All organisations collect data relating to their employees – their HR records - including information on pay, sickness absence, or hours worked. HR records can be stored in hardcopy or electronically but it’s important for organisations to keep the information in a well-organised system so that it can be easily retrieved and managed.

This factsheet introduces the legal position on the retention of HR records in the UK, including the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). It offers two checklists: one giving statutory retention periods where these exist, and the other giving recommendations for keeping information such as application forms or parental leave details.

See the full A-Z list of all CIPD factsheets

HR records include a wide range of data relating to individuals working in an organisation, for example hours worked and pay or absence levels. This information is usually stored electronically but may include paper records as well, so employers should use both physical and electronic data security methods.

All organisations should maintain effective systems for storing HR data and comply with all relevant legislation. It’s good practice to have a document retention policy and monitoring programme that’s communicated to all staff. The policy should ensure that records are kept for as long as needed but no longer, and that records are destroyed securely. It may involve training about the legal issues involved and address the benefits of sound personnel administration and broader HR strategy. Our workforce reporting factsheet has more details of how employee information can help HR and management improve business performance.

There’s a substantial amount of UK legislation that has an impact on the retention of HR records. Examples, dealing with particular categories of records are given below.

Access, storage, format and destruction

From 25 May 2018, existing data protection duties in the UK were tightened up to adapt to the rapid expansion of technology and collection of data. The new Data Protection Act 2018 (DPA) incorporates the agreed provisions of the EU General Data Protection Regulation (GDPR) and applies to most HR records, whether held in paper, or digital format.

Data must not be kept any longer than is necessary for a legitimate purpose and it must not be excessive. The emphasis is on the employer (the data controller) to have systems in place to determine how long the data should be retained and when records should be destroyed.

Both computerised and manual systems can be covered by the law: to be covered, manual systems must be organised into a 'relevant filing system'. All employers must ensure they are data protection compliant and may need to designate a data protection officer, which could involve training and developing existing staff. See more in our factsheet on data protection and GDPR in the workplace.

Subject to certain exceptions under the DPA, employees have the right to access their records and the employer must ensure that the data is accurate. Before releasing data to a third party, the employer must seek the individual’s permission.

The DPA and GDPR do not expressly change retention periods and do not set out any specific minimum or maximum periods.

As well as the DPA rules, certain documents such as employment contracts, accident record books and other personnel records may be needed in a legal action. Original documents must usually be available, or the employer must explain what happened to the originals backed up by what is known as a 'statement of truth'.

When employers no longer need to keep certain data, destruction must take place securely and effectively, for example by shredding.

CIPD members can find out more on the legal aspects of data protection, including the difference between keeping records and being able to act on them, in our Data protection, surveillance and privacy at work law Q&As.

Public sector records

In the UK public sector there are many detailed rules about record retention. The Freedom of Information Act 2000 places obligations on public authorities to maintain their records in line with a code of practice on records management issued under that legislation. The code sets out good practice in public authority records management.

Many government departments publish their retention and disposal policies for all records which are reviewed annually and define how long records should be retained before they are either destroyed or transferred to the National Archives.

Other special provisions

Further special provisions may affect the retention of, or access to, data. For example, the Investigatory Powers Act 2016 (IPA), nicknamed the ‘Snooper's Charter’, deals with certain aspects of data retention, but also contains provisions extending to the interception of communications. The sections relating to data retention already apply, but the remaining provisions have been subject to legal challenge. Telecommunication companies must keep telephone call logs for one year. Internet service providers must retain communications data (including internet access, email and telephone calls - mobile and landline) for one year. The IPA enables specific government bodies to access internet connection records including information about which websites a user has visited (their internet browsing history). A special warrant is needed to access the actual content of any communication.

New immigration rules may affect HR records relating to immigration checks in certain circumstances.

The checklist below is divided into two parts:

  • Records where there are UK statutory retention periods, with the statutory authorities.
  • Records where there are no UK statutory retention periods, with recommended retention periods.

The main UK legislation regulating statutory retention periods is summarised below. If in doubt, it's a good idea to keep records for at least 6 years (5 in Scotland), to cover the time limit for bringing any civil legal action.

Record types

Accident books, accident records/reports (See below for accidents involving chemicals or asbestos)

  • Statutory retention period: 3 years from the date of the last entry (or, if the accident involves a child/ young adult, then until that person reaches the age of 21).
  • Statutory authority: The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and Limitation Act 1980. Special rules apply concerning incidents involving hazardous substances (see below).

Accounting records

  • Statutory retention period: 3 years for private companies, 6 years for public limited companies.
  • Statutory authority: Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006.

Coronavirus Job Retention Scheme - records of the furlough agreement including:the amount claimed, claim period for each employee, the claim reference number and calculations in case HMRC need more information. For employees on flexible furlough - usual hours worked and the calculations required.
(See below for other types of COVID-19-related record keeping.)

  • Statutory retention period: 6 years for furlough records. (The guidance says employers should retain the written furlough agreement for 5 years. But HMRC can retrospectively audit all claims so it is important to keep a copy of all records for 6 years minimum.)
  • Statutory authority: The record keeping requirement appears to be in the statutory guidance 'Claim for wages through the Coronavirus Job Retention Scheme'.

First aid training

  • Statutory retention period: 6 years after employment.
  • Statutory authority: Health and Safety (First Aid) Regulations 1981.

Fire warden training

  • Statutory retention period: 6 years after employment.
  • Statutory authority: Fire Precautions (Workplace) Regulations 1997.

Health and Safety representatives and employees’ training

  • Statutory retention period: 5 years after employment.
  • Statutory authority: Health and Safety (Consultation with Employees) Regulations 1996; Health and Safety Information for Employees Regulations 1989.

Income tax and NI returns, income tax records and correspondence with HMRC

  • Statutory retention period: Not less than 3 years after the end of the financial year to which they relate.
  • Statutory authority: The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631).

Medical records and details of biological tests under the Control of Lead at Work Regulations

  • Statutory retention period: 40 years from the date of the last entry.
  • Statutory authority: The Control of Lead at Work Regulations 1998 (SI 1998/543) as amended by the Control of Lead at Work Regulations 2002 (SI 2002/2676).

Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH)

  • Statutory retention period: 40 years from the date of the last entry.
  • Statutory authority: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).

Medical records under the Control of Asbestos at Work Regulations: medical records containing details of employees exposed to asbestos and medical examination certificates

  • Statutory retention period: 40 years from the date of the last entry (medical records); 4 years from the date of issue (medical examination certificates).
  • Statutory authority: The Control of Asbestos at Work Regulations 2002 (SI 2002/ 2675). Also see the Control of Asbestos Regulations 2006 (SI 2006/2739) and the Control of Asbestos Regulations 2012 (SI 2012/632).

Medical records under the Ionising Radiations Regulations 1999

  • Statutory retention period: Until the person reaches 75 years of age, but in any event for at least 50 years.
  • Statutory authority: The Ionising Radiations Regulations 1999 (SI 1999/3232).

National minimum wage records

  • Statutory retention period: 3 years after the end of the pay reference period following the one that the records cover.
  • Statutory authority: National Minimum Wage Act 1998.

Payroll wage/salary records (also overtime, bonuses, expenses)

  • Statutory retention period: 6 years from the end of the tax year to which they relate.
  • Statutory authority: Taxes Management Act 1970.

Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH)

  • Statutory retention period: 5 years from the date on which the tests were carried out.
  • Statutory authority: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).

Records relating to children and young adults

  • Statutory retention period: until the child/young adult reaches the age of 21.
  • Statutory authority: Limitation Act 1980.

Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity

  • Statutory retention period: 6 years from the end of the scheme year in which the event took place.
  • Statutory authority: The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103)

Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence (also shared parental, paternity and adoption pay records)

  • Statutory retention period: 3 years after the end of the tax year in which the maternity period ends.
  • Statutory authority: The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended, Maternity & Parental Leave Regulations 1999.

Subject access request

  • Statutory retention period: 1 year following completion of the request. 
  • Statutory authority: Data Protection Act 2018.

VAT deferral (COVID-19) – to support businesses through the COVID-19 pandemic, the government allowed VAT payments due between 20 March and 30 June 2020 to be deferred until 31 March 2021.   

  • Statutory retention period: 6 years. 
  • Statutory authority: HMRC VAT deferral guidance.

Whistleblowing documents

  • Statutory retention period: 6 months following the outcome (if a substantiated investigation). If unsubstantiated, personal data should be removed immediately.
  • Statutory authority: Public Interest disclosure Act 1998 and recommended IAPP practice.

Working time records including overtime, annual holiday, jury service, time off for dependents, etc

  • Statutory retention period: 2 years from date on which they were made.
  • Statutory authority: The Working Time Regulations 1998 (SI 1998/1833).
Coronavirus Job Retention Scheme
  • Statutory retention period: 6 years for furlough records. The written furlough agreement should be retained for 5 years, but HMRC can retrospectively audit all claims, so employers should keep a copy of all records for 6 years minimum. This should include the amount claimed, the claim period, claim reference number, calculations, usual hours worked (including any calculations for furloughed employees) and actual hours worked for flexibly furloughed employees.
  • Statutory authority: The statutory guidance 'Claim for wages through the Coronavirus Job Retention Scheme'

For many types of HR records, there is no definitive retention period: it is up to the employer to decide how long to keep them. Different organisations make widely differing decisions about the retention periods to adopt. Employers must consider what a necessary retention period is for them, depending on the type of record.

The advice in this factsheet is based on the time limits for potential UK tribunal or civil claims. The period is often a question of judgement rather than there being any definitive right answer. For example, some records managers in public sector organisations recommend keeping an employee’s records until they reach the age of 100, especially for pension purposes.

Employers should always review the length of time personal data is kept, consider its purpose when deciding how long to retain it, and update, archive or securely delete information if it goes out of date. It’s also important to remember that confidential data, for example sickness records, should have personally identifiable information removed where possible (pseudonymisation).

The UK Limitation Act 1980 contains a 6-year time limit for starting many legal proceedings. So where documents may be relevant to a contractual claim, it’s recommended that these are kept for at least a corresponding 6-year period. Under the same Act, the limit for defamation proceedings is one year although this has been extended in some cases. Defamation claims may be relevant to references or interview notes.

Record types

Actuarial valuation reports

  • Recommended retention period: Permanently.

Assessments under health and safety regulations and records of consultations with safety representatives and committees. These include COVID-19 risk assessments.

  • Recommended retention period: Permanently. COVID-19 risk assessments should be kept as long as they remain relevant.

Collective agreements

  • Recommended retention period: 6 years after the agreement ends.

COVID-19 vaccination records - vaccination status is ‘special category’ data requiring extra protection. Under the DPA and GDPR employers can only keep this data for a good reason and if there is a lawful basis for processing it. For most employers, 'legitimate interests’ is an appropriate reason and the ‘condition for processing’ is likely to be the employment or public health condition. Vaccination status is confidential, only disclosed for a significant health reason, for example to avoid unvaccinated staff meeting vulnerable people where possible.

  • Recommended retention period: Specific legislation is expected governing covid status certification. It’s not yet known if this will cover record keeping as the NHS app is expected to be used as a COVID-19 vaccination status certification. Employers may decide to keep a record if they check employees’ status. It’s logical at the moment to keep records for 6 years to reflect the period another employee may have to claim an employer has failed to take care of their health and safety. If vaccination becomes an annual event, employers may only need to keep records for a year until the next vaccination. The situation is still evolving. If the pandemic retreats completely, the justification for keeping data may change.

CCTV footage

  • Recommended retention period: CCTV footage may be relevant to a disciplinary matter or unfair dismissal claim. Recommended Information Commissioner’s Office (ICO) retention practice is 6 months following the outcome of any formal decision or appeal.

Driving offences

  • Recommended retention period: Must be removed once the conviction is spent under the Rehabilitation of Offenders Act 1974.

Flexible working requests

  • Recommended retention period: 18 months following any appeal. This is because a further request cannot be made for 12 months following a request plus allowing for a 6 month tribunal limitation period on top.

Inland Revenue/HMRC approvals

  • Recommended retention period: Permanently.

Money purchase details

  • Recommended retention period: 6 years after transfer or value taken.

Parental leave

  • Recommended retention period: 18 years from the birth of the child.

Pension records

  • Recommended retention period: 12 years after the benefit ceases.

Pension scheme investment policies

  • Recommended retention period: 12 years from the ending of any benefit payable under the policy.

Personnel files and training records (including formal disciplinary records and working time records)

  • Recommended retention period: 6 years after employment ceases but note that it may be unreasonable to refer to expired warnings after two years have elapsed.

Recruitment application forms and interview notes (for unsuccessful candidates)

  • Recommended retention period: 6 months to a year. Because of the time limits in the various discrimination Acts, minimum retention periods for records relating to advertising of vacancies and job applications should be at least 6 months. A year may be more advisable as the time limits for bringing claims can be extended. Successful job applicants documents will be transferred to the personnel file in any event.

Redundancy details, calculations of payments, refunds, notification to the Secretary of State

  • Recommended retention period: 6 years from the date of redundancy.


  • Recommended retention period: At least one year after the reference is given to meet the limitation period for defamation claims.

Right to work in the UK checks

  • Recommended retention period: Home Office recommended practice is 2 years after employment ends.

Senior executives' records (that is, those on a senior management team or their equivalents)

  • Recommended retention period: Some records may be needed permanently for historical purposes. Retain personal records, performance appraisals, employment contracts etc for 6 years after the employee has left to reflect the main limitation period. Other retention periods depend on the records - data may include documents from the company’s incorporation, shareholdings, resolutions, memorandum and articles, annual returns, register of directors interests, share documents, accounts, liability policies, pension scheme documents etc most of which should be retained permanently.

Statutory Sick Pay (SSP) records, calculations, certificates, self-certificates, occupational health reports. Also COVID-19-related SSP claims including: the dates the employee was off sick, which of those dates were qualifying days, the reason they said they were off work, the employee’s National Insurance number.

  • Recommended retention period: The Statutory Sick Pay (Maintenance of Records) (Revocation) Regulations 2014 (SI 2014/55) abolished the former obligation on employers to keep these records. Although there is no longer a specific statutory retention period, employers must still keep sickness records to best suit their business needs. It's advisable to keep records for at least 6 months after the end of the period of sick leave in case of a disability discrimination claim. However, if there's a personal injury claim, the limitation is 3 years. If there's a contractual claim for breach of an employment contract, it may be safer to keep records for 6 years after the employment ceases. Employers should keep a record of SSP paid because of COVID-19 as this can be claimed back from HMRC for 3 years after the end of the tax year. HMRC may request records.

Termination of employment, for example early retirement, severance or death in service

  • Recommended retention period: At least 6 years although the ICO’s retention schedule suggests until employee reaches age 100.

Terms and conditions including offers, written particulars, and variations

  • Recommended retention period: Review 6 years after employment ceases or the terms are superseded.

Time cards

  • Recommended retention period: 2 years after audit.

Trade union agreements

  • Recommended retention period: 10 years after ceasing to be effective.

Trust deeds and rules

  • Recommended retention period: Permanently.

Trustees' minute books

  • Recommended retention period: Permanently.

Works council minutes

  • Recommended retention period: Permanently.


GOV.UK - Data protection and your business

Information Commissioner: for organisations

Journal articles

BEAUMONT, A. (2020) Staying GDPR compliant during Covid-19. People Management (online). 25 August.

CHURCHILL, F. (2020) Employers urged to focus on record keeping in wake of BBC equal pay row. People Management (online). 16 November.

PARKINSON, P. (2021) Handling personal data when working from home. People Management (online). 3 February.

CIPD members can use our online journals to find articles from over 300 journal titles relevant to HR.

Members and People Management subscribers can see articles on the People Management website.

This factsheet was last updated by Lisa Ayling, solicitor and employment law specialist. However, while every care has been taken in compiling the information, the CIPD cannot be held responsible for any errors or omissions and the information is not intended as a substitute for specific legal advice.

Lisa Ayling

Lisa Ayling: solicitor and employment law specialist

Lisa is a lawyer with many years’ experience of contentious and non‐contentious employment law. During her career she has advised companies and individuals on diverse legal issues including contractual disputes, restrictive covenants, TUPE, redundancy, unfair dismissal and discrimination. Her practical experience includes all stages of claims in the employment tribunal, High Court and Appeal courts and many negotiated settlement agreements.

As well as writing and editing employment law content for the CIPD, Lisa lectures extensively on employment law, including years as a senior lecturer and leader of the employment team at BPP University and on the LLM programme at Kingston University. She has delivered numerous professional development courses for other members of the law profession, as well as assessing trainees on their advocacy, research and drafting skills.

Explore our related content


Workforce reporting

Learn about defining, measuring and reporting on workforce matters, and the value of human capital reporting

Read more