10. How long is an employer allowed to keep the personal data of former employees?
Data protection principle 2 requires that personal data should not be kept for any longer than is necessary to fulfill the purposes for which the data were to be used, or a directly related purpose. Whether personal data can be retained for a long time will depend on whether or not the purposes for which the data were collected have already been exhausted, or whether there is any public interest reason for keeping the data (see section 26 of the Ordinance).
The Code of Practice on Human Resource Management specifies that the personal data of former employees may be retained for a period of up to seven years from the date the former employee ceases employment. The data may be retained for a longer period if it is necessary for the employer to fulfill contractual or legal obligations, or the former employee has voluntarily given express consent for such retention.