Record retention mistakes cost businesses thousands in regulatory fines each year. The Information Commissioner's Office continues to issue penalties to organisations that fail to manage employee data properly. These failures often stem from keeping records too long, destroying them too early, or storing them insecurely.
Small businesses face particular challenges when balancing legal requirements with practical limitations. Storage costs money, whether physical or digital. Yet destroying records prematurely creates legal vulnerabilities that can prove far more expensive than maintaining proper retention systems.
In this article, we explore the legal retention periods for different HR records, the data protection principles that apply, and practical steps businesses can take to maintain compliance while safeguarding employee information.
HR records retention in the UK is regulated by data protection law - primarily the Data Protection Act 2018 and UK GDPR - which requires employers to keep personal data only as long as necessary for its original purpose (See: ICO guidance [1]). At the same time, there are a variety of statutory rules stemming from tax, health and safety, and other regulatory requirements that mandate minimum retention periods for specific categories of HR documents.
This presents a significant compliance challenge: retaining personal data beyond legal necessity breaches data protection legislation, while early disposal may violate statutory record-keeping duties. The solution is to implement precise retention schedules tailored to each record type. Every document category may have distinct legal guidelines determining how long you should keep it and when you must destroy it.
It is recommended that employment contracts and associated paperwork are retained for six or seven years after employment ends, reflecting the six-year limitation period for breach-of-contract claims under the Limitation Act 1980 [2] (five years in Scotland).
Payroll and tax records (e.g., P45s, P60s, payslips, wage records) commonly follow the "6 years + current accounting year" approach favoured by HMRC, even though the statutory minimum is three years from the end of the tax year they relate to. This extended practice helps safeguard against audits and claims [3].
Maternity, paternity, and adoption leave records must be kept for three years from the end of the tax year to which they relate - a requirement of HMRC for statutory payment verification. Similar rules apply to statutory paternity leave records [4].
Sickness absence records (e.g. Statutory Sick Pay documentation) should likewise be retained for a minimum of three years.
Working time records fall under the Working Time Regulations 1998, requiring employers to keep some records for two years from the date they were made to prove that:
See ACAS guidance [5].
Accident books and incident reports must be retained for at least three years from the date of the incident or entry, or longer if a claim has been started. This supports RIDDOR compliance and aligns with the Limitation Act for injury claims (See: HSENI guidance [6]). The HSE's recordkeeping requirements reinforce this [7].
Risk assessments do not have a fixed statutory retention period, but best practice is to retain them for as long as they remain current plus at least three years after supersession.
Under COSHH regulations, health surveillance records and exposure-related documentation must be kept for 40 years, owing to the long latency of some occupational illnesses. See HSE health surveillance guidance [8].
GDPR requires organisations to establish a lawful basis for processing personal data, which includes storage. ICO guidance on keeping employment records highlights that HR departments typically rely on legal obligation or legitimate interests [1].
Document your lawful basis clearly in a formal retention policy to show compliance intent and safeguard against regulatory scrutiny.
Retaining entire personnel files indefinitely breaches GDPR's principles of data minimisation and storage limitation. Instead, categorise documents by retention period and destroy each category promptly when it expires. Some digital systems may simplify this via auto-deletion, while manual systems require vigilant record management.
Segregate documents by retention category from the outset [9]. Mixed archives become a compliance liability over time.
Date-stamp all incoming or created documents. Without clear dates, you cannot determine when to destroy records. Where possible, annotate retention periods visibly on file covers or metadata fields to avoid premature or prolonged retention.
Schedule annual retention reviews during quieter business periods. Track destruction via logs or certificates to evidence GDPR compliance if challenged.
Litigation holds override standard retention timelines. Once legal proceedings are anticipated - such as an employment tribunal claim - maintain all potentially relevant documents regardless of retention expiry.
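As an added example (not from the article or any of the bodies it cites), a small Python retention review that encodes the periods above as a schedule, anchors the HMRC-style rules to the end of the UK tax year, checks litigation holds before any expiry date, and returns what is due for destruction together with the reason each remaining record is kept. The category names, record identifiers and dates are constructed for the example; the five-year Scottish limitation period is not modelled.

```python
from dataclasses import dataclass
from datetime import date
# Hypothetical schedule built from the article's periods: (years to keep, anchor). Anchor
# "tax_year_end" counts from the 5 April that closes the UK tax year containing the event.
SCHEDULE = {
    "employment_contract": (6, "event"),         # Limitation Act 1980 (England & Wales)
    "payroll": (6, "tax_year_end"),              # HMRC "6 years + current year" practice
    "working_time": (2, "event"),                # Working Time Regulations 1998
    "accident_book": (3, "event"),               # RIDDOR / injury-claim limitation
    "coshh_health_surveillance": (40, "event"),  # long-latency occupational illness
}
@dataclass
class Record:
    record_id: str
    category: str
    event_date: date
    on_hold: bool = False  # litigation hold: overrides the schedule entirely

def add_years(d: date, years: int) -> date:
    try:  # a 29 Feb start clamps to 28 Feb when the target year is not a leap year
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def destroy_after(category: str, event_date: date) -> date:
    years, anchor = SCHEDULE[category]
    start = event_date
    if anchor == "tax_year_end":  # the bool adds 1 when the event falls after 5 April
        start = date(event_date.year + (event_date > date(event_date.year, 4, 5)), 4, 5)
    return add_years(start, years)

def review(records: list[Record], today: date) -> tuple[list[str], list[tuple[str, str]]]:
    """Annual review: ids due for destruction, plus (id, reason) for each record retained."""
    to_destroy, retained = [], []
    for r in records:
        due = destroy_after(r.category, r.event_date)
        if r.on_hold:  # checked before the date: a hold keeps an expired record
            retained.append((r.record_id, f"litigation hold (schedule date was {due})"))
        elif due < today:
            to_destroy.append(r.record_id)
        else:
            retained.append((r.record_id, f"retain until {due}"))
    return to_destroy, retained
# Constructed sample register; identifiers and dates are invented for this example.
SAMPLE = [
    Record("EMP-001", "employment_contract", date(2018, 3, 31)),
    Record("PAY-001", "payroll", date(2018, 6, 10)),
    Record("ACC-001", "accident_book", date(2021, 1, 15), on_hold=True),
    Record("WTR-001", "working_time", date(2024, 2, 29)),
]
```

Running `review(SAMPLE, date(2025, 6, 1))` lists EMP-001 and PAY-001 for destruction and keeps ACC-001 (hold) and WTR-001 (until 2026-02-28); the retained list doubles as the evidence trail the article recommends logging.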
Under TUPE, employee liability information provided during transfers must be retained. While government guidance doesn't specify a fixed period, in practice it's prudent to retain these records for at least six years post-transfer. See ICO TUPE guidance [9].
Pension records should be kept until six years after pension benefits cease, to support claims or disputes that may arise long after retirement.
This article is intended for informational purposes only and does not constitute legal advice. The information is accurate at the time of writing but may be subject to change. For advice specific to your situation, please consult a qualified professional.
[1] ICO, Employment practices and data protection - Keeping employment records
[2] Legislation.gov.uk, Limitation Act 1980, Section 5
[3] HMRC, Records management and retention and disposal policy; PAYE record-keeping guidance
[4] GOV.UK, Statutory Maternity, Paternity and Adoption Pay records
[5] ACAS, Working time rules - employer guidance
[6] HSENI, Accident records retention
[7] HSE, RIDDOR recordkeeping requirements
[8] HSE, Health surveillance recordkeeping under COSHH
[9] GOV.UK, Records management policy and guidance