There’s a substantial amount of UK legislation concerning HR records and the Data Protection Act 2018 (DPA) tightened the law to deal with technological and data developments and incorporated the agreed provisions of the EU General Data Protection Regulation (GDPR). It applies to most HR records, whether held in paper or digital format.
Data must not be kept any longer than is necessary for a legitimate purpose and it must not be excessive. The emphasis is on the employer (the data controller) to have systems in place to determine how long the data should be retained and when records should be destroyed.
The DPA and GDPR do not expressly set out any specific minimum or maximum retention periods, although there is some guidance from the Information Commissioner’s Office (ICO).
Overall, records should not be kept for longer than is necessary for their particular purpose. However, employers are entitled to keep information to protect against their legal risks.
Certain documents such as employment contracts, accident record books and other personnel records may be needed outside the DPA in a legal action. Original documents must usually be available, or the employer must explain what happened to the originals, backed up by a ‘statement of truth’.
When employers no longer need to keep certain data, destruction must take place securely and effectively, for example by shredding.
Examples of statutory retention periods are summarised below. If in doubt, keeping records for at least 6 years.
Up to 1 year
- Whistleblowing documents
6 months following the outcome (if a substantiated investigation). If unsubstantiated, personal data should be removed immediately.
- Subject access requests
Records should be kept as long as they are needed after the last communication concerning a subject access request. A period of a year may be advisable. For example, if there is a refusal notice, complaints normally arise within three months of the review decision. However, there may be appeals to the information rights tribunal or the courts. The ICO recommend the requested information is retained for a minimum of six months after any internal review provided it is clear that no further action will take place. However, if further action seems likely, a year or longer may be advisable.
2 years
- Immigration checks
For the duration of employment and then 2 years after termination.
3 years
- Income tax and NI returns, income tax records and correspondence with HMRC
Not less than 3 years after the end of the relevant financial year.
- Payroll wage/salary records (also overtime, bonuses, expenses, benefits in kind)
At least 3 years after the end of the tax year to which they relate. However, given their potential relevance to pay disputes seven years after employment ends may be justified.
- Maternity records
- Night workers health assessments
5 years
- Health and Safety representatives and employees’ training
6 years
- Coronavirus furlough records
Including amounts claimed, claim period per employee, reference number and calculations. For flexible furlough – usual and actual hours worked.
- First Aid and Fire Warden training
- National minimum wage records
6 years after the end of the pay reference period following the one that the records cover.
- Working time records including overtime, annual holiday, time off for dependents, opt outs etc
2 years from date on which they were made. Records in relation to hours worked should currently be kept for 3 years, beginning with the day on which the pay reference period ends. From 1 January 2024, the requirement to specifically maintain reliable records of all workers’ daily working and rest hours was replaced with a requirement to keep ‘adequate’ records to demonstrate compliance with the regulations including the weekly 48 hour working limit, opt-out agreements, length of night work and health assessments for night workers.
Given the risk of pay disputes, six to seven years after the working relationship ends may be justified for some working time records.
- Special category or personal data consents
Consents for the processing of special categories of personal and sensitive data should be retained while the data is being processed. Keeping the consents may be justified for six to seven years after employment ends. - Retirement Benefits Schemes
6 years from the end of the scheme year in which the event took place.
40 years
Some medical records relating to COSHH, Asbestos etc