The Matheson team discusses best practices for data retention under GDPR.
GDPR does not specify retention periods for personal data. Instead, it states that personal data may only be kept in a form that permits identification of the individual for no longer than is necessary for the purposes for which it was processed.
Therefore, in deciding how long to retain personal data, employers will base their decision on statutory retention periods, limitation periods for claims, individual business needs and the data quality principles.
We have set out a table below for employers outlining their obligations to retain employment data as per certain employment statutes. We recommend employers use these statutory retention periods as a guide for the minimum period of time the relevant employee data should be kept.
In most cases, the most relevant criteria will be how long the records may be needed to defend against any potential claims.
Personal injuries claims
For example, in the event of a potential personal injuries claim, relevant records for the purpose of defending such a claim would ideally be available for a three-year period. A potential breach-of-contract claim would require retaining the relevant records for seven years from the date of breach.
If the claim is specifically threatened or issued, then the employer may hold the records for longer, as is necessary.
| Example of employee data | Statutory retention period |
|---|---|
| Payslips and records relating to wages | 3 years |
| Weekly working hours, name and address of employee, PPS numbers, and statement of duties | 3 years |
| Records relating to employees under 18 years | 3 years |
| Records relating to collective redundancies | 3 years |
| Records relating to parental leave | 8 years |
| Tax records | 6 years |
| Records relating to workplace accidents | 10 years |
| Employment permit records | 5 years or duration of employment |
In practice, we find that most employers delete former employee data at some point after the end of the minimum required statutory period, but long before the expiry of a seven-year period (six years being the period within which an employee could issue a breach-of-contract claim plus one year for the period of time they are allowed to notify the employer of it).
There is no exact science in respect of determining the retention period appropriate for an individual organisation, as it involves a balancing of the data protection risk (ie, of not keeping data for too long) against the risk of being sued by an employee before the expiry of the relevant limitation period.
As such, our recommended approach to satisfy both Irish employment law and GDPR requirements would be to retain the data for the statutory minimum required period. In circumstances where at the end of that period the employer is still concerned about a particular employee bringing a claim, we would recommend extending that timeframe (to up to seven years). However, in our experience, unless an employee has issued proceedings within the statutory minimum period for bringing a claim (usually six months), the likelihood of a claim is not very high.
The exception to this is occupational injuries claims. We expect that employers will develop a practice of reviewing employee data on a regular basis (annually, for example) and, if there is no good reason for retaining such data, routinely deleting it or any unnecessary element of it.
Identifying appropriate retention periods
Hopefully, at this point your organisation has either determined, or is in the process of determining, the reasons it holds employee data. Your organisation should by now also be able to identify the legally appropriate retention periods for this employee data, and what your data retention policy will be.
In keeping with the transparency requirements of GDPR and in order to be able to demonstrate compliance, it is vital that employers communicate to employees, among other things, their reasons for holding employee data and the accompanying applicable retention periods.
A version of this article originally appeared on Matheson’s website.