Introduction

All organisations collect data relating to their employees – their HR records - including information on pay, sickness absence, or hours worked. HR records can be stored in hardcopy or electronically but it’s important for organisations to keep the information in a well-organised system so that it can be easily retrieved, and to comply with relevant legislation.

This factsheet introduces the legal position on the retention of HR records in the UK, including the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). It offers two checklists: one giving statutory retention periods for information where these exist, and the other giving recommendations for keeping information such as application forms or parental leave details.

CIPD viewpoint

Retention of people records is an extremely complex and constantly changing area. Organisations following good practice should have a document retention policy and monitoring programme that’s communicated to all staff. They should also follow both physical and electronic data security methods. The policy should ensure that records are kept for as long as needed but no longer, and that records are destroyed securely. Such programmes may involve training about the legal issues involved and why having organised records benefits the business.

HR records include a wide range of data relating to individuals working in an organisation, for example, pay or absence levels, hours worked and trade union agreements. This information is usually stored electronically but may include paper records as well.

It's important for all organisations to maintain effective systems for storing HR data, both to ensure compliance with all relevant legislation (for example in respect of the minimum wage or working time regulations) as well to support sound personnel administration and broader HR strategy. Our human capital factsheet has more details of how employee information can help HR and management improve business performance.

There’s a substantial amount of UK legislation that has an impact upon the retention of personnel and other related HR records. Examples, dealing with particular categories of records are provided below.

Access, storage, format and destruction

From 25 May 2018, existing data protection duties in the UK were tightened up to adapt to the rapid expansion of technology and collection of data. The new Data Protection Act 2018 (DPA) incorporates the agreed provisions of the EU General Data Protection Regulation (GDPR) and applies to most HR records, whether held in paper, or digital format.

Data mustn’t be kept any longer than is necessary for a legitimate purpose and it must not be excessive The emphasis is on the employer (the data controller) to have systems in place to determine how long the data should be retained and when records should be destroyed.

Both computerised and manual systems can be covered by the law: to be covered, manual systems must be organised into a 'relevant filing system'. All employers must ensure they are data protection compliant and may need to designate a data protection officer, which could involve training and developing existing staff. See more in our factsheet on data protection and GDPR in the workplace.

Subject to certain exceptions under the DPA, employees have the right to access their records and the employer must ensure that the data is accurate. Before releasing data to a third party, the employer must seek the individual’s permission.

The DPA and GDPR do not expressly change retention periods and do not set out any specific minimum or maximum periods.

As well as the DPA rules, certain documents such as employment contracts, accident record books and other personnel records may be needed in a legal action. Original documents must usually be available, or the employer must explain what happened to the originals backed up by what is known as a 'statement of truth'.

When employers no longer need to keep certain data, destruction must take place securely and effectively, for example by shredding.

CIPD members can find out more on the legal aspects of data protection, including the difference between keeping records and being able to act on them, in our Data protection, surveillance and privacy at work law Q&As.

Public sector records

In the UK public sector there are many detailed rules about record retention. Part 1 of a statutory Code of Practice on the management of records sets out good practice in public authority records management. Part II deals with review of public records and transfer to the National Archives.

Many government departments publish their retention and disposal policies for all records which are reviewed annually and define how long records should be retained before they are either destroyed or transferred to the National Archives.

Other special provisions

Further special provisions may arise affecting the retention of, or access to, data. For example, the well publicised Investigatory Powers Act 2016 (IPA), nicknamed the ‘Snooper's Charter’, deals with certain aspects of data retention, but also contains provisions extending to the interception of communications. The sections relating to data retention already apply, but the remaining provisions have been subject to legal challenge and are not yet fully in force. Telecommunication companies must keep telephone call logs for one year. Internet service providers must retain communications data (including internet access, email and telephone calls - mobile and landline) for one year. The IPA enables the government to issue notices in relation to internet connection records including information about which websites a user has visited (their internet browsing history). If authorities wish to obtain details of the content of any communications, a special warrant will be required.

The UK Borders Act 2007 and the Immigration, Asylum and Nationality Act 2006 may enable access to HR records in certain circumstances relating to immigration checks.

The checklist below is divided into two parts:

  • Records where there are UK statutory retention periods, with the statutory authorities.
  • Records where there are no UK statutory retention periods, with recommended retention periods.

The the main UK legislation regulating statutory retention periods is summarised below. If employers are in doubt, it's a good idea to keep records for at least 6 years (5 in Scotland), to cover the time limit for bringing any civil legal action.

Record types

Accident books, accident records/reports
Statutory retention period: 3 years from the date of the last entry (or, if the accident involves a child/ young adult, then until that person reaches the age of 21). (See below for accidents involving chemicals or asbestos).
Statutory authority: The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and Limitation Act 1980. Special rules apply concerning incidents involving hazardous substances (see below).

Accounting records
Statutory retention period: 3 years for private companies, 6 years for public limited companies.
Statutory authority: Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006.

First aid training 
Statutory retention period: 6 years after employment
Statutory authority: Health and Safety (First Aid) Regulations 1981.

Fire warden training
Statutory retention period: 6 years after employment
Statutory authority: Fire Precautions (Workplace) Regulations 1997.

Health and Safety representatives and employees’ training
Statutory retention period: 5 years after employment
Statutory authority: Health and Safety (Consultation with Employees) Regulations 1996; Health and Safety Information for Employees Regulations 1989.

Income tax and NI returns, income tax records and correspondence with HMRC
Statutory retention period: not less than 3 years after the end of the financial year to which they relate.
Statutory authority: The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631).

Medical records and details of biological tests under the Control of Lead at Work Regulations
Statutory retention period: 40 years from the date of the last entry.
Statutory authority: The Control of Lead at Work Regulations 1998 (SI 1998/543) as amended by the Control of Lead at Work Regulations 2002 (SI 2002/2676).

Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH)
Statutory retention period: 40 years from the date of the last entry.
Statutory authority: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).

Medical records under the Control of Asbestos at Work Regulations: medical records containing details of employees exposed to asbestos and medical examination certificates
Statutory retention period: (medical records) 40 years from the date of the last entry; (medical examination certificates) 4 years from the date of issue.
Statutory authority: The Control of Asbestos at Work Regulations 2002 (SI 2002/ 2675). Also see the Control of Asbestos Regulations 2006 (SI 2006/2739) and the Control of Asbestos Regulations 2012 (SI 2012/632)

Medical records under the Ionising Radiations Regulations 1999
Statutory retention period: until the person reaches 75 years of age, but in any event for at least 50 years.
Statutory authority: The Ionising Radiations Regulations 1999 (SI 1999/3232).

National minimum wage records
Statutory retention period: 3 years after the end of the pay reference period following the one that the records cover.
Statutory authority: National Minimum Wage Act 1998.

Payroll wage/salary records (also overtime, bonuses, expenses) 
Statutory retention period: 6 years from the end of the tax year to which they relate. 
Statutory authority: Taxes Management Act 1970.

Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH)
Statutory retention period: 5 years from the date on which the tests were carried out.
Statutory authority: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).

Records relating to children and young adults
Statutory retention period: until the child/young adult reaches the age of 21.
Statutory authority: Limitation Act 1980.

Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity
Statutory retention period: 6 years from the end of the scheme year in which the event took place.
Statutory authority: The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103)

Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence (also shared parental, paternity and adoption pay records)
Statutory retention period: 3 years after the end of the tax year in which the maternity period ends.
Statutory authority: The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended, Maternity & Parental Leave Regulations 1999.

Subject access request 
Statutory retention period: 1 year following completion of the request
Statutory authority: Data Protection Act 2018.

Whistleblowing documents
Statutory retention period: 6 months following the outcome (if a substantiated investigation). If unsubstantiated, personal data should be removed immediately
Statutory authority: Public Interest disclosure Act 1998 and recommended IAPP practice.

Working time records including overtime, annual holiday, jury service, time off for dependents, etc
Statutory retention period: 2 years from date on which they were made.
Statutory authority: The Working Time Regulations 1998 (SI 1998/1833).

For many types of HR records, there is no definitive retention period: it is up to the employer to decide how long to keep them. Different organisations make widely differing decisions about the retention periods to adopt. Employers must consider what a necessary retention period is for them, depending on the type of record.

The advice in this factsheet is based on the time limits for potential UK tribunal or civil claims. The period is often a question of judgement rather than there being any definitive right answer. For example, some records managers in public sector organisations recommend keeping an employee’s records until they reach the age of 100, especially for pension purposes.

Employers should always review the length of time personal data is kept, consider its purpose when deciding how long to retain it, and update, archive or securely delete information if it goes out of date. It’s also important to remember that confidential data, for example sickness records, should have personally identifiable information removed where possible (pseudonymisation).

The UK Limitation Act 1980 contains a 6-year time limit for starting many legal proceedings. So where documents may be relevant to a contractual claim, it’s recommended that these are kept for at least a corresponding 6-year period. Under the same Act, the limit for defamation proceedings is one year although this has been extended in some cases. Defamation claims may be relevant to references or interview notes.

Record types

Actuarial valuation reports
Recommended retention period: permanently.

Assessments under health and safety regulations and records of consultations with safety representatives and committees
Recommended retention period: permanently.

Collective agreements
Recommended retention period: 6 years after the agreement ends.

CCTV footage
Recommended retention period:CCTV footage may be relevant to a disciplinary matter or unfair dismissal claim. Recommended Information Commissioner’s Office (ICO) retention practice is 6 months following the outcome of any formal decision or appeal.

Driving offences
Recommended retention period: Must be removed once the conviction is spent under the Rehabilitation of Offenders Act 1974.

Flexible working requests
Recommended retention period: 18 months following any appeal. This is because a further request cannot be made for 12 months following a request plus allowing for a 6 month tribunal limitation period on top.

Inland Revenue/HMRC approvals
Recommended retention period: permanently.

Money purchase details
Recommended retention period: 6 years after transfer or value taken.

Parental leave
Recommended retention period: 18 years from the birth of the child.

Pension records 
Recommended retention period:  12 years after the benefit ceases.

Pension scheme investment policies
Recommended retention period: 12 years from the ending of any benefit payable under the policy.

Personnel files and training records (including formal disciplinary records and working time records)
Recommended retention period: 6 years after employment ceases but note that it may be unreasonable to refer to expired warnings after two years have elapsed.

Recruitment application forms and interview notes (for unsuccessful candidates)
Recommended retention period: 6 months to a year. Because of the time limits in the various discrimination Acts, minimum retention periods for records relating to advertising of vacancies and job applications should be at least 6 months. A year may be more advisable as the time limits for bringing claims can be extended. Successful job applicants documents will be transferred to the personnel file in any event.

Redundancy details, calculations of payments, refunds, notification to the Secretary of State
Recommended retention period: 6 years from the date of redundancy

References
Recommended retention period:At least one year after the reference is given to meet the limitation period for defamation claims.

Right to work in the UK checks
Recommended retention period: Home Office recommended practice is 2 years after employment ends.

Senior executives' records (that is, those on a senior management team or their equivalents)
Recommended retention period: permanently for historical purposes.

Statutory Sick Pay records, calculations, certificates, self-certificates, occupational health reports
Recommended retention period: The Statutory Sick Pay (Maintenance of Records) (Revocation) Regulations 2014 (SI 2014/55) abolished the former obligation on employers to keep these records. Although there is no longer a specific statutory retention period, employers must still keep sickness records to best suit their business needs. It's advisable to keep records for at least 6 months after the end of the period of sick leave in case of a disability discrimination claim. However, if there's a personal injury claim, the limitation is 3 years. If there's a contractual claim for breach of an employment contract, it may be safer to keep records for 6 years after the employment ceases.

Termination of employment, for example early retirement, severance or death in service 
Recommended retention period: at least 6 years although the ICO’s retention schedule suggests until employee reaches age 100.

Terms and conditions including offers, written particulars, and variations
Recommended retention period: review 6 years after employment ceases or the terms are superseded.

Time cards
Recommended retention period: 2 years after audit.

Trade union agreements
Recommended retention period: 10 years after ceasing to be effective.

Trust deeds and rules
Recommended retention period: permanently.

Trustees' minute books
Recommended retention period: permanently.

Works council minutes
Recommended retention period: permanently.

This factsheet was last updated by Lisa Ayling, solicitor and employment law specialist. However, while every care has been taken in compiling the information, the CIPD cannot be held responsible for any errors or omissions and the information is not intended as a substitute for specific legal advice.

Lisa Ayling

Lisa Ayling: solicitor and employment law specialist

Lisa is a lawyer with many years’ experience of contentious and non‐contentious employment law. During her career she has advised companies and individuals on diverse legal issues including contractual disputes, restrictive covenants, TUPE, redundancy, unfair dismissal and discrimination. Her practical experience includes all stages of claims in the employment tribunal, High Court and Appeal courts and many negotiated settlement agreements.

As well as writing and editing employment law content for the CIPD, Lisa lectures extensively on employment law, including years as a senior lecturer and leader of the employment team at BPP University and on the LLM programme at Kingston University. She has delivered numerous professional development courses for other members of the law profession, as well as assessing trainees on their advocacy, research and drafting skills.

Explore our related content

Top