GDPR – Managing HR & Payroll records

As preparations for GDPR continue, All employers must be aware of which employee data is covered by the Data Protection Act and have a specific policy on the retention times for particular types of employee data.

As a general rule, information should only be retained as long as there is a clear business need for it and it should be securely destroyed (e.g. by shredding) after that period has passed.

Minimum retention times for employee data are as follows:

  1. Salary Records and Deductions

Records to be retained: Employers must collect and keep records of what they pay their employees and the deductions made, including a record of employee leave and sickness absence (see below).

Retention period: Three years after the end of the tax year to which the records relate. If full records are not kept, HM Revenue and Customs (HMRC) may estimate what the employer has to pay and charge a penalty of up to £3,000.

  1. Incapacity for Work

Records to be retained: Employers should keep Statutory Sick Pay (SSP) records (calculations, certificates, self-certificates: all sickness periods lasting at least four days; statutory sick pay (SSP) payments; and weeks for which SSP was not paid and why.

Retention period: Three years after the end of the tax year in which the sickness periods occurred and SSP payments were made.

  1. Working Time

Records to be retained: Records that are adequate to show that the requirements of the Working Time Regulations are being/have been met e.g. the limits on weekly working time, daily and weekly working time for young workers, and night work.

Retention period: Two years from the date on which the records were made.

  1. National Minimum Wage

Records to be retained: Records that are adequate to establish that every worker is being, or has been, paid at a rate at least equal to the National Minimum Wage.

Retention period: Three years from the day the pay reference period immediately following that to which the records relate ends.

  1. Absence during Pregnancy and Statutory Maternity Pay (SMP)

Records to be retained:

  • the date of an employee’s first day of absence from work, wholly or partly because of pregnancy or childbirth and, if different, the date of the first day when such absence commenced;
  • the weeks in that tax year in which Statutory Maternity Pay (SMP) was paid to that employee and the amount paid in each week;
  • any week in that tax year within the employee’s maternity pay period for which no payment of SMP was made (and the reasons why); and
  • any medical certificate or other evidence relating to the employee’s expected week of childbirth.

Retention period: Three years after the end of the tax year in which the employee’s maternity pay period ended.

  1. Statutory Paternity Pay, Statutory Shared Parental Pay and Statutory Adoption Pay

Records to be retained:

  • the date the paternity pay period, shared parental pay period or adoption pay period began;
  • the evidence provided by the employee in support of his or her entitlement to statutory paternity pay (SPP), statutory shared parental pay (ShPP) or statutory adoption pay (SAP);
  • the weeks in that tax year in which payments of SPP, ShPP or SAP were made and the amount paid in each week; and
  • any week in that tax year which was within the employee’s paternity pay period, shared parental pay period or adoption pay period but for which no payment was made (and the reasons why).

Retention period: Three years after the end of the tax year in which payments of SPP, ShPP or SAP were made.

  1. Employee HR files

Records to be retained:  HR files, including employee contracts.

Retention period: Six years after the employment terminates. This takes into account that there is the possibility that any documents relating to an employee could be relevant to a Tribunal, County Court or High Court claim, for up to six years after termination of employment. The Information Commissioner considers this as acceptable on the basis that an employer is keeping information to protect against legal risk.

  1. Job Applications

Records to be retained: CVs/application forms and interview records of unsuccessful candidates.

Retention period: Six months after notifying unsuccessful candidates of the outcome of their application. This takes into account the fact that a job applicant can bring a claim for discrimination in an Employment Tribunal within three months from the date of the rejection for the role, but also that this time limit can be extended where a Tribunal feels it is just and equitable to do so.

  1. Accident Records

Records to be retained: Records of accidents in the workplace.

Retention period: At least three years from the date on which the accident record was made.

Accident records are considered sensitive data and so employers must ensure that the personal information involved is not seen by other members of staff.

Leave a Reply