Crystel Robbins Rynne is CEO of HRLocker, Ireland's leading HR software platform, trusted by over 100,000 users across 55 countries. With more than a decade at HRLocker, Crystel has led the company through significant growth and expansion across Ireland and the UK.
A passionate advocate for HR compliance and employee experience, Crystel is a regular speaker and commentator on employment law, data protection, and people management. She has particular expertise in helping SMEs navigate the practical realities of GDPR, data retention, and compliance.
Crystel holds a BA in Psychology & Sociology from the University of Limerick, a Master's from NUI Galway, and a Postgraduate Certificate in International Selling from TU Dublin. She sits on the Appraisals Committee for Guaranteed Irish and was shortlisted for the IMAGE PwC Businesswoman of the Year Awards 2025.
Julie Holmes is an HR Professional who joined the Knowledge team at Legal Island in June 2022. Using her extensive experience in Human Resources and L&D to help organisations attain key strategic objectives, Julie enjoyed the challenges of working across a range of sectors. She is an Associate Member of the CIPD. In her spare time, Julie is an enthusiastic gardener and member of the Irish Garden Plant Society. She is also a fan of scary movies (the parts she sees from behind a cushion anyway!)
HR teams in NI and ROI are facing rapid changes around what employee information can be gathered, stored and kept. This free webinar is designed to guide you through what’s required and what to avoid.
Julie Holmes from Legal Island is joined by Crystel Robbins Rynne, CEO of HRLocker, for a focused 45‑minute session that walks you through the full employee journey, from job ads to post‑employment. With Crystel’s background as both a CEO and a senior HR leader, you’ll get real‑world insight into what you can collect, what you shouldn’t keep, and how long each record can stay on file.
We cover:
✔ What you must record
✔ What you should avoid keeping
✔ How long each item can stay on file
You will receive two handy takeaway documents:
• An NI/ROI split retention schedule
• A simple checklist you can use straight away
Perfect for anyone handling employee information in Northern Ireland or the Republic of Ireland.
Transcript:
Julie: Welcome to the webinar "Employee Data: What Employers Must Collect, Keep, and Delete". It's really good to have you with us.
Now, I want you to be honest. Your systems are probably a little bit like that cupboard or that drawer at home. You know the one, where you keep things just in case. So interview notes? Just in case. Disciplinary record that's maybe expiring soon? Just in case.
Why do we keep them? Because we think that they might be relevant someday. And before you know it, "just in case" turns into "why on earth are we still holding on to this?"
So, data protection laws, including GDPR, tell us that personal data shouldn't be kept any longer than necessary, it needs to be kept for a legitimate purpose, and of course, it certainly shouldn't be excessive. At the same time, though, employers need to retain information to protect themselves against potential legal risks. So where's the balance? Well, that's what we're going to look at today.
Crystel is CEO of HRLocker, and she brings a wealth of experience from senior HR roles. Some of you may also recognise her as the voice behind our HR Agony Aunt articles on our Knowledge Hub. I just want you to know, though, that today Crystel's focussed on data protection, and she's been asked not to answer questions about anything else. So data retention only.
Today, she's going to guide us through the full employee journey from job adverts right through to post-employment. So she's going to talk a little bit about what you must record, what you should avoid keeping, and how long all those records should be kept on file. She's also going to be sharing some really practical takeaway resources, which look fantastic.
The first one is a Northern Ireland/Ireland split retention schedule, so breaking down each of the records and about how long you should keep each of those. A simple checklist as well that you'll be able to use to help you make decisions about what you need to keep and what you should actually be collecting or not collecting as well.
So, before we begin, I'd also like to take a moment to thank our sponsor. This may sound familiar. HRLocker is an all-in-one HR software platform that simplifies people management for growing businesses. From leave requests and time tracking to performance reviews and employee records, it brings everything into one easy-to-use system. And as your system grows, scaling with HRLocker is scaling with confidence.
Now, when Crystel does her presentation, you will see that there's the Q&A box. So please make sure that you add your questions there.
You will also get a recording of the webinar shared with you afterwards, and we'll make sure that we attach those handy documents that Crystel is referring to today as well. So don't worry about that.
Before we get into the actual presentation, would love to get a quick sense of where you are today so that Crystel and I can see where you are. So it's a bit of an honesty moment.
How confident are you at the moment in your organisation's HR data retention practices? So first of all, we have the gold star people who say, "Yep, very confident, Julie. We have clear policies and follow them". Next would be people that are somewhat confident. "We have guidelines, but they're not maybe always followed consistently, or maybe not 100% of the time". Other people may not be very confident. They know that they need improvement. That's why they're here today. And other people are saying, "Julie, we're really starting off. Not really too sure what we currently keep, and we need to start auditing that".
So we can see from the results that most of you are around the second answer, which is somewhat confident. "We have guidelines, but they're not always followed consistently".
I was telling Crystel the other day about my own data protection experience where I found that managers of some of our satellite offices were keeping their own records. So not only HR records that I had, but they were keeping them in other places as well. So that's always a nice discovery whenever you think that you're following data protection to the letter. Hope none of you have surprises like that.
With those answers, we will just move on to our next one. For those of you that said that you may keep hold of stuff longer than is absolutely necessary, why is it that you think? What is the main cause? So is it fear of future legal claims and you're hanging on to things just in case? Is it unclear retention guidelines, because it's easy to get confused or get caught up in what else needs to be done as a priority? Is it systems or processes that make it difficult for you to manage that data? Or is it habit? "We just haven't really consciously thought about it. We've just always done it this way".
And so we can see from the answers that, again, most of you are around the second one about unclear retention guidelines. I'm really glad to say that I think that Crystel's presentation today is really going to help with that.
So thanks very much for answering the questions. Appreciate that.
Crystel, that gives you a bit of a marker as to where everybody is. I am going to disappear from screen. Again, remember to drop your questions in and I'll moderate those. When I join Crystel at the end of it, we'll go through as many of those as we can.
Thanks very much and over to you, Crystel.
Crystel: Thank you very much, Julie, for that great intro. I'm looking forward to the next 40 to 45 minutes. Like Julie said, there is Q&A, so please drop in as many questions as you have in the Q&A section.
I did joke with Julie earlier that I think this is a little bit of a boring topic, so hopefully I will make it as simple to follow and make it a little bit exciting as well.
So my main focus is really focussing on companies who are looking at their own data protection, whether you are in the Republic of Ireland or Northern Ireland, or whether you have employees in both regions as well, and to make it as practical as possible. And like Julie said, there will be some downloads as well that we'll share after.
I suppose the main reason is why do we care? Why do we care about data? So practically, from three specific reasons. If we look at this, kind of three main things that have changed over the last, let's say, 24 months is that from a regulation perspective, the inspections have increased.
WRC inspections from the Republic of Ireland have increased significantly, and similarly, the industrial tribunal claims went up in NI on the back of the LRA early conciliation, and the DPC and ICO and the Equality Commission of NI have all tightened their guidance around HR data.
So we know it's there, and what I want is that by the end of this webinar, you're in a position where you're not afraid if you're ever audited. And that's where we should be, is that when an audit comes, we have all our ducks in a row and we're not afraid of it.
The second thing is employees are getting, I think, a little bit smarter. So the Subject Access Requests in HR have roughly doubled since 2023. A lot of it arrives after leavers, if there's a dispute. And if your records are scattered, it's difficult to find the information. Exactly like Julie said, sometimes we think we have a good process in place, but we don't realise that there's a manager who's keeping data somewhere else.
And I actually shared this with Julie yesterday. I remember talking to an HR consultant at the time when GDPR came in, and her advice to people was just to have a second little cabinet where you keep information. Then it's out of reach from a GDPR perspective. And I was like, "Please, not a great idea".
So I think the clear thing is to make sure that the rest of your managers understand what the retention policy is. It's fine that we put in these retention policies, but it has to be carried out throughout the organisation. You don't want to be in a position where you've had a data Subject Access Request and all of a sudden, you realise that there's all this other information. Employees are definitely asking for their information specifically if there's a dispute going on.
The third side of things is also from an AI perspective. AI has changed the tools that we're using. A lot of HR tools now are using AIs. They could be CV screeners or AI note-takers. Sometimes it's kind of some sentiment analysis on the chats or things like that. So each one of these should have a DPA in place. And also, to be very clear that you're following the guidelines. So you shouldn't be using AI for any decision-making either.
These are kind of three areas, I think, and definitely from a 2026 perspective, that we should be focussing on why it's important that we have the correct processes in place and the correct foundation in place at this stage.
In terms of the employee journey, I would like to focus on that there are five specific stages when we talk about the employee journey. And at each stage, there's going to be data that's passed from one side to the next and how long we hold data in each one of the stages as well.
If we look at your pre-employment stage, that's your recruitment side of things, your onboarding, when you're hiring people. This is where we start to see a little bit of nuances in regards to when we look at the Republic of Ireland and Northern Ireland in regards to what's required at each section as well.
So from an onboarding perspective; during employment as well, so it's your day-to-day side of things; health and safety, which brings its own obligations; and offboarding, so when somebody's leaving as well.
I'm going to spend the next while looking at the records that can cause trouble and the one that shows up in cases as well where you don't want to be getting fined.
I have a handout that I'm going to give. It's around decision. So I'm actually going to quickly find it here. It's a little bit of . . . here's one I prepared earlier. Sorry, just two seconds. And these are all going to be shared with you, but I hope it's a little handy handout to go, "Okay . . ."
It's a five-question test. So you need to run every record that you have against each one of these questions. And it says if there's a no against any of these from a GDPR perspective, it needs to be deleted.
Can I name an Article 6 GDPR? So do you have a lawful basis to process this? If it's something outside of it, it could be a medical record or something like that, no, you do not have a lawful basis. So get rid of it.
Is the data special category under Article 9? So is it health, religion, political opinion, trade union, biometrics, sex life, anything like that? Do you have a reason to keep it? Again, from a Northern Ireland perspective, during the monitoring, yes, you do. So there are some nuances around that.
If basis is Article 6 legitimate interest, do I have written three-part LIA on file? Is retention anchored to a specific claim window or statutory duty in the country of work? So for example, are you going through . . . is there a WRC dispute or something like that? Should you be keeping the information? Yes or no.
If processing is likely high risk, for example, AI screening, do I have a DPIA on file?
Just a kind of handy thing to go through. If you're not sure about whether you should keep something or not, then just bring these through the five questions.
So lawful basis first. Let's talk about basically the three principles that kind of underlie any of these. So lawful basis, retention second. Every piece of employee data needs an Article 6 basis under GDPR. And that's both from the UK GDPR and EU GDPR.
For example, there's legal obligation from a statutory records perspective, legitimate interest for the rest, with kind of a balancing test as well.
So, consent as well, which is interesting from an employer-to-employee relationship side of things. Consent from an employer to employee rarely works for employees because of the power imbalance. So if you cannot name the basis, you cannot keep the record. That's really, really important. Bring it through those five questions. From a lawful basis perspective, you need to say, "Does it fit under Article 6? Article 6 is why I'm keeping it".
The interesting thing then, as well, around . . . Minimums are minimums. I couldn't have a clearer word to say to people. So it's important that when two laws apply and they're conflicting from an ROI to an NI perspective, you keep the record for the longer period.
Payroll is the obvious one from an ROI perspective. So the National Minimum Wage Act says we keep it for three years. Revenue say six. So default to the six, whatever is the longer period. If there is a conflicting legislation, you go with the longer period.
So, default to delete. I think that, as HR people and perhaps as business owners, a lot of the time we err on the side that we like to hoard data. I am one of those people. I like to keep it, I don't like to delete it. However, I'm going to hopefully try to change your mind to say that we want to flip to a . . . your default is to delete the data.
From a GDPR perspective, you need to limit the data that you hold. If you cannot justify keeping it, you need to delete it.
There's a huge risk of holding on to the information if you're holding it on for too long. So you need to, I suppose, have a proper schedule in regards to the documented retention rules and make sure that you're keeping the data in regards to . . . Even if you think, "Maybe I just might hold on to this a little bit longer", if the rule says you need to delete it after six years, then you're deleting it after six years. There's no reason to keep it, if that makes sense.
A quick note. So before we get into these next stages, if you only operate in one jurisdiction, the next two slides will be probably a little bit more information than you require, but the principle on Slide 7 will apply to you. So what I'd like to say is stay with us. Stay with us for the next two slides, specifically if you are employing people from across the border. And once we get to Slide 7, we'll all be back into it.
Most of the session, I suppose, assumes your employer and employee are in the same place. And so that covers some people. The other two slides . . . I suppose, first, we'll look at the NI employees. So if you are an NI employer of NI staff, apply NI rules only. We use the NI column.
Obviously, then, if you use the NI column in the schedule, you report to ICO, the Equality Commission, HMRC, disputes go to the Industrial Tribunal and the Fair Employment Tribunal. So, from an NI perspective, you understand where you're sitting from that.
If you're an ROI employer of ROI staff, you obviously apply ROI rules. Report to the DPC, the HSA, Revenue, disputes go to the WRC and the Labour Court. So we understand from a specific, very pure side of things, that's where those two employers sit.
Where it gets a little bit murky is if you are an ROI employer of staff in Northern Ireland. The Northern Ireland rules apply to that employee. So the country of habitual work wins.
Under that side of things, your HMRC, UK for auto-enrolment, ICO for data, NI Working Time Act, things like that.
If you are an NI employer of Republic of Ireland staff, again, the reverse applies. So it's the ROI rules. From a revenue perspective, the MyFutureFund auto-enrolment, the DPC data, and for any WRC claims as well. So it is where the employee is habitually working, so where they're getting paid.
The line in red at the bottom, I suppose, is the rule that does the work. So Rome I, retained EU law in the UK, choice of law in the contract cannot remove mandatory protections of the country in which the employee habitually works.
Even if you say, "Well, that's fine. We are going to use ROI legislation for somebody in NI. As a company, that's the decision we've made", you just can't, basically. The choice of law in the contract cannot remove the mandatory protections of the country in which the employee habitually works.
So you can pick the law of the contract, but the floor underneath is the floor of the country where the work is done. And that's important.
There's also a handout I'm going to give to you in regards to that, which is the cross-border check lines, which will go out after this as well. It kind of goes through everything in regards to if you're an NI employer, ROI, ROI employer of NI, and NI employee of ROI, and you kind of go through from a . . . So when you look at the scope, what applies from an NI perspective, what applies from both regions, what just applies from an ROI perspective. You're going to go through each of them and you can kind of tick them as you go.
So cross-border day one, set this up before payroll runs. Again, if you fall into any one of these two categories . . . So obviously, if you have payroll perspective from an ROI employer with NI staff, you need a HMRC PAYE. You need to register with HMRC. Likewise with NI, you're going to register with Revenue here.
Some things have changed from our regards. We've seen this over a while. So from an ROI perspective, we now have auto-enrolment from MyFutureFund. I know that came in quite a while back from an NI perspective. I'm not going to spend too much time on this. It's just to be clear on how it affects you if you've got employees cross-border.
This is the bit where I really, really want you to concentrate on. Even though your contracts might say that it's covered under UK legislation or it's covered under Republic of Ireland legislation, it doesn't matter. It cannot remove the mandatory protection of the country in which the employee habitually works.
This is what the contract can do. It can set bespoke terms, it can choose the forum, it can choose the law. What the contract cannot do is remove the statutory floor, remove the regulator, strip the tribunal. So it can't do that.
For example, Dublin homeworker. So the Dublin homeworker for a Northern Ireland employer gets a five-day statement, the ROI working time with no opt-out, WRC jurisdiction, DPC for data, HSA for safety. So you can see the kind of differences there as well.
Now we're going to go into a little bit of the checklist of things that you can collect and what you shouldn't collect. I'm going to go into each one of the stages.
I suppose, just to caveat, if we go back, there are kind of four types of employers here today. We've got employers who are just employing people in the Republic of Ireland. We have employers who are just employing people in Northern Ireland. We have employers who are based out of Northern Ireland and employing people in the Republic of Ireland. And we have employers who are based in Republic of Ireland and employing people in Northern Ireland. So if we take that and we kind of red circle that, the same stages still apply from an employment perspective, but some rules may differ.
Let's get into it. Stage 1, pre-employment. So what you need to collect is first your job advert wording. So you need to keep a copy of every advert in case an employee claims discrimination.
Your right to work, the rules differ. From an ROI perspective, we only need to look at the documentation. From an NI perspective, you take it and retain a clear copy or share code for everyone. So first difference we see.
Your reference check, the same. Document the consent. You cannot rely on assumed consent.
Vetting, where required. So your Garda Vetting is Republic of Ireland, AccessNI is Northern Ireland. Only for roles that legally require it.
And Article 55 monitoring. Obviously, this is a different side of things, again, where we differ. So that is obviously based for companies in Northern Ireland with 11 and over staff.
What you must not collect is the date of birth on the application form. Age is a protected ground. Collect only after offer if pension or under 18 requires it.
Marital status. So again, there's no legal basis for asking it.
Health information beyond what's needed in the role.
And this is an interesting one for me. It's photo on CV beyond ID purposes. So sometimes it can be seen as a discrimination risk. Now, what does that mean? It means that lots of people submit CVs all the time with their photographs on it. When you're screening people or when you're creating the interviews, you should take off the photo just to avoid any reason for discrimination.
So if you see here, from a pre-employment perspective, the things that you cannot collect, which applies to all employers, and things that you can collect differs somewhat. Specifically around the right to work as well, the Article 55 monitoring, but the right to work is a big one as well. From a Republic of Ireland perspective, if there is no reason for you to keep a copy of the person's passport, do not keep it on file. From a right-to-work perspective, in NI, you do need to retain it.
How long? This is where life gets a little bit complicated. So this is where I suppose if we look at from job adverts . . . I'm not going to go through all these, but you can see here I've looked at ROI and NI. So job advert, one year. Unsuccessful CVs and interview notes, one year. You see here between the differences, and the explanation as to why we need to keep them.
Right to work, this is the row people get wrong a lot of the time. Again, ROI is sight only, no copy retained. NI, copy retained for employment plus two years.
Sponsored workers, five years minimum in Republic of Ireland, and duration of sponsorship plus one year in NI under the UK Skilled Worker regime.
Garda vetting, somewhat similar, do not need beyond purpose.
And Article 55 monitoring, obviously not applicable from an ROI perspective. We're not going to spend too much time going into Article 55, but from a Northern Ireland perspective, obviously there's a three-year obligation for that.
For example, ROI hiring of Northern Ireland residents. British and Irish citizens have Common Travel Area rights, no visa needed, no passport copy retained. So there's a lot to do. It's actually one of the biggest things that I see from employers in Republic of Ireland, is that we think we need to keep a record of the person's passport on file. You don't, and you shouldn't keep it on file. Again, different from an NI perspective.
So Stage 2, we're going to go into onboarding. From an onboarding perspective, this is where there's sometimes a little bit of different . . . A day one done well saves you years of clean-up. I'm going to coin that phrase.
Sometimes there is best practice and there's also statutory. In the Republic of Ireland, there's no statutory requirement for a signed contract before day one, but the five-day statement of core terms is mandatory.
Now, I would always advocate for that you should have a contract for somebody on day one, because I think that your employer-to-employee relationship starts off well when somebody understands what's in the contract, they understand what's expected of them, and that you're ready on day one, rather than having the five-day statement of core terms. So again, that's where best practice and statutory sometimes . . . we can lean into that best practice side of things.
NI, obviously different. Contract terms in the written statement within two months, but treat day one as best practice, is what I would really recommend.
And then obviously, all your payroll notices and things like that.
Also, this is something that people often forget in terms of your privacy notice and policy acknowledgments. So again, it's what we should be doing from a best practice perspective. Privacy notice tells the employees what you're holding, why, for how long, and their rights around it. And that's covered from a GDPR perspective, both from an EU and UK side of things.
The articles are the same, but the supervisory authority is not. So when I do talk about GDPR, I am speaking about both my UK perspective and an EU perspective. So the articles are the same, but obviously UK GDPR is under ICO and EU GDPR is under the DPC.
The other bit which . . . auto-enrolment has come in as well in both. So it's a new one for ROI. The MyFutureFund, it forces people, I suppose, to opt into pension, eligible workers between 23 and 60 earning over €20,000. The UK has been in this regime since 2012. So important each employee goes into the correct scheme.
Again, I'm going to quote this. I think this could be my new tagline. A day one done well saves you years of clean-up. So if you get all your data correct, you've got all your privacy notices and policies signed down, so that's your handbook, your IT use, your data policies, everything's on file, everything's signed, if there are ever any questions later on, you can see that everything has been signed by this employee. You have all their correct bank details to ensure that you've got them all signed up for payroll correctly, and you've got your contracts issued on day one as well.
So, now they've come back to work, now they've started working, so we're talking about Stage 3. This is during employment, so it's the biggest volume of records, and it's also the biggest split that we see between ROI and NI. Again, we've got our two columns here, ROI and NI. And again, if we go back to what we spoke about previously, it's the habitual residence of the employee.
From a Working Time Act, three years in ROI under Organisation of Working Time Act, and two years in NI under the Working Time Regs.
Payslips and wages, three years in ROI, six years in Revenue, and six years in NI under HMRC.
And this is where we talk about the minimum side of things. So three years under the National Wage Act, six years recommended from Revenue. You're going to take the longer version up here, so we're going to retain it for six years.
The statutory sick pay as well, it's around three years for both.
So, the other kind of interesting one here as well from a cross-border note is an NI individual working time opt-out cannot be applied to an ROI-based worker because ROI does not have one. So the opt-out is a Northern Ireland feature.
Now, I hope you're all still sticking with me here. Another interesting one, leave records. So the eight-year question. Parental and family leave have the longest statutory retention in ROI, eight years under the Parental Leave Act, and that's because it goes up to when a child is 8. Eight years for paternity leave under the Parental Leave Act 2016. Adoptive Leave Act only requires one year for notices. Maternity Protection Acts are silent.
NI, six years recommended. So it's no specific statute. HMRC requires records for three years and after end of tax year.
It's eight years versus six years. Most employers default to six years, and that's important from a parental leave perspective that that is actually eight years.
Now, this is one where I have lots of people who don't agree with me or have said that they don't want to do this. And when we actually audit people's records, this is most of the time where people fall down on, and it's the performance training. Well, it's mostly the performance and disciplinary.
Performance reviews and one-to-ones, you should keep that for employment plus six years. It could support or defend a claim. It's important that you're using the systems that you have and that they're not sitting in people's emails, because then unfortunately perhaps a claim can happen, the manager has gone, and the information is gone forever. The notes are gone forever from a performance perspective. So make sure you are retaining it in a central place.
Disciplinary, this is really important, and it kind of really jars with people a lot, is that you need to disregard it on the expiry date in regards to . . . So if somebody's had a disciplinary and it sits in their file for six months, it gets disregarded. That is really important.
I know most companies are like, "No, we just want to keep them so that we know that there was a written letter of warning or something that was on the employee's file". Once it is over, it gets taken off the person's file. So you kind of set the calendar the day you issue the warning, and then it gets deleted. If somebody has a verbal warning for six months, it gets deleted afterwards.
A disciplinary dismissal, six years for both. It defends breach of contract and wrongful dismissal.
Grievance records, employment plus six years. Defends you from future claims.
And training and certification, employment plus six years, longer for some safety side of things.
I had a company before who said that they keep all the employee records in health and safety for 40 years. I was like, "What?" But that is actually because they were using asbestos. So unless you're using some kind of chemical, asbestos or something like that . . . well, you fall into the critical hazardous under 40 years. But I would presume most people here today are falling into the regular six years. So that's why we won't spend too much on the health and safety side of things.
But 10 years for workplace accidents, 3 years for accidents in NI. Many employers default to six years where civil claims are likely. So that's where we're talking about the longer period applies.
Under 18s, three years.
CCTV of staff, I'm not going to go into that too much, but that's a really important aspect because obviously you need to make sure that you made people aware of CCTV, made people aware what you're going to be using the CCTV for, and that you're only keeping it for 30 days. It needs to be a documented reason if you're keeping it for longer than that.
One more for cross-border, the DSE assessment for homeworker. The workplace is the worker's home, you need to apply the rules of the country where the work happens. So HSA for ROI, and HSENI for NI.
Offboarding. So this is where everybody again falls down on because people don't want to delete any records.
Delete on the day. So if you've made your final payroll, you do not require their bank details anymore, so make sure that they are deleted. Again, where people fall down on that is these bank details are sitting in somebody's email. Make sure that you have a central database so that when you're deleting records, it becomes easy.
Emergency contact details, you no longer require that information. Delete it out of your HRIS.
Access to emails. Obviously delete the building or office access. Any personal notes outside of the HRIS. So make sure that if your manager has some . . . Like I said earlier, in case that manager has some kind of sneaky notes on the side, make sure that you're purging the documents.
Sensitive medical or occupational health details not needed for liability. So yeah, just do a data cleanse. If you do not need it, get rid of the information.
Things that you need to keep for six years are a signed contract, a written statement, the personal files, the payroll tax filings, disciplinary records that were used for a dismissal, any redundancy calculations, settlement, compromise agreements, longer where there are continuing obligations. So those are the things you want to keep. Six years applies for both jurisdictions. The same number, I suppose, but different statutes.
One thing worth flagging on the redundancy specifically is Northern Ireland has kind of twin clocks, six months to claim statutory redundancy entitlement, three months less a day to claim unfair selection at the Industrial Tribunal. Different claims, different windows, so you keep selection criteria and consultation records for the longer of the two.
Five things employers get wrong, and there's one for cross-border.
One, keeping spent disciplinary warnings. So six-month warning still on file for two years later breaches GDPR, more than likely. I will say may breach GDPR storage limits. So it may weaken the next disciplinary case if you rely on it.
For example, if you have given somebody a written warning three years ago, you cannot use that for another warning. You cannot reference it. So it needs to be taken off the person's file.
I know lots of people are sitting there saying, "Well, we're going to keep that information". You can't. If it's a written warning and it stays on your file for six months, it only stays on your file for six months.
Bank details and PPS. We live in a world of Teams, Slack, WhatsApp. None of those are appropriate channels from a payroll perspective. So it is restricted information. You need to be using secure channels. And I see it a lot of the time that somebody has sent on their bank details through Teams chat or sent it through a Slack chat, and those bank details stay there forever and a day. And two years later, they're still sitting there. So really, really important that you're using the correct channels in place.
There are lots of things that you can do from a . . . So for example, here we use Office 365, where Microsoft has . . . We're actually just not allowed to send any bank details. It stops you from sending them.
There are practical tools, things like that you can do, but just make sure that . . . This is where the education kind of comes in from a management perspective, is that you're telling managers what they can and can't do. So we just shouldn't be sharing that kind of detail through all the Teams channels.
The other thing from an offboarding perspective is the day somebody leaves, you should start putting your calendar dates in place. There are a couple of clocks that start working at that stage, so start to put some timers on that.
Without a calendar, none of them get actioned. And who's responsible? Actually, the biggest thing I've seen is that there's nobody actually responsible for deleting the data, or there's nobody responsible for actually doing that offboarding. HR might come in and the person's offboarded from a people perspective, but actually from a data perspective, that hasn't kicked in yet.
And again, a big one here is CVs in personal inboxes. Hiring managers forward CVs to themselves. Two years later, those CVs are still in there. So if you ever get a Data Subject Access Request, that information is still sitting in somebody's inbox. So again, it's turning to . . . Should I say again? You're educating your managers to make sure that they're not using the systems in place that are able to, I suppose, mandatory delete things. So try not to be using your messengers and your Outlook for those kinds of things.
Then the fifth one really is that we treat ROI and NI as the same around working time, parental leave. Northern Ireland has Article 55, ROI has the gender pay gap reporting that's come in now for companies of 50-plus employees. So regardless of if you write a contract to say that they are all treated the same, there are some statutory requirements that enforce that they are not treated the same. And so that's really important.
And then a little bonus for cross-border, applying your country's rules to a worker who habitually works in the other country. Country of habitual work wins every time. So that's a very important one. You just can't ignore it, basically.
So what to do tomorrow. Obviously, quick word before we get into the to-do list. If you've been listening and counting things that you're not doing, that is normal. Every HR team I work with has loads of things they're not doing, but it's fixable. And it is really, I suppose, firstly, focussing on the things that you can do really easily.
Making sure that you're putting rules in place of things that can be shared and can't be shared, what channels you actually use, and making sure that you're assessing, I suppose, where your data is and how long you're keeping it for and what you do when somebody leaves. How long are you keeping information for? So kind of doing an audit of where your data is.
But what I would start with is firstly pick your last five leavers or pick the last leaver that you've had, but look at it maybe from 2018, let's say, and see what's there. See what information you have on the person, and see if the retention schedules have been applied. And then kind of, I suppose, stress test that to see if you actually have the information that you should on the person, and do you have more information than you should of the person?
Audit your active disciplinary records. So that is where the majority of companies fall down, is pull every warning on file, check each one against the policy expiry date, and delete the ones that are spent. You can document the decision, but delete . . . there shouldn't be a warning on people's files still.
And the third one is, again, something that we should be doing on an ongoing basis. It's checking who has access to pay and disciplinary records. Access sometimes can creep in. So make sure that you're seeing who has permissions from the people team and the IT team.
A lot of the time, you're going to be surprised at what IT have access to. Should they have access to all that kind of high-risk information? Is there a function within your systems that they are able to be the IT support, but that they're not able to see disciplinary records or performance improvement plans or salary information, things like that? So just to make sure that you see what people have access to specifically around pay and disciplinary.
I suppose four key takeaways. I'm going to share everything with you after this. It's the retention schedule for ROI and NI side by side. I've tried to kind of look at most of the records that I can think of and compare to your own retention policy.
Document 2 is the quarterly checklist. So over 50, I hope, practical actions that we can use once a quarter just to kind of focus on that employee lifecycle to see where people are at.
And then Document 3 really is around, I suppose, what you should be keeping from a lawful basis perspective. So kind of focus on that and look at that from an understanding of why you're keeping something. If there's a lawful basis, should I be keeping it or not? And if there isn't, delete it. So if you answer yes to all five, you can keep it.
I think, Julie, I've kind of come to the end of that. I hope that was okay for everybody and they're not like, "Oh my goodness".
Julie: No, not at all, Crystel. Thanks so much for that guide. It was so clear, and it was interesting to see some of the differences as well. But just going to keep you on to answer a couple of questions for us.
I hope that everybody has liked Crystel's new trademark statement, which is about if you get it right on day one . . . What was it? Then it saves you years of clean-up later on. So that's the main takeaway from today, if nothing else.
All right. So we have one question about, "From the payroll perspective, we only need to retain six years, current year and previous six years, regardless of whether the employee is current or past?" That's the question. And, "Is it the same retention period for Ireland and Northern Ireland?"
Crystel: Yes, I think that's where we got into and actually shared that minimum wage perspective, which is a good one to look at.
Julie: Just to remind everybody, Gosia has been dropping the documents into the materials for you, and then they'll be sent as well as part of the recording and the email. So you can go back through as well. But sure, we'll put Crystel on the spot in the moment.
Crystel: So from a payroll perspective, it's six years across both. Where people sometimes get a little bit mixed up from an ROI perspective is there is legislation around three years for the National Minimum Wage Act. However, your payslips are linked to your payroll. So yes, this is relevant, but the three years . . . It doesn't matter, but yes, you're keeping both for six years.
Julie: All right. So short answer, six years. But remember to just check that documentation because there are some surprises in there as well, like about that parental leave.
And then somebody's asking, so don't leave that document yet, Crystel, "Are we to keep notes taken on pre-employment reference checks or written reference statements for the duration of the employment?"
Crystel: I suppose it depends on what you're keeping it for. So for example, we are ISO 27001 and 9001, and when we get audited, we have to show that we do reference checks. But the reference checks that we keep on file are that, "Julie did a reference check on this date with this information, and the information was positive".
I want you to take a step back and go, "If the notes were, 'Well, Julie said that Jane is a really nice person and she did a great job and she actually should work on these three things', why are you keeping that information?" There is no legal basis for you to actually keep that individual personal information.
It's not that it's not a one-size-fits-all, but anything like that, from a process perspective, keep that you've done the reference. But if the information is going to potentially keep you at risk for something, that you're holding more on the information, don't keep it.
What I would say is no. Trim it down. Do not keep the personal notes. Trim it down.
Julie: Thanks very much. So as I said, everybody, you're going to get the recording in a couple of days with those documents. And a big thank you, Crystel, for making that so clear.
Just a reminder, I mentioned that Crystel's writing the HR Agony Aunt column. So if you haven't checked out our Hub, this would be the time to take a look and see what you're missing out on.
And then remember that also we're talking about GDPR, but if you're looking at enhancing what your staff know, then remember that Legal Island provides all-staff training in eLearning form.
You can go onto our website and find out more about that. And I know Glen and Debbie would be very happy to speak to you and arrange free trials and be able to talk to you a little bit more about the content.
But other than that, folks, we have one short poll question left. It is not about data protection, you'll be glad to hear. It is actually about AI. Just trying to find out, while we have you here, what way you are using it at the moment. Thank you very much for people voting on that.
So which topics would you most like covered at a future AI event? Is it around policy, governance, GDPR and data protection . . . and Crystel, you may have to keep on the slide for that, on the slide button . . . employment law implications, or prompting and practical productivity tools?
Thanks very much, everybody, for doing that for us. Big thank you to Crystel, as I said, and to HRLocker, our sponsors. And then Gosia, who works tirelessly behind the scenes to keep us right, share the polls, drop in the materials, and she'll be organising that post-webinar email for you as well.
Thank you very much for your time and for joining us, and have a great rest of the morning. See you soon. Thanks again, Crystel.
Crystel: Take care. Bye-bye.