Data
protection law now demands a far more sophisticated approach to records
retention. Anna Henderson offers policy advice based on her discussions with
the Information Commission
Two
instalments of the much delayed Employment Practices Data Protection Code have
now been made available in pre-publication form on the Information
Commissioner’s website. Both touch on records handling. Although not legally
binding, the code will set out the commissioner’s view of what employers need
to do to comply with the Data Protection Act 1998.
In
the past, HR departments have tended either to retain all records until they
run out of space or to discard them almost immediately. Few departments sift
through the information they hold because of the time and costs involved.
However, the DPA – and the need to defend discrimination and other claims – now
demands a more sophisticated approach.
Risk
of legal claims
The
risk of legal claims is one of the main reasons for retaining data no longer
used for day-to-day administration.
This
risk has increased in recent years with the introduction of new statutory
rights, increases in compensation levels and a shift in the burden of proof for
sex discrimination claims. Tribunals can look into incidents taking place over
several years if this is the relevant background from which an inference of
discrimination could be drawn. This means long-term document retention could be
vital to establish justified reasons for long-since-made-and-forgotten
decisions.
Of
course, there is a converse risk in keeping documents for lengthy periods if
they incriminate the employer in unlawful conduct, particularly given the
employees’ rights to access under the DPA.
A
recent race discrimination claim was permitted even though it was out of time
after a man discovered evidence, on examining his employment file in 1999, that
discriminatory conduct had occurred in 1990.
Time
limits
Time
limits for bringing legal claims are therefore a significant factor in deciding
how long to retain records. The most important are:
–
Three months for unfair dismissal and discrimination
–
Six months for statutory redundancy pay
–
Six years for breach of contract claims
–
Six months from the end of the contract for equal pay claims, but damages can
be backdated for up to six years
Once
a claim has been brought in a tribunal, the employer will usually be notified
within a few weeks; for court claims, it could be four months. Extensions of
time are allowed in certain circumstances.
There
are also certain statutory requirements to retain records:
–
Records to show compliance with the Working Time Regulations 1998 must be kept
for two years
–
Records to show compliance with the National Minimum Wage Regulations 1999 must
be kept for three years
–
Records relating to statutory sick and maternity leave and pay must be kept for
three years
–
Records of certain specified types of injuries, diseases and other dangerous
occurrences must be kept for three years
–
Records of monitoring exposure to certain hazardous substances must be kept for
40 years where the record shows personal exposures of identifiable employees,
and five years in other cases
–
There are other requirements such as keeping tax records for the Inland
Revenue.
The
Secretary of State has the power to require employers to keep records of
employees’ parental leave (but has not yet made regulations doing so) and in
April 2003, will have a similar power in relation to adoption and paternity
leave and pay.
Professional
requirements may include records of continuous training, relevant convictions,
and so on – these will be particularly relevant for businesses regulated by the
Financial Services Authority.
Formulating
a retention policy
The
fifth data protection principle set out in the DPA provides that "personal
data processed for any purpose or purposes shall not be kept for longer than is
necessary for that purpose or those purposes".
The
code of practice provides that as no specific period is given in the DPA, it is
for the employer to set retention periods based on real business need, taking
into account any professional guidelines and statutory requirements.
The
code provides little guidance on formulating retention policies, save to note
that retention times may vary from one employer to another (citing the
difference between keeping health and safety records for those working with
hazardous materials and keeping them for office workers).
It
is clear employers need to differentiate the types of information held on an
individual, as it will be possible to justify keeping some types for longer
than others.
The
need to retain some information in a file will not justify keeping all of it,
so employers will need to set up a system of periodic review. You may be able
to make the weeding process more efficient by recording information with
different retention periods on different pieces of paper, or filing records by
retention period or category of document rather than by individual. Where
information is stored electronically, IT systems can be used to flag when a
retention period is about to expire. Particular care will be needed where
records are held by managers and others as well as centrally.
In
determining the periods, the code states that information should not be
retained simply because it might be useful one day, without any clear view as
to when or why. The Information Commissioner suggests that employers
"should establish how often particular categories of information are
actually accessed after, say, two, three, four or five years".
She
also advises adopting a risk analysis approach to retention by considering
"what realistically would be the consequences for your business, for
workers and former workers and for others, should information that is accessed
only very occasionally be no longer available".
The
key concept here is proportionality – for example, "records about a large
number of workers should not be retained for a lengthy period on the off chance
one of them might at some point question some aspect of his or her
employment".
The
following suggests possible retention periods to deal with potential legal
claims, based in part on discussions with the legal department of the
Information Commission. Of course, the commissioner and/or courts could
ultimately take a stricter line, on the basis that retention of documents
needed to meet the risk of legal claims requires the employer to have assessed
the risk of a particular claim as more than minimal, given the individual involved
and the particular situation. If this line is taken, it might be difficult to
justify retaining records for an employee who has left amicably for more than,
say, a year.
As
a general point, the retention policy should provide that, if a claim is made before
the expiry of the retention period, records needed for that claim will be
retained until the situation is resolved.
Recruitment
records
The
code says that "retention of recruitment records may be necessary for the
organisation to defend itself against discrimination claims or other legal
actions arising from recruitment. However, the possibility that an individual
may bring a legal action does not automatically justify the indefinite
retention of all records relating to workers. A policy based on risk-analysis
principles should be established".
In
relation to any vacancy, there is a risk that unsuccessful applicants could
claim unlawful discrimination on the grounds of sex, race or disability. This
would normally need to be brought within three months of the date of rejection
and the employer would need to be able to show the qualities and experience of
the successful applicant were more appropriate/better than those of the
claimant.
It
ought to be justifiable to retain some data relating to applicants for 12
months (to reflect the risk of time extensions being granted) but this should
probably be restricted to information that has been taken into account in
reaching the appointment decision. For example, the outcome of medical and
other checks may be relevant, but the actual information obtained in a vetting
exercise should not be retained (the code states that such information should
be destroyed as soon as possible or, in any case, within six months).
Although
data relating to other appointments could also be useful evidence of a
non-discriminatory recruitment practice, this purpose would be adequately
served by keeping the data in an anonymous form – properly anonymous data is
not "personal data" protected by the DPA and can be retained indefinitely.
The code is clear that employers should not retain data relating to
unsuccessful applicants in order to consider them for future vacancies unless
the applicant is aware and has agreed to this.
Information
about successful applicants that is not relevant to their ongoing employment
(such as former salary) should be deleted on appointment.
Records
relating to employees
Retention
required by statute (see above) will clearly be justified under the DPA,
whether during or after employment.
The
employer will also have a genuine business need to keep many types of records
relating to an employee during his or her employment but should nevertheless
check annually to see if records are still needed or could be relevant to a
potential claim. Records which may not be needed throughout the employment or
afterwards include:
–
Out-of-date personal information
–
Information concerning unsubstantiated disciplinary charges
–
‘Spent’ disciplinary warnings
–
Parental leave records once the employee’s entitlement has expired. On
termination, the employer might retain records of an outstanding entitlement
for a short period, so it can confirm the position to the employee’s next
employer if required
–
Maternity leave records (once the statutory requirements have been satisfied)
–
Holiday records are unlikely to be needed more than a year after the expiry of
the year concerned, as the statutory entitlement expires if not taken within
the relevant holiday year. The position is different where there is a
contractual right to additional holiday, which can be carried over for a number
of years
–
Requests for a reference from a mortgage provider or landlord
–
Records of convictions not relevant to the employee’s current duties or which
have become ‘spent’
After
employment has ended, an employer may be justified in retaining other records
to protect against possible claims. Records that could be relevant to contract
or equal pay claims (such as contractual documentation, pay and pension
records, records relating to bonus decisions or dismissals) could probably be
retained for six or seven years after termination.
Other
records relevant to potential discrimination claims (such as appraisals,
disciplinary records or records of promotion decisions) could probably be
retained for one year after termination.
Disposal
of records
Once
the relevant retention period has expired, records must be securely and
effectively destroyed. Sensitive or confidential information should be shredded
on site or by a reputable contractor. Electronic records should be fully
deleted, including any copies backed-up on separate servers or systems, and
measures should be taken to fully delete records from any computer equipment
sold or given away.
Retaining
documents for too long
An
employer in breach of the DPA may be subject to enforcement action by the
Information Commissioner. This could come about as a result of a complaint by
the job applicant or employee, or on the commissioner’s own initiative – she
recently announced a policy to be more proactive in enforcement. It could also
result from a claim for damages by the job applicant or employee. An employer
who continues to act in breach will be committing a criminal offence.
That
said, complaints that information is being retained too long are perhaps not at
the top of the list of usual applicant/ employee gripes – their concern will
more usually be to have access to information that is held.
Furthermore,
the fact that documents have been retained for too long should not prevent an
employer using them in court or tribunal proceedings. As a result, some
employers may well decide to wait and see what line the Information
Commissioner takes in enforcing this aspect of the DPA, not least as a new
commissioner is expected to take over before the end of the year.
Employers
may be willing to gamble that the issue of retention of records is quite low
down on the new commissioner’s list of priorities.
Anna
Henderson is a professional support lawyer at Herbert Smith