What do we mean by retention of employee records and what are the types of HR data?
Understanding what counts as employee records is the first step in meeting your legal obligations as an employer. This section outlines what record retention involves and the different kinds of HR data you are required to manage, store and protect. Becoming familiar with these categories will help you meet statutory retention periods and follow best practices.
What is the retention of employee records?
In the UK, retention of employee records refers to the process of storing, managing and safeguarding information about your workforce for a legally required period of time. These records may include personal details, contracts, attendance data, performance reviews, payroll information and any other documents created during the employment relationship.
It is the employer’s responsibility to keep this information for specific statutory retention periods and handle it in compliance with the Data Protection Act 2018, ensuring it is accurate and secure. Effective record retention supports compliance, protects your organisation during disputes and helps maintain clear, reliable HR documentation throughout the employee life cycle.
Different kinds of HR data
HR records cover several kinds of data. The kinds you may need to become familiar with include:
- Personnel files
- Personnel records
- Working time records (including working time and rest breaks)
- Interview notes
- Hours worked by employees
- Employee pay
- Recruitment data
- Absence or sick leave
- Statutory parental leave pay records
- Training records
- Employee turnover
Your HR team may hold other kinds of employee data as well, and you should make sure you understand the law on retaining each type, because different types of data have different retention periods.
What the UK law says about employee records retention
The UK law on records retention was updated with the introduction of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). Employers have legal obligations to retain certain records for statutory retention periods, including those related to statutory sick pay, statutory maternity pay and national insurance.
The GDPR covers more types of data than earlier legislation. Although UK legislation requires you to keep a record of your employee data, the GDPR makes doing so more complicated, as the UK GDPR and the Data Protection Act 2018 broaden the definition of personal data and introduce stricter requirements for how it is handled and documented.
It is important to have procedures in place to handle subject access requests from employees. To stay compliant, employers need to consider data transfer rules when sharing employee data outside the European Economic Area.
What is the difference between the UK and EU GDPR?
In the UK, the original EU GDPR 2018 was replaced by the UK GDPR in January 2021, with a few updates to make it more relevant to the UK and reflect the UK’s exit from the EU. If you also run a business in Europe, you will need to comply with both EU and UK GDPR rules.
The GDPR means that your employees have the right to access employee data that you hold on them. It also means that this data must be managed correctly, should only be held for good reason and only for a certain length of time.
The EU GDPR superseded the original DPA 1998 and came into force in May 2018 alongside the DPA 2018. The UK GDPR works in tandem with the DPA 2018, and although there are subtle differences between them, you need to comply with both in the UK.
What is the DPA?
The first Data Protection Act (DPA) was introduced in 1994, well before the GDPR, and set out employees’ rights regarding how their personal data is processed.
The DPA 2018, introduced alongside the UK GDPR, retains much of the 1998 framework while updating rules to align with modern data protection standards.
It covers more types of data, including national security and defence, and strengthens protections for sensitive characteristics such as race, religion, trade union membership and health.
Under the DPA 2018, employers must follow specific rules when processing employee data, ensuring it is accurate, lawfully handled and accessible to employees who want to know what data is held and why.
UK data retention periods
There are many rules governing how long employee records can be retained, with most requiring storage for a specific number of years after employment ends or the relevant tax year. Retention cannot be excessive, and the exact time frame depends on the type of record.
Once the retention period has expired, records should be permanently deleted to ensure compliance with data protection laws.
Statutory retention of records
Statutory retention periods apply to records relating to health and safety, payroll and other legal requirements based on health and safety regulations, HMRC rules and limitation periods. These have different statutory UK data retention periods, which you are legally obliged to adhere to.
The following is a list of both statutory UK data retention periods and some best-practice data retention periods:
- Accident reports: three years
- First aid reports: six years
- Fire warden training: six years following employment
- Income tax records, returns and any communications with HMRC: should be kept for six years plus the current accounting year, often written as 6 years + 1
- Medical records and biological test information: certain health records relating to health surveillance for exposed workers are to be kept for 40 years from the date of the last entry
- Information relating to whistleblowing: may be kept up to six months after a case outcome, or deleted immediately following an unsubstantiated investigation
- Employee training: five years following employment
From the above, you can understand that in certain circumstances, some records on previous employees may be kept even after they have left. They may be needed, for example, if employees make claims against you or to help former employees in future legal disputes with other workplaces.
However, not all types of records have a statutory UK data retention period. In those cases, you will have to decide for yourself how long to retain the record.
Retaining non-statutory records
Some records do not have to be retained by law but you may want to keep them for other reasons. For example, you may choose to retain the following records:
- CCTV footage, for unfair dismissal claims
- requests for flexible working
- parental leave
- training records
- references
- right to work in the UK checks
- redundancy information
HR documents, including those related to employee leaves, should be retained for an appropriate period to support compliance and resolve potential disputes. Based on the UK Limitation Act 1980, there is usually a six-year time limit for starting legal proceedings, though the time period varies depending on the type of claim.
For records you hold for extended periods, such as personnel files or long-term sickness documentation, you may consider removing personal information wherever possible. This helps reduce risk and ensures you only retain what is necessary.
Managers should not have access to confidential data such as detailed sickness records if they only require information relating to employee absences.
Permanent records
There are some records that you may wish to retain permanently. This includes actuarial valuation reports. These reports help your business’s accountants to keep track of future financial liabilities payable to employees, such as pensions.
Public sector records
Under the Freedom of Information Act 2000, any public sector records you hold must be managed in line with the Section 46 Code of Practice issued under that Act. Each UK Government department also has its own rules on the retention of records, and you should familiarise yourself with them.
The best practices around employee records retention that we discussed in this article may help ensure compliance, reduce legal risks and strengthen your organisation’s data governance by keeping HR documentation accurate, secure and aligned with statutory retention periods.
Clear processes, regular policy reviews and manager training could help create a reliable framework that supports compliance and operational efficiency, whilst also building employee trust by demonstrating responsible handling of personal data under the Data Protection Act 2018 and UK GDPR.