Most of the talk so far has been about privacy for data subjects in a marketing sense. But there is another very important class of people whose privacy an employer has to respect – employees, past and present. It’s essential to have a privacy policy for them as well.

Apart from fending off any legal challenges, you will want to keep data accurate and up-to-date for your employees, which is a standard GDPR requirement anyway. Be careful that you don’t keep it for too long. This is also a common mistake when you are sent a CV, interview a candidate and then decide not to employ them.

There are legal minimum limits for keeping data relating to employment and pay. For a candidate who’s been unsuccessful, it would be sensible to keep the data for 6 months, because after that date they usually cannot bring a claim for discrimination. It’s important that not only employees have a privacy notice, but all candidates too. A privacy notice is easy enough to incorporate into an email or letter arranging the interview.

Here are some retention dates you may find useful.

Main retention dates for employment-related activities

Personnel records: 6 years after employment finishes
Contracts of employment: 6 years after employment finishes
Annual leave: 6 years or longer if leave can be carried over
Payroll for unincorporated businesses: 5 years from 31st of January after tax year
Payroll for companies: 6 years after the end of the financial year
PAYE records: 3 years after the end of the tax year
Maternity records: 3 years after the end of the tax year
Sickness records: 3 years after the end of the tax year
Working time opt out: 2 years after the date it started
Immigration checks: 2 years after the end of employment
Reportable accidents and injuries: 3 years after the date of the incident
DBS (Disclosure & Barring): Immediately after recruitment unless necessary for ongoing employment

Other retention dates (not necessarily GDPR related)

Money laundering & identity checks: 5 years
Accounts, tax returns, bank statements (including invoices and statements): 6 years
Legal contracts: 6 years unless executed by deed, in which case 12 years
Board and shareholders minutes: 10 years


Save time on policy documents

We have discovered a good source of policies that complement Hixsons’ extensive GDPR checklists. The policies are lawyer drafted and will save you a whole load of time, giving you peace of mind that you’ve got it right. The policies include website privacy, email privacy, employee privacy and a whole lot more.

Whilst a number of your providers may be updating policies on your behalf, it’s good to know that you have something to compare them with, to make sure that the policy which, for example, your website provider suggests for you will not cause you any problems.


Keep yourself on the right side of the law

You still need to document what you’ve done and why through the use of checklists, available for everyone (just send us an email), but you have to write your own procedures as well. These needn’t be perfect English or even particularly long, but they do have to be done.

GDPR comes in on 25 May, and it will be an ongoing requirement. As we’ve said before, if you show willing and make the effort it is unlikely that a small business is going to end up with a problem. But as ever, it’s all in the procedures. If you haven’t got any, haven’t completed the checklist, haven’t updated websites, etc., then you are open to complaint and potential fines.

Make life easy for yourself and save yourself some time and hassle.