top of page
Search

Retaining HR Records

Updated: Apr 21

What are HR records?

 

HR records include a wide range of data relating to individuals working in an organisation, for example hours worked, pay rates or absence levels. This information is usually stored electronically but may include paper records as well, so employers should use both physical and electronic data security methods.


All organisations should maintain effective systems for storing HR data and comply with legislation. They should regularly review the length of time and purpose of retaining any personal data.

 


Risk assessments of the organisation's systems should also be undertaken regularly. It’s good practice to have a document retention policy and monitoring programme that’s communicated to all staff and summarises the relevant retention periods. The policy should ensure that records are kept for as long as needed but no longer, and that records are destroyed securely. It may involve training about the legal issues involved. Access to personal data should be restricted to those who need it.  

 

The UK legal position

 

There’s a substantial amount of UK legislation concerning HR records.

 

The Data Protection Act 2018 (DPA) tightened the law to deal with technological and data developments and incorporated the agreed provisions of the EU General Data Protection Regulation (GDPR). It applies to most HR records, whether held in paper or digital format.

 

Data must not be kept any longer than is necessary for a legitimate purpose and it must not be excessive. The emphasis is on the employer (the data controller) to have systems in place to determine how long the data should be retained and when records should be destroyed.

 

To be covered, manual systems must be organised into a 'relevant filing system'. All employers must ensure they are data protection compliant and may need to designate a data protection officer, which could involve training and developing existing staff.

Subject to certain exceptions, employees have the right to access their records and the employer must ensure that the data is accurate and seek the employee’s permission before releasing it.

 

The DPA and GDPR do not expressly set out any specific minimum or maximum retention periods, although there is some guidance from the Information Commissioner’s Office (ICO).

 

Overall, records should not be kept for longer than is necessary for their particular purpose. However, employers are entitled to keep information to protect against their legal risks. 

 

Certain documents such as employment contracts, accident record books and other personnel records may be needed outside the DPA in a legal action. Original documents must usually be available, or the employer must explain what happened to the originals, backed up by a 'statement of truth'.

 

When employers no longer need to keep certain data, destruction must take place securely and effectively, for example by shredding.

 

Statutory retention periods

 

Examples of statutory retention periods are summarised below.

 

If in doubt, keeping records for at least 6 years (5 in Scotland), covers the standard time limit for any civil legal action. However, the recommended default retention period for records with financial or tax implications may be the six-year limitation period plus one for the current financial year, with a review or destruction to be carried out in the additional (+ 1) accounting year.



Record types

 

Accident records/reports for any reportable work accident, death or injury

 

  • Statutory retention period: At least 4 years from the date the report was made (or until any younger person involved in the accident reaches 21).

  • See: The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and Limitation Act 1980. Special rules apply concerning hazardous chemicals or substances.

 

Accounting records

 

  • Statutory retention period: 3 years for private companies, 6 years for public limited companies.

  • See: Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006.

 

Coronavirus furlough records

 

  • Statutory retention period: 6 years for furlough records including amounts claimed, claim period per employee, reference number and calculations. For flexible furlough - usual and actual hours worked. 

  • See: former statutory guidance 'Claim for wages through the Coronavirus Job Retention Scheme'.

 

First aid training

 

  • Statutory retention period: 6 years after employment.

  • See: Health and Safety (First Aid) Regulations 1981.

 

Fire warden training

 

·       Statutory retention period: 6 years after employment.

See: Fire Precautions (Workplace) Regulations 1997.

 

Health and Safety representatives and employees’ training

 

  • Statutory retention period: 5 years after employment.

  • See: Health and Safety (Consultation) Regulations 1996; Health and Safety Information for Employees Regulations 1989.

 

Immigration checks

 

  • Statutory retention period: for the duration of employment and then 2 years after the termination of employment.

 

Income tax and NI returns, income tax records and correspondence with HMRC

 

  • Statutory retention period: Not less than 3 years after the end of the relevant financial year.

  • See: The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended.

 

Medical records and details of biological tests under the Control of Lead at Work Regulations

 

  • Statutory retention period: 40 years from the date of the last entry.

  • See: The Control of Lead at Work Regulations 1998 (SI 1998/543) as amended by the Control of Lead at Work Regulations 2002 (SI 2002/2676).

 

Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH)

 

  • Statutory retention period: 40 years from the date of the last entry.

  • See: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).

 

Medical records under the Control of Asbestos at Work Regulations:

 

  • Statutory retention period: 40 years from the date of the last entry (medical records); 4 years from the date of issue (medical examination certificates).

  • See: The Control of Asbestos at Work Regulations in 2002, 2006 and 2012  (SI 2002/ 2675) (SI 2006/2739) and  (SI 2012/632).

 

Medical records under the Ionising Radiations Regulations 1999

 

  • Statutory retention period: Until the person reaches 75 years of age, but in any event for at least 50 years.

  • See: The Ionising Radiations Regulations 1999 (SI 1999/3232).

 

National minimum wage records

 

  • Statutory retention period: 6 years after the end of the pay reference period following the one that the records cover.

  • See: National Minimum Wage Act 1998 and The National Minimum Wage (Amendment) Regulations 2021.

 

Night workers health assessments 

 

  • Records to show health assessment records for night workers should be kept at least three years after the relevant period.

 

Payroll wage/salary records (also overtime, bonuses, expenses, benefits in kind)

 

  • Statutory retention period: At least 3 years after the end of the tax year to which they relate. However, given their potential relevance to pay disputes seven years after employment ends may be justified.

  • See: Taxes Management Act 1970.

 

Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH)

 

  • Statutory retention period: 5 years from the date on which the tests were carried out.

  • See: The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).

 

Records relating to children and young adults

 

  • Statutory retention period: until the child/young adult reaches the age of 21.

  • See: Limitation Act 1980.

 

Retirement Benefits Schemes

 

  • Statutory retention period: 6 years from the end of the scheme year in which the event took place.

  • See: The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103)

 

Statutory Maternity Pay records including Mat B1s, dates of maternity leave, certificates showing the expected week of confinement (also shared parental, paternity and adoption pay records)

 

  • Statutory retention period: 3 years after the end of the tax year in which the maternity period ends.

  • See: The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended, Maternity & Parental Leave Regulations 1999.

 

Special category or personal data consents 


  • Consents for the processing of special categories of personal and sensitive data should be retained while the data is being processed. Keeping the consents may be justified for six to seven years after employment ends.

 

Subject access request

 

  • Statutory retention period: Records should be kept as long as they are needed after the last communication concerning a subject access request. A period of a year may be advisable. For example, If there is a refusal notice, complaints normally arise within three months of the review decision. However, there may be appeals to the information rights tribunal or the courts. The ICO recommend the requested information is retained for a minimum of six months after any internal review provided it is clear that no further action will take place. However, if further action seems likely, a year or longer may be advisable. 

  • See: Data Protection Act 2018 and ICO guidance.

 

VAT deferral (COVID-19) 

 

  • Statutory retention period: 6 years. 

  • See: HMRC VAT deferral guidance.

 

Whistleblowing documents

 

  • Statutory retention period: 6 months following the outcome (if a substantiated investigation). If unsubstantiated, personal data should be removed immediately.

  • See: Public Interest Disclosure Act 1998 and recommended IAPP practice.

 

Working time records including overtime, annual holiday, time off for dependents, opt outs etc

 

  • Statutory retention period: 2 years from date on which they were made. Records in relation to hours worked should currently be kept for 3 years, beginning with the day on which the pay reference period ends. From 1 January 2024, the requirement to specifically maintain reliable records of all workers’ daily working and rest hours was replaced with a requirement to keep ‘adequate’ records to demonstrate compliance with the regulations including the weekly 48 hour working limit, opt-out agreements, length of night work and health assessments for night workers. Given the risk of pay disputes, six to seven years after the working relationship ends may be justified for some working time records.

  • See: The Working Time Regulations 1998 (SI 1998/1833) and Employment Rights Regulations 2023.

 

 

 

 
 
 

Komentáře

bottom of page