employment records can be costly – both financially and administratively. But
throw them out too early and it could cost you. Matthew Rigg and Andrew Morgan
should keep personal data for no longer than is necessary – a worthy aim. Nevertheless,
this key principle of data protection legislation is leading to a new culture
of document destruction that could have unforeseen damaging consequences. Using a hypothetical example, let’s examine
potential risks of this new enthusiasm for proactive housekeeping.
2033 it is accepted that excessive exposure to some computer monitors can cause
cancer. The cancer commonly takes 20 to 40 years to develop. These types of
monitor have now been banned, but they were in common use as late as 2010.
Smith has been diagnosed with cancer. He claims to have worked for Deskjob Ltd
between 2000 and 2005 and believes that his exposure to computer monitors
during this period is the cause of his disease. He sues Deskjob for personal
what it believes to be best practice, Deskjob destroys its employment records
six years after the end of employment. It does not know whether it employed
Smith and has no record of what Smith might have done for the company.
employee who develops a work-related disease may commence court proceedings at
any time within three years of the date he knew or should have known that he
was suffering from a significant condition. The estate of a deceased employee
can bring court proceedings within three years of the employee’s death. The
court has discretion to allow claims to proceed when court proceedings are
commenced outside the three-year period and have generally allowed disease
claims to proceed when there has been a delay of several years.
diseases develop insidiously so the employee’s health might deteriorate slowly
over the years before he first sees his GP. If the GP diagnoses the condition
correctly, then the employee may have a further three years to start court proceedings.
diseases do not start to develop until some years after first exposure. In the
case of mesothelioma (an asbestos-related cancer of the lining of the lung),
the malignant transformation may not start until 30 or 40 years after first
exposure. The cancer will grow unseen for about 10 years before the employee
develops clinical symptoms. Death will usually follow within 12 to 18 months.
certain classes of records helps employers to develop a considered approach to
any claim. First, can the employer confirm from its own records that it
employed the employee? If so, then the claim is prima facie genuine. Do
employment records identify any previous or subsequent employer from whom a
contribution can be sought? Do they show the employee was on secondment or
contracted-in or out so that an indemnity can be sought? These records count as
personal data for the purposes of Data Protection legislation. There is an
argument that such records be retained for many years or decades, but the document
retention policy must be justifiable within the matrix of the Data Protection
are other potentially relevant documents that do not contain personal data.
Insurance policies are the obvious candidate for retention. If a claim fails to
be met under an insured risk then the employer avoids all liability if the
insurer is known and the policy available.
shows that some employers have failed to keep track of their own insurance
policies over the decades so they have to defend claims and pay damages out of
their own funds. The protection they purchased through the payment of premiums
has evaporated because they retain no documentary proof of their entitlement.
documents may help employers decide whether or not to defend a bona fide claim.
Such documents might include records of atmospheric sampling, noise level
readings, radiation levels and similar quantities in environments where there
is a known risk. They might include details of training and warnings given or
written records of best practice. These might not be conclusive evidence in the
employer’s defence but they might be persuasive in court or might simply help
the employer decide how to manage the claim.
recent employment tribunal case has shown that it is not just personal injury
claims that can be brought many years after the events that gave rise to
them. Generally, claims brought in the
employment tribunals must be brought within three months of the date of
termination of employment (unfair dismissal claims) or within three months of
the act of which the applicant complains (discrimination claims). These time
limits can be extended in certain circumstances. In a recent case involving
race discrimination, the Court of Appeal refused to overturn a tribunal’s decision
that it was just and equitable to allow the claim when it was brought nine
years after the acts of which the applicant complained (Southwark London
Borough Council v. Afolabi (CA, 24/01/2003)).
why are employers destroying employment records? Cost. Historically, businesses
destroyed documents to reduce storage costs. Computer databases, scanning
technology, CD-Roms and DVDs now make it possible to store and retrieve vast
amounts of employment records cheaply and conveniently. Cost is no longer the only
factor pushing employers to destroy employment records.
Data Protection Act 1998
Data Protection Act 1998 regulates the processing of personal data. The Act’s
definition of ‘processing’ is extremely wide and covers any handling of data,
including simply storing it. To qualify as ‘personal data’, information must be
held on computer or recorded as part of a ‘relevant filing system’ and relate
to a living individual who can be identified from the data (or can be
identified from the data and other information that is in the possession of or
is likely to come into the possession of the data controller).
practice, almost all information that an employer holds about its employees
will be personal data. The definition of ‘relevant filing system’ would include
an organised set of personnel files. E-mails relating to named employees and
payroll information that names employees will also be personal data.
Information that cannot lead to the identification of a living individual is
not personal data. This might include, for example, data collected for ethnic
monitoring purposes that is held in an anonymised form.
backbone of the Act is eight data protection principles. The fifth principle
provides that ‘personal data processed for any purpose or purposes shall not be
kept for longer than is necessary for that purpose or those purposes’.
most of the other data protection principles, there is no further explanation
of the fifth principle in the Act. However, where the data controller is an
employer, the data subject is an employee and the personal data in question are
records relating to employment, the employer can refer to Part 2 of the
Employment Practices Data Protection Code, which gives guidance on the
retention of employment records.
Code makes clear that it falls primarily to the employer to set the periods for
which it will retain employment records, but that any period that is set must
be based on business need and should take into account any professional
code advises employers to establish and adhere to standard retention times for
categories of information held. In setting these retention times, employers are
advised to ensure that personal information is not kept for longer than is
necessary, but equally that it is not deleted where there is a real business
need to retain it.
code states that information should not be retained simply on the basis that it
might come in useful one day without any clear view of when or why. Instead,
employers should consider what realistically will be the consequences for their
business, and for the individuals concerned, should information that is
accessed only very occasionally be no longer available. This principle is easy
to expound in theory but harder to implement in practice, as the example of
Smith and Deskjob shows.
code does not give any indication of what the standard retention times might
be. The draft version of the code, published in October 2000, gave employers
more assistance. While acknowledging that these were guidelines only and that a
specific business case could support a longer period, the draft code specified
lengths of time for which certain types of employment records should usually be
follow the draft code would involve a yearly weeding of employee files (which,
for large employers with paper files, could be time consuming) and would leave
the employer with no record of an employee
10 years after the employee’s departure. This may be the reason why this method was dropped in favour of
the less prescriptive approach in the final version of the code. The draft did
give some much-needed practical guidance on the sorts of retention times that
the Information Commissioner might consider reasonable.
Act does not override any statutory requirement to retain records. Employers
have statutory obligations to keep certain records relating to statutory sick
pay, statutory maternity pay, wages and hours of work. Health and safety
legislation also imposes record-keeping requirements on employers. Under the
Employers Liability (Compulsory Insurance) Regulations 1998, employers are
required to obtain a Certificate of Employers Liability Insurance for 40 years
beginning on the date on which the insurance that it relates commences or is
there has been a known exposure to a noxious substance then further
record-keeping duties may arise. For instance, under Reg 16(1) of the Control
of Asbestos at Work Regulations 1987, employers may have to create a health
record relating to each affected employee and keep it for at least 30 years
from the date of the last entry made in it. Under Reg 21(1) of the Control of
Asbestos at Work Regulations 2002, the employer may have to create a record for
each employee who is exposed to asbestos at a level above the ‘action level’
and keep a copy in a suitable form for at least 40 years from the date of the
last entry made in it.
statutes are relevant to particular risks and industries, such as the Control
of Substances Hazardous to Health Regulations 1999 and the Offshore
Installations (Safety Zones) Orders 1999. The legislature is sometimes quick to
respond to health and safety issues as they arise by issuing secondary
legislation on an ‘issue-by-issue’ or ‘industry-by-industry’ basis. It pays to
keep informed, not only to comply with
the legislation but also to keep in step with or ahead of best practice. Any
document retention policy should evolve in step with developments in scientific
knowledge, public policy and perception and legislative change.
would have been sensible for Deskjob to retain basic employment details
(including names, dates of employment, National Insurance numbers and dates of
birth) indefinitely. These details would at least have enabled Deskjob to admit
or deny that it employed Smith. Because the court has discretion to allow late
claims to proceed, there is no fixed period after employment has ended at which
it is safe to destroy all records.
far as more detailed records are concerned, Deskjob should have balanced the
risk of a future claim against the cost and administration involved in
retaining records and the possibility of enforcement action or a claim for
damages under the Act. If there is a known risk, employers should make greater
efforts to retain information relevant to that risk.
considering the risk of a future claim, employers might also like to consider
the likely consequences of a breach of the Data Protection Act. It is difficult to see how simply keeping records
could lead to any actual loss to the employee or ex-employee, so a damages
claim is unlikely. If the Information
Commissioner decides that the employer is in breach of the Act by retaining
records, he may issue an ‘enforcement notice’ requiring the employer to destroy
the records. However, provided that the employer complies with this notice, it
is unlikely that there will be any further consequences.
Rigg is an employment lawyer and Andrew Morgan is a personal injury lawyer at
City solicitors Field Fisher Waterhouse. firstname.lastname@example.org