Legislative Framework for Record Retention Requirements
As most HR professionals know, document retention for employee-related records—such as personnel files, payroll information, benefits records, and background checks—is a particularly complicated process, required by law, with variations from country to country. Complicating the process further, each document in each country has its own individual retention requirements, and the financial penalties for noncompliance can be significant. A carefully designed and implemented HR record retention policy is a necessary step to support an employer’s robust compliance program.
While disposing of too many records can increase a company's legal exposure, disposing of too few records may also increase legal exposure as well as the cost of storage. Employers must identify which records should be retained, how long records should be retained and the different formats in which records may be stored. Employers must also determine how to ensure internal HR record retention policies comply with all applicable regulations and local laws.
General Recordkeeping Requirements
Keeping HR records through a robust document retention policy may be useful to employers for various reasons, including (a) maintaining the corporate memory of the company; (b) satisfying legal or regulatory requirements; (c) preserving documents with an enduring business value to the company; and (d) protecting the company against the risks of litigation and the need to preserve evidence and comply with disclosure obligations as necessary.
However, a balance must often be struck between keeping documents for a sufficiently long period of time, so as to meet an employer’s legitimate business objectives, and not keeping those documents unnecessarily, which could give rise to a breach of data protection laws or otherwise create unnecessary risk.
Under the UK’s Data Protection Act 2018, if an employer processes special categories of personal data (such as a criminal background check), the employer is required to have an ‘appropriate policy document’ in place which outlines and explains the procedures for securing compliance with the principles in the UK GDPR, as well as a document that outlines the company’s data retention policies.
Most countries have minimum and maximum retention periods for certain HR records. Even if there is no statutory minimum retention period for a certain category of records in a particular country, it is often recommended to retain records until the expiration of the relevant time limits for bringing legal actions or regulatory investigations (statutes of limitations).
In addition to minimum retention periods, some countries also have maximum retention periods. A record’s survival must often be limited so as to safeguard the privacy of persons whose personal data is contained in that record. In particular, records must be kept for no longer than is necessary for achieving the purposes for which the records were collected or subsequently used. After the maximum retention periods have expired, the documents should be either permanently deleted or anonymized (i.e., all references to data subjects should be redacted so that it is no longer possible to identify those persons).
Format of Records
Multiple laws, decisions, and even everyday practices apply when assessing the retention period of a document. While it is generally permissible to retain only electronic copies of records, and these records are admissible in civil proceedings, it is recommended that English employers maintain archived copies of non-natively electronic (i.e., physical) employee-related records in the event a judge or authority specifically requests them.