Part of the GDPR requirements is to establish how long you keep records before disposing of them. This is sometimes hard to do. There are some statutory guidelines relating to records; however, sometimes it is down to the business to establish its own rules.

What does GDPR Say? 

You must not keep personal data for longer than you need it. 
 
You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data. 
 
You need a policy setting standard retention periods wherever possible, to comply with documentation requirements. 
 
You should also periodically review the data you hold, and erase or anonymise it when you no longer need it. 
 
You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
 
You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes. 

Care Records 

For some records, as we said, there are statutory requirements. For example, social care records for adults are kept for three years from the last date of entry. However, social care records for children should be kept or disposed of 80 years from the last date of entry.

Recruitment records

The law has always required you to keep HR records. The Data Protection Act (DPA) stipulates statutory retention periods for some records – for example, P60s and P45s must be retained for at least six years.
You should destroy information obtained by a vetting exercise as soon as possible, or in any case within 6 months. A record of the result of vetting or verification can be retained. 
 
Delete information about criminal convictions collected in the course of the recruitment process once it has been verified through a Criminal Records Bureau disclosure unless, in exceptional circumstances, the information is clearly relevant to the on-going employment relationship. 
 
But for other areas, such as CVs and interview notes, the DPA lays down no fixed regulation and instead advises that employee data should ‘not be kept longer than necessary for the purpose for which it was processed’. So, in many cases, you must use your discretion. 
 
There is slightly conflicting guidance on the exact length of data retention, and it very much depends on the specific nature of the individual record. Here’s a brief run-down on the typical record types that HR are likely to deal with and an indication of how long they should be retained for.  
 
Please note that this is purely a guide and you should seek specific guidance where possible: 
 
Accident Records: Minimum of 3 years since the last entry, or if it involves a child until they reach 21. 
 
Income Tax and NI: Minimum of 3 years from the end of the financial year to which they relate. 
 
Maternity and Paternity: Minimum of 3 years from the end of the tax year in which the leave ends. 
 
Salary and Pay: Minimum of 6 years. 
 
Working Time: 2 years. 
 
Application and Recruitment Records: 6-12 months. 
 
Parental Leave: 5 years from birth or adoption, or 18 years if the child receives a disability allowance. 
 
Pension Benefits: 12 years from the ending of any benefit payable. 
 
All Personnel Files and Training Records: 6 years from the end of employment. 
 
Redundancy Records: 6 years. 
 
Sickness Absence Records: A minimum of 3 months but potentially up to 6 years after employment ends. 
 
Financial Records 
 
You must keep records for 6 years from the end of the last company financial year they relate to, or longer if: 
 
they show a transaction that covers more than one of the company’s accounting periods 
 
the company has bought something that it expects to last more than 6 years, like equipment or machinery 
 
you sent your Company Tax Return late 
 
HMRC has started a compliance check into your Company Tax Return 
 
Business Meetings 
 
Whilst the Companies Act 2006 requires that board minutes must be retained for at least 10 years, ICSA recommends that they are retained for the life of the organisation. ICSA recommends that any written notes of the meeting should be retained until the minutes are approved and then destroyed. If the written notes are kept by the company secretary, these could be disclosable in any future litigation.

Where reference is made to any board papers signed by the chairman, a hard copy of those board papers must be retained in addition to the hard copy of the minutes themselves.
 
Sales & Marketing 
 
A key principle of the new legislation is that businesses should not keep data for ‘longer than necessary’.
As your company probably holds several kinds of data (e.g. prospect, customer, supplier), the approach should be to set up different retention periods for each of these.
 
For example: 
 
You may need to retain some indefinitely to support the services you offer e.g. unsubscribing from marketing communications or opting out of certain types of processing. 
 
You may need to keep some for as long as someone is actively engaged with your business e.g. users of an active subscription, contacts for an active contract, active subscribers to a service such as newsletters. 