This is the next in our series of posts on questions raised at our recent GDPR webinar. If you have any views or further queries in these areas, please do get in touch.
What impact will the GDPR have on Model Clauses?
Model Clauses are standard contractual terms adopted by the European Commission for the transfer of personal data outside the European Economic Area. They are one of several approved ways of ensuring adequate safeguards for personal data transferred outside the EU. Those clauses will continue to be valid under the GDPR.
In a departure from the current position, however, they will no longer require authorisation from the relevant data protection authority. In future, the European Commission may also update or replace the existing Model Clauses as it sees fit from time to time. Notwithstanding the UK Government's wittering about “taking back control”, it is highly likely that post-Brexit the UK will still slavishly follow the current and future versions of the Model Clauses so as not to create any perception that our protections for employee data are weaker than those in the rest of Europe.
In addition, it will remain the case that merely having those clauses in your contracts with overseas (non-EU) processors – cloud suppliers, group companies, payroll providers, etc. – will not be enough. You should also be seen to take reasonable steps to monitor that third party's compliance with those clauses and, if necessary, to enforce them by commercial and/or legal threat.
Are there any rules under the GDPR as to how long you can keep an employee’s personal data after he has left the business?
The GDPR will not prevent employers from collecting, maintaining and using records about employees. As with the current Data Protection Act, it aims to strike a balance between an employer’s need to keep records and an employee’s right to respect for his or her private life.
The GDPR does not set out any fixed timescales for retaining employment records. It remains to be seen whether the Information Commissioner’s Office will provide further domestic UK guidance on the retention of those records when the GDPR comes into force, but it is unlikely to differ in practical terms from the advice already contained in the Employment Practices Code. This recommends that employers establish and adhere to standard retention times for the various categories of information to be held on workers and former workers. These should be “based on business need”, taking into account relevant professional guidelines. In practical terms, this means that employers should ideally only retain staff personal data for as long as is necessary (a) for the purposes for which it was collected in the first place; (b) as is required by law; or (c) in order to establish, exercise or (most importantly) defend legal claims.
For example, under UK tax law employers are required to keep payroll and wage records for a minimum of six years. However, an equal pay claim would consider not just who got paid what over the last six years, but also why. Therefore, it will be sensible for the employer to retain not just six years’ payroll and wage records but also evidence of any factors which led to salary or bonus decisions in relation to its employees over the same period. Logically, this must include in particular the negative factors in that assessment, such as appraisals, PIPs, disciplinary matters, time keeping and attendance records, etc. Similarly, while market pay information is not about individuals and so falls outside the GDPR, any analysis of how a particular employee is paid relative to market may well be relevant to the legitimacy of his/her salary level compared to someone else if challenged at a later stage. Therefore it can and should be retained.
Equal pay claims are almost unique in terms of how far back they can go. Most employee claims must be brought or referred to ACAS within three months of the termination, so even allowing for possible extensions of time in cases where it was not practicable to bring claims earlier, there will rarely be a need to keep much else for more than, say, nine or twelve months post-departure. However, do make sure that you retain the records relating to benefits which may vest after the employee leaves, such as pension contribution records or any deferred equity or bonus schemes. It is also worth retaining health and safety records against the possibility that the employee makes a claim many years after leaving in relation to some latent industrial injury, where your treatment of him at the time may come under challenge.
As a general rule, we would recommend over- rather than under-retaining employee records if there is a half-way decent reason for doing so. If there is no challenge by the employee, then no complaint arises. If there is a challenge and you are unable to persuade the ICO of the necessity to retain the piece of data in question, then (provided you have otherwise handled it appropriately in the meantime) you will simply be able to delete it at that stage without material risk of sanction.