The legal obligations of processing data under GDPR: Part 2
Retention of personal data has a ‘lawful basis’ where it is necessary for compliance with a legal obligation or for the exercise or defence of legal claims. For Payroll and HR reasons, employers must hold and retain personal information about their employees and former employees to meet these legal requirements.
In the United Kingdom, HM Revenue & Customs (HMRC) requires employers to record and retain certain current and historic personal information, and these legal requirements supersede an individual’s request for deletion or change where that information is being processed and kept for those legal reasons.
HMRC law requires employers to both record and report aspects of personal information such as name, address, date of birth, gender and national insurance number, and to report to HMRC using Real Time Information (RTI) under PAYE Regulation 67B or 67D. The report must contain the information specified in Schedule A1 of the PAYE Regulations.
An individual cannot prevent their employer from informing HMRC, who then inform the Department for Work & Pensions, of their employment-related earnings and personal information.
Equally, immigration law often requires 'Right to Work' identification documents for all new employees to be retained for potential inspection, excuse and/or defence in relation to showing that an illegal worker has not been employed by them. Such retention would be a 'lawful basis', and in the UK the documents must be kept for a minimum of 2 years after the employees have finished employment with you.
Examples of ‘lawful basis’ within the UK
The Working Time Directive and Minimum Wage law would require employers to keep records of time and payments to employees to enable appropriate audit to take place. This would also be a 'lawful basis'. The following are a few examples of 'lawful basis' within the UK:
- Wages / salary record (also overtime, bonuses and expenses): 6 years: Taxes Management Act 1970
- Income tax and NI records: Not less than 3 years after the end of the financial year: The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended.
- National Minimum/Living Wage: 3 years after the end of the pay reference period: National Minimum Wage Act 1998
- Working time record: 2 years: The Working Time Regulations 1998 (SI 1998/1833)
Sometimes the law provides no definitive retention period for some records, and it is therefore up to the employer to decide appropriately and justify their basis of retention. These judgement time limits may be associated with claims limits allowed within GDPR. A common general position in the UK is retention of personal information and records for 6 years plus current, based on the Limitation Act 1980, where legal proceedings would have to have commenced.
Similar requirements will exist throughout the European Union. Don't, as a result of new GDPR processes, implement data deletion or change policies that would breach the 'lawful basis' requirements. You could find yourselves in trouble with national tax collectors and immigration departments if you don't retain records required by law.