GDPR looming (General Data Protection Regulation)
The GDPR maintains the DPA’s notion that “[data should] not be kept longer than necessary for the purpose for which it was processed”. But how does this relate to the different elements of personal data placed in HR’s care?
How long to keep hiring & applicant data
During your recruitment process, there’s a lot of data that comes your way. For example:
- CVs
- Interview notes or recordings
- Cover letters
Ideally, you’ll want to keep this information for at least 6 months. This is the period of time during which a discrimination claim could be brought against your organization. The data you collect during your recruitment process is important for defending any of these potential claims.
Because you have a legitimate interest to hold this data for this amount of time, it could easily be argued under the GDPR that the risk to the applicant is minimal compared to the benefit for the applicant.
If you want to keep CVs on file longer than six months, for example in a talent pool for future opportunities, then you’ll want consent from applicants. In the interest of keeping the information you hold up-to-date, you might want to consider asking applicants in your talent pool to review and update their CV, as well as asking them to re-issue their consent. If you do not gain the applicant’s consent, you should remove their CV from your system.
How long to keep payroll data
Data relating to PAYE, maternity pay or SMP (statutory mandatory pay) need only be kept for 3 years after an employee leaves your company, as that is how long the HMRC may be interested in the information for conducting reviews or audits.
Beyond this, you are unlikely to have a legitimate interest reason for holding pay information for ex-employees. You should, therefore, remove this information.
How long to keep employee records
Data such as employees’ personal records, performance appraisals, employment contracts, etc. should be held on to for 6 years after they have left. This is partly because of potential tribunals for the 3-month risk period during which terminated employees can bring a claim against you, but it could be used for defending a county court or high court claim, which can occur many years down the line. Under the GDPR, the condition for processing would be a legal obligation or legitimate interest.
You’ll need to consider both your legal and business requirements when deciding how long to keep data. If your employee data is being stored off-site in a third-party system, you might want to download an archive of ex-employee files, which you can store on site, rather than maintaining and paying for online storage for 6 years.
Pingback: Why you need to know about Penetration Testing and Compliance Audits? - WebOrion™ Cyber Security and Vulnerability Assessment Services