What do employers need to know about data protection?

    Published: January 13 2022

    Data privacy has always been important. However, the importance of data protection has become more prominent in recent years, with the implementation of the General Data Protection Regulation (GDPR) and as more aspects of our lives incorporate digitalisation.

    On a personal level, some people may not give much thought to data privacy until that data has been compromised. However, as an employer it is critical that you understand your responsibilities and liabilities under the GDPR, to ensure you protect the personal information you are responsible for.

    What is data protection?

    The laws surrounding data protection control how personal information is used by organisations, with a focus on safeguarding sensitive information from misuse. The implementation of the GDPR gave people more control over their data, with more transparency around how the data will be collected, used and stored.

    How long do I need to store employee data?

    Data protection impacts most HR activities, starting at the beginning of the employee life cycle during recruitment, through to when employees leave, for example if exit interviews are conducted. Even after an employee has left, data protection remains relevant for as long as a company stores their personal records.

    For employee data there are a number of records that have specific legal requirements around the length of time they should be stored.

    • Working time records – two years from the date the records refer to
    • Payroll records – three years from the end of the tax year they relate to
    • Maternity, paternity or shared parental pay records – three years after the end of the tax year the payments stopped

    However, for other records there are no specific time frames for storage, especially when it comes to a past employee’s details. The guidance says you should not keep data for any longer than is necessary. For example, you may want to think about destroying next of kin details for former staff when they leave.

    One major factor in deciding how long to keep a former employee’s data is employment tribunal claims. A past employee can make a claim within three months of their employment ending, but depending on the claim, the limit can be six months or longer.

    For a breach of contract case, a former employee can make a claim any time up to six years after the alleged breach. This information generally guides employers to keep records of past employees for six years post termination date.

    It is also good to remember that any person whose data you hold may submit a Subject Access Request (SAR). This is a legal right that everyone has to make a written request asking for access to the personal information an organisation holds about them.

    Non-employee data

    HR collects a lot of information even before someone becomes an employee. This includes information collected on CVs, application forms and interview notes. In many instances that person may never go on to become an employee.

    Any discrimination claims pertaining to recruitment need to be logged within six months less one day of when the discrimination took place. In light of this it is recommended that pre-employment data is kept for six months, after which it should be destroyed.

    How to ensure your company is compliant with data protection regulations

    There are heavy penalties for organisations that do not comply with their data protection legal obligations. These can range from reputational damage to financial penalties and prosecution.

    There are a number of ways that you can ensure your organisation is meeting its data protection responsibilities. These include:

    • Appoint a data protection officer where appropriate
    • Keep records of which information systems hold what data, and why
    • Be aware of who has access to data and how it is used
    • Issue guidelines to those managing data
    • Carry out regular audits to monitor data compliance
    • Ensure all information collected complies with the DPA and GDPR
    • Check system security regularly
    • Check your organisation’s use of automated decision making
    • Regularly review policies and procedures to ensure they reflect the latest technology or organisational changes. For example, many people now hold data at home due to the increase in home working since the start of the pandemic. Do your policies cover this?

    Further data protection support

    The legislation surrounding data protection is highly technical, so you should seek appropriate legal advice with any queries you may have.

    Kent HR can offer template policies for both data protection and employee privacy. We can also review any existing policy you have in place to provide you with complete peace of mind.

    Our sister company, award-winning law firm Brachers, can also provide advice and guidance on all aspects of data protection that might affect businesses on a day-to-day basis, from ensuring compliance to dealing with data breaches, as well as delivering training and risk audits.  
