Employers in the UK are legally required to retain ex-employee records for specific periods after employment ends. Personnel records include the employee’s personal details, pay and tax information, working time, absences, training, career progression and any disciplinary or grievance matters.
An employer’s duties to retain personnel records are governed by a combination of business and statutory requirements, as well as accepted best practice. For example, payroll records must generally be kept for at least 3 years from the end of the tax year they relate to, as required by HMRC. Records relating to workplace accidents must be retained for 3 years after the incident, while data linked to discrimination or unfair dismissal claims should be kept for 6 years to protect against potential legal disputes.
Key risks for employers include holding records longer than necessary, which breaches the UK GDPR rules on data minimisation, or failing to retain them for the required period, which can result in penalties or hinder legal defence. Employers should also securely store records to prevent unauthorised access and establish clear retention policies for all employee data.
This guide will consider the types of employee records and the differing obligations of the employer to retain each of them, as well as how to manage the personnel records in accordance with data protection legislation during and after an employee’s period of employment.
How long should you keep personnel files?
As an organisation you will hold different types of records about each former and current employee. The length of time for which you have to keep each type of record depends on whether it is set by statute, by the length of time your business could be sued by the employee after they have left, or by standard practice.
The following table sets out the key dates for retaining different types of employee records:
Document Type | Retention Period |
---|---|
Working time records | 2 years from the date to which they relate. |
Maternity, paternity, adoption and shared parental leave pay records | 3 years after the end of the tax year in which the pay ceased. Birth certificates must not be kept, only the child’s date of birth. |
Income tax and National Insurance records | 3 years after the end of the tax year to which they relate. |
National Minimum Wage records | 3 years from the end of the pay reference period. |
Salary and pay records generally | 6 years. |
Tachograph records (drivers’ working hours and rest breaks) | 1 year after use. |
Records of accidents in the workplace | At least 3 years from the date the record was made. If a child is involved, retain until they turn 21. |
Application and recruitment records | At least 6 months (to cover discrimination claims) and up to 12 months for unsuccessful candidates. |
Parental leave records | 5 years from the birth or adoption, or until the child is 18 if they receive disability allowance. |
Pension benefits records | 6 years; 4 years for employees who opt out of the pension scheme. |
Disclosure and Barring Service (DBS) check | As long as necessary, usually no more than 6 months. |
Right to work documents | Duration of employment plus 2 years after employment ends. |
Personnel files and training records | 6 years from the end of employment. |
The six-year period is the limitation period in English civil law. This means that after six years the law would prevent a former employee making a claim against you for breach of contract; up until the six-year point, that claim could still be made.
The limitation period for claims in the Employment Tribunal is much shorter, three months for most claims, and six months for redundancy pay and discrimination claims. However, as the civil court limitation period is so much longer, it is advisable to be guided by that.
In relation to the right to work documents, it is not a legal requirement to keep such documents. However, if your organisation unknowingly employed someone who did not have the right to work in the UK and was prosecuted in the civil courts for this, then it could form a defence if you had these records to hand.
GDPR considerations
GDPR is a European regulation that applies in the UK by virtue of the Data Protection Act 2018, which came into effect on the 25th of May, 2018.
The GDPR requires your organisation to use data in a way that is lawful, fair and transparent. In addition, it requires you to identify the purpose for which you collect or hold the data, and not continue to process that data in a way that goes beyond your original purpose. For example, if you interview a person for a job and they are unsuccessful, you may well retain their email address for six months. However, it would be in breach of the GDPR for you to add the applicant’s email address to your marketing or promotions list. This was not the original purpose for which you collected the information and the applicant is unlikely to have been asked for or given their consent to this.
If your business is part of an international organisation, you should also be aware that the GDPR restricts to whom you can export your data. If the company with which you want to share the data is outside the European Economic Area, then you cannot share it unless the country in which the company is based has laws providing at least as much protection as the GDPR.
The penalties for breaching the GDPR are severe. Your organisation is required to notify the Information Commissioner’s Office of any data breaches within seventy-two hours of the breach. A breach includes not just the loss of personal data, but an attempted hack, instances of unauthorised access to data and instances of the destruction of data.
Depending on the severity of the breach, fines under the GDPR are divided into two tiers.
Lower tier fines can be up to €10 million or 2% of global annual turnover, whichever is greater. These typically apply to infringements of administrative requirements, such as failing to maintain proper records, failing to notify a data breach, or not implementing appropriate technical and organisational measures.
Higher tier fines can be up to €20 million or 4% of global annual turnover, whichever is greater. These relate to more serious breaches, such as failing to comply with the principles of data processing (e.g., processing data without a lawful basis) or failing to demonstrate valid consent where it is required.
Failure to demonstrate consent or processing data without a lawful basis could therefore fall into the higher tier of fines, as it breaches the fundamental principles of lawful, fair, and transparent data processing under the GDPR. The severity of the fine will depend on factors such as the nature, gravity, and duration of the breach, as well as whether the infringement was intentional or resulted from negligence.
Practical advice for employers to be compliant
In light of these levels of fines, it is highly advisable to ensure that you are compliant with the GDPR. Some important categories of compliance include:
Employee consent
Have all your employees given their consent to you to use their data? You cannot rely on consent given in contracts of employment in the past. All employees should be asked to fill in a separate, specific form giving their consent.
Employees should also be given information about their rights under the GDPR in the form of a ‘privacy notice’. For example, an employee can withdraw their consent to you holding certain items of sensitive personal data. Examples of such data include the employee’s religion, ethnicity, political opinions, trade union membership, biometrics, medical history and sexual history or orientation.
However, you can hold most other data without seeking your employee’s permission. This includes their address, tax code, date of birth, emergency contact details, sickness absence, accidents and training at work, and their disciplinary record.
Subject access requests
You must make sure that you have a procedure in place to handle subject access requests by current and former employees. A subject access request is a request by the subject of the data (your employee or former employee) to access the personal information you hold about them. You must respond to such requests within one month of receiving the request. You are allowed to ask the person who has made the subject access request for information to verify their identity. If you need to do this, your one month period for responding will not start until you have received the additional information you requested.
You need to consider how you will balance the privacy of third parties mentioned in the employee’s file, with the employee’s right to see their personal information. It is acceptable in some cases to withhold information that would disclose a third party’s identity, for example where that person has made an allegation of sexual harassment.
Finally, you should train managers as to the extent of the information that will be disclosed if an employee makes a subject access request. This will help them to consider carefully what they record, ensuring that it is relevant and professional in tone.
Scope of obligations
Employers owe general obligations under data protection legislation to a wide range of individuals, not just their current and former employees. These obligations extend to contract workers, agency staff, freelancers, and job applicants, regardless of whether their employment or engagement was successful, ongoing, or has ended.
Under the UK GDPR and the Data Protection Act 2018, all personal data collected, stored, and processed must be handled lawfully, fairly, and transparently. Employers must ensure that data is only retained for as long as necessary, used for its intended purpose, and protected from unauthorised access.
Contract workers and agency staff often have records similar to those of permanent employees, including pay details, contracts, and performance information. Similarly, applicants’ data—such as CVs, interview notes, and background checks—must be managed responsibly, even if they were not hired. Employers must consider retention periods for this data and delete it when it is no longer required.
Security of data
For current employees, as well as former employees about whom you will retain personal data long after they have ceased to work for you, you must ensure that their personal information is kept securely. The data should be backed up, again securely, and if you have paper records then these need to be kept in a locked filing cabinet. The number of people who have access to the data should be kept to a minimum.
In the case of ‘sensitive’ personal data, such as that relating to the health of an employee or criminal records, this should be kept separately with restricted access.
You can use computer programs to alert you as to when a file, or part of a file, can be deleted, thereby ensuring you are not keeping the file beyond its original purpose. Once you are ready to dispose of the file, this should be carried out in a secure fashion, using a shredder for hard copies and checking computers have completely removed a deleted item, as opposed to moving it to another folder.
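As an added example (not code from the original article), the following Python script is a minimal retention scheduler of the kind described above: it computes the earliest deletion date for each record type from the minimum periods in the table earlier on this page, including the UK tax-year-end rule for payroll records, and lists which records in a constructed sample register have passed their retention date. The record-type names and sample records are assumptions for illustration; the special cases in the table (accidents involving a child, parental leave with disability allowance) are not modelled.

```python
from calendar import monthrange
from datetime import date

# Added example: retention scheduler built from the retention table on this page.
# Record-type names and the sample register below are constructed for illustration.

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day for short months (e.g. 29 Feb -> 28 Feb)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))

def end_of_uk_tax_year(d: date) -> date:
    """Return the 5 April that ends the UK tax year containing d (tax years run 6 Apr to 5 Apr)."""
    end = date(d.year, 4, 5)
    return end if d <= end else date(d.year + 1, 4, 5)

# Trigger date -> earliest date the record may be deleted (minimum periods from the table).
RETENTION_RULES = {
    "working_time": lambda d: add_months(d, 24),                     # 2 years from the date they relate to
    "payroll_tax": lambda d: add_months(end_of_uk_tax_year(d), 36),  # 3 years after end of the tax year
    "minimum_wage": lambda d: add_months(d, 36),                     # 3 years from end of pay reference period
    "accident": lambda d: add_months(d, 36),                         # at least 3 years from the record date
    "recruitment_unsuccessful": lambda d: add_months(d, 6),          # at least 6 months (up to 12)
    "right_to_work": lambda d: add_months(d, 24),                    # 2 years after employment ends
    "personnel_file": lambda d: add_months(d, 72),                   # 6 years from end of employment
}

def deletion_due(record_type: str, trigger: date) -> date:
    """Earliest date on which a record of this type, triggered on `trigger`, may be deleted."""
    return RETENTION_RULES[record_type](trigger)

def records_due_for_review(records, today: date):
    """Return [(record_id, due_date)] for records whose retention period has expired, oldest first."""
    due = [(rid, deletion_due(rtype, trig)) for rid, rtype, trig in records]
    return sorted(((rid, d) for rid, d in due if d <= today), key=lambda x: x[1])

# Constructed sample register: (record id, record type, trigger date).
SAMPLE_RECORDS = [
    ("emp-001-personnel", "personnel_file", date(2017, 9, 30)),      # employee left 30 Sep 2017
    ("emp-001-payroll", "payroll_tax", date(2017, 9, 30)),           # final pay in the 2017/18 tax year
    ("cand-042-cv", "recruitment_unsuccessful", date(2024, 3, 15)),  # candidate rejected 15 Mar 2024
    ("emp-007-accident", "accident", date(2022, 11, 2)),             # accident book entry
]

if __name__ == "__main__":
    for rid, due in records_due_for_review(SAMPLE_RECORDS, date(2024, 6, 1)):
        print(f"{rid}: retention expired on {due.isoformat()}, review for secure deletion")
```

The "earliest deletion" dates are a prompt for review rather than an automatic purge, since a live claim or litigation hold can justify keeping a record beyond its normal period.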
Finally, it is important to identify the person, or people in a larger organisation, who have overall responsibility for managing data protection for your business. This role will include reporting obligations in the case of a data breach, as well as leading on data management and privacy.
Need assistance?
DavidsonMorris’ team of HR specialists and employment lawyers can help with all aspects of workforce management, including HR administration and compliance requirements. For help and advice on a specific issue, speak to our experts.
Retaining personnel records FAQs
How long should ex-employee records be kept in the UK?
The retention period depends on the type of record. Generally, payroll and tax records should be kept for 3 years after the tax year ends. Other records, such as those related to legal claims, may need to be kept for up to 6 years.
Why is it important to retain ex-employee records?
Keeping records ensures compliance with tax laws, employment regulations, and data protection requirements. It also helps defend against legal claims, such as unfair dismissal or discrimination cases.
What happens if records are kept for too long?
Holding ex-employee records longer than necessary breaches UK GDPR principles, which require data to be retained only for as long as needed. This could result in fines from the Information Commissioner’s Office (ICO).
How should ex-employee records be stored?
Records should be stored securely, whether in physical or digital format, to prevent unauthorised access. Access should be limited to relevant personnel only.
How should records be disposed of when no longer needed?
Once the retention period has passed, records must be disposed of securely. For physical documents, shredding is recommended, while digital records should be permanently deleted.
What if an ex-employee requests access to their records?
Under UK GDPR, former employees have the right to request access to their personal data. Employers must respond within one month and provide the requested information, unless exemptions apply.
Author
Founder and Managing Director Anne Morris is a fully qualified solicitor and trusted adviser to large corporates through to SMEs, providing strategic immigration and global mobility advice to support employers with UK operations to meet their workforce needs through corporate immigration.
She is recognised by Legal 500 and Chambers as a legal expert and delivers Board-level advice on business migration and compliance risk management, as well as overseeing the firm’s development of new client propositions and delivery of cost- and time-efficient processing of applications.
Anne is an active public speaker, immigration commentator and immigration policy contributor, and regularly hosts training sessions for employers and HR professionals.
- Anne Morris: https://www.davidsonmorris.com/author/anne/