Does the UK GDPR affect how long employers can keep data relating to former employees?
A key principle of the UK General Data Protection Regulation (UK GDPR), the retained UK version of Regulation (EU) 2016/679, is that personal data must be kept for no longer than is necessary for the purposes for which it is processed.
Employers must provide employees with a privacy notice when they collect personal data from them, setting out how the data will be processed. This must include the period for which the data will be stored or, if that is not possible, the criteria used to determine the period. Employers therefore need a clear policy on the retention of personal data.
Employers can retain personal data relating to former employees only if one of the specified legal bases for processing applies. For example, retention for a certain period may be required for tax purposes, in which case the legal basis under the UK GDPR would be that it is necessary for compliance with a legal obligation. However, the employer could rely on this legal basis only for the retention of pay data relevant to that purpose, not for the retention of the former employee's entire personnel file.
Employers must have a system in place for identifying data that should be retained, identifying the purpose and legal basis for retaining it, determining for how long it should be retained and ensuring that it is deleted after the relevant period.
Former employees can request that the employer delete personal data it holds about them. The employer must comply with the request in certain circumstances, for example if the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.