All organisations collect data relating to their employees – their HR records - including information on pay, sickness absence, or hours worked. HR records can be stored in hardcopy or electronically but it’s important for organisations to keep the information in a well-organised system so that it can be easily retrieved, and to comply with relevant legislation.

This factsheet introduces the legal position on the retention of HR records in the UK, including the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the employment practices code. It offers two checklists: one giving statutory retention periods for information where these exist, and the other giving recommendations for keeping information such as application forms or parental leave information.

Retention of people records is an extremely complex and constantly changing area. Organisations following good practice should have a document retention policy and monitoring programme that’s communicated to all staff. They should also follow both physical and electronic data security methods. The policy should ensure that records are kept as long as needed but no longer, and that records are destroyed securely. Such programmes may involve training not only about the legal issues involved, but also why having organised records benefits the business.

HR records include a wide range of data relating to individuals working in an organisation, for example, pay or absence levels, hours worked and trade union agreements. This information is usually stored electronically but may include paper records as well.

It is important for all organisations to maintain effective systems for storing HR data, both to ensure compliance with all relevant legislation (for example in respect of the minimum wage or working time regulations) as well to support sound personnel administration and broader HR strategy. Our human capital factsheet has more details of how employee information can help HR and management improve business performance.

Complex regulations may govern the length of time for which HR records should be stored.

There’s a substantial amount of UK legislation that has an impact upon the retention of personnel and other related HR records. Examples, dealing with particular categories of records are provided below.

Access, storage, format and destruction

From 25 May 2018, existing data protection duties in the UK were tightened up to adapt to the rapid expansion of technology and collection of data. The new Data Protection Act 2018 (DPA) incorporates the agreed provisions of the EU General Data Protection Regulation (GDPR) and applies to most HR records, whether held in paper, or digital format. Data mustn’t be kept any longer than is necessary for a legitimate purpose. Both computerised and manual systems can be covered by the law: to be covered, manual systems must be organised into a 'relevant filing system'. All employers must ensure they are data protection compliant and may need to designate a data protection officer, which could involve training and developing existing staff. See more in our factsheet on data protection and GDPR in the workplace.

Subject to certain exceptions under the DPA, employees have the right to access their records and the employer must ensure that the data is accurate. Before releasing data to a third party, the employer must seek the individual’s permission.

The DPA and GDPR do not expressly change retention periods and do not set out any specific minimum or maximum periods.

The Information Commissioner has issued The employment practices code, together with additional guidance notes, which employers should follow carefully. It’s in four parts:

  • Part 1: Recruitment and selection
  • Part 2: Employment records
  • Part 3: Monitoring at work
  • Part 4: Information about workers health.

As well as the DPA rules, certain documents such as employment contracts, accident record books and other personnel records may be needed in a legal action. Original documents must usually be available, or the employer must explain what happened to the originals backed up by what is known as a 'statement of truth'.

When employers really no longer need to keep certain data, destruction must take place securely and effectively, for example by shredding.

CIPD members can find out more on the legal aspects of data protection, including the difference between keeping records and being able to act on them, in our Data protection, surveillance and privacy at work law Q&As.

Public sector records

In the UK public sector there are many detailed rules about record retention. Part 1 of a statutory Code of Practice on the management of records sets out good practice in public authority records management. Part II deals with review of public records and transfer to the National Archives.

Many government departments publish their retention and disposal policies for all records which are reviewed annually and define how long records should be retained before they are either destroyed or transferred to the National Archives.

Other special provisions

Further special provisions may arise affecting the retention of, or access to, data. For example, the well publicised Investigatory Powers Act 2016 (IPA), nicknamed the ‘Snooper's Charter’, deals with certain aspects of data retention, but also contains provisions extending to the interception of communications. The sections relating to data retention already apply, but the remaining provisions have been subject to legal challenge and are not yet fully in force. Telecommunication companies must keep telephone call logs for one year. Internet service providers must retain communications data (including internet access, email and telephone calls - mobile and landline) for one year. The IPA enables the government to issue notices in relation to internet connection records including information about which websites a user has visited (their internet browsing history). If authorities wish to obtain details of the content of any communications, a special warrant will be required.

The UK Borders Act 2007 and the Immigration, Asylum and Nationality Act 2006 may enable access to HR records in certain circumstances relating to immigration checks.

The checklist below is divided into two parts:

  • Records where there are statutory retention periods, with the statutory authorities.
  • Records where there are no statutory retention periods, with recommended retention periods.

The the main UK legislation regulating statutory retention periods is summarised below. If employers are in doubt, it's a good idea to keep records for at least 6 years (5 in Scotland), to cover the time limit for bringing any civil legal action.

Record types

Accident books, accident records/reports
Statutory retention period: 3 years from the date of the last entry (or, if the accident involves a child/ young adult, then until that person reaches the age of 21). (See below for accidents involving chemicals or asbestos).
Statutory authority: The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and Limitation Act 1980. Special rules apply concerning incidents involving hazardous substances (see below).

Accounting records
Statutory retention period: 3 years for private companies, 6 years for public limited companies.
Statutory authority: Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006.

Income tax and NI returns, income tax records and correspondence with HMRC
Statutory retention period: not less than 3 years after the end of the financial year to which they relate.
Statutory authority: The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631).

Medical records and details of biological tests under the Control of Lead at Work Regulations
Statutory retention period: 40 years from the date of the last entry.
Statutory authority: The Control of Lead at Work Regulations 1998 (SI 1998/543) as amended by the Control of Lead at Work Regulations 2002 (SI 2002/2676).

Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH)
Statutory retention period: 40 years from the date of the last entry.
Statutory authority: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).

Medical records under the Control of Asbestos at Work Regulations: medical records containing details of employees exposed to asbestos and medical examination certificates
Statutory retention period: (medical records) 40 years from the date of the last entry; (medical examination certificates) 4 years from the date of issue.
Statutory authority: The Control of Asbestos at Work Regulations 2002 (SI 2002/ 2675). Also see the Control of Asbestos Regulations 2006 (SI 2006/2739) and the Control of Asbestos Regulations 2012 (SI 2012/632)

Medical records under the Ionising Radiations Regulations 1999
Statutory retention period: until the person reaches 75 years of age, but in any event for at least 50 years.
Statutory authority: The Ionising Radiations Regulations 1999 (SI 1999/3232).

National minimum wage records
Statutory retention period: 3 years after the end of the pay reference period following the one that the records cover.
Statutory authority: National Minimum Wage Act 1998.

Payroll wage/salary records (also overtime, bonuses, expenses) 
Statutory retention period: 6 years from the end of the tax year to which they relate. 
Statutory authority: Taxes Management Act 1970.

Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH)
Statutory retention period: 5 years from the date on which the tests were carried out.
Statutory authority: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).

Records relating to children and young adults
Statutory retention period: until the child/young adult reaches the age of 21.
Statutory authority: Limitation Act 1980.

Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity
Statutory retention period: 6 years from the end of the scheme year in which the event took place.
Statutory authority: The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103)

Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence
Statutory retention period: 3 years after the end of the tax year in which the maternity period ends.
Statutory authority: The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended.

Working time records
Statutory retention period: 2 years from date on which they were made.
Statutory authority: The Working Time Regulations 1998 (SI 1998/1833).

For many types of HR records, there is no definitive retention period: it is up to the employer to decide how long to keep them. Different organisations make widely differing decisions about the retention periods to adopt. Employers must consider what a necessary retention period is for them, depending on the type of record.

The advice in this factsheet is based on the time limits for potential UK tribunal or civil claims. The period is often a question of judgement rather than there being any definitive right answer. For example, some records managers in public sector organisations recommend keeping an employee’s records until they reach the age of 100, especially for pension purposes.

Employers should always review the length of time personal data is kept, consider the purposes of information when deciding how long to retain it, and update, archive or securely delete information if it goes out of date.

The UK Limitation Act 1980 contains a 6-year time limit for starting many legal proceedings. So where documents may be relevant to a contractual claim, it’s recommended that these are kept for at least a corresponding 6-year period.

Record types

Actuarial valuation reports
Recommended retention period: permanently.

Assessments under health and safety regulations and records of consultations with safety representatives and committees
Recommended retention period: permanently.

Inland Revenue/HMRC approvals
Recommended retention period: permanently.

Money purchase details
Recommended retention period: 6 years after transfer or value taken.

Parental leave
Recommended retention period: 18 years from the birth of the child.

Pension records 
Recommended retention period:  until the employee reaches age 100.

Pension scheme investment policies
Recommended retention period: 12 years from the ending of any benefit payable under the policy.

Personnel files and training records (including formal disciplinary records and working time records)
Recommended retention period: 6 years after employment ceases.

Recruitment application forms and interview notes (for unsuccessful candidates)
Recommended retention period: 6 months to a year. (Because of the time limits in the various discrimination Acts, minimum retention periods for records relating to advertising of vacancies and job applications should be at least 6 months. A year may be more advisable as the time limits for bringing claims can be extended. Successful job applicants documents will be transferred to the personnel file in any event.

Redundancy details, calculations of payments, refunds, notification to the Secretary of State
Recommended retention period: 6 years from the date of redundancy

Senior executives' records (that is, those on a senior management team or their equivalents)
Recommended retention period: permanently for historical purposes.

Statutory Sick Pay records, calculations, certificates, self-certificates
Recommended retention period: The Statutory Sick Pay (Maintenance of Records) (Revocation) Regulations 2014 (SI 2014/55) abolished the former obligation on employers to keep these records. Although there is no longer a specific statutory retention period, employers still have to keep sickness records to best suit their business needs. It is advisable to keep records for at least 3 months after the end of the period of sick leave in case of a disability discrimination claim. However, if there is a contractual claim for breach of an employment contract it may be safer to keep records for 6 years after the employment ceases.

Terms and conditions
Recommended retention period: review 6 years after employment ceases or the terms are superseded.

Termination of employment, for example early retirement, severance or death in service
Recommended retention period: at least 6 years although the ICO’s retention schedule suggests until employee reaches age 100.

Time cards
Recommended retention period: 2 years after audit.

Trade union agreements
Recommended retention period: 10 years after ceasing to be effective.

Trust deeds and rules
Recommended retention period: permanently.

Trustees' minute books
Recommended retention period: permanently.

Works council minutes
Recommended retention period: permanently.

Contacts

GOV.UK - Data protection and your business

Information Commissioner: for organisations

Books and reports

ACAS. (2009) Personnel data and record keeping. Advisory Booklet. London: Acas.

Journal articles

ALMOND, J. (2015) Data subject access: fishing for a settlement. Tolley's Employment Law Newsletter. Vol 20, No 7, May. pp51-53.

HARKER, S. and TOSTIVIN, M. (2011) Handle with care. Tolley's Employment Law Newsletter. Vol 17, No 3, September. pp19-21.

HARTLEY, A. (2013) Protecting confidential information in the digital workplace. Employers' Law. February. pp14-15

CIPD members can use our online journals to find articles from over 300 journal titles relevant to HR.

Members and People Management subscribers can see articles on the People Management website.

This factsheet was last updated by Lisa Ayling, solicitor and employment law specialist. However, while every care has been taken in compiling the information, the CIPD cannot be held responsible for any errors or omissions and the information is not intended as a substitute for specific legal advice.

Lisa Ayling

Lisa Ayling: solicitor and employment law specialist

Lisa is a lawyer with many years’ experience of contentious and non‐contentious employment law. During her career she has advised companies and individuals on diverse legal issues including contractual disputes, restrictive covenants, TUPE, redundancy, unfair dismissal and discrimination. Her practical experience includes all stages of claims in the employment tribunal, High Court and Appeal courts and many negotiated settlement agreements.

As well as writing and editing employment law content for the CIPD, Lisa lectures extensively on employment law, including years as a senior lecturer and leader of the employment team at BPP University and on the LLM programme at Kingston University. She has delivered numerous professional development courses for other members of the law profession, as well as assessing trainees on their advocacy, research and drafting skills.

Explore our related content

Top