have a privacy policy for them as well.
Apart from fending off any legal challenges, you will want to keep your employees' data accurate and up to date, which is a standard GDPR requirement anyway. Be careful that you don't keep it for too long. Keeping data too long is also a common mistake in recruitment: you are sent a CV, interview the candidate and then decide not to employ them, but the CV stays on file indefinitely.
There are statutory minimum periods for keeping records relating to employment and pay. For an unsuccessful candidate it would be sensible to keep the data for 6 months, because after that point they usually cannot bring a claim for discrimination. It's important that not only employees but all candidates are given a privacy notice. A privacy notice is easy enough to incorporate into the email or letter arranging the interview.
Here are some retention dates you may find useful.
Main retention dates for employment related activities

| Record | Retention period |
|---|---|
| Personnel records | 6 years after employment finishes |
| Contracts of employment | 6 years after employment finishes |
| Annual leave | 6 years, or longer if leave can be carried over |
| Payroll for unincorporated businesses | 5 years from the 31st of January following the end of the tax year |
| Payroll for companies | 6 years after the end of the financial year |
| PAYE records | 3 years after the end of the tax year |
| Maternity records | 3 years after the end of the tax year |
| Sickness records | 3 years after the end of the tax year |
| Working time opt-out | 2 years after the date it started |
| Immigration checks | 2 years after the end of employment |
| Reportable accidents and injuries | 3 years after the date of the incident |
| DBS (Disclosure & Barring) | Delete immediately after recruitment unless necessary for ongoing employment |

Other retention dates (not necessarily GDPR related)

| Record | Retention period |
|---|---|
| Money laundering & identity checks | 5 years |
| Accounts, tax returns, bank statements (including invoices and statements) | 6 years |
| Legal contracts | 6 years, unless executed by deed, in which case 12 years |
| Board and shareholder minutes | 10 years |
Save time on policy documents
We have discovered a good source of policies that complement Hixsons' extensive GDPR checklists. The policies are lawyer-drafted and will save you a great deal of time, giving you peace of mind that you've got it right. They include website privacy, email privacy, employee privacy and a whole lot more.
While a number of your providers may be updating policies on your behalf, it's good to have something to compare them against, so that you can make sure the policy that, say, your website provider suggests for you will not cause you any problems.
Keep yourself on the right side of the law
You still need to document what you've done and why. Our checklists are available to everyone (just send us an email), but you have to write your own procedures as well. These needn't be in perfect English or even particularly long, but they do have to be done.
GDPR comes in on 25 May, and it will be an ongoing requirement. As we've said before, if you show willing and make the effort it is unlikely that a small business is going to end up with a problem. But as ever, it's all in the procedures. If you haven't got any, you haven't completed the checklist and you haven't updated your websites and notices, then you are open to complaint and potential fines.
Make life easy for yourself and save yourself some time and hassle.