Why Employee Records Matter
Maintaining accurate employee records is not just good practice; it is a legal requirement in the UK. Proper records protect both the employer and employee, support compliance with employment law, and provide essential evidence in the event of a dispute or tribunal claim.
What Records Must You Keep?
Statutory Requirements
Payroll Records (Income Tax (Pay As You Earn) Regulations 2003)
- Gross pay, deductions, and net pay for each pay period
- Tax code and National Insurance category
- Student loan deductions
- Pension contributions
- Must be kept for the current tax year plus 3 additional years
Working Time Records (Working Time Regulations 1998)
- Hours worked (to demonstrate compliance with the 48-hour weekly limit)
- Opt-out agreements (kept for 2 years after the opt-out period ends)
- Night work assessments
- Rest break records
Right-to-Work Evidence (Immigration, Asylum and Nationality Act 2006)
- Copies of identity documents verified during the right-to-work check
- Date the check was carried out
- Must be kept for the duration of employment plus 2 years
Statutory Sick Pay Records
- Dates of absence and SSP paid
- Must be kept for 3 years after the end of the tax year they relate to
Auto-Enrolment Pension Records (Pensions Act 2008)
- Enrolment dates, opt-out notices, contribution records
- Must be kept for 6 years (except opt-out notices: 4 years)
Best Practice Records
Beyond statutory requirements, prudent employers also maintain:
- Employment contracts and any amendments
- Job descriptions and person specifications
- Absence records (dates, reasons, fit notes, return-to-work interview notes)
- Performance reviews and objective-setting records
- Training records and qualifications
- Disciplinary and grievance records
- Health and safety incident reports and risk assessments
- Equal opportunities monitoring data
GDPR and Data Protection
The UK GDPR Framework
Employee records contain personal data and are subject to the UK General Data Protection Regulation and the Data Protection Act 2018. Key principles:
- Lawfulness: You must have a lawful basis for processing (usually "legitimate interests" or "performance of a contract")
- Purpose limitation: Data should only be used for the purpose it was collected
- Data minimisation: Only collect what you need
- Accuracy: Keep records up to date and correct errors promptly
- Storage limitation: Do not keep data longer than necessary
- Security: Protect records from unauthorised access, loss, or damage
Data Subject Access Requests (DSARs)
Employees have the right to request a copy of all personal data you hold about them. You must respond within one calendar month. This includes emails, notes, performance reviews, and any other records that contain their personal information.
Special Category Data
Health information (such as fit notes and absence reasons) is special category data requiring extra protection. You need an additional lawful basis, typically "employment obligations," and must restrict access to those who genuinely need it.
Retention Periods
| Record Type | Minimum Retention Period |
|---|---|
| Payroll and tax records | Current year + 3 years |
| Right-to-work documents | Duration of employment + 2 years |
| Working time opt-out agreements | 2 years after opt-out ends |
| Pension auto-enrolment records | 6 years |
| Pension opt-out notices | 4 years |
| Accident and injury reports | 3 years from date of incident |
| Health records (hazardous substances) | 40 years |
| General employment records | 6 years after employment ends |
| Recruitment records (unsuccessful) | 6-12 months |
The 6-year retention period for general employment records aligns with the limitation period for most civil claims under the Limitation Act 1980.
Storage and Security
- Digital storage: Use encrypted, access-controlled systems with regular backups
- Physical storage: Locked cabinets with restricted key access
- Access controls: Role-based access so managers see only their team's records
- Audit trails: Log who accessed what and when
- Disposal: Shred physical documents; securely wipe digital records
How Grove HR Manages Employee Records
Grove HR provides GDPR-compliant digital storage for all employee records with role-based access controls, automated retention scheduling, audit trails for every record access, and built-in DSAR response tools. Documents are encrypted at rest and in transit, with data stored in the UK.
Frequently Asked Questions
How long should I keep employee records after they leave?
The general recommendation is 6 years after the end of employment, which covers the limitation period for most civil claims. Some records, such as pension records (6 years) and health surveillance records for hazardous substances (40 years), have specific statutory retention periods.
What happens if I do not keep adequate employee records?
Poor record-keeping can result in HMRC penalties for inadequate payroll records, civil penalties from the Home Office for missing right-to-work evidence, ICO enforcement action for GDPR breaches, and a weaker position in employment tribunal claims where records are needed as evidence.
Can employees see their own records?
Yes. Under UK GDPR, employees have the right to make a Data Subject Access Request (DSAR) to see all personal data you hold about them. You must respond within one calendar month. You can redact information about other individuals but cannot withhold the employee's own data.