Data Retention Policy
1. Introduction
WagePerks Ltd ("the Company") processes personal data as part of its operations in providing an employee management portal with employee benefits, 24/7 GP access, an Employee Assistance Programme ("EAP"), HR management tools, and shift scheduling services. This Data Retention Policy sets out the periods for which different categories of personal data are retained and the procedures for secure deletion when retention is no longer necessary or lawful.
The Company is committed to retaining personal data only for as long as necessary for the purposes for which it was collected, in compliance with data protection law.
2. Legal Framework
This policy is designed to ensure compliance with:
- The UK General Data Protection Regulation (UK GDPR) -- which requires that personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (Article 5(1)(e), the "storage limitation" principle).
- The Data Protection Act 2018 ("DPA 2018") -- which supplements the UK GDPR and makes provision for the processing of personal data in the United Kingdom.
- The Privacy and Electronic Communications Regulations 2003 (PECR) -- which govern the use of electronic communications for direct marketing and the use of cookies and similar technologies.
The Company also takes into account the requirements of other legislation that may impose minimum retention periods, including but not limited to:
- The Limitation Act 1980 (for claims in contract and tort).
- The Income Tax (Pay As You Earn) Regulations 2003.
- The Taxes Management Act 1970.
- The Companies Act 2006.
- The Employment Rights Act 1996.
- The Working Time Regulations 1998.
- The National Minimum Wage Act 1998.
- The Equality Act 2010.
3. Scope
This policy applies to all personal data processed by WagePerks Ltd, in any format, including data held:
- Within the WagePerks platform and databases.
- In electronic files and documents, including emails.
- In physical records, where these exist.
- By third-party processors acting on behalf of the Company.
It applies to the personal data of all data subjects, including employees of the Company, employees of employer clients who use the WagePerks platform, employer clients and their representatives, suppliers and their personnel, and any other individuals whose data the Company processes.
4. Principles
The Company applies the following principles to data retention:
- Necessity -- personal data is retained only for as long as it is needed for the purpose for which it was collected, or for an alternative compatible purpose.
- Legal compliance -- where legislation or regulation requires data to be retained for a minimum period, the Company will comply with those requirements.
- Minimisation -- data that is no longer required is deleted or anonymised promptly.
- Security -- retained data is stored securely and access is restricted to authorised Personnel on a need-to-know basis.
- Consistency -- retention periods are applied consistently across the organisation.
- Accountability -- the Company documents and can demonstrate its retention practices.
5. Data Categories and Retention Periods
5.1 Employee Data (WagePerks Staff)
| Data Category | Examples | Retention Period | Legal Basis / Justification |
|---|---|---|---|
| Recruitment records (unsuccessful candidates) | Applications, CVs, interview notes | 6 months from date of decision | Legitimate interest; defence of potential discrimination claims under the Equality Act 2010 |
| Employment contracts and terms | Contracts, amendments, offer letters | 6 years from end of employment | Limitation Act 1980 (contractual claims) |
| Payroll and tax records | Pay slips, P45, P60, P11D | 6 years from end of the tax year to which they relate | Income Tax (PAYE) Regulations 2003; Taxes Management Act 1970 |
| National Minimum Wage records | Pay calculations, hours records | 6 years from end of the pay reference period | National Minimum Wage Act 1998 |
| Working time records | Hours worked, rest breaks, annual leave | 2 years from date of creation | Working Time Regulations 1998 |
| Disciplinary and grievance records | Investigation notes, outcomes, warnings | Duration of employment plus 6 years | Limitation Act 1980; Employment Rights Act 1996 |
| Training records | Courses completed, certifications | Duration of employment plus 6 years | Legitimate interest; regulatory compliance |
| Health and safety records | Accident reports, risk assessments | 3 years from date of incident (40 years for incidents involving hazardous substances) | Limitation Act 1980; RIDDOR 2013 |
| Pension and benefits records | Enrolment records, contributions | 6 years from end of employment | Pensions Act 2008; Limitation Act 1980 |
| Right to work checks | Passport copies, visa documents | Duration of employment plus 2 years | Immigration, Asylum and Nationality Act 2006 |
5.2 Employer Client Data
| Data Category | Examples | Retention Period | Legal Basis / Justification |
|---|---|---|---|
| Client contracts and commercial terms | Service agreements, order forms, SLAs | 6 years from end of the contractual relationship | Limitation Act 1980 |
| Client account information | Company name, registered address, contact details | Duration of client relationship plus 6 years | Limitation Act 1980; contractual necessity |
| Billing and payment records | Invoices, payment records, bank details | 6 years from end of the financial year to which they relate | Taxes Management Act 1970; Companies Act 2006 |
| Correspondence and communications | Emails, letters, support tickets | Duration of client relationship plus 2 years (or 6 years where relating to contractual disputes) | Legitimate interest; Limitation Act 1980 |
| Due diligence records (AML/KYC) | Identity verification, beneficial ownership | 5 years from end of business relationship | Money Laundering Regulations 2017 |
5.3 Platform User Data (Employees of Client Employers)
| Data Category | Examples | Retention Period | Legal Basis / Justification |
|---|---|---|---|
| User account and profile data | Name, email, employee ID, job role | Duration of active account plus 12 months after employer client's contract ends, then deleted or anonymised | Contractual necessity; legitimate interest |
| Benefits usage data | Discount redemptions, voucher usage | Duration of active account plus 12 months after employer client's contract ends | Contractual necessity |
| Shift and attendance data | Shift schedules, clock-in/clock-out records, GPS location data | Duration of active account plus 12 months after employer client's contract ends (employer may request earlier deletion) | Contractual necessity; legitimate interest |
| HR document records | Documents uploaded by employer, acknowledgements | Duration of active account plus 12 months after employer client's contract ends | Contractual necessity |
5.4 Health Data
Health data is treated as special category data under Article 9 of the UK GDPR and is subject to heightened protection and strict access controls.
| Data Category | Examples | Retention Period | Legal Basis / Justification |
|---|---|---|---|
| 24/7 GP consultation records | Consultation notes, prescriptions, referrals | Retained by the GP service provider in accordance with NHS records management standards (typically 10 years for adults from last consultation) | Explicit consent; provision of healthcare; legal obligation |
| EAP usage data | Session records, case notes | Retained by the EAP provider in accordance with professional standards (typically 6 years for adults) | Explicit consent; provision of health services |
| EAP aggregate/anonymised data | Usage statistics, service utilisation reports (no identifying information) | Duration of client relationship plus 2 years | Legitimate interest (service improvement); data is anonymised |
| Sickness absence records (where held) | Self-certification, fit notes | Duration of employment relationship plus 6 years | Legitimate interest; Limitation Act 1980 |
Important: WagePerks Ltd does not routinely hold detailed health records. GP consultation records and EAP case notes are held by the respective service providers under their own data protection arrangements. The Company processes only the minimum data necessary to facilitate access to these services.
5.5 Financial Data
| Data Category | Examples | Retention Period | Legal Basis / Justification |
|---|---|---|---|
| Transaction records | Payment processing records, subscription payments | 6 years from date of transaction | Limitation Act 1980; Taxes Management Act 1970 |
| Bank account details | Client payment details, supplier bank details | Duration of active relationship plus 6 months (then securely deleted) | Contractual necessity |
| Financial accounts and records | Annual accounts, management accounts, VAT records | 6 years from end of relevant financial year | Companies Act 2006; Taxes Management Act 1970; VAT Act 1994 |
| Audit records | Internal and external audit reports | 6 years from date of report | Legitimate interest; regulatory compliance |
5.6 Technical and Operational Data
| Data Category | Examples | Retention Period | Legal Basis / Justification |
|---|---|---|---|
| System access logs | Login records, access logs, IP addresses | 12 months from date of creation | Legitimate interest (security) |
| Application error logs | Technical error reports, debugging data | 6 months from date of creation | Legitimate interest (service improvement) |
| Cookie and analytics data | Website usage data, session data | As set out in the Company's Cookie Policy (maximum 13 months for analytics) | Consent (PECR) |
| CCTV footage (if applicable) | Security camera recordings | 30 days unless retained for an investigation | Legitimate interest (security) |
6. Deletion and Anonymisation Procedures
6.1 Secure Deletion
When the retention period for any category of personal data expires, the data must be securely and irreversibly deleted or destroyed. Secure deletion methods include:
- Electronic data: overwriting with random data, cryptographic erasure, or physical destruction of storage media, in accordance with industry standards (such as NIST SP 800-88).
- Physical records: cross-cut shredding or incineration by an approved confidential waste provider.
6.2 Anonymisation
Where data is of value for statistical, analytical, or research purposes but is no longer required in an identifiable form, the Company may anonymise the data rather than delete it. Anonymisation must be carried out to a standard where the data subjects cannot be re-identified, whether directly or by combination with other data. Anonymised data is no longer personal data and falls outside the scope of the UK GDPR.
6.3 Retention Holds
Where the Company is aware of actual or reasonably anticipated litigation, regulatory investigation, or audit, a retention hold must be applied to all data that may be relevant. Data subject to a retention hold must not be deleted or destroyed until the hold is lifted by the Data Protection Officer or the Company's legal advisers.
7. Data Subject Rights
Data subjects have the right to request the erasure of their personal data under Article 17 of the UK GDPR (the "right to erasure" or "right to be forgotten"), subject to certain exemptions. The Company will respond to valid erasure requests within one month, or within an extended period of up to three months where the request is complex.
Erasure requests will be refused where the Company is required to retain the data for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for other grounds set out in Article 17(3) of the UK GDPR. In such cases, the data subject will be informed of the reasons for refusal and their right to complain to the Information Commissioner's Office.
8. Third-Party Processors
Where personal data is processed by third-party processors on behalf of the Company, the Company ensures through contractual provisions (data processing agreements under Article 28 of the UK GDPR) that:
- Processors retain data only for the periods specified by the Company.
- Data is securely deleted or returned to the Company at the end of the processing relationship.
- Processors implement appropriate technical and organisational measures to secure data during the retention period.
9. Responsibilities
9.1 Data Protection Officer
The Data Protection Officer ("DPO") is responsible for:
- Maintaining the data retention schedule and ensuring it remains current.
- Advising on retention periods and the application of this policy.
- Overseeing the implementation of deletion and anonymisation procedures.
- Monitoring compliance with this policy.
- Responding to data subject requests relating to retention and erasure.
9.2 All Personnel
All Personnel are responsible for:
- Complying with this policy and the data retention schedule.
- Not retaining personal data beyond the applicable retention period unless a retention hold applies.
- Reporting any concerns about data retention practices to the DPO.
10. Breaches
Failure to comply with this policy may result in disciplinary action and could expose the Company to regulatory action by the Information Commissioner's Office, including fines of up to seventeen million five hundred thousand pounds or four per cent of annual global turnover under the UK GDPR.
11. Review
This policy is reviewed annually by the Data Protection Officer and approved by the Board of Directors. It is updated as necessary to reflect changes in legislation, regulatory guidance, or the Company's data processing activities.
Policy Owner: Data Protection Officer, WagePerks Ltd
Last Reviewed: April 2026
Registered in Scotland