Data Protection and GDPR
Learn how to mitigate the risk of breaching legislation through policies, processes and practices relating to Data Protection and GDPR in your organisation
Introduces the legal issues in the UK around effective retention and organisation of HR records
All organisations collect data relating to their employees – their HR records – including information on pay, sickness absence, or hours worked. HR records can be stored in hardcopy or electronically, but it’s important for organisations to keep the information in a well-organised system so that it can be easily retrieved and managed.
This factsheet introduces the legal position on the retention of HR records in the UK, including the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). It offers two checklists: one giving statutory retention periods where these exist, and the other giving recommendations for keeping information such as application forms or parental leave details.
HR records include a wide range of data relating to individuals working in an organisation, for example hours worked and pay or absence levels. This information is usually stored electronically but may include paper records as well, so employers should use both physical and electronic data security methods.
All organisations should maintain effective systems for storing HR data and comply with all relevant legislation. It’s good practice to have a document retention policy and monitoring programme that’s communicated to all staff. The policy should ensure that records are kept for as long as needed but no longer, and that records are destroyed securely. It may involve training about the legal issues involved and address the benefits of sound personnel administration and broader HR strategy. Our workforce reporting factsheet has more details of how employee information can help HR and management improve business performance.
There’s a substantial amount of UK legislation that has an impact on the retention of personnel and other related HR records. Examples dealing with particular categories of records are provided below.
From 25 May 2018, existing data protection duties in the UK were tightened up to adapt to the rapid expansion of technology and collection of data. The new Data Protection Act 2018 (DPA) incorporates the agreed provisions of the EU General Data Protection Regulation (GDPR) and applies to most HR records, whether held in paper or digital format.
Data must not be kept any longer than is necessary for a legitimate purpose and it must not be excessive. The emphasis is on the employer (the data controller) to have systems in place to determine how long the data should be retained and when records should be destroyed.
Both computerised and manual systems can be covered by the law: to be covered, manual systems must be organised into a 'relevant filing system'. All employers must ensure they are data protection compliant and may need to designate a data protection officer, which could involve training and developing existing staff. See more in our factsheet on data protection and GDPR in the workplace.
Subject to certain exceptions under the DPA, employees have the right to access their records and the employer must ensure that the data is accurate. Before releasing data to a third party, the employer must seek the individual’s permission.
The DPA and GDPR do not expressly change retention periods and do not set out any specific minimum or maximum periods.
As well as the DPA rules, certain documents such as employment contracts, accident record books and other personnel records may be needed in a legal action. Original documents must usually be available, or the employer must explain what happened to the originals, backed up by what is known as a 'statement of truth'.
When employers no longer need to keep certain data, destruction must take place securely and effectively, for example by shredding.
CIPD members can find out more on the legal aspects of data protection, including the difference between keeping records and being able to act on them, in our Data protection, surveillance and privacy at work law Q&As.
In the UK public sector there are many detailed rules about record retention. Part 1 of a statutory Code of Practice on the management of records sets out good practice in public authority records management. Part 2 deals with the review of public records and their transfer to the National Archives.
Many government departments publish their retention and disposal policies for all records which are reviewed annually and define how long records should be retained before they are either destroyed or transferred to the National Archives.
Further special provisions may affect the retention of, or access to, data. For example, the well-publicised Investigatory Powers Act 2016 (IPA), nicknamed the ‘Snooper's Charter’, deals with certain aspects of data retention, but also contains provisions extending to the interception of communications. The sections relating to data retention already apply, but the remaining provisions have been subject to legal challenge. Telecommunication companies must keep telephone call logs for one year. Internet service providers must retain communications data (including internet access, email and telephone calls - mobile and landline) for one year. The IPA enables specific government bodies to access internet connection records including information about which websites a user has visited (their internet browsing history). A special warrant is needed to access the actual content of any communication. In April 2020 the government introduced draft legislation attempting to increase the number of bodies who could obtain communications data from UK phone, mobile and broadband providers.
The UK Borders Act 2007 and the Immigration, Asylum and Nationality Act 2006 may permit access to HR records in certain circumstances relating to immigration checks.
The checklist below is divided into two parts: statutory retention periods where these exist, and recommended retention periods for records with no statutory period.
The main UK legislation regulating statutory retention periods is summarised below. If in doubt, it's a good idea to keep records for at least 6 years (5 in Scotland), to cover the time limit for bringing any civil legal action.
Accident books, accident records/reports (See below for accidents involving chemicals or asbestos)
Accounting records
First aid training
Fire warden training
Health and Safety representatives and employees’ training
Income tax and NI returns, income tax records and correspondence with HMRC
Medical records and details of biological tests under the Control of Lead at Work Regulations
Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH)
Medical records under the Control of Asbestos at Work Regulations: medical records containing details of employees exposed to asbestos and medical examination certificates
Medical records under the Ionising Radiations Regulations 1999
National minimum wage records
Payroll wage/salary records (also overtime, bonuses, expenses)
Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH)
Records relating to children and young adults
Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity
Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence (also shared parental, paternity and adoption pay records)
Subject access request
Whistleblowing documents
Working time records including overtime, annual holiday, jury service, time off for dependants, etc
For many types of HR records, there is no definitive retention period: it is up to the employer to decide how long to keep them. Different organisations make widely differing decisions about the retention periods to adopt. Employers must consider what a necessary retention period is for them, depending on the type of record.
The advice in this factsheet is based on the time limits for potential UK tribunal or civil claims. The appropriate period is often a question of judgement rather than a definitive right answer. For example, some records managers in public sector organisations recommend keeping an employee’s records until they reach the age of 100, especially for pension purposes.
Employers should always review the length of time personal data is kept, consider its purpose when deciding how long to retain it, and update, archive or securely delete information if it goes out of date. It’s also important to remember that confidential data, for example sickness records, should have personally identifiable information removed where possible (pseudonymisation).
The UK Limitation Act 1980 contains a 6-year time limit for starting many legal proceedings. So where documents may be relevant to a contractual claim, it’s recommended that these are kept for at least a corresponding 6-year period. Under the same Act, the limit for defamation proceedings is one year although this has been extended in some cases. Defamation claims may be relevant to references or interview notes.
Actuarial valuation reports
Assessments under health and safety regulations and records of consultations with safety representatives and committees
Collective agreements
CCTV footage
Driving offences
Flexible working requests
Inland Revenue/HMRC approvals
Money purchase details
Parental leave
Pension records
Pension scheme investment policies
Personnel files and training records (including formal disciplinary records and working time records)
Recruitment application forms and interview notes (for unsuccessful candidates)
Redundancy details, calculations of payments, refunds, notification to the Secretary of State
References
Right to work in the UK checks
Senior executives' records (that is, those on a senior management team or their equivalents)
Statutory Sick Pay records, calculations, certificates, self-certificates, occupational health reports
Termination of employment, for example early retirement, severance or death in service
Terms and conditions including offers, written particulars, and variations
Time cards
Trade union agreements
Trust deeds and rules
Trustees' minute books
Works council minutes
This factsheet was last updated by Lisa Ayling, solicitor and employment law specialist. However, while every care has been taken in compiling the information, the CIPD cannot be held responsible for any errors or omissions and the information is not intended as a substitute for specific legal advice.
Lisa is a lawyer with many years’ experience of contentious and non-contentious employment law. During her career she has advised companies and individuals on diverse legal issues including contractual disputes, restrictive covenants, TUPE, redundancy, unfair dismissal and discrimination. Her practical experience includes all stages of claims in the employment tribunal, High Court and Appeal courts and many negotiated settlement agreements.
As well as writing and editing employment law content for the CIPD, Lisa lectures extensively on employment law, including years as a senior lecturer and leader of the employment team at BPP University and on the LLM programme at Kingston University. She has delivered numerous professional development courses for other members of the law profession, as well as assessing trainees on their advocacy, research and drafting skills.