Retention of HR records

Retention of people records is an extremely complex and constantly changing area. Organisations following good practice should have a document retention policy and monitoring programme that’s communicated to all staff. They should also follow both physical and electronic data security methods. The policy should ensure that records are kept as long as needed but no longer, and that records are destroyed securely. Such programmes may involve training not only about the legal issues involved, but also why having organised records benefits the business.

HR records include a wide range of data relating to individuals working in an organisation, for example, pay or absence levels, hours worked and trade union agreements. This information is usually stored electronically but may include paper records as well.

It is important for all organisations to maintain effective systems for storing HR data, both to ensure compliance with all relevant legislation (for example in respect of the minimum wage or working time regulations) as well to support sound personnel administration and broader HR strategy. Our human capital factsheet has more details of how employee information can help HR and management improve business performance.

Complex regulations may govern the length of time for which HR records should be stored.

There’s a substantial amount of UK and EU legislation that has an impact upon the retention of personnel and other related records. Examples, dealing with particular categories of records are provided below.

Access, storage, format and destruction

In the UK, the Data Protection Act 1998 (DPA) applies to most personnel records, whether held in paper or digital format. Data mustn't be kept any longer than is necessary for a particular purpose. Both computerised and manual systems can be covered by the law: to be covered, manual systems must be organised into a 'relevant filing system'.

Subject to certain exceptions under the DPA, employees have the right to access their records and the employer must ensure that the data is accurate. Before releasing data to a third party, the employer must seek the individual’s permission.

From 25 May 2018, existing data protection duties will be tightened up under the EU General Data Protection Regulation (GDPR). The UK government has committed to implementing the GDPR irrespective of Brexit and has a new Data Protection Bill currently progressing through Parliament. This will amend the existing DPA in line with the new rules, as well as introducing a few additional changes. Employers must ensure they are data protection compliant and may need to designate a data protection officer, which could involve training and developing existing staff.

See more on data protection in the workplace generally. CIPD members can find more detail in our GDPR factsheet.

The Information Commissioner has issued The employment practices code, together with additional guidance notes, which employers should follow carefully. It’s in four parts:

• Part 1: Recruitment and selection
• Part 2: Employment records
• Part 3: Monitoring at work
• Part 4: Information about workers health.

As well as the DPA rules, certain documents such as employment contracts, accident record books and other personnel records may be needed in a legal action. Original documents must usually be available, or the employer must explain what happened to the originals backed up by what is known as a 'statement of truth'.

When employers really no longer need to keep certain data, destruction must take place securely and effectively, for example by shredding.

CIPD members can find out more on the legal aspects of data protection, including the difference between keeping records and being able to act on them, in our Data protection, surveillance and privacy at work law Q&As.

Public sector records

In the UK public sector there are many detailed rules about record retention. Part 1 of a statutory Code of Practice on the management of records sets out good practice in public authority records management. Part II deals with review of public records and transfer to the National Archives.

Many government departments publish their retention and disposal policies for all records which are reviewed annually, and define how long records should be retained before they are either destroyed or transferred to the National Archives.

Other special provisions

Further special provisions may arise affecting the retention of, or access to, data. For example, the well publicised Investigatory Powers Act 2016 (IPA), nicknamed the ‘Snooper's Charter’, deals with certain aspects of data retention, but also contains provisions extending to the interception of communications. The sections relating to data retention already apply, but the remaining provisions have been subject to legal challenge and are not yet fully in force. Telecommunication companies must keep telephone call logs for one year. Internet service providers must retain communications data (including internet access, email and telephone calls - mobile and landline) for one year. The IPA enables the government to issue notices in relation to internet connection records including information about which websites a user has visited (their internet browsing history). If authorities wish to obtain details of the content of any communications, a special warrant will be required.

The checklist below is divided into two parts:

• Records where there are statutory retention periods, with the statutory authorities.
• Records where there are no statutory retention periods, with recommended retention periods.

The the main UK legislation regulating statutory retention periods is summarised below. If employers are in doubt, it's a good idea to keep records for at least 6 years (5 in Scotland), to cover the time limit for bringing any civil legal action.

Record types

Accident books, accident records/reports
Statutory retention period: 3 years from the date of the last entry (or, if the accident involves a child/ young adult, then until that person reaches the age of 21). (See below for accidents involving chemicals or asbestos).
Statutory authority: The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and Limitation Act 1980. Special rules apply concerning incidents involving hazardous substances (see below).

Accounting records
Statutory retention period: 3 years for private companies, 6 years for public limited companies.
Statutory authority: Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006.

Income tax and NI returns, income tax records and correspondence with HMRC
Statutory retention period: not less than 3 years after the end of the financial year to which they relate.
Statutory authority: The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631).

Medical records and details of biological tests under the Control of Lead at Work Regulations
Statutory retention period: 40 years from the date of the last entry.
Statutory authority: The Control of Lead at Work Regulations 1998 (SI 1998/543) as amended by the Control of Lead at Work Regulations 2002 (SI 2002/2676).

Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH)
Statutory retention period: 40 years from the date of the last entry.
Statutory authority: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).

Medical records under the Control of Asbestos at Work Regulations: medical records containing details of employees exposed to asbestos and medical examination certificates
Statutory retention period: (medical records) 40 years from the date of the last entry; (medical examination certificates) 4 years from the date of issue.
Statutory authority: The Control of Asbestos at Work Regulations 2002 (SI 2002/ 2675). Also see the Control of Asbestos Regulations 2006 (SI 2006/2739) and the Control of Asbestos Regulations 2012 (SI 2012/632)

Medical records under the Ionising Radiations Regulations 1999
Statutory retention period: until the person reaches 75 years of age, but in any event for at least 50 years.
Statutory authority: The Ionising Radiations Regulations 1999 (SI 1999/3232).

National minimum wage records
Statutory retention period: 3 years after the end of the pay reference period following the one that the records cover.
Statutory authority: National Minimum Wage Act 1998.

Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH)
Statutory retention period: 5 years from the date on which the tests were carried out.
Statutory authority: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).

Records relating to children and young adults
Statutory retention period: until the child/young adult reaches the age of 21.
Statutory authority: Limitation Act 1980.

Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity
Statutory retention period: 6 years from the end of the scheme year in which the event took place.
Statutory authority: The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103)

Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence
Statutory retention period: 3 years after the end of the tax year in which the maternity period ends.
Statutory authority: The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended.

Wage/salary records (also overtime, bonuses, expenses)
Statutory retention period: 6 years.
Statutory authority: Taxes Management Act 1970.

Working time records
Statutory retention period: 2 years from date on which they were made.
Statutory authority: The Working Time Regulations 1998 (SI 1998/1833).

For many types of HR records, there is no definitive retention period: it is up to the employer to decide how long to keep them. Different organisations make widely differing decisions about the retention periods to adopt. Employers must consider what a necessary retention period is for them, depending on the type of record.

The advice in this factsheet is based on the time limits for potential UK tribunal or civil claims. The period is often a question of judgement rather than there being any definitive right answer. For example, some records managers in public sector organisations recommend keeping an employee’s records until they reach the age of 100, especially for pension purposes

The UK Limitation Act 1980 contains a 6-year time limit for starting many legal proceedings. So where documents may be relevant to a contractual claim, it’s recommended that these are kept for at least a corresponding 6-year period.

Record types

Actuarial valuation reports
Recommended retention period: permanently.

Application forms and interview notes (for unsuccessful candidates)
Recommended retention period: 6 months to a year. (Because of the time limits in the various discrimination Acts, minimum retention periods for records relating to advertising of vacancies and job applications should be at least 6 months. A year may be more advisable as the time limits for bringing claims can be extended. Successful job applicants documents will be transferred to the personnel file in any event.

Assessments under health and safety regulations and records of consultations with safety representatives and committees
Recommended retention period: permanently.

Inland Revenue/HMRC approvals
Recommended retention period: permanently.

Money purchase details
Recommended retention period: 6 years after transfer or value taken.

Parental leave
Recommended retention period: 18 years from the birth of the child.

Pension scheme investment policies
Recommended retention period: 12 years from the ending of any benefit payable under the policy.

Pensioners' records
Recommended retention period: 12 years after benefit ceases.

Personnel files and training records (including disciplinary records and working time records)
Recommended retention period: 6 years after employment ceases.

Redundancy details, calculations of payments, refunds, notification to the Secretary of State
Recommended retention period: 6 years from the date of redundancy

Senior executives' records (that is, those on a senior management team or their equivalents)
Recommended retention period: permanently for historical purposes.

Statutory Sick Pay records, calculations, certificates, self-certificates
Recommended retention period: The Statutory Sick Pay (Maintenance of Records) (Revocation) Regulations 2014 (SI 2014/55) abolished the former obligation on employers to keep these records. Although there is no longer a specific statutory retention period, employers still have to keep sickness records to best suit their business needs. It is advisable to keep records for at least 3 months after the end of the period of sick leave in case of a disability discrimination claim. However if there were to be a contractual claim for breach of an employment contract it may be safer to keep records for 6 years after the employment ceases.

Time cards
Recommended retention period: 2 years after audit.

Trade union agreements
Recommended retention period: 10 years after ceasing to be effective.

Trust deeds and rules
Recommended retention period: permanently.

Trustees' minute books
Recommended retention period: permanently.

Works council minutes
Recommended retention period: permanently.

Contacts

GOV.UK - Data protection and your business

Information Commissioner: for organisations

Books and reports

ACAS. (2009) Personnel data and record keeping. Advisory Booklet. London: Acas.

Journal articles

ALMOND, J. (2015) Data subject access: fishing for a settlement. Tolley's Employment Law Newsletter. Vol 20, No 7, May. pp51-53.

HARKER, S. and TOSTIVIN, M. (2011) Handle with care. Tolley's Employment Law Newsletter. Vol 17, No 3, September. pp19-21.

HARTLEY, A. (2013) Protecting confidential information in the digital workplace. Employers' Law. February. pp14-15

CIPD members can use our online journals to find articles from over 300 journal titles relevant to HR.

Members and People Management subscribers can see articles on the People Management website.