Retention of employment records – Are you compliant?
By Michelle Ryan
21 March, 2017
"I have heard there are specific rules regarding retention of employment records, but I am unsure how this interacts with my obligations under Data Protection Legislation. How do I handle it?"
With less than fifteen months until the General Data Protection Regulation (“GDPR”) comes into force on 25 May 2018, it is an important time for all employers to assess their data obligations and review the records they are retaining.
The Data Protection Acts, 1988 and 2003 (“the DPA”), currently require that personal data is retained “for no longer than is necessary” for the purpose or purposes for which it was obtained. This principle is unchanged by GDPR, however it enhances the existing provisions set out in the DPA and has also introduced a new requirement for data controllers to be able to demonstrate compliance with GDPR. Of note, Article 30, GDPR, provides for record keeping and obliges data controllers, where possible, to set out the envisaged time limits for erasure of the different categories of data. Employers, as data controllers, must be clear about the length of time for which employment records comprising of personal and sensitive personal data relating to their employees, are retained and also why that information is being retained.
Coupled with this requirement, certain employment legislation prescribe a statutory minimum period to retain records and these statutory obligations constitute a lawful basis for the mention of those records, such as to be compliant with the DPA and GDPR.
The following statutory obligations apply to employers in relation to retention of employment records:
- The Terms of Employment (Information) Act, 1994 require that an employee’s terms and conditions of employment be retained for the duration of their employment.
- The National Minimum Wage Act, 2000, at section 22, provides for a 3 year retention period to show compliance with the Act’s provisions, for example, payslips showing the employees were paid at least minimum wage.
- The Organisation of Working Time Act, 1997, at section 25, and the Organisation of Working Time (Records) Prescribed Form and Exemptions) Regulations 2001, provide for a 3 year retention period for records of weekly working hours, the name and address of employee, the employee’s PPS numbers and a statement of their duties.
- The Protection of Young Persons (Employment) Act, 1996, at section 15, provides for a 3 year retention period of employment records relating to persons under 18 years of age.
- The Protection of Employment Acts, 1977-2007, at section 18, provides that where an employer has collective redundancies, it must retain the records to show that the provisions of the Act were complied with for a 3 year period
- The Parental Leave Acts 1998-2006, at section 27, provide for an 8 year retention period of records showing the dates and times an employee availed of parental or force majeure leave.
- The Companies Acts and Taxes Consolidation Act, 1997 provide for a 6 year retention period of tax records.
- The Safety, Health and Welfare at Work (General Applications) Regulations 1993, at section 60, provides for a 10 year retention period from the date of an accident.
It is clear that retention of employment records involves a balancing exercise between data protection principles on the one hand and the employment legislative requirements set out above, on the other. It is important for employers to ascertain on what basis they are retaining records.
Where an employer believes that records may be required to defend litigation that has been threatened or commenced, then those records should be retained in order to assist in the defence of those proceedings. Records should not be retained indefinitely on the chance that proceeding may be issued, but rather where there is a high risk. The most common applicable records would be concerning personal injuries or actions for breach of contract. The retention period in these cases are determined by the relevant limitation period set out in the Statute of Limitations, 1957.
For personal injuries, this is 2 years from date of cause of action and a period of 3 years is the general recommended retention period to allow time for proceedings to be served. Employers should note that in order to defend a potential breach of contract action, the Statute of Limitations 1957 provides for a limitation period of 6 years from the date of breach. Contracts should be retained for a period of at least 7 years from the date of termination of the employment, again to allow for proceedings to be served.
Employers should also be live to the provisions of the Employment Equality Acts, 1998 to 2015, which provide for a right of action, for disgruntled candidates for employment who allege they were discriminated against in accessing employment, within 12 months from the last act of alleged discrimination. Consequently, records relating to a recruitment process should be retained for a 1 year period.
Under GDPR, failure to retain records that are both necessary and proportionate to the purpose for which they were created, could lead to a maximum fine of €20,000,000. It is advisable for all employers to have a policy on retention of records and that someone in the organisation is assigned specific responsibility of ensuring those records are not retained for longer than is necessary and that they are securely disposed of. Employers should also note that GDPR introduces the concept of the “right to be forgotten” under which data subjects have the right to erasure of personal data.
As part of GDPR, all employers need be aware of the enhanced obligations on them as data controllers and adequate and proper retention of employee records is just one aspect of ensuring compliance.
Employers are advised to integrate a Data Protection Impact Assessment in their risk management process to allow identification of potential privacy issues before they arise and to come up with ways to mitigate them.
For further information on retention of employment records and getting GDPR ready, contact:
Michelle Ryan, Associate Solicitor and member of Ronan Daly Jermyn’s Cyber & Data Protection Team, email@example.com or +353 21 2332883