By law, employers in Ireland must keep certain records on file relating to their employees for specific minimum periods. These records must be kept at the place of employment. The Workplace Relations Commission, Office of the Revenue Commissioners, and other bodies may request these records during an inspection. In addition, it is recommended that the employer keep certain documentation for support in the event of a dispute.
Various minimum retention periods flow from numerous separate statutes, and lack any obvious consistency or underpinning logic. While the most important of the current retention periods are set out below, these retention periods are not exhaustive and are subject to change. We would strongly advise that employers seek out specific and specialist legal advice to confirm how the various periods may apply to their given situation.
Where employee records are not required to be held by law or to defend future proceedings, employers may retain the relevant data for so long as is necessary for the purpose or purposes for which they were collected or legitimately further processed. This needs to be ascertained on the facts of each specific case; there are no concrete periods of time on which data controllers can rely to comply with this requirement. The Data Protection Commissioner’s (‘DPC’) approach to this issue is best seen in his published Audit Report into the activities of Facebook Ireland Limited. On page 74 of this report, the DPC noted that “all periods chosen for the retention of personal data must be fully evidence based, and the period chosen cannot seek to cover all possible eventualities where personal data may be useful to the company.”
Employer registration number from the Office of the Revenue Commissioners
The client will receive this when registering with Revenue. If the client has multiple employer registration numbers, then they should keep a record of all of them.
List of all employees with their basic details
The client must have a list of all employees that includes each employee’s full name, address, PPS number, and job classification. This list must include all current employees as well as all former employees who commenced work within the past 3 years.
Dates of commencement and termination of employment
The client must keep date of commencement and, if applicable, date of termination of each current employee and each former employee who commenced work within the past 3 years.
Written terms of employment
The client must keep the terms and conditions of employment for each employee during the employee’s entire duration of employment and, then, should be retained for 7 years after termination. This must be created within the first two months of employment and include the following:
- Full names of the employer and the employee
- Address of the employer
- Place of work, or where there is no main place of work, a statement indicating that an employee is required or permitted to work at various places
- Job title or nature of the work
- Date of commencement of employment
- Expected duration of employment (if the contract is temporary)
- Expected date on which the contract expires (if the contract is fixed-term)
- Rate of pay or method of calculating pay
- Right to a written statement of the average hourly rate of pay for any reference period upon request
- Whether pay is weekly, monthly, or otherwise
- Terms or conditions relating to hours of work, including overtime
- Terms or conditions relating to paid leave (other than paid sick leave)
- Terms or conditions relating to incapacity for work due to sickness or injury
- Terms or conditions relating to pensions and pension schemes
- Periods of notice or method for determining periods of notice
- Reference to any collective agreements which affect the terms of employment
- Whether board and/or lodgings are provided and relevant details
- Holiday and Public Holiday entitlements received by each employee
- Any documentation necessary to demonstrate compliance with employment rights legislation
Additional records may be required to be held depending on the sector/business involved.
(Note – An Inspector from the Workplace Relations Commission (WRC) has the power to seek full access to these records in the course of an inspection.) National Employment Rights Authority
Record of parental, carers, or force majeure leave taken by employees
If you have a family crisis the Parental Leave Acts 1998 and 2006 give an employee a limited right to leave from work. This is known as force majeure leave. It arises where, for urgent family reasons, the immediate presence of the employee is indispensable owing to an injury or illness of a close family member.
The maximum amount of leave is 3 days in any 12-month period or 5 days in a 36-month period. You are entitled to be paid while you are on force majeure leave
The Carer’s Leave Act 2001 allows employees to leave their employment temporarily to provide full-time care for someone in need of full-time care and attention. You are entitled to take carer’s leave of at least 13 weeks up to a maximum of 104 weeks. If you ask to take less than 13 weeks’ carer’s leave, your employer may refuse your request – see ‘Taking carer’s leave’ below.
Carer’s leave from employment is unpaid but the Carer’s Leave Act ensures that people who want to take carer’s leave will have their jobs kept open for them while they are on carer’s leave. You may be eligible for Carer’s Benefit if you have enough PRSI contributions. If you do not qualify for Carer’s Benefit you may qualify for Carer’s Allowance which is a means-tested payment. You can take carer’s leave even if you do not qualify for these payments.
The Parental Leave Act 1998, as amended by the Parental Leave (Amendment) Act 2006, allows parents to take parental leave from employment in respect of certain children. A person acting in loco parentis with respect to an eligible child is also eligible.
Extension of parental leave to 18 weeks
On 8 March 2013 the European Union (Parental Leave) Regulations 2013 increased the amount of parental leave available to each parent per child from 14 weeks to 18 weeks. (Those who have taken or are taking 14 weeks’ parental leave are also entitled to this extra 4 weeks.) The Regulations extended the age limit for a child with a long-term illness to 16 years. They also provide that a parent returning from parental leave may request a change in working hour.
The client must keep a record of the dates and times of any parental, carers, or force majeure leave taken by employees. This information must be kept 8 years from the date of the leave. In addition, the required notices associated with each type of leave must be retained for 3 years.
Hours of work, annual leave, and public holidays taken by each employee
The client must keep a detailed record of the hours of work for each employee. These must include start and finish times and rest periods; records on rest periods do not need to be kept if there is evidence of employees being fully informed about rest break entitlement and procedures. If the client does not have an electronic system in place, paper forms (OWT1 Form) with a detailed breakdown of hours should be kept on file. In addition, records of annual leave and public holidays and associated payment should be kept. All of these records should be retained for 3 years.
Payroll details for each employee and evidence of payslips
The client must keep records of payroll and benefit details for employees, including gross to net, rate per hour, overtime, deductions, commissions, bonuses, service charges, board and lodgings, etc. This information must be retained for 6 years. In addition, the client must keep copies of all payslips for 3 years.
Register of any employees under 18 years of age
The client must keep a record of employees under 18 years of age. This information must be kept for 3 years from the date of creation.
The client must keep records of employment permits for non-EEA nationals or, if applicable, evidence that a permit is not required for non-EEA nationals. This must be retained for the duration of employment and, then, 5 years after termination of employment.
Records of accidents
Records containing full details of all accidents or dangerous occurrences must be kept for a minimum of 10 years (and in many cases it may be necessary to keep such records for a longer period particularly if the issue relates to a child under 18 years old or a student of any age with special educational needs). Relevant workplace incidents must be notified to the Health and Safety Authority at the time of the incident.
The legal requirement to notify the Health & Safety Authority of deaths, accidents and dangerous occurrences relates to employees, self-employed people and others e.g. pupils and members of the public.
Records of personal injury claims
The Personal Injuries Assessment Board (PIAB), is an independent statutory body set up under the Personal Injuries Assessment Board Act 2003. All personal injury claims in Ireland (except for cases involving medical negligence) must be submitted to PIAB.
PIAB provides an independent assessment of personal injury claims for compensation following road traffic, workplace or public liability accidents. Where the person you hold responsible (the respondent) does not consent to PIAB assessing your claim for compensation, PIAB will allow you to pursue your claim through the courts.
Claims through PIAB are assessed on average within 7 months of the respondent consenting. Personal injury claims through litigation (that is, the courts) can take up to 36 months (3 years).
The client should keep records of any personal injury claims by employees for 3 years after the date of the incident.
Records of collective redundancies
The Protection of Employment Act, 1977 Act (as amended)1 makes it mandatory on
employers proposing a collective redundancy: (a) to engage in an information and
consultation process with employees’ representatives and (b) to notify the Minister for
Enterprise, Trade and Employment of the proposed collective redundancy.
The client must keep records relating to any collective redundancies for 3 years from the date of creation.
Unsolicited Application forms/CVs should be retained for 1 year. All documentation relating to an advertised position and the decision making process should be retained for 2 years.
Records of tax payment
The client must keep all tax payment information for 6 years from the end of the tax year.
You must obtain written permission from the relevant Revenue office to be permitted retention of documents for a shorter period.
If you issue invoices in paper form, they must be retained in paper form.
Paper records must be stored within the State. Exceptions to this require Revenue agreement and are subject to conditions.
Electronic records must be recorded and stored in accordance with the electronic invoicing rules.
Section 285 of the Companies Act 2014 requires that companies retain and maintain accounting records for a period of at least 6 years after the end of the financial year containing the latest date to which the record, information or return relates.
Employers are obliged to arrange that a written statement of wages be given to every employee with every payment of wages. If wages are paid by credit transfer, the statement of wages should be given to the employee as soon as possible after the credit transfer has taken place. In every other case, the statement of wages must accompany the wage payment. It can be provided either in electronic format or in hard copy. The Payment of Wages Act places an obligation on the employer to treat the information contained in a pay statement with confidentiality.
Every statement of wages must show the gross amount of the wages payable to the employee before taxes and itemize the nature and amount of each deduction. Typically, an Irish payslip includes the following:
- Employer name
- Employee name
- Pay period dates
- Date of actual payment
- Pay frequency (monthly, weekly, fortnightly, four-weekly, or bi-monthly)
- Employee’s PPS number
- Employee’s employee number (assigned by the employer, if applicable)
- Department of employee
- Itemized and gross payment details (salary, wages, benefits-in-kind, bonuses, etc.)
- Itemized and total deduction details (PAYE, PRSI, USC, pension, etc.)
- Payment method (directly to bank or by check)
- Cumulative details (year-to-date earnings, deductions, credits, etc)
- Tax status and PRSI contribution details
- Employer contribution details (PRSI, pension, benefits-in-kind, etc.)
Payslips and related above mentioned records for employee wages. are required to be kept for a minimum of 3 years.
In Summary employee records are required to be kept for the following period.
New GDPR Regulations enacted in 2018
The General Data Protection Regulation (GDPR) came into force across the EU on 25 May 2018. This regulation significantly increases employers’ obligations and responsibilities in relation to how they collect, use and protect personal data.
Employees must understand their responsibilities under data protection law and employers need to have adequate data protection policies and procedures in place. It is important that organisations tell their employees about GDPR and provide training on the new regulation.
This document gives an overview of some of the main obligations for employers and outlines the rights of employees.
Key GDPR terms include:
Personal data: data that relates to or can identify a living person, either by itself or together with other available information. Examples include a person’s name, phone number, bank details and medical history.
Data subject: the person to whom the personal data relates. Casual workers, agency workers and other independent contractors have the same rights as any other data subject under GDPR.
Sensitive data (special category data): data relating to a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual orientation and genetic or biometric data. Generally, sensitive data cannot be processed without the data subject’s explicit consent, but employers can process sensitive data where necessary to carry out an employment contract or to fulfil collective agreement obligations.
Data controllers and data processors: organisations that collect or use personal data.
Processing any operation or set of operations which is performed on personal data, for example, collecting, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, restriction, erasure or destruction.
Employees’ rights: Employees have a number of rights under GDPR, including the right to:
Information about the collection and processing of their personal data
Access the personal data and supplementary information held about them by the data controller
Have their personal data rectified by the data controller if the personal data they have is inaccurate or incomplete
Have their personal data erased by the data controller
Restrict a data controller from processing their data if they consider it is unlawful or the data is inaccurate
Object to their personal data being processed for direct marketing, scientific or historical research
Data portability – this allows them to get data from their employer and reuse it.
As an employer, you must be transparent about how you are using and safeguarding your employees’ personal data, inside, and outside the organisation. You must be accountable for your data processing activities and be able to show how you meet data protection principles.
You should make an inventory of all the personal data that you hold. You should then check it under the following headings, and ensure that you have the required consent and legal basis to process the data:
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share it with third parties and on what basis might you do so?
Legal basis (legitimate reason) for processing personal data
Your organisation needs a legal basis (a legitimate reason) to process an employee’s personal data. Legitimate reasons include:
- The employee has given their consent to the processing
- Processing is necessary to fulfil parts of an employee’s contract
- Processing is necessary in order to take steps at the request of the employee before entering into a contract. (For example, on matters of pay in an employment context)
- Complying with a legal obligation (For example, a statutory requirement to keep employee records)
- Processing is necessary to comply with the employee’s vital interests. (For example, where an individual’s medical history is disclosed to the hospital treating them after a serious road accident)
- For the purposes of the legitimate interests of the organisation.
Consent is a legitimate reason for processing employee data and you should get consent, if none of the other legal grounds above apply. You need to be aware of your obligations when requesting consent from employees. The GDPR states that consent must be ‘freely given, specific, informed and unambiguous’. This means that the data subject must be aware that they are consenting to have their data processed and should not be forced into giving consent.
Before an employee gives consent to have their data processed, the employer must show that they told employees why their personal data is being collected, and how it will be used and handled. Silence, pre-ticked boxes or inactivity cannot be taken as consent. A data subject can withdraw consent at any time, and it must be as easy to withdraw consent as it is to give it.
GDPR training and communication with employees and prospective employees
As an employer, you must inform employees about:
- What personal data you will be collecting (or if it will be collected by a third party)
- How the data will be processed
- Why the data will be processed
- You could have a Data Protection Notice displayed in your office to meet this obligation.
- You should also have a data protection policy in place and provide training to employees on GDPR.
GDPR requires that certain information must be supplied to job candidates, before their personal data is collected and processed. This information must be clear and accessible and may be a privacy notice on the website and a letter to the candidate. Employee training on data protection policies takes place once the candidate is an employee.
Data Subject Access Requests (DSARs)
Employers must have procedures in place to respond to personal data access requests from employees within 1 month. This can be extended by a further 2 months if requests are complex or numerous.
Data must be protected by ‘appropriate technical and organisational measures’. Data must be kept secure, for example, by using anonymisation, encryption, anti-virus security measures, or by backing up data. Employers must test these security measures and be able to show that they have complied with GDPR security obligations.
Record-keeping and the right to correct
Organisations should only keep data for as long as it takes to complete the task it was collected for, or as required by law. Employers should have a retention policy in place and be able to justify why data was retained.
Employees have the right to know what data an employer has on file about them and they also have the right to correct this data. What happens to employee data when a contract of employment is terminated should be documented in the HR policies.
Sharing and transferring personal data
Organisations using third parties, such as recruitment agencies or payroll providers to process employee data will be responsible for ensuring the third party is GDPR compliant and they must have appropriate agreements in place. You must also comply with GDPR obligations about transferring data outside of the EU.
Data protection officer
Under GDPR some organisations must appoint a Data Protection Officer, for example, public authorities and bodies, government departments, organisations involved in large-scale data processing, and organisations that process sensitive or special category data.
You must report data breaches to the Data Protection Commission (DPC) within 72 hours of becoming aware of a breach. If you do not notify the DPC within 72 hours, you must provide a justification for the delay. Breaches that may harm a data subject, for example, identity theft, must also be reported to the person concerned.
It is important that you comply with the legislation and put adequate policies and procedures in place. Your organisation can be inspected and could face significant penalties if your practices are in breach of GDPR.
How to apply
If you have a complaint about how your personal data has been proccessed, you should contact the DPC. The website is dataprotection.ie.
Where to apply
Data Protection Commission
Tel:+353 57 868 4800
Fax:+353 57 868 4757
Email: [email protected]