The United Kingdom’s Information Commissioner’s Office recently issued guidance on how to keep employment records.
This is good advise for employers beyond Europe (and particularly in California). The data retention requirements of the California Privacy Rights Act are the same as GDPR.
Here are some key takeaways:
- You must take all reasonable steps to keep any personal information you hold about your workers accurate and up-to-date
- The more important it is that the personal information is accurate, the greater the effort you should put into ensuring its accuracy. So if you are using the information to make decisions that might significantly affect the worker concerned or others, you should put more effort into ensuring accuracy. This may mean you have to get independent confirmation that the information is accurate.
- You must not keep personal information for longer than you need it.
- You must consider any legal or regulatory requirements and seek advice on compliance, if necessary.
- You should set up a retention policy or schedule that lists: the types of record or information you hold; what you use it for; and how long you intend to keep it.
- You should not take a ‘one-size-fits-all’ approach to retention of workers’ personal information. While you may need to hold on to some types of information about previous workers, you may be able to delete other information as soon as the employment relationship ends.
- Different categories of personal information will need different retention periods.
- Where possible, you could set up automated systems to help with this process that flag when information you are holding is due to be reviewed or deleted
- You must provide a privacy notice
- You could provide it: as part of your staff privacy notice on your organization’s intranet; as part of your general data protection policy; as separate privacy information in a worker handbook; using ‘just in time’ notices if using online workshops, platforms or tools where personal information might be collected or shared with others; as a general notice on a staff notice board; or by sending a letter or email to workers.
Right of erasure
- In some circumstances, people have the right to have their personal information erased.
- It only applies in certain circumstances, many of which do not apply in an employment context.
- The right to erasure does apply where the personal information is no longer necessary for the purpose you collected it for.
- You must have appropriate measures and records in place to be able to demonstrate your compliance with your data protection obligations.