Storage retention period of employee personal data
The legislation of the Russian Federation defines the concept of personal data (PD) as information that relates to an individual (named by the subject of personal data), is provided to other individuals or legal entities. In order to ensure the safety of citizens and protect against illegal receipt of personal data, legislation develops regulations governing the procedure for working with such data.
The procedure for storing personal data of employees of the enterprise
Any labor relationship must begin with the signing of documents (on the provision of services, on lending, etc.), the conclusion of labor contracts, orders with the obligatory entry in these papers of personal information about employees (last name, first name, patronymic, address - actual and place of registration, information about the previous workplace, experience, etc.). Therefore, every employer is required by law to know the procedure for processing personal data of his employees and to follow it.
There are a number of requirements and standards, taking into account which the employer undertakes to store and use such information:
- the period of finding personal information in the database should not exceed the time allotted for the implementation of the goals and objectives for which the processing of this information is necessary;
- immediately after solving these problems and achieving the goals, all used information about the employee must be depersonalized and deleted or destroyed;
- if the need for further storage and use of PD has disappeared, such data is also subject to destruction.
The head of the organization is appointed a responsible person (operator), who is entrusted with the function of protecting personal data of the entire state (storage, processing, use, correction, transfer, deletion). If at some point the operator cannot fulfill his duties, he must delegate these powers to another employee of the company with the preparation and signing of an official order.
Such an order indicates the obligation to ensure absolute confidentiality and security of stored PD.
Who has the right to use personal data
Federal law established a list of persons who can perform actions with confidential data of employees:
- employee appointed to the position of PD operator;
- Deputy Director for Administrative Affairs;
- HR manager;
- head of the personnel department.
However, the rest of the company's employees also periodically come across personal information of employees when working with documents. These are accountants, secretaries, database management specialists, personnel specialists.
All company officials who process employees' personal data are obliged to ensure the safety of documents in which personnel records are kept, payroll schedules, work shifts and other personnel information.
Limiting the storage time of PD
The legislation of the Russian Federation provides that the storage of personal information should not be carried out longer than the time allotted to achieve the purposes for which they were processed. In some cases, this time is set by the PD subject himself or by law. In all other cases, the operator determines and sets the period for which the data will remain in the database, as well as the conditions for their deletion (termination of use).
The law provides for the right to choose one of these conditions: either to set the storage period, or to establish the fact of interruption of processing after a certain circumstance occurs. The choice of option depends directly on the type of activity of the organization. For example, for the compilation of statistical reports at the end of the year, the data are no longer needed, so they must be destroyed.
Medical institutions are obliged to store PD for a long time. That is why the legislation of the Russian Federation allows operators to choose a time frame or a specific event to stop processing available information.
But still, the law establishes a period within which the storage of personal data is allowed. Therefore, all work books and employment contracts that the subject did not take away must be placed in a special archive of the organization until they are requested. If the documents are no longer needed, they must still be kept for at least 50 years.
Where else are employees' personal data stored?
The employee pension insurance system also has employee data. Documents with such information must be kept in the structure for at least 60 years and must meet the following criteria:
- contain information about the personal account of the insured subject;
- correspond to a certain form (necessarily written) and have the signature of the subject;
- have your own electronic duplicate with the corresponding digital signature of the PD owner;
- contain all information about taxes and contributions withheld from wages or other payments to the employee at the expense of the Pension Fund;
- be submitted by the head of the enterprise to the social insurance fund for maintaining individual registration of citizens in the social insurance system.
Permission to use PD
A prerequisite for ensuring the correct work with employee information is permission to use it. Such permission is taken from the PD subject by the operator, it indicates the validity period and the term for revoking this permission.
There are two ways to set the duration of the permit: by designating a specific date or by using a legal phrase: "This agreement is valid from the day it is signed until the moment this decision is revoked."
So how long should confidential information be kept? The content of the data in the database is provided by the operator for the period that is necessary for the use of PD.
There are situations when an enterprise does not use data continuously. In this case, access to them is provided at any time when they are needed.
Also, the operator designates specific actions that will be taken with PD upon reaching the end of their use - anonymize or destroy. Anonymizing information means changing its form, which will not allow the data subject to be recognized.
The processing of personal materials is directly related to their storage. And if the use of PD ends when a specific goal is achieved, the operator is obliged not to store them further.
You cannot specify different terms or conditions for stopping the storage or use of personal information. For example, when the PD storage period has expired, then their processing cannot and should not be carried out in the future.
Extension of the term of permission
If necessary, the operator can extend the period for processing and storing PD. But for this, the company must fulfill certain conditions set out in the policy regarding the processing of personal data . The employee, whose data is stored in the database, has the right to study this document.
Extension of the terms for using PD is allowed by federal law only if the motives for these actions are completely legal, and if there are compelling reasons for this.
An enterprise that stores personal data of employees has the opportunity to choose the automatic extension of the term of permission to process the data of the subject. In this case, the subject at any time has the right to terminate this permission.
The labor legislation of the Russian Federation has designated specific norms regarding the storage and processing time of personal materials of workers, but the state does not establish the storage time itself. There is only one requirement - to have access to the data no longer than required.
Information about the employees of the enterprise must be attached to the personal file. The head, in accordance with Art. 87 of the Labor Code, independently establishes the procedure and process for the application of personal data of employees. But this procedure is limited by the framework of the legislation of the Russian Federation.
Features of storing paper documents
Information on paper should be kept in the company's safes. If the data about employees is processed electronically, they are stored in the database on the computer of the operator authorized to ensure their safety.
When an employee is dismissed, his personal file must be in the personnel department until the end of the calendar year, after which the head of the personnel department carries out archival and technical processing of PD and sends all documentation about the dismissed employees to the archive.