Refusal to give reference "due to GDPR "

The original employer was correct. An employer needs a legitimate reason to retain an employees data and for the purpose it was intended, it can't be kept "just in case". The recommended norm we always got from employment solicitors would be 7 years. Employee data is subject to GDPR just like any other data

The HSE will have a records retention policy for staff data but as this was a private hospital, that policy wouldn't apply
 
No, they are not correct. The employer doesn't have to retain personal information in order to give a letter verifying that somebody was working there more than 7 years ago.
 
arbitron said:
How would they confirm that you had worked there if they have none of your personal data on file?
Click to expand...
They should have a record of paying you. Your employee number etc. If Revenue did an audit or there was a legal claim against them for your actions etc they'd need that data. Those are valid reasons for holding it. In fact it would be foolish not to. Your personal data such as holidays, sick notes etc should be disposed of.
 
There are valid reasons for holding it but there are also statutory timeframes around when, for example, a revenue audit can take place or a former staff member can make a claim in certain circumstances. Once those periods have elapsed, the employer has no valid reason to retain and thus should delete.
 
A Revenue audit can go back a lot further than the standard period of 4 years if there are grounds for suspicion of fraud or neglect on the part of the taxpayer. In fact, the timeframe is open-ended. In this context, I'd consider it foolhardy to delete employment records after only 7 years.
 
Me too. I'm only guessing but I see a lot of private hospitals are part of one group. They will likely have one HR/payroll system and used GDPR to justify deleting the records. I really don't think that was the objective of the act.
 
The OP’s initial query would suggest otherwise.
 
Also, if employers take a minimalist approach to retaining employee records, it is those employees who will lose out. A few years ago, my office was contacted by an ex-employee of a long-defunct client company for which we had done work approx 15 years previously. He was retiring and needed confirmation of his service with this company to secure an OAP pension. We were delighted to be able to confirm these details for him based on the historic records we had on file.

If employers persist in purposely deleting this potentially valuable information, it is only a matter of time before some are successfully sued by ex-employees for failing to treat their historic records with due care
 
T McGibney said:
If employers persist in purposely deleting this potentially valuable information, it is only a matter of time before some are successfully sued by ex-employees for failing to treat their historic records with due care
Click to expand...
I cannot agree more.

Over the last 25 years the state has spent hundreds of millions of years trawling through historical archives in the course of various tribunals and commissions of inquiry. In many cases records were over seven years old were essential to reach any kind of meaningful conclusions.

Commissions of inquiry will happen in future for activity that (today) seems perfectly innocent. The biggest scandal will be that records were deliberately destroyed out of deference to a pretty vague legal framework (GDPR).
 
I'm not arguing with any of the sentiments put forward here and there are indeed sound and logical reasons for holding data for a period. The legal advice we were always given was 7 years. However, the harsh and cold reality is that you are potentially breaking the law if you hold onto personal data for no discernable reason indefinatly, just in case something might happen. The only real exceptions to that are where the data is retained for the following reasons
  • Compliance with a legal obligation or for the performance of a task carried out in the public interest.
  • Archiving or statistical purposes in the public interest.
  • The establishment, exercise or defence of legal claims
 
The scenario I mentioned earlier this morning is not at all uncommon (far more common indeed than the territory of "just in case something might happen") and as such the similarly common practice of employers retaining past employment service records for at least as long as they remain in business clearly falls within the ambit of the first and third reasons you have listed.

If your legal advice is to the contrary, you need to interrogate it as it is clearly deficient.
 
becky said:
They will likely have one HR/payroll system and used GDPR to justify deleting the records. I really don't think that was the objective of the act.
Click to expand...

T McGibney said:
If employers persist in purposely deleting this potentially valuable information, it is only a matter of time before some are successfully sued by ex-employees for failing to treat their historic records with due care
Click to expand...

NoRegretsCoyote said:
The biggest scandal will be that records were deliberately destroyed out of deference to a pretty vague legal framework (GDPR).
Click to expand...

I don't think the much-maligned GDPR is the main culprit here: the HSE's 7-year limit for retaining staff data was in place long before GDPR was created never mind enacted. I did a quick search of my own emails and I see a note from 2012, so it's at least a decade. Private hospitals follow many HSE guidelines and processes, including for HR and data protection, so they have probably aligned with this.

That said, I asked a former HSE colleague about this yesterday who told me that in her time they routinely archived payroll and pension data for this very reason, so the OP might strike it lucky.
 
arbitron said:
I don't think the much-maligned GDPR is the main culprit here: the HSE's 7-year limit for retaining staff data was in place long before GDPR was created never mind enacted.
Click to expand...
That's interesting, thank you.

I know of other organisations with this seven-year deletion rule in the context of GDPR compliance.
 
NoRegretsCoyote said:
That's interesting, thank you.

I know of other organisations with this seven-year deletion rule in the context of GDPR compliance.
Click to expand...
A friend of mine tried to get a copy of a document recently - she was told they shred everything after 1 month due to GDPR!!!
 
You must log in or register to reply here.
Menu
Log in
Register