All employers, regardless of their size, will need to collect and retain certain data relating to each member of staff that they employ.
HR records can cover a wide range of data relating to working for an organisation and arising naturally throughout the lifecycle of a person’s employment, from their job application and proof of their right to work in the UK to their leaver’s analysis or exit form. This information will then make up that individual’s HR records.
The following guide for employers examines the rules relating to retaining an employee’s HR records, including obligations on employers that arise under the data protection regime, as well as specific statutory retention periods of HR documents as required under separate pieces of UK legislation.
Why do HR records need to be kept?
The retention of HR records may be required by law, for internal purposes or in many cases, both. These records are not only essential in meeting the operational needs of your business and workforce, but in demonstrating compliance with your legal responsibilities as an employer.
Common examples of information kept within HR records include information relating to recruitment, a person’s job title, pay levels, hours worked, holiday entitlement and any other benefits to which they are entitled, their sick leave or parental leave, their annual performance analysis, their training and career development, as well as details of any disciplinary or grievance matters.
For example, having accurate PAYE and payroll records is an essential part of running a business, ensuring that your employees receive the right amount of pay under their contracts of employment. Further, if you fail to keep records to show that you’ve accurately reported to HMRC what you’ve paid an employee, as well as what deductions you’ve made, HMRC may estimate what tax you have to pay and charge you a hefty penalty.
Equally, the retention of personnel records can help you to avoid a civil penalty under the illegal working regime. By law, all employers are required to conduct a right to work check on prospective employees to ensure that they are not disqualified from carrying out their job role by reason of their immigration status. Carrying out this check and retaining a copy of the relevant documentation will provide a statutory excuse against liability for any civil penalty if an employee is later found to be working illegally.
The retention of personnel records can also be used to defend employment rights claims brought against you by either an existing or former employee before the employment tribunal or civil courts. For example, in the context of a personal injury claim, certain personnel records would need to be disclosed, including any accident report, safety training records, sick leave records and levels of statutory or contractual sick pay received by the claimant.
Retaining personal data
It is a necessary part of being an employer to request and retain certain information about your staff. However, data protection issues will have an impact on most HR activities, from handling recruitment to employee record-keeping, and even the provision of a reference after an individual’s employment has come to an end.
In the UK, there are strict rules under the data protection regime surrounding the retention of personal data, so understanding how these rules work, including your responsibilities and liabilities as a “data controller”, is a necessary part of being a responsible employer.
The main piece of UK legislation governing data protection is the Data Protection Act 2018 (DPA). This replaced the 1998 version and incorporates the UK General Data Protection Regulation (GDPR). The DPA and GDPR contain important rights for individuals concerning the processing of their personal data, covering both electronic and hard copy records.
Data protection is essentially about safeguarding personal and sensitive information, making sure it is used properly and legally, where the penalties for breaching the rules can be significant. The protection afforded to individuals under the legislation, including employees, is based on seven key principles, where personal data should be:
- Processed in a lawful, fair and transparent way (‘lawfulness, fairness and transparency’)
- Collected for specified, explicit and legitimate purposes (‘purpose limitation’)
- Adequate, relevant and limited to what’s necessary in relation to the purposes for which it’s processed (‘data minimisation’)
- Accurate and, where required, kept up-to-date (‘accuracy’)
- Kept in a form that only permits identification of the data subject for as long as is necessary based on the purposes for which the data is processed (‘storage limitation’)
- Processed in a way that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage (‘integrity and confidentiality’).
- Finally, the data controller shall be responsible for, and be able to demonstrate compliance with, all of the above (‘accountability’).
In the context of the retention of HR records, these principles mean that any personal data must not be kept for any longer than is necessary based on a legitimate purpose. This means that HR records must only be retained for as long as you have a clear business need for them.
You must also keep any data you collect on staff safe and secure, such as setting passwords for computer records or locking paper records in filing cabinets. Once the data is no longer needed, you must then dispose of it effectively, for example, using secure deletion software for online data or by shredding all paper records.
Statutory retention periods for HR documents
For many types of HR records there is no definitive retention period, where it is for the employer to decide the length of time they will keep specific records based on the nature of the information and the type of document. However, there are specific legislative provisions that require certain records to be kept for minimum periods of time. The provisions of the DPA and GDPR do not set out any specific minimum or maximum retention periods, nor expressly change retention periods as set out elsewhere.
Some of the main UK legislative provisions regulating statutory retention periods include:
- Under the Prevention of Illegal Working regime, right to work documents must be retained and stored securely for the duration of the individual’s employment and for a further two years after they have left the organisation.
- Under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR), you are required by law to keep any reports of serious workplace accidents, the diagnosis of occupational diseases and incidents of specified dangerous occurrences for at least 3 years from the date on which they were made.
- Under the Working Time Regulations 1998, you are required by law to keep working time records that are adequate to show, where applicable, that the maximum weekly limits are being complied with, for a period of 2 years from the date on which the records were made.
- Under the National Minimum Wage Regulations 2015, you are required by law to keep records for a period of 3 years after the end of the pay reference period following the one that the records cover, where these must be sufficient to establish that you’re remunerating a worker at a rate at least equal to the national minimum wage.
- Under the Statutory Maternity Pay (General) Regulations 1986, you are required by law to keep statutory maternity pay records for a period of 3 years after the end of the tax year in which the maternity pay period ends, including the medical certificate (Mat B1), together with records of leave dates and pay.
- Under the Statutory Paternity Pay and Statutory Adoption Pay (Administration) Regulations 2002, you are required by law to keep statutory paternity and adoption pay records for a period of 3 years after the end of the tax year in which the pay period ends.
- Under the Statutory Sick Pay (General) Regulations 1982, you are required by law to keep statutory sick pay (SSP) records for at least 3 years after the end of the tax year to which they relate, including records of dates of a person’s period of incapacity for work and records of all payments of SSP you made during that period.
- Under the Income Tax (Employments) Regulations 1993, you are required by law to keep pay-related records for income tax and national insurance purposes for not less than 3 years after the end of the financial year to which they relate.
This list of statutory retention periods of documents is not exhaustive. In some cases, records could be required to be retained for as long as several decades. For example, in the case of health records under the Control of Substances Hazardous to Health Regulations (COSHH) 2002, where an employee has been, or is liable to be, exposed to a substance hazardous to health, the statutory retention period is 40 years from the date of the last entry.
Equally, at the other end of the scale, and absent any statutory retention period, you don’t want to be retaining documents for any longer than is necessary, especially where there is no clear business reason to do so. For each category of personal data, the data protection regime requires you to demonstrate why it’s being kept and the reasons behind the retention period.
As a general rule of thumb, if data and documents are being retained after an employee has left the organisation for the purposes of defending possible tribunal and court claims, the time limit for bringing claims can be used to inform the retention period. Adopting this approach, many employers will retain HR records for a period of 6 years to reflect the length of time within which a claim for breach of contract can be instigated in the county or high court.
Because of the time limits in the various discrimination Acts, minimum retention periods for records relating to advertising of vacancies and job applications should be at least 6 months.
Advice for employers on retaining HR records
In most cases, where there’s no prescribed timeframe for the retention of certain documents, the question of what HR records to keep and how long to keep them will be a matter for your discretion. This means you must have a suitable system in place to determine how long certain data should be retained and at what stage records should be destroyed. You must also have suitable measures in place to securely retain and, where necessary, permanently delete data.
The following tips provide a useful reminder of those all-important data protection duties:
- Employers should regularly review the length of time that any personal data is kept, taking into account the purpose for which the information may be needed.
- Where data is retained, it must be held safely and securely, ensuring it cannot be stolen or tampered with, and access to personal data should be restricted only to those who need it.
- Employers should maintain up-to-date security systems, with regular reviews and risk assessments of those systems, taking action where needed.
- Where a decision is made that data is no longer needed, it must be securely deleted.
- To manage data responsibly and to remain data protection compliant at all times, it’s also good practice to have a clear document retention policy that’s communicated to all staff. The policy should ensure that records are kept for as long as needed but no longer, with guidelines for managers and HR about how to manage and securely destroy data.
- Your policy should also include provision for ongoing monitoring of HR records, appointing a properly trained record keeper with responsibility for this area. In some cases, the appointment of a designated data protection officer may also prove necessary.
Need assistance?
DavidsonMorris are experienced legal advisers to employers on all aspects of employment and immigration compliance. Working closely with our HR adviser colleagues, we provide a holistic service to employers on personnel data and document retention practices and deliver training to HR teams to support effective implementation. For help and advice with a specific issue, speak to our experts.
Retention of HR records FAQs
What is the retention period for HR records?
There is no single definitive retention period for all HR records. Employers must consider legal requirements, the nature of the information, and business needs when deciding how long to retain specific records.
Do the GDPR and DPA specify retention periods?
The GDPR and DPA do not set specific retention periods. However, they require organisations to retain personal data only for as long as necessary and ensure it is securely stored and disposed of when no longer needed.
How long should right to work documents be kept?
Right to work documents must be retained for the duration of the individual’s employment and for at least two years after they leave the organisation.
What are the retention periods for payroll records?
Payroll records must be kept for at least three years under tax regulations. However, many organisations retain these for up to six years to comply with HMRC audit requirements.
How long should working time records be kept?
Under the Working Time Regulations, records must be kept for two years from the date they were made.
What is the retention period for health and safety records?
Health and safety records, including those under RIDDOR, must be kept for three years. For COSHH-related health records, the retention period is 40 years.
What should employers do when retention periods expire?
Employers should securely dispose of records that are no longer needed. Shredding physical records and permanently deleting digital files are recommended practices.
Can records be kept for longer than the statutory period?
Yes, employers may retain records for longer if they have a legitimate business need, such as defending potential legal claims. However, this must comply with data protection laws.
Are retention periods different for small businesses?
Retention periods are generally the same, regardless of the organisation’s size, as they are set by legal and regulatory requirements.
How should HR records be stored?
HR records should be stored securely, whether in physical or digital format, to prevent unauthorised access and ensure compliance with data protection regulations.
Glossary
Term | Definition |
---|---|
Retention Period | The length of time HR records must be kept, either as mandated by law or determined by organisational policy. |
HR Records | Documents related to employees, including contracts, payroll, performance reviews, and health and safety records. |
Data Protection Act (DPA) | UK legislation governing the processing and protection of personal data, complementing the GDPR. |
General Data Protection Regulation (GDPR) | EU regulation adopted by the UK, ensuring the lawful handling, storage, and disposal of personal data. |
Right to Work Documents | Evidence that an employee has the legal right to work in the UK, such as passports or visa details. |
RIDDOR (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations) | Regulations requiring the reporting and retention of workplace accident and incident records for at least three years. |
Working Time Records | Documents showing compliance with working time regulations, including hours worked and rest periods. |
Payroll Records | Records of employee pay, including payslips, P60s, and tax-related documents, retained for tax and audit purposes. |
COSHH (Control of Substances Hazardous to Health) | Regulations requiring the retention of health records for employees exposed to hazardous substances, often for 40 years. |
National Minimum Wage Records | Documentation showing compliance with minimum wage laws, retained for at least three years. |
Statutory Sick Pay (SSP) Records | Records of SSP payments, including dates of incapacity, retained for at least three years after the tax year they relate to. |
Statutory Maternity Pay (SMP) Records | Documents showing SMP payments, leave dates, and medical evidence, retained for three years after the end of the tax year. |
Data Minimisation | A GDPR principle requiring organisations to collect and retain only the data necessary for specific purposes. |
Secure Disposal | The process of destroying HR records that are no longer needed, ensuring compliance with data protection laws. |
Audit Requirements | Legal or organisational obligations to retain records for potential review by regulatory bodies, such as HMRC. |
Health and Safety Records | Documents related to workplace safety, including incident reports and risk assessments, often retained for several years. |
Employer Obligations | Legal duties of employers, such as maintaining accurate records and ensuring compliance with retention laws. |
Retention Policy | An organisational document outlining how long different types of HR records will be retained and how they will be securely disposed of. |
Author
Founder and Managing Director Anne Morris is a fully qualified solicitor and trusted adviser to large corporates through to SMEs, providing strategic immigration and global mobility advice to support employers with UK operations to meet their workforce needs through corporate immigration.
She is recognised by Legal 500 and Chambers as a legal expert and delivers Board-level advice on business migration and compliance risk management as well as overseeing the firm’s development of new client propositions and delivery of cost and time efficient processing of applications.
Anne is an active public speaker, immigration commentator, and immigration policy contributor and regularly hosts training sessions for employers and HR professionals.
- Anne Morris: https://www.davidsonmorris.com/author/anne/