The GDPR gives people more control over their personal information and requires organisations to clarify exactly where Personally Identifiable Information (PII) is stored – and how it is used.
Less well-documented than data protection regulations, but no less important, are data retention regulations. To outline what your legal obligations are when it comes to keeping business records, we asked Paul Ravey of Access Records Management to explain.
One of the principles of the Data Protection Act 1998 is that personal records held for any purpose should not be kept for longer than is necessary for that purpose. This will remain a key principle under GDPR.
It’s essential to process, store, and handle information safely and compliantly: keeping information that you don’t need and destroying records that you do need can have operational and legal consequences.
Employee records (Risks of non-compliance)
GDPR and data protection regulations don’t just apply to the data that you have on your customers – they also apply to the data that you hold on your employees.
Not managing employee records effectively enough leaves you at risk of damaging employee morale and trust, losing important personal data, financial penalties due to non-compliance, and an increased administrative burden.
If you haven’t been running a business for very long, it can be hard to know what you need to do to ensure compliance – or what rules you’re required to comply with. Indeed, small businesses are less likely to have a dedicated HR manager who can handle records management and compliance.
There are important statutory retention periods in place for different employee records. If you can make sure you’re holding on to documents for the length of time that is legally required, you are on your way to being compliant.
To help you stay on the right side of the law, here are some of the most important business records you need to keep in relation to your employees:
1. Tax records
Income tax involves a large volume of paperwork. As the pile of files and documents increases, it gets harder to keep track of retention periods.
The Income Tax (Employments) Regulations provide a good rule of thumb: hold onto your records relating to employees’ income tax for at least three years after the end of the financial year they relate to.
2. Wage & salary records
Wage and salary records include numerous factors such as overtime, bonuses and expenses. According to the Taxes Management Act 1970, these records need to be kept for six years.
3. Health and safety records
There is no set retention period for health and safety records. This puts the onus on each employer to decide how long they should hold onto the files.
Considering that claims can – and do – occur without warning, it’s best to hang onto these records permanently.
4. Pension records
Companies of a certain size in the UK are legally required to provide an Auto-Enrolment employee pension scheme. As it becomes an increasingly popular benefit, a growing number of smaller organisations are offering pension schemes too.
In terms of retention periods, it is advisable that companies hang onto pensions records for 12 years from the policy end date.
5. Accident books
The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations state that accident books and records must be kept for three years from the date of the last entry.
However, specific situations – such as an accident involving a child or chemicals – come with different retention requirements. In the case of an accident involving a child or young adult, the records must be kept until the person turns 21 years old.
Should an incident occur involving chemicals or asbestos, the records need to be kept for 40 years from the date of the last entry.
6. Statutory maternity pay records
Maternity pay records need to be kept specifically according to the tax year, rather than the date of the entry.
The Statutory Maternity Pay (General) Regulations state that records must be kept for three years after the end of the tax year in which the maternity period ends – so make sure you double-check that you have chosen the right year.
7. Retirement benefit schemes
Records relating to retirement will need to include notifiable events relating to, for example, incapacity. The Retirement Benefits Schemes (Information Powers) Regulations state that these records need to be kept six years from the end of the scheme year in which the event took place.
8. Systems & equipment examination records
If you work in the manufacturing or industrial sectors, you will likely be working with systems and equipment that need to be tested for health and safety reasons.
In this case, the Control of Substances Hazardous to Health Regulations state that records of these examinations and tests need to be kept for five years from the date on which the tests were carried out.
9. Records relating to children & young adults
If your line of work involves having records on children and young adults, then the Limitation Act states that the records must be kept until the child or young adult reaches the age of 21 (not 18, as some might assume).
Non-statutory retention periods
There is no legally prescribed retention period for many types of personnel records. This makes it tricky for some employers to determine how long they should hold onto various documents.
Most organisations set their own rules depending on what suits their needs and the type of records in question.
In terms of best practice, it’s important that you consider the time limits for potential tribunal or civil claims when determining retention periods. When in doubt, you should simply draw a line in the sand and hold onto records for at least six years – or five if the business is based in Scotland.
Getting to grips with regulations and retention periods may seem like a minefield. It’s tempting to just ignore or skirt the issue, but this will just cause huge problems for your business.
Data protection and retention requirements are more relevant today than ever before, and businesses need to stay on top of the legislation. Understanding how long you need to hold onto records for is the first step to making sure your company is compliant – and stays compliant.