Is it satisfactory to review employment records each year under GDPR?Posted in : Seamus Says - Employment Law Discussion on 6 July 2018
Q: Is it satisfactory to do a review of employment records each year under GDPR and dispose of any that have exceeded the statutory or recommended retention periods during that year, or is it necessary to do this more often?
Seamus: I think a review annually is reasonable if the bottom line should be under GDPR, you shouldn't be retaining any information for longer than what you require, what you need it. Certainly, if you have the time and you can facilitate that review happening, then good, because you'll be going through your audit process under GDPR and you'll be actively taking the steps to comply.
But I think a yearly review is sensible. Certainly you would find that there might be an annual review of performance or reviews taking place. That might be a good opportunity that perhaps if it all falls within a certain month within the company, that that's a time also to look at the records and see what's worth retaining, what needs to be retained, and what we don't need to retain, that we're disposing of, and of course, disposing of it in a safe manner.
Scott: Yeah. I suppose the difference there would be if you've got a system that reminds you of certain times. So if you have, say, disciplinary issues, then they don't all take place on the one day, and therefore those warnings would run at different times. If you leave an expired warning on a file, then there's always a chance that the employee, if there's another disciplinary issue, is going to say, "You had recourse and you took account of that expired warning," because you didn't have a system to clean it out on time. That can be a bit of a danger, but in general, who has the time to go through all those things?
Seamus:Yeah, no, I never really actually thought about it in that sense of reviewing it from the aspect of when the warning has expired, and I suppose that that is an important point that, really, consideration should be given in terms of if the warning has expired, that the documentation should be removed from the file because it would leave the employer open there to say, well, while it's on the file, it's still a reminder. And if there's a change in personnel, change in management, it might colour the judgement. So I've never actually thought about it in that way, but certainly, like if you have an automated system, whether it's through a software case management system that will flag these things up for you or even if it's just a matter of putting it in a diary to say that this warning has expired, I think it's a good step to take. The GDPR will certainly keep us all on our toes, absolutely.
More on Data Protection & Freedom of Information
- Can an employer refuse a request from an unsuccessful job applicant to delete any of their data in its possession as it may be necessary for the defence of legal claims?
- If employees willingly provide personal email addresses at the start of their employment and their personal email addresses were used to contact them while they worked from home during the Coronavirus Lockdown, is this a breach of data protection?
- Can we ask staff to let us know if they have been vaccinated, and can we keep a record of this?
- Does the chief executive have the right to view sensitive personal data without an employee’s consent?
- Data Protection Implications of Selling From the UK into the EU after Brexit
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.