Mandatory Record-Keeping
UK employment law requires employers to maintain specific records for defined periods. Failure to keep adequate records can result in HMRC penalties, Home Office fines, ICO enforcement, and a weakened position in employment tribunal claims.
Records by Category
Payroll and Tax Records
Legal basis: Income Tax (Pay As You Earn) Regulations 2003
| Record | Retention Period |
|---|---|
| Gross pay, deductions, net pay | Current year + 3 years |
| Tax codes and NI categories | Current year + 3 years |
| P45s, P60s, P11Ds | Current year + 3 years |
| Student loan deductions | Current year + 3 years |
| Pension contributions | 6 years |
Right-to-Work Records
Legal basis: Immigration, Asylum and Nationality Act 2006
- Copies of identity documents checked
- Date the check was conducted
- Must be retained for the duration of employment plus 2 years
- Failure to maintain these records removes your statutory excuse, exposing you to civil penalties of up to £45,000 per illegal worker (first offence) and potential criminal prosecution
Working Time Records
Legal basis: Working Time Regulations 1998
| Record | Retention Period |
|---|---|
| Hours worked (to show compliance with 48-hour limit) | 2 years |
| Opt-out agreements | 2 years after opt-out period ends |
| Night work health assessments | Duration of night work + 2 years |
Statutory Sick Pay Records
Legal basis: Statutory Sick Pay (General) Regulations 1982
- Dates of sickness absence
- SSP payments made
- Fit notes received
- Retention: 3 years after the end of the tax year they relate to
Pension Auto-Enrolment Records
Legal basis: Pensions Act 2008
| Record | Retention Period |
|---|---|
| Worker assessment records | 6 years |
| Enrolment and opt-out dates | 6 years |
| Contribution records | 6 years |
| Opt-out notices | 4 years |
| Communication records | 6 years |
Health and Safety Records
Legal basis: Various H&S regulations
| Record | Retention Period |
|---|---|
| Accident book / RIDDOR reports | 3 years from date of incident |
| Risk assessments | While relevant + 3 years |
| DSE assessments | Duration of employment |
| Health surveillance (general) | 40 years from last entry |
| Asbestos exposure records | 40 years |
Maternity/Paternity/Shared Parental Leave
- SMP/SPP/ShPP records: 3 years after the end of the relevant tax year
- MATB1 certificates: 3 years
- CURTAIL notices and SPL notices: 3 years
Best-Practice Records (Not Legally Required but Strongly Recommended)
Beyond statutory requirements, employers should maintain:
- Employment contracts and all amendments: 6 years after termination
- Absence records (dates, reasons, patterns): 6 years after termination
- Performance reviews and objectives: 6 years after termination
- Training records and certificates: Duration of employment + 6 years
- Disciplinary and grievance records: 6 years after termination
- Recruitment records (unsuccessful candidates): 6-12 months
The 6-year period aligns with the limitation period for most civil claims under the Limitation Act 1980.
GDPR Compliance
Key Principles
All employee records are personal data under UK GDPR:
- Data minimisation: Only collect and retain what is necessary
- Storage limitation: Delete records when the retention period expires
- Security: Appropriate technical and organisational measures to protect data
- Access controls: Role-based access so only authorised people can view records
- Audit trails: Log who accessed or modified records
Special Category Data
Health-related records (fit notes, absence reasons, disability information) are special category data requiring:
- An additional lawful basis (typically "employment, social security, and social protection")
- Enhanced security measures
- Restricted access
- Clear retention policies
Data Subject Access Requests
Employees can request all personal data held about them. You must respond within one calendar month.
Penalties for Poor Record-Keeping
| Area | Potential Penalty |
|---|---|
| Payroll records | HMRC penalties and interest |
| Right-to-work | Up to £45,000 per illegal worker (civil), criminal prosecution |
| Working time | Employment tribunal claims, HSE enforcement |
| GDPR breach | ICO fines up to £17.5 million or 4% of turnover |
| Pension records | TPR compliance notices and escalating daily penalties |
How Grove HR Helps
Grove HR provides GDPR-compliant digital storage for all employee records, automated retention scheduling with deletion reminders, audit trails for every access and modification, role-based access controls, built-in DSAR response tools, and encrypted storage with UK data residency.
Frequently Asked Questions
What is the longest retention period for any employee record?
Health surveillance records for employees exposed to hazardous substances must be kept for 40 years from the last entry. This is the longest mandatory retention period in UK employment law. General employment records should be kept for 6 years after termination.
Can I store employee records in the cloud?
Yes, provided the cloud service meets UK GDPR requirements. Data should ideally be stored in the UK or EEA. If using a non-UK/EEA provider, you need appropriate safeguards (such as Standard Contractual Clauses). You must also ensure encryption, access controls, and a data processing agreement with the cloud provider.
Do I need to keep records for employees who left years ago?
Yes, for the applicable retention period. The general recommendation is 6 years after the end of employment, covering the limitation period for most civil claims. Payroll records must be kept for the current year plus 3 years, and right-to-work records for the duration of employment plus 2 years.