All employers, regardless of their size, will need to collect and retain certain data relating to each member of staff that they employ.
HR records can cover a wide range of data relating to working for an organisation and arising naturally throughout the lifecycle of a person’s employment, from their job application and proof of their right to work in the UK to their leaver’s analysis or exit form. This information will then make up that individual’s HR records.
The following guide for employers examines the rules relating to retaining an employee’s HR records, including obligations on employers that arise under the data protection regime, as well as specific statutory retention periods of HR documents as required under separate pieces of UK legislation.
Why do HR records need to be kept?
The retention of HR records may be required by law, for internal purposes or in many cases, both. These records are not only essential in meeting the operational needs of your business and workforce, but in demonstrating compliance with your legal responsibilities as an employer.
Common examples of information kept within HR records include information relating to recruitment, a person’s job title, pay levels, hours worked, holiday entitlement and any other benefits to which they are entitled, their sick leave or parental leave, their annual performance analysis, their training and career development, as well as details of any disciplinary or grievance matters.
For example, having accurate PAYE and payroll records is an essential part of running a business, ensuring that your employees receive the right amount of pay under their contracts of employment. Further, if you fail to keep records to show that you’ve accurately reported to HMRC what you’ve paid an employee, as well as what deductions you’ve made, HMRC may estimate what tax you have to pay and charge you a hefty penalty.
Equally, the retention of personnel records can help you to avoid a civil penalty under the illegal working regime. By law, all employers are required to conduct a right to work check on prospective employees to ensure that they are not disqualified from carrying out their job role by reason of their immigration status. Carrying out this check and retaining a copy of the relevant documentation will provide a statutory excuse against liability for any civil penalty if an employee is later found to be working illegally.
The retention of personnel records can also be used to defend employment rights claims brought against you by either an existing or former employee before the employment tribunal or civil courts. For example, in the context of a personal injury claim, certain personnel records would need to be disclosed, including any accident report, safety training records, sick leave records and levels of statutory or contractual sick pay received by the claimant.
Retaining personal data
It is a necessary part of being an employer to request and retain certain information about your staff. However, data protection issues will have an impact on most HR activities, from handling recruitment to employee record-keeping, and even the provision of a reference after an individual’s employment has come to an end.
In the UK, there are strict rules under the data protection regime surrounding the retention of personal data, so understanding how these rules work, including your responsibilities and liabilities as a “data controller”, is a necessary part of being a responsible employer.
The main piece of UK legislation governing data protection is the Data Protection Act 2018 (DPA). This replaced the 1998 version and incorporates the UK General Data Protection Regulation (GDPR). The DPA and GDPR contain important rights for individuals concerning the processing of their personal data, covering both electronic and hard copy records.
Data protection is essentially about safeguarding personal and sensitive information, making sure it is used properly and legally, where the penalties for breaching the rules can be significant. The protection afforded to individuals under the legislation, including employees, is based on seven key principles, where personal data should be:
- Processed in a lawful, fair and transparent way (‘lawfulness, fairness and transparency’)
- Collected for specified, explicit and legitimate purposes (‘purpose limitation’)
- Adequate, relevant and limited to what’s necessary in relation to the purposes for which it’s processed (‘data minimisation’)
- Accurate and, where required, kept up-to-date (‘accuracy’)
- Kept in a form that only permits identification of the data subject for as long as is necessary based on the purposes for which the data is processed (‘storage limitation’)
- Processed in a way that ensures appropriate security of the data, including protection against either unauthorised and/or unlawful processing, and against accidental loss, destruction or damage (‘integrity and confidentiality’).
- Finally, the data controller shall be responsible for, and be able to demonstrate compliance with, all of the above (‘accountability’).
In the context of the retention of HR records, these principles mean that any personal data must not be kept for any longer than is necessary based on a legitimate purpose. This means that HR records must only be retained for as long as you have a clear business need for them.
You must also keep any data you collect on staff safe and secure, such as setting passwords for computer records or locking paper records in filing cabinets. Once the data is no longer needed, you must then dispose of it effectively, for example, using secure deletion software for online data or by shredding all paper records.
Statutory retention periods for HR documents
For many types of HR records there is no definitive retention period, where it is for the employer to decide the length of time they will keep specific records based on the nature of the information and the type of document. However, there are specific legislative provisions that require certain records to be kept for minimum periods of time. The provisions of the DPA and GDPR do not set out any specific minimum or maximum retention periods, nor expressly change retention periods as set out elsewhere.
Some of the main UK legislative provisions regulating statutory retention periods include:
- Under the Prevention of Illegal Working regime, right to work documents must be retained and stored securely for the duration of the individual’s employment and for a further two years after they have left the organisation.
- Under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR), you are required by law to keep any reports of serious workplace accidents, the diagnosis of occupational diseases and incidents of specified dangerous occurrences for at least 3 years from the date on which they were made.
- Under the Working Time Regulations 1998, you are required by law to keep working time records that are adequate to show, where applicable, that the maximum weekly limits are being complied with, for a period of 2 years from the date on which the records were made.
- Under the National Minimum Wage Regulations 2015, you are required by law to keep records for a period of 3 years after the end of the pay reference period following the one that the records cover, where these must be sufficient to establish that you’re remunerating a worker at a rate at least equal to the national minimum wage.
- Under the Statutory Maternity Pay (General) Regulations 1986, you are required by law to keep statutory maternity pay records for a period of 3 years after the end of the tax year in which the maternity pay period ends, including the medical certificate (Mat B1), together with records of leave dates and pay.
- Under the Statutory Paternity Pay and Statutory Adoption Pay (Administration) Regulations 2002, you are required by law to keep statutory paternity and adoption pay records for a period of 3 years after the end of the tax year in which the pay period ends.
- Under the Statutory Sick Pay (General) Regulations 1982, you are required by law to keep statutory sick pay (SSP) records for at least 3 years after the end of the tax year to which they relate, including records of dates of a person’s period of incapacity for work and records of all payments of SSP you made during that period.
- Under the Income Tax (Employments) Regulations 1993, you are required by law to keep pay-related records for income tax and national insurance purposes for not less than 3 years after the end of the financial year to which they relate.
This list of statutory retention periods of documents is not exhaustive. In some cases, records could be required to be retained for as long as several decades. For example, in the case of health records under the Control of Substances Hazardous to Health Regulations (COSHH) 2002, where an employee has been, or is liable to be, exposed to a substance hazardous to health, the statutory retention period is 40 years from the date of the last entry.
Equally, at the other end of the scale, and absent any statutory retention period, you don’t want to be retaining documents for any longer than is necessary, especially where there is no clear business reason to do so. For each category of personal data, the data protection regime requires you to demonstrate why it’s being kept and the reasons behind the retention period.
As a general rule of thumb, if data and documents are being retained after an employee has left the organisation for the purposes of defending possible tribunal and court claims, the time limit for bringing claims can be used to inform the retention period. Adopting this approach, many employers will retain HR records for a period of 6 years to reflect the length of time within which a claim for breach of contract can be instigated in the county or high court.
Because of the time limits in the various discrimination Acts, minimum retention periods for records relating to advertising of vacancies and job applications should be at least 6 months.
Advice for employers on retaining HR records
In most cases, where there’s no prescribed timeframe for the retention of certain documents, the question of what HR records to keep and how long to keep them will be a matter for your discretion. This means you must have a suitable system in place to determine how long certain data should be retained and at what stage records should be destroyed. You must also have suitable measures in place to securely retain and, where necessary, permanently delete data.
The following tips provide a useful reminder of those all-important data protection duties:
- Employers should regularly review the length of time that any personal data is kept, taking into account the purpose for which the information may be needed.
- Where data is retained, it must be held safely and securely, ensuring it cannot be stolen or tampered with, and access to personal data should be restricted only to those who need it.
- Employers should maintain up-to-date security systems, with regular reviews and risk assessments of those systems, taking action where needed.
- Where a decision is made that data is no longer needed, it must be securely deleted.
- To manage data responsibly and to remain data protection compliant at all times, it’s also good practice to have a clear document retention policy that’s communicated to all staff. The policy should ensure that records are kept for as long as needed but no longer, with guidelines for managers and HR about how to manage and securely destroy data.
- Your policy should also include provision for ongoing monitoring of HR records, appointing a properly trained record keeper with responsibility for this area. In some cases, the appointment of a designated data protection officer may also prove necessary.
DavidsonMorris are experienced legal advisers to employers on all aspects of employment and immigration compliance. Working closely with our HR adviser colleagues, we provide a holistic service to employers on personnel data and document retention practices and deliver training to HR teams to support effective implementation. For help and advice with a specific issue, speak to our experts.
Retention of HR records FAQs
How long should HR records be kept?
How long HR records should be kept will depend on the type of record. In some cases, there may be a statutory retention period: for example, under RIDDOR 2013, accident reports must be kept for at least 3 years. In other cases, it would usually be 6-12 months to comply with data protection rules.
Which employee records should be kept?
Most employee records must be kept during the course of a person’s employment. What information should be retained post-employment will depend on whether there is a business need for that information and whether any statutory provisions apply, such as the right to work requirement to retain documents for up to two years after the individual has left an organisation.
Last updated: 22 March 2021