ARTICLE
25 November 2002

Employee Records - Retention Policies

United Kingdom Employment and HR

Employee records - when it's time to let go

Two instalments of the much delayed "Employment Practices Data Protection Code" (the "Code") have now been made available in "pre-publication" form on the Information Commissioner's website (they will be formally published and "in force" once Parts 3 and 4 are finalised), both touching on record-handling. Although not legally binding, the Code will set out the Commissioner's view of what employers need to do to comply with the Data Protection Act 1998 (the "DPA"). Employers have tended either to retain all records until they run out of space or discard them almost immediately. Few sift through the information held because of the time and costs involved. However, the DPA - and the need to defend discrimination and other claims - now demand a more sophisticated approach.

Why you should keep applicant/employee records - the risk of legal claims

The risk of legal claims is one of the main reasons for retaining data no longer used for day-to-day administration. This risk has increased in recent years, with the introduction of new statutory rights, increases in compensation levels and a shift in the burden of proof for sex discrimination claims. Tribunals will look into incidents taking place over periods of several years if these could be relevant background from which an inference of discrimination could be drawn, making long-term document retention even more important to establish non-discriminatory reasons for long-since-made-and-forgotten decisions.

(Of course there is a converse risk in keeping documents for lengthy periods if they in fact incriminate the employer in unlawful conduct, particularly given the DPA rights to access - in a recent case a race discrimination claim was permitted out of time where, on examining his employment file in 1999, the employee discovered evidence that discriminatory conduct had occurred in 1990!)

Time limits for bringing legal claims will therefore be material to the decision on how long to retain records: 3 months for unfair dismissal and discrimination, 6 months for statutory redundancy pay - although extensions of time are allowed in certain circumstances. Breach of contract claims can be made within 6 years and equal pay claims must be brought within 6 months of the end of the contract but can relate to damages backdated for up to 6 years. Once a claim has been brought in a tribunal, the employer will usually be notified within a few weeks; for court claims it could be 4 months.

There are also certain statutory requirements to retain records, including:

  • records to show compliance with the Working Time Regulations 1998 must be kept for 2 years;
  • records to show compliance with the National Minimum Wage Regulations 1999 must be kept for 3 years;
  • records relating to statutory sick and maternity leave and pay must be kept for 3 years;
  • records of certain specified types of injuries, diseases and other dangerous occurrences must be kept for 3 years;
  • records of monitoring exposure to certain hazardous substances must be kept for 40 years (where the record shows personal exposures of identifiable employees) and 5 years in other cases;
  • other requirements such as keeping tax records for the Inland Revenue.

The Secretary of State is empowered to require employers to keep records of employees’ parental leave (but has not yet made regulations doing so) and in April 2003 will have a similar power in relation to adoption and paternity leave and pay. Professional requirements may include records of continuous training, relevant convictions, and so on - these will be particularly relevant to FSA-regulated businesses.

Why shouldn’t you keep applicant/employee records indefinitely?

The fifth data protection principle set out in the DPA provides that "personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes". The Code provides that, as no specific period is given in the DPA, it is for the employer to set retention periods based on real business need and taking into account any professional guidelines and statutory requirements.

The Code provides little specific guidance on formulating retention policies, save to note that retention times may vary from one employer to another (citing the difference between health and safety records kept for those working with hazardous materials and for office workers). However, it is clear that employers need to differentiate different types of information held on an individual, as it will be possible to justify keeping some types of information for longer than others. A need to retain some information in a file will not justify keeping all of it, so a system of periodic review would seem sensible. Employers may be able to make the "weeding" process more efficient by recording information with different retention periods on different pieces of paper, or filing records by retention period or category of document rather than by individual. Where information is stored electronically, IT systems could be used to flag when a retention period is about to expire. Particular care will be needed where records are held by managers and others as well as centrally.

In determining the periods, the Code states that information should not be retained simply because it might be useful one day, without any clear view as to when or why. The Commissioner suggests that employers "should establish how often particular categories of information are actually accessed after, say, 2, 3, 4 or 5 years" and "adopt a "risk analysis" approach to retention by considering what realistically would be the consequences for your business, for workers and former workers and for others, should information that is accessed only very occasionally be no longer available". The key concept should be proportionality - for example "records about a large number of workers should not be retained for a lengthy period on the off-chance one of them might at some point question some aspect of his or her employment."

The following suggests possible retention periods to deal with potential legal claims, based in part on discussions with the Legal Department of the Information Commissioner’s Office. Of course the Commissioner and/or courts could ultimately take a stricter line, on the basis that retention of documents needed to meet the risk of legal claims requires the employer to have assessed the risk of a particular claim as more than minimal given the individual involved and the particular situation - if this line is taken, it might be difficult to justify retaining records for an employee who has left amicably for more than, say, 1 year.

As a general point, the retention policy should provide that, if a claim is made before the expiry of the retention period, records needed for that claim will be retained until the claim is resolved.

Recruitment records

The Code states that "retention of recruitment records may be necessary for the organisation to defend itself against discrimination claims or other legal actions arising from recruitment. However, the possibility that an individual may bring a legal action does not automatically justify the indefinite retention of all records relating to workers. A policy based on risk-analysis principles should be established."

In relation to any vacancy, there is a risk that unsuccessful applicants could claim unlawful discrimination on the grounds of sex, race or disability. This would normally need to be brought within 3 months of the date of rejection and the employer would need to be able to show that the qualities and experience of the successful applicant were more appropriate/better than those of the claimant.

It ought to be justifiable to retain some data relating to applicants for 12 months (to reflect the risk of time extensions being granted) but this should probably be restricted to information taken into account in reaching the decision whom to appoint. For example, the outcome of medical and other checks may be relevant, but the actual information obtained by a vetting exercise should not be retained (indeed the Code states that such information should be destroyed as soon as possible or in any case within 6 months).

Although data relating to other appointments could also be useful evidence of a non-discriminatory recruitment practice, this purpose would be adequately served by keeping the data in an anonymised form - properly anonymised data is not "personal data" protected by the DPA and can be retained indefinitely.

The Code is clear that employers should not retain data relating to unsuccessful applicants in order to consider them for future vacancies unless the applicant is aware and has agreed to this. Information about successful applicants that is not relevant to ongoing employment (eg former salary) should be deleted on appointment.

Records relating to employees

Retention required by statute (see above) will clearly be justified under the DPA, whether during or after employment.

The employer will also have a genuine business need to keep many types of records relating to an employee during his or her employment but should nevertheless check annually to see if records are still needed or could be relevant to a potential claim. Records which may not be needed throughout the employment or afterwards include:

  • out-of-date personal information;
  • information concerning unsubstantiated disciplinary charges;
  • "spent" disciplinary warnings;
  • parental leave records once the employee’s entitlement has expired. On termination, the employer might retain records of an outstanding entitlement for a short period, so as to be able to confirm the position to the employee’s next employer if required;
  • maternity leave records (once the statutory requirements have been satisfied);
  • holiday records are unlikely to be needed later than 1 year after the expiry of the year concerned, since the statutory entitlement expires if not taken within the relevant holiday year. The position is different where there is a contractual right to additional holiday which can be carried over for a number of years;
  • requests for a reference from a mortgage provider or similar;
  • records of convictions not relevant to the employee’s current duties or which have become "spent".

After employment has ended, an employer may be justified in retaining other records to protect itself against possible claims. Records that could be relevant to contract or equal pay claims (such as contractual documentation, pay and pension records, records relating to bonus decisions or dismissals) could probably be retained for 6 to 7 years after termination. Other records relevant to potential discrimination claims (such as appraisals, disciplinary records, records of promotion decisions etc) could probably be retained for 1 year after termination.

Disposal of records

At the expiry of the relevant retention period, records must be securely and effectively destroyed. Sensitive or confidential information should be shredded on site or by a reputable contractor. Electronic records should be fully deleted, including any copies backed-up on separate servers or systems, and measures should be taken to fully delete records from any computer equipment sold or given away.

Consequences of retaining documents too long

An employer in breach of the DPA may be subject to enforcement action by the Information Commissioner (as a result of a complaint by the job applicant or employee, or on her own initiative - she recently announced a policy to be more proactive in enforcement) or a claim for damages (by the job applicant or employee). An employer who continues to act in breach will be committing a criminal offence.

That said, complaints that information is being retained too long are perhaps not at the top of the list of usual applicant/employee gripes - their concern will more usually be to have access to such information as is held. Further, the fact that documents have been retained for too long should not prevent an employer using them in court or tribunal proceedings. As a result, some employers may well decide to wait and see what line the Information Commissioner takes in enforcing this aspect of the DPA, not least as a new Commissioner will be taking over the role in December. Employers may be willing to gamble that the issue of retention of records is quite low down on the new Commissioner's list of priorities.

© Herbert Smith 2002

The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.

For more information on this or other Herbert Smith publications, please email us.
