Getting to grips with GDPR data retention rules

14 Dec 2017

A major topic of discussion among payroll professionals these days is the European Parliament-approved General Data Protection Regulations (GDPR). After four years of preparation and debate, the legislation was finally approved on 14 April 2016 and is due to come into force on 25 May 2018.

The Regulations, which will replace the former Data Protection Directive 95/46/EC, are designed to “harmonise data privacy laws across Europe”, and organisations that fail to comply could face heavy fines.

In an HR and payroll context, employers act as “controllers”, while bureau, cloud or outsourced service providers are known as “processors”. Controllers dictate how and why personal data is processed, while processors act on the controller’s behalf.

For processors, GDPR imposes legal obligations on how to maintain records about personal data and processing activities. They are now subject to significantly more legal liabilities and are also responsible for breaches.

For controllers, the legislation imposes more obligations than before to ensure that contracts with processors comply with GDPR. This applies to processing carried out not only by organisations operating within the European Union (EU), but also by those based outside the EU that offer services to individuals within the region. These measures will still apply to the UK when it leaves the European Union in 2019.

For employers that keep HR records and process payroll, such data falls within the scope of GDPR. It applies to both automated personal data and to manual filing systems. Personal data that has been pseudonymised – e.g. key-coded – may also fall within the scope of GDPR, depending on how difficult or easy it is to attribute the pseudonym to a particular individual.

The importance of lawful basis

GDPR does not apply to all activities. Examples of those that are not covered include any data processing undertaken for national security purposes that is covered by the Law Enforcement Directive. The legislation also does not apply to data processing carried out by individuals purely for personal/household reasons.

But HR and payroll are key areas that must be covered in any GDPR assessment. For example, it may be necessary to put new procedures in place to deal with the legislation’s provisions around transparency and individuals’ rights.

GDPR places greater emphasis on the documentation that data controllers need to keep in order to demonstrate their accountability. As a result, it may be necessary to review contracts and other arrangements when sharing data with third party organisations that are assisting in processing your HR and payroll records.

A lot of payroll activities relate to legal compliance issues and involve dealing with national tax collectors, social or national insurance agencies and the courts. Personal records that are used in this way will not necessarily have to be deleted under the “right to be forgotten” clause if the information is required for legal record-keeping purposes. The same applies to requests for changes.

This means it is important to identify the “lawful basis” for each processing activity, to document it, and to update privacy notices to explain your rationale.

HR and payroll functions will need to explain the lawful basis for processing personal data in any privacy notice and when answering a subject access request.

How GDPR applies in the UK

Retaining personal data has a lawful basis if such activity is required to comply with legal obligations or to exercise or defend legal claims. In an HR and payroll context, employers must hold and retain personal information about their employees and former employees in order to meet their legal requirements.

For example, in the UK, Her Majesty’s Revenue & Customs (HMRC) requires employers to record and retain certain personal information from a current and historical perspective. These legal requirements supersede an individual’s request to delete that information or change where it is being processed and kept.

HMRC also mandates that employers both record and report certain aspects of personal information such as name, address, date of birth, gender and national insurance number. This information must be reported to HMRC using its Real Time Information system under Pay-As-You-Earn (PAYE) Regulation 67B or 67D and must contain the information specified in Schedule A1 of the PAYE Regulations.

Individuals cannot prevent their employers from providing HMRC with this data. HMRC will also subsequently inform the Department for Work & Pensions of their employment-related earnings and personal information too.

UK immigration law likewise often requires that “Right to Work” identification documents be retained for potential inspection in relation to all new employees for a minimum of two years after their employment has been terminated. Such documentation should also be kept to demonstrate that you have not employed illegal workers and, as such, comes under the “lawful basis” category.

Rules on retaining records

Working Time directives and Minimum Wage law require that employers retain records on the amount of time employees have worked and what they have been paid in order to ensure an appropriate audit can take place. As a result, this situation would also be classified as having a lawful basis. Other UK examples of lawful basis include:

• Wages/salary, overtime, bonus and expenses records: They must be kept for six years under the Taxes Management Act 1970;
• Income tax and national insurance records: These need to be retained for no less than three years following the end of the financial year under The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended;
• National minimum/living wage records: They should be kept for three years after the end of the pay reference period under the National Minimum Wage Act 1998;
• Working Time records: These must be retained for two years under The Working Time Regulations 1998 (SI 1998/1833).

In some instances the law provides no definitive retention period. It is then up to individual employers to take a view on the situation, but they do need to justify the basis on which they retain data and for how long. One way of approaching the matter is to link chosen time limits with the time limits for claims allowed under GDPR.

A common general position is that personal information and records in the UK should be retained for six years or more, as it is within this timeframe that legal proceedings must commence under the Limitation Act 1980. Similar requirements also exist throughout the rest of the EU.

So, in summary, it is important not to delete data or change policies in response to new GDPR processes in a way that would breach “lawful basis” requirements. Failing to retain records required by law could lead to you getting into trouble with both national tax collection agencies and immigration departments.

Simon Parsons has contributed greatly to SD Worx’s payroll expertise since 1984. Besides being influential in the development of the company’s payroll services, he is also involved in a number of HMRC and government consultative groups and committees.

A fellow of the Chartered Institute of Payroll Professionals and one of the original Masters of Science in Payroll Management, Simon is a regular author and speaker on payroll matters. He is also chair of both IReeN, the electronic exchange with government user network, and the BCS’ (the Chartered Institute for IT) Payroll Group.
