How Long Do You Have To Keep Accounts In The UK?

Keeping good records isn’t just about staying organised - it’s a legal requirement that protects your business if HMRC, Companies House or an insurer asks questions down the track.

The tricky bit is that different laws have different timelines. So if you’ve ever wondered “how many years do you need to keep accounts for?” or “how long should a business keep records?”, you’re in the right place.

Below, we break down exactly what you need to keep, how long to keep it under UK law, and some simple best practices to make retention painless and compliant.

What Counts As “Accounts” And Business Records?

When we talk about “accounts”, we’re not just talking about a set of annual financial statements. In practice, your “accounting records” and “business records” include anything that shows your business’s income, expenses, assets, liabilities and key decisions.

Common examples include:

• Sales and purchase records: invoices, credit notes, receipts, delivery notes, order confirmations and bank statements. If you issue invoices, make sure they meet UK invoice requirements.
• Cash and banking: petty cash books, cash register rolls, till Z‑read summaries, merchant statements, reconciliations.
• VAT and Making Tax Digital (MTD) data: VAT returns, digital links/audit trails, VAT account and adjustments.
• Payroll and HR: PAYE records, payslips, Real Time Information (RTI) filings, pensions auto‑enrolment records, employment contracts, working time records and absence notes.
• Corporation tax/self assessment: computations, returns, ledgers, fixed asset registers, loan agreements and supporting calculations.
• Company secretarial: statutory registers, minutes, resolutions, share allotment/transfer paperwork and share certificates.
• Health & safety: accident book, risk assessments, exposure monitoring and training records.
• Commercial contracts and operational records: customer/supplier contracts, leases, insurance policies, stock records.
• Data protection logs: consent records, privacy notices, retention policy and deletion logs (important for GDPR).

You can keep records in paper or digital form. HMRC accepts digital copies if they’re accurate, legible and can be produced on request. If you’re VAT-registered, MTD rules require digital records and digital links between the records and your VAT return.

How Many Years Do You Need To Keep Accounts For?

Here’s the short answer first: while the minimum legal periods vary, most UK small businesses keep their accounting and tax records for at least six years. That single, consistent policy covers the strictest routine requirements and keeps you safe if HMRC reviews earlier periods due to an error or compliance check.

Now for the detail by record type and law.

Companies Act 2006 – Accounting Records

• Private companies: at least 3 years from the date the records are made (Companies Act 2006).
• Public companies: at least 6 years.

However, HMRC’s tax rules are stricter than the Companies Act for most companies (see below). In practice, companies adopt the longer HMRC period (6 years) so there’s one policy across finance files.

Corporation Tax (Companies)

• Keep corporation tax records for at least 6 years from the end of the accounting period. HMRC can ask for longer if they’re checking your tax position or if you file late or make a careless/deliberate error.

Self Assessment (Sole Traders and Partners)

• Keep business records for 5 years after the 31 January submission deadline for the relevant tax year. That’s close to 6 years in practice. HMRC can extend this in cases of suspected error or fraud.

VAT

• At least 6 years (or 10 years if you use VAT MOSS/One‑Stop Shop), including the VAT account, invoices, and all adjustments. Under MTD, these must be kept digitally.

PAYE and Payroll

• PAYE records (tax, NI, statutory payments): at least 3 years from the end of the tax year.
• National Minimum Wage: 6 years from the day the pay reference period ends (keeping 6 years for payroll across the board is simplest).
• Pensions auto‑enrolment: 6 years for most records (except opt‑out notices, 4 years).

Construction Industry Scheme (CIS)

• At least 3 years after the end of the tax year to which they relate (records of payments to subcontractors, deductions, verification).

Grants, State Aid And COVID‑Support

• Follow the scheme guidance. Where no period is specified, 6 years is a sensible default.

Two practical tips:

• If your returns were late or amended, extend your retention period. HMRC can open enquiries beyond standard windows in some cases.
• If you’re in an ongoing dispute, audit or litigation, place a “legal hold” on all relevant records and suspend destruction until it’s resolved.

Company Secretarial Records: Minutes, Registers And Resolutions

Company secretarial files have their own timelines under the Companies Act 2006. These records are often forgotten but they matter - missing paperwork can delay deals, funding or due diligence, and can attract penalties.

• Minutes of directors’ meetings: keep for at least 10 years.
• Minutes of general meetings and written resolutions: keep for at least 10 years.
• Register of members (shareholders): must be kept available; details of former members must be retained for 10 years after they cease to be a member. In practice, businesses keep a complete historic register for the life of the company.
• Register of directors, secretaries and charges (where relevant): maintain for the life of the company and update promptly on changes.
• PSC register (Register of People with Significant Control): maintain and keep current for the life of the company.
• Share allotment/transfer documents, stock transfer forms and share certificates: keep permanently with the member register and board files.
• Board and shareholder decisions: keep the signed documents together with a clear indexing system; see a simple overview of board resolutions.

If you ever sell the company, bring in new investors or appoint a bank facility, these records will be checked closely. Keeping them in order from day one saves significant time and cost later.

HR, GDPR And Health & Safety: Retention Essentials

Employment and safety records have a mix of hard deadlines and “as long as necessary” rules. Here are the key ones small employers should know.

Employment And Payroll (Selected Rules)

• Right to work checks: keep copies for the duration of employment and 2 years afterwards.
• Working time records (hours, night work, opt‑outs): keep for 2 years.
• Sickness/SSP records: 3 years from the end of the tax year.
• Grievance/disciplinary: for as long as needed to manage employment and defend potential claims (often 6+ years, aligned to limitation periods).
• National Minimum Wage: 6 years from the end of the pay reference period.

If you’re unsure what to keep and for how long, it’s worth reviewing your policy for ex‑employee records so you don’t keep sensitive data longer than necessary.

Data Protection (UK GDPR And Data Protection Act 2018)

GDPR doesn’t set a fixed “X years” number for most data. Instead, it requires you to keep personal data only for as long as you need it for the purpose you collected it (the storage limitation principle). That means you should:

• Have a written retention schedule that sets time limits for each category of personal data (customers, staff, candidates, marketing lists, CCTV, etc.).
• Delete or anonymise data when it’s no longer needed, and document deletion decisions.
• Be ready to pause deletion if a subject access request or litigation means you need the data.

If you’re building or refreshing your policy, this practical guide to data retention is a helpful starting point.

Health & Safety (Selected Rules)

• Accident book: at least 3 years from the date of the last entry (many keep 6 years to align with claims limitation).
• RIDDOR reports: at least 3 years.
• COSHH health records and exposure monitoring: usually 40 years (due to long‑term health risk tracking).
• Employers’ liability insurance certificates: keep indefinitely or at least 40 years (to evidence cover if a historic claim arises).
• Training records and risk assessments: keep for as long as they are current and then for a reasonable period afterwards (often 3–6 years).

It can feel like a lot, but remember you don’t have to keep everything forever - just long enough to comply with law, defend potential claims and operate safely.

Best Practice For Record Retention (Digital Vs Paper, Disposal And Audits)

Once you know the legal minimums, the next step is to make retention simple, consistent and low‑effort. Here’s a practical approach you can roll out quickly.

1) Set A Clear Retention Policy

Write a simple schedule that lists each record type and how long you’ll keep it (e.g. “Accounting and tax records - 6 years”; “Payroll - 6 years”; “Board minutes - 10 years”; “Former staff files - 6 years”). Build in exceptions for legal holds and HMRC checks.

Align your schedule with GDPR so you’re not holding personal data longer than necessary. It’s also sensible to add a short procedure covering how you respond to requests for personal data, including subject access request deadlines.

2) Go Digital (Properly)

Paper files are easy to lose and hard to search. Scan and store documents in structured folders with consistent naming conventions and access controls. If you’re VAT‑registered, make sure your system complies with MTD and keeps the necessary digital links between records and returns.

Keep reliable backups (including off‑site/cloud) and test recovery. If you close or mothball the business, plan your recordkeeping after closing a business so you still meet HMRC and Companies Act timelines.

3) Standardise Your Inputs

Most retention pain starts with inconsistent paperwork. Standardise how you capture transactions and approvals:

• Use consistent invoice templates that meet the legal basics and your invoice law obligations.
• Adopt cloud accounting, HRIS and payroll software that timestamps, indexes and retains records for the right periods.
• File board and shareholder documents immediately after signing so your company records are always complete.

4) Train Your Team And Lock Down Access

Everyone who processes accounts, HR or company documents should know your retention timelines and where to store files. Use role‑based access so only the right people can see sensitive data.

5) Review Annually And Dispose Securely

Once a year, run an archive review: identify what can be deleted, what must be kept and where you’re approaching a deadline. When destroying records, use secure methods (cross‑cut shredding for paper; certified deletion or encryption‑at‑rest policies for digital). Document what you delete and why - it’s part of good GDPR hygiene.

6) When In Doubt, Keep Six Years (Or Hold)

If a rule isn’t clear for a particular document type, six years is a sensible default for most business and contractual records, extended where limitation periods are longer (e.g. deeds - typically 12 years). If there’s any chance of a dispute, claim, HMRC enquiry or ongoing audit, keep the records on hold until the matter is closed.

7) Common Pitfalls To Avoid

• Keeping everything forever “just in case” - this creates GDPR risk and drives storage cost.
• Deleting records while an HMRC check or legal claim is in play - always apply a hold.
• Forgetting statutory registers and company minutes - these are often requested in financing or sale processes.
• Relying on a single staff member’s inbox as the “filing system” - centralise and control access.

A simple, written policy plus light‑touch habits can keep you compliant without drowning in admin. If you need to update company ownership details while you’re tidying your registers, it may also be a good moment to reconcile your member registers with filings and your PSC register.

Key Takeaways

• For most small businesses, a six‑year retention period for accounts, VAT and tax records is a safe, simple baseline. Companies must also keep board and shareholder minutes for at least 10 years.
• Payroll has mixed timelines: keep PAYE for 3 years, but align to 6 years to cover National Minimum Wage and pensions records.
• Company secretarial files matter: maintain minutes, resolutions, the PSC register and member registers accurately - these are routinely checked in funding, banking and sale processes.
• GDPR doesn’t set one number; you must keep personal data only as long as necessary. Adopt a written retention schedule and document secure deletion. Useful starting points are practical guides on data retention and ex‑employee records.
• Use digital systems that meet MTD and audit requirements, back everything up, and review annually to delete what you no longer need. If there’s an HMRC enquiry or dispute, place a legal hold and pause destruction.
• If you’re closing or pausing your business, plan how you’ll meet record obligations post‑closure - see practical notes on recordkeeping after closing a business.

If you’d like help setting a compliant retention policy, sorting company registers or drafting practical document procedures for your team, we’re here to help. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.