We have completed an audit of the data held by all of the companies in the ESP group (being The Employment Services Partnership Limited, ESP Law Limited, ESP Safeguard Limited and ESPHR Software Services Limited). The Data Protection Act 2018 requires us to have in place a data retention policy that clearly defines how long we will hold our personal data, together with the reasoning behind the decision to hold that data. For ease of reading we have separated the data we hold into 4 sub-categories.

Save for exceptional circumstances, which must be raised with, and approved by, Peter Byrne, all personal data must be retained in accordance with this policy. Often, in respect of certain types of information, we are under a legal obligation to retain the information for a minimum period of time. Where this is the case, the minimum time we have stipulated is the same as the time required under law. Furthermore, there are occasions where it is appropriate for us to retain personal data for longer than the period prescribed in law (for example, where there may be a court case in process or expected where the data will form part of the evidence in the case). In such circumstances, the requirements of the court case will override the policies outlined below.

All personal data is held in accordance with ESP’s Privacy Policy (https://esphr.co.uk/pages/privacy), Data Protection Policy (https://esphr.co.uk/data-protection-policy) and this Data Retention Policy. If you wish to exercise any of your legal rights, or have any questions, comments or requests regarding this policy, please contact us by writing to ESP House, 4 The Links Business Centre, Old Woking Road, Woking, Surrey GU22 8BF, or by emailing us at info@esphr.co.uk.

Where there is a requirement for ESP to retain information for longer periods of time, consideration must be given to whether any personal data within it should be ‘anonymised’ such that the data subject can no longer be identified but the contents and context of the document can still be reviewed and understood. Where, in the table below, the data is identified as being capable of being anonymised, anonymisation should take place as soon as reasonably possible once the need for the personal data has expired.

Employees/Job Applicants

| Type of Data Held | Location of Data | Reason for Data Being Held | Retention Period | Reason for Retention Period | Delete/Anonymise |
| --- | --- | --- | --- | --- | --- |
| Full Name | Ciphr, internal shared drive, Paper file | Contractual Obligations | 6 years after having left employment | Claims can be brought up to 6 years after the end of employment so this information may be needed in the event of a claim being brought. | Delete |
| Date of birth | Ciphr, internal shared drive, Paper file | Contractual Obligations | 6 years after having left employment | | Delete |
| Full address | Ciphr, internal shared drive, Paper file | Contractual Obligations | 6 years after having left employment | | Delete |
| Previous addresses | Ciphr, internal shared drive, Paper file | Contractual Obligations | On leaving | | Delete |
| Telephone numbers | Ciphr, internal shared drive, Paper file | Contractual Obligations | 6 years after having left employment | | Delete |
| Personal email address | Ciphr, internal shared drive, Paper file | Contractual Obligations | 6 years after having left employment | | Delete |
| Gender | Ciphr, internal shared drive, Paper file | Contractual Obligations | 6 years after having left employment | | Delete |
| Marital status and dependants | Ciphr, internal shared drive, Paper file | Contractual Obligations | On leaving | | Delete |
| Next of kin and emergency contact information | Ciphr, internal shared drive, Paper file | Contractual Obligations; Vital Interests | On leaving | | Delete |
| National Insurance Number | Ciphr, internal shared drive, Paper file, Paycheck | Contractual Obligations; Legal Obligations | 7 years after having left employment for S: drive and Paycheck only, otherwise 6 years | Tax reporting purposes | Delete |
| Bank details | Ciphr, internal shared drive, Paper file | Contractual Obligations; Legal Obligations | 6 months after having left employment | | Delete |
| Tax Codes | Paycheck, internal shared drive | Contractual Obligations; Legal Obligations | 7 years after having left employment | Tax reporting purposes | Delete |
| Payroll Information | Paycheck, internal shared drive | Contractual Obligations; Legal Obligations | 7 years after having left employment | Tax reporting purposes | Delete |
| Copy of driving licence | Internal shared drive, Paper file | Contractual Obligations; Legal Obligations | 1 year after having left employment | | Delete |
| Medical information (i.e. information relating to disabilities or medical information that may be needed). | Ciphr, internal shared drive, Paper file | Contractual Obligations; Legal Obligations; Vital Interests; To enable us to ensure your health and safety in the workplace, to assess your fitness for work, to provide reasonable adjustments where necessary and to monitor and manage sickness absence and administer pay and benefits. | Upon leaving employment unless the data needs to be retained for the purposes of reporting or compliance with our legal obligations, in which case it will be retained for 6 years after leaving employment. | These records are classed as sensitive personal data; there is no need for the company to have any information relating to an employee’s medical history after they leave employment unless it needs to be retained in accordance with our legal obligations, including under the Equality Act 2010. | Delete |
| Race, religion, sexual orientation | Ciphr, internal shared drive, Paper file | Contractual Obligations; Legal Obligations; To ensure equal opportunities | 6 years after leaving employment | Claims can be brought up to 6 years after the end of employment so this information may be needed in defence of a claim. | Delete |
| Contract of employment | Internal shared drive, Paper file | To ensure all employee records are accurate and to ensure both the company and its employees are complying with the terms of the contract of employment. | 6 years after leaving employment | Claims can be brought up to 6 years after the end of employment so this information may be needed in defence of a claim. | Delete |
| Disciplinary history | Internal shared drive, Paper file | To ensure employee records are up to date and accurate. | Upon expiry of disciplinary action or 6 years after termination of employment, whichever is sooner. | Many disciplinary notes expire after a set period and should be removed from the record upon expiry. Some, however, will need to be kept on record as evidence in the event of an employment tribunal claim or other litigation, or for regulatory reasons. | Delete |
| Performance Management Information | Internal shared drive, Paper file | Contractual Obligations; Legal Obligations | 1 year after having left employment | | Delete |
| Grievances | Internal shared drive, Paper file | Contractual Obligations; Legal Obligations | 6 years after leaving employment | Claims can be brought up to 6 years after the end of employment so this information may be needed in the event of a claim being brought. | Delete |
| CVs | Paper file | To enable the assessment of candidates for jobs. | 12 months after unsuccessful application | To enable the defence of any claims arising out of a rejected application. | Delete |
| Criminal records | Internal shared drive, Paper file | To ensure that the employee is not prohibited from undertaking the employment and to ensure the Company is not putting employees or third parties at risk. | Upon the expiry of the rehabilitation period or 6 months after termination of employment, whichever is sooner. | Criminal records are highly sensitive information and the retention period balances the requirements of the Company against the rights of the subject and the harm that could be caused by the loss of this data. | Delete |
| Right to work documentation | Internal shared drive, Paper file | Contractual Obligations; Legal Obligations | 2 years after having left employment | | Delete |
| Employment history (training records, working hours, job titles, salary information, details of family-related leave) | Ciphr, internal shared drive, Paper file | Contractual Obligations; Legal Obligations | 1 year after having left employment | | Delete |
| Sickness and holiday records | Ciphr, internal shared drive, Paper file | To ensure employee records are up to date and accurate | 6 years after leaving employment | | Delete |

Suppliers

| Type of Data Held | Location of Data | Reason for Data Being Held | Length of Time Data to be Held | Reason for Length of Time | Delete/Anonymise |
| --- | --- | --- | --- | --- | --- |
| Key contact names | Internal shared drive, paper contracts in locked supplier cabinet, Outlook, office mobile phones | To enable communication with suppliers | 6 months after termination or after specific contact has left the employ of the supplier, whichever is sooner | To enable referencing should the need arise. | Delete |
| Key contact email addresses | Internal shared drive, paper contracts in locked supplier cabinet, Outlook, office mobile phones | To enable communication with suppliers | 6 months after termination or after specific contact has left the employ of the supplier, whichever is sooner | To enable referencing should the need arise. | Delete |
| Supplier contracts and documents | Internal shared drive, paper contracts in locked supplier cabinet | To enable monitoring of supplier performance and communication with suppliers | 6 years after the end of the supplier relationship | Court claims can be brought up to 6 years after the contract has ended and the information may be required as evidence in any such claim. | Anonymise |

Customers

| Type of Data Held | Location of Data | Reason for Data Being Held | Length of Time Data to be Held | Reason for Length of Time | Delete/Anonymise |
| --- | --- | --- | --- | --- | --- |
| Key contact names | Internal shared drive, paper contracts in locked supplier cabinet, Outlook, office mobile phones | To enable communication with client | 6 months after termination or after specific contact has left the employ of the client, whichever is sooner | To enable referencing should the need arise. | Delete |
| Key contact email addresses | Internal shared drive, paper contracts in locked supplier cabinet, Outlook, office mobile phones | To enable communication with client | 6 months after termination or after specific contact has left the employ of the client, whichever is sooner | To enable referencing should the need arise. | Delete |
| Client contracts and documents | Internal shared drive, paper contracts in locked customer cabinet | To enable monitoring of supplier performance and communication with clients | 6 years after the end of the client relationship | Court claims can be brought up to 6 years after the contract has ended and the information may be required as evidence in any such claim. | Anonymise |

Prospects

| Type of Data Held | Location of Data | Reason for Data Being Held | Length of Time Data to be Held | Reason for Length of Time | Delete/Anonymise |
| --- | --- | --- | --- | --- | --- |
| Names | Internal shared drive, CRM, Email marketing system, Outlook, Company mobiles | To enable the company to seek new business | 3 years after last contact | After 3 years with no contact it is unlikely the prospect will convert and the data should no longer be retained. | Delete |
| Email addresses | Internal shared drive, CRM, Email marketing system, Outlook, company mobiles | To enable the company to seek new business | 3 years after last contact | After 3 years with no contact it is unlikely the prospect will convert and the data should no longer be retained. | Delete |
| Documentation | Internal shared drive, Outlook | To enable the company to seek new business | 3 years after last contact | After 3 years with no contact it is unlikely the prospect will convert and the data should no longer be retained. | Delete |

 

Date Policy Last Updated: 10th May 2018