

Keeping records about employees is a necessary part of running a business; however, the collection and use of personal data must comply with data protection legislation. This places limits on the ways in which employers use personal information and seeks to balance reasonable use by the employer with the rights and fair expectations of individuals whose data the employer holds and uses. There are many different kinds of records which employers may need to keep throughout the employment lifecycle, from recruitment and right to work checks, through appraisal and performance data, sickness and absence records, information relating to pay and benefits and, ultimately, data about termination of service/leaver status.
As covered in our related note on “GDPR in the Workplace”, employers have to comply with various obligations when handling employees’ personal data, including the “data protection principles”. The principles most relevant to employee records are:
- the data minimisation principle (personal data must be adequate, relevant and limited to what is necessary for the purposes for which the data are processed)
- the accuracy principle (personal data must be accurate and, where necessary, kept up to date)
- the storage limitation principle (personal data must be kept in a form which permits identification of the data subject for no longer than is necessary)
- the integrity and confidentiality principle (personal data must be processed in a manner that ensures appropriate security of the personal data)
Whilst all of the data protection principles are important, and there is some degree of “overlap” between certain of them, this note concentrates on the retention periods an employer may adopt for the purposes of complying with the storage limitation principle.
Employers should be aware that there is not necessarily a “right” or “wrong” answer when it comes to setting record retention criteria. Business need is likely to dictate the minimum “hold” period and will usually take account of the period within which litigation could be brought, so it will be based on “statutory limitation” plus a margin. For some categories of employee data, there may be a mandatory minimum retention period, such as in the case of records of deductions for tax and social security contributions. Beyond this, or where there is no mandatory retention period indicated, it is up to the employer to decide what is a reasonable (ie justifiable) period to keep records for.
We have prepared a table setting out common types of HR records and recommendations for retention periods. Please note that this is a guide only and retention policy/criteria are matters for the employer to determine. Nonetheless, we are happy to provide the benefit of our advice and experience in this area and to aid the employer’s decision making by helping weigh up the relevant considerations and risk factors involved.
Type of Record | Recommended Retention Period |
Recruitment records (unsuccessful candidates), i.e. job descriptions, advertisements, applications, CVs, interview questions and notes from interview and short-listing exercise, assessments or tests, details of reasonable adjustments etc | 6 months after notifying candidates of the outcome of the recruitment exercise |
Recruitment records (successful candidates), i.e. job descriptions, advertisements, application, CV, records of qualifications, references, offer letter, pre-employment verification checks and/or criminal records checks (including any DBS check) | During employment and for 7 years after employment ends |
Immigration records, including copies of identification documents (passports etc.) | During employment and for 3 years after termination of employment |
Directors’ service contracts and any variations | 7 years from termination or expiry of the contract, unless executed as a deed, in which case 21 years from termination or expiry (NB powers of attorney may be included regarding assignment of intellectual property or resignation from offices) |
Contract of employment, including any documented changes to terms and conditions | During employment and for 7 years after employment ends but NB the position with deeds, see above |
Employee performance and conduct records, i.e. probationary period review, appraisals and evaluations, promotions and demotions etc. | During employment and for 7 years after employment ends |
Annual and Family leave records | During employment and for 7 years after employment ends |
Sickness records | During employment and for 7 years after employment ends |
Collective agreements, i.e. workforce agreements (which typically apply to all or a relevant category of employee) | During the period for which the terms have effect and up to 7 years afterwards |
Payroll and wage records, i.e. details of overtime, bonuses, expenses, benefits in kind etc. | 3 years after the end of the tax year to which they relate, although advise 7 years after employment ends* *potential relevance to pay dispute |
Employee bank details | As soon as possible after end of employment, once the final payment has been made |
ITIP records, i.e. employer income tax and NICs returns etc. | 3 years after the end of the tax year to which they relate, although advise 7 years after employment ends* *potential relevance to pay dispute |
Accident records, i.e. any documents created regarding any reportable accident, death or injury at work | At least 4 years from the date the report was made and to which the incident relates though NB exposure or injury which could give rise to a latent personal injury claim e.g. asbestosis where limitation runs from the date of diagnosis but can take many years to develop |
Once a relevant retention period has expired, the data or record should be reviewed and erased or anonymised unless there is a clear justification for keeping it longer. When personal data is deleted at the end of the retention period, the data should also be deleted from any back-up records. The exception to this is where litigation is likely or the employer has been notified of a potential claim in which case a “litigation hold” – i.e. pause on scheduled document destruction – should be applied. This serves to preserve evidence which may require to be disclosed in tribunal.
Guidance for employers
- An employer should implement a “records management” or “document retention” policy to ensure compliance with data protection legislation. The measures implemented should include a regular review of the types of personal data held, the purpose(s) for which the information may be required, and the length of time the information should be kept. Remember, personal data should only be retained for as long as is needed for the stated purposes of processing. This may require an employer to carry out periodic reviews and “trim down” the level of detail/extent of records kept. Is the data still relevant? Does it evidence something important that the employer may need to prove in the event of a dispute? Is it relevant to the organisation’s duty of care (to the employee or others)?
- Personal data that is retained during the working relationship may become out of date; there should be a mechanism to check it is still accurate at reasonable intervals either by a self-service system (with reminders to employees to review information) or at designated checkpoints eg annual review time.
- Where employee data is kept, it must be held safely and securely, with access restricted to only those who need to refer to it, particularly in relation to any special category, confidential, or other “sensitive” information. Data protection and cyber security standards will require an employer to have in place technical and organisational measures to protect against loss, misuse and unauthorised access etc.
- When it comes to the time for disposing of personal data, the records management or document retention policy should specify how to dispose of data securely having regard to its nature. Consider what standard of deletion is required for both physical and electronic records.