
How long should employers retain information on employees?

  • 21-09-2020 10:07am
    #1
    Registered Users, Registered Users 2 Posts: 2,432 ✭✭✭


    I believe with GDPR businesses hold onto customer information for 6 years?
    But what about the personal information for employees?
    Like photocopies of passports etc, how long should an employer retain those?


Comments

  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Good article here:
    https://www.siliconrepublic.com/enterprise/gdpr-data-retention#:~:text=GDPR%20does%20not%20specify%20retention,for%20which%20it%20was%20processed.

    GDPR doesn't tell businesses (or anyone) how long they should hold onto data. GDPR at a high level merely states that data can only be retained as long as is required to fulfill the original purpose.

    So for a passport photocopy, which is intended to satisfy employment law, the employer is entitled to retain that copy for as long as is necessary to prove that individual was entitled to work in this country.


  • Registered Users, Registered Users 2 Posts: 2,432 ✭✭✭BluePlanet


    seamus wrote: »
    Good article here:
    https://www.siliconrepublic.com/enterprise/gdpr-data-retention#:~:text=GDPR%20does%20not%20specify%20retention,for%20which%20it%20was%20processed.

    GDPR doesn't tell businesses (or anyone) how long they should hold onto data. GDPR at a high level merely states that data can only be retained as long as is required to fulfill the original purpose.

    So for a passport photocopy, which is intended to satisfy employment law, the employer is entitled to retain that copy for as long as is necessary to prove that individual was entitled to work in this country.

    Sounds kind of nebulous.
    So if an employee left the company a couple years ago, should such photocopies get shredded?


  • Registered Users, Registered Users 2 Posts: 6,548 ✭✭✭Claw Hammer


    An employer can be sued by an employee years after the employee has gone from the business.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    BluePlanet wrote: »
    Sounds kind of nebulous.
    So if an employee left the company a couple years ago, should such photocopies get shredded?

    The statute of limitations (six years) is typically the going rate on these things. As the poster above me says, that's how long someone may come back and sue for breach of contract. If the company finds itself without adequate records, it may find itself in trouble.

    Revenue generally ask for seven years of tax records, so most companies probably hold onto pay details and timesheets for seven years.

    I don't know how long the department of employment can go back looking at employment records. But if they, e.g., were able to insist a company produce details of people employed in the previous ten years to ensure compliance with the law, then the company would be permitted under GDPR to hold onto those passport copies for ten years.

    You're right, it is nebulous. In my above example, the company could hold onto passport details, but would probably be required to delete data relating to next-of-kin, qualifications, or other data which is not required.

    So it's not as simple as "hold onto employee data for seven years". Some data you can, some data you must, and some data you shouldn't.

    Retrospective GDPR compliance is hard because it requires a lot of sifting through data. But compliance for new data is generally straightforward so long as you know what you're collecting and why you're collecting it.

