What should you do with old HR records?

HR records are varied, contain some of the most sensitive information an organisation can hold, and can be complex. All HR records, therefore, require adequate protection.

Some HR records must be kept for a certain amount of time in line with statutory retention periods. When retention periods are over, destruction is the best option. But with so many different pieces of information under the HR umbrella, how do we know which records to keep and which to destroy?

HR records at your organisation

Human Resources teams collect a huge amount of data, and what they collect will differ in every organisation. This is because HR often branches into other areas.

For example, your organisation may require workers to undergo random drug and alcohol testing. If so, your HR team may need to work closely with the Health and Safety team, communicating any potential risks while also protecting the staff members’ freedoms.

Or maybe your organisation collects enhanced levels of data for security vetting. For example, you may perform enhanced DBS checks, financial history checks, credit checks, and more. If so, your HR team may need to work closely with department managers to ensure that all staff are adequately vetted, without making this kind of information accessible to anyone who does not need it. Some of your vetting may be conducted externally. If so, managers shouldn’t need access to the specifics of their workers’ credit history, for instance. The vetting company will be able to give you a simple pass or fail, and that is enough.

To ensure you are managing your organisation’s HR records effectively, it’s worth making a personalised data retention policy specific to your HR team. This will enable your HR function to stay on top of your organisation’s obligations when it comes to protecting this information and destroying it when it’s no longer needed.

How long should you keep HR records?

There is no straightforward answer to this question, as some records will need to be kept for statutory retention periods, and others you can destroy more or less immediately after an employee has left your business. However, the below will provide a rough outline:

Items you should keep for 40 years from the date of last entry:

  • Medical records relating to hazardous materials, biological tests, COSHH, asbestos, and medical examination certificates. The reason for this is that illnesses related to exposure to hazardous materials don’t always appear straight away.

Keep for 50 years or until the worker reaches 75 years of age:

  • Medical records under the Ionising Radiations Regulations 1999.

Documents you should retain for a minimum of 6 years from the end of employment:

  • Salary and pay information
  • Proof of an employee’s right to work in the UK
  • Personnel files
  • Training records, for example, first aid and fire warden training
  • Redundancy records.

Keep for 3 years:

  • Accident reports from the last date of entry
  • Statutory maternity, paternity, and adoption pay records.

Other records to keep:

  • Records relating to children and young adults – keep until they reach the age of 21
  • Whistleblowing documents – keep for 6 months following any outcomes. Personal data should be anonymised if irrelevant to the case.

Principle e of the UK GDPR states that you “must be able to justify why you need to keep personal data in a form that permits identification of individuals. If you do not need to identify individuals, you should anonymise the data so that identification is no longer possible”.

What about super-sensitive information?

Another thing to bear in mind is special category information. This could be information collected for something like equal opportunities monitoring, for instance. Special categories include information about somebody’s:

  • Race or ethnic origin
  • Religion or philosophical beliefs
  • Sexual orientation or data about someone’s sex life
  • Health
  • Genetics
  • Political opinions
  • Trade union memberships
  • Biometric data (for instance, if you use fingerprint scanners to access buildings).

Special category information should be protected with additional security beyond that applied to other personal information. This is because – according to the UK Government website – the “use of this data could create significant risks to the individual’s fundamental rights and freedoms”. For any special category information you keep about your employees, you should implement strict access controls, only keep it as long as necessary, and securely destroy or permanently remove it from digital systems when no longer needed. Better yet, if you can avoid collecting this information altogether, or anonymise the information at the point of collection, that is the ideal route to go down.

What to do with applicant CVs after interviews are over?

Most recruitment experts advise keeping applicant CVs for 6 months after recruitment ends. This is because unsuccessful applicants have 6 months to file any legal claims if they feel they were treated unfairly in your interviewing or hiring process based on unlawful discrimination. Most of the time, you would be fine to destroy unsuccessful CVs immediately. However, 6 months is generally best. With a candidate’s permission, you may also be able to retain CVs longer, especially if you think that a candidate could be perfect for a future position that may become available. If you do this, you should seek written permission from the candidate.

Can employees request copies of their HR files?

Yes. In the UK, your employees and ex-employees can request copies of their HR files under the legal right of access, also known as a subject access request (SAR). Bear in mind that sometimes your worker’s HR file may contain the personal information of someone else. For example, if someone made a formal complaint against a member of staff, the complaint will likely be in their HR file. You should redact the personal information of anyone else mentioned in your employee’s HR file before handing it over to them.

What are my company’s obligations around HR records and personal information?

Once you have identified the retention periods relevant to your company, you can get started with a destruction plan. This is because, when you no longer need HR records and personal or identifiable information, you must destroy this information securely. The best way to do this is by using a fully accredited shredding service supplier. The right supplier will help you with any questions you have about information destruction and will provide a Waste Transfer Note and Certificate of Destruction for your compliance records.

The Information Commissioner’s Office website has a huge vault of information for companies trying to understand their legal obligations when handling personal information. Its guidance on employment information can be found in the ‘Organisations’ section of the ICO website.




Please note that the guidelines in this article are based on UK legislation and are correct at the time of writing: October 2024. To ensure your organisation fully complies with HR record keeping, we recommend seeking legal advice or advice directly from the Information Commissioner’s Office.

More information about record keeping in the UK can be found in the BSIA’s helpful guide around the retention of documents.