GDPR: Should I delete training records for ex-employees?

Posted 4 years ago

GDPR: Should I delete training records for ex-employees?

I’d like to give you a clear-cut, definitive answer to this question, but really there isn’t one. Certain HR organisations offer recommendations on retention periods, but these are just recommendations, and not set in stone.

The only stipulations set out by the GDPR with regards to retaining personal data are that:

a) You hold on to personal data for no longer than is necessary, and
b) That you are open about your retention policies from the moment you collect data (transparency).

As you can see, this is prescriptive, yet vague. You need to be able to inform your employees exactly how long you’ll be keeping their data, but it’s up to you to decide how long that is – and only as long as that length of time can be considered necessary.

Now, sometimes it’s obvious why data may be necessary to keep hold of for a period of time after an employee leaves – for example, financial information (statutory mandatory pay, data relating to PAYE etc.) should be kept for around 3 years. This is the period in which HMRC may need the data to conduct an audit – any more than three years and you’ll be hard-pressed to justify keeping it.

Training Records

So what about training records? Well, these fall into general employee records, along with performance appraisals, employment contracts etc. Industry recommendations state a retention period of about 6 years after the employee leaves. This period takes into account the 3-month risk period in which an ex-employee might bring a case against your organisation for unfair dismissal. It also considers a reasonable length of time in which other claims, or access requests, might be made.

Imagine if, for example, an organisation provided safety training of some description to an employee who then left for a new company. A few years down the line the employee has an accident and needs to legally prove they’ve been adequately trained. That company’s training records will be needed to help that ex-employee (and potentially themselves) defend against legal action.

Conclusion

At the beginning of this blog, I stated that there was no “clear-cut and easy” answer to this question. Then I threw out the pretty “clear-cut and easy” answer of 6 years. But you must remember, this is just a general recommendation. If the training records you hold are particularly important, legally binding, or far-reaching then you may need to keep hold of them for longer than 6 years. If the training was something relatively trivial, perhaps it isn’t necessary to keep for as long. One thing the GDPR excels at is telling organisations what they need to do, but never how to do it. You’ll need to decide for yourself, and you should be on solid ground as long as you can justify your decision.

Remember you can get free trial access to our GDPR eLearning courses at any time!

GDPR Training Promotional Image