Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
When someone leaves your business, it’s tempting to “close the file” and move on. But in practice, ex-employee records can come back to bite you months (or even years) later - whether that’s an HMRC query, an Employment Tribunal claim, or a UK GDPR subject access request.
So, how long should UK employers keep ex-employee records after termination?
The frustrating (but honest) answer is: there isn’t one single retention period that applies to every type of employee record. Different laws and guidance point to different timeframes, and UK GDPR overlays everything with the principle that you shouldn’t keep personal data longer than you actually need it.
In this guide, we’ll break down common UK retention periods for ex-employee records, explain what’s a legal requirement versus a risk-based choice, and give you a practical approach to setting up a retention schedule that works for small businesses.
Why Keeping Ex-Employee Records Matters (And Why Deleting Too Early Can Be Risky)
Most small employers keep employee records for a simple reason: you may need them later.
Common situations where ex-employee files become important include:
- Responding to legal claims (e.g. unfair dismissal, discrimination, unpaid wages, breach of contract).
- HMRC audits and payroll queries (PAYE, NIC, statutory payments).
- Providing references or confirming employment history.
- Handling disputes about holiday pay, commission, bonuses, or expenses.
- Dealing with GDPR rights requests, including subject access requests.
At the same time, keeping files “just in case” forever can create its own problems. Under UK GDPR and the Data Protection Act 2018, you’re expected to keep personal data no longer than necessary for the purpose you collected it.
That means the best approach is to keep ex-employee records for a clear, justifiable retention period - and then securely delete or anonymise them when that period expires.
If you’re building or refreshing your HR framework, it often helps to align your retention approach with your broader workplace documentation (for example your Staff Handbook and internal HR policies) so your team handles records consistently.
What UK Laws Affect How Long You Should Keep Ex-Employee Records?
When business owners ask how long employers should keep employee records after termination, they’re usually really asking: “what’s the minimum I need to keep to stay compliant and protect my business?”
Several legal frameworks influence retention periods:
UK GDPR And The Data Protection Act 2018
UK GDPR doesn’t give you a neat table of fixed time limits. Instead, it sets principles, including:
- Storage limitation: don’t keep personal data longer than necessary.
- Purpose limitation: only use data for the purpose you collected it.
- Security: keep it secure, restrict access, and dispose of it safely.
In other words, your retention period needs to be intentional. It should be documented, and it should match your real business and legal needs.
If your business collects and manages personal data more broadly (customers, prospects, staff), having a clear Privacy Policy and internal data protection approach makes retention decisions much easier to defend if you’re challenged.
Employment Law Limitation Periods (Time Limits For Claims)
Retention is often influenced by how long someone has to bring a claim.
Some employment claims must be started quickly (often within around 3 months, subject to ACAS Early Conciliation and any extensions). But others (like breach of contract claims in the civil courts) can potentially be brought much later.
That’s why many employers choose to keep certain core ex-employee records for up to 6 years as a risk-management baseline. This isn’t a universal legal “minimum” for all personnel files - it’s a common approach because it broadly aligns with limitation periods that can apply to contractual claims.
HMRC, PAYE And Statutory Payment Rules
Payroll records, statutory sick pay, maternity pay, and similar documents often have specific retention expectations linked to HMRC record-keeping rules.
Even if you outsource payroll, you’re still responsible for ensuring your business can produce records if required.
Note: this article is general information (not tax advice). If you’re unsure what HMRC requires for your particular situation, it’s worth getting advice from an accountant or tax adviser.
Health And Safety Record-Keeping
If your workplace involves higher-risk activities, accident records and certain health surveillance information may have their own retention expectations. These can be especially important if an incident is reported later.
Because the right retention period depends on what you do and what data you hold, many businesses document their approach in a dedicated retention policy (sometimes included within a wider GDPR package) and maintain a consistent process for deleting old files.
Legal Retention Periods: How Long Should You Keep Ex-Employee Records In The UK?
Here’s a practical guide to common categories of ex-employee records and how UK employers often approach retention.
Important: some retention periods are driven by specific legal or regulatory record-keeping duties, but others are simply common, risk-based practice. Your ideal retention schedule may be longer or shorter depending on your industry, the type of claim risk you face, and what the data is used for.
| Record Type | Typical Retention Period (UK) | Why This Period Is Common |
|---|---|---|
| Core personnel file (contract, role changes, key correspondence, disciplinary/grievance outcomes) | Often up to 6 years after employment ends | Common risk-based retention to help respond to contractual claims and defend disputes (not a single universal legal minimum for all personnel records). |
| Payroll records (PAYE, deductions, pay history) | Commonly at least 3 years from the end of the relevant tax year (many businesses keep longer, e.g. up to 6 years) | Helps meet HMRC expectations and supports pay queries/disputes. (Not tax advice - requirements can vary.) |
| Statutory payments records (SSP, SMP, etc.) | 3 years after the end of the tax year they relate to | HMRC-related evidence and audit trail. |
| Working time records (hours worked, opt-outs, rest breaks where recorded) | 2 years | Working Time Regulations record-keeping expectations. |
| Right to work checks | Length of employment + 2 years | Home Office guidance commonly expects you to keep evidence after termination. |
| Pension auto-enrolment records (enrolment, contributions, communications) | Up to 6 years (some records may be shorter, e.g. 4 years) | Common retention expectations under pension record-keeping rules. |
| Accident/incident records (including RIDDOR-related records) | At least 3 years (often longer depending on context) | Evidence for HSE reporting and potential later claims. |
| Recruitment records for unsuccessful candidates | Usually 6–12 months | Defending discrimination claims while minimising data retention. |
So if you’re asking how long an employer should keep employee records in the UK, a realistic answer is:
- Some records: 2–3 years (e.g. working time; some payroll/statutory payment categories)
- Some core employment records: often up to 6 years (commonly kept for risk management, depending on what’s in the file)
- Some items: employment duration + 2 years (right to work checks)
This approach is also consistent with common GDPR guidance on ex-employee records, particularly where businesses need a clear purpose and retention schedule.
What Counts As “Ex-Employee Records” In Practice?
When people ask how long a company keeps employee records, they often assume it’s just the contract and payslips.
But ex-employee records can include a lot more than you think, such as:
- Employment documents: offer letters, variations, promotion letters, probation notes, the Employment Contract, policies acknowledged by the employee.
- Performance management and conduct records: warnings, investigation notes, PIP documents, disciplinary meeting notes.
- Grievances and complaints: grievance outcomes, witness statements, meeting notes.
- Payroll and benefits: salary, bonus/commission records, pension communications, expenses.
- Leave and absence records: holiday records, sickness records (note these can be special category health data under GDPR).
- Right to work and ID records: copies of documents checked, dates of checks.
- IT and access logs: equipment logs, system access records (where applicable and proportionate).
A helpful way to manage this is to split your HR file into:
- Core HR file (kept longer, often up to 6 years where justified)
- Time-limited compliance records (e.g. working time records kept for 2 years)
- High sensitivity data (e.g. medical/health data, kept only if genuinely needed)
This matters because UK GDPR expects you to minimise data - so you don’t want sensitive documents lingering in an inbox or shared drive long after they’ve stopped being relevant.
Best Practice For Storing And Deleting Ex-Employee Records (Without Falling Into GDPR Traps)
Knowing how long employers keep records of past employees is only half the story. The other half is: how are you storing them while you have them, and how do you securely dispose of them when the time comes?
1. Have A Written Retention Schedule
Even a simple one-page retention schedule can make a big difference. It should list:
- categories of employee records you keep
- where they are stored
- how long you keep them
- how you delete or anonymise them
This is especially useful if you ever need to justify your retention choices to a regulator, a former employee, or during litigation disclosure.
2. Lock Down Access (And Avoid “Everyone Can See Everything”)
Ex-employee files should be accessible only to the people who genuinely need them (usually HR, the business owner, finance/payroll, and relevant senior managers).
It’s easy for small businesses to accidentally create a risk by storing HR files in a shared folder that “the whole admin team” can access.
3. Be Careful With Health Data And Other Special Category Data
Sickness records, fit notes, occupational health reports, and medical information are usually treated as special category data under UK GDPR. That means you need a stronger legal basis and tighter handling.
You should only keep health-related documents for as long as you actually need them, and ideally separate them from the general HR file.
4. Prepare For Subject Access Requests (SARs)
Former employees can submit a subject access request asking for their personal data. If your records are messy or spread across emails, Slack messages, and multiple devices, responding becomes a time-consuming project.
Having a clean retention policy and well-organised HR storage makes it much easier to respond to a subject access request in a compliant way.
5. Delete Securely (Not Just “Drag To Bin”)
When the retention period ends, you should delete in a way that reflects the sensitivity of the records. For example:
- securely wipe electronic files where appropriate
- shred paper files using cross-cut shredding or a secure disposal provider
- remove permissions and access tokens linked to old accounts
If you ever have a data incident involving employee information, a clear process and documentation help you respond quickly and appropriately. Many businesses build this into a Data Breach Response Plan.
Common “Tricky” Scenarios: When You Might Keep Records Longer (Or Shorter)
Retention isn’t one-size-fits-all. Here are a few common situations where you may need to rethink your default timeframe.
1. If There’s An Ongoing Dispute Or Threatened Claim
If a former employee has raised a grievance, threatened legal action, or you’re in settlement discussions, deleting documents can be a serious mistake.
In this situation, it’s common to apply a litigation hold (meaning you suspend deletion until the dispute is resolved).
2. If You’re Dealing With Highly Sensitive Allegations
Where there are allegations involving harassment, discrimination, safeguarding, or serious misconduct, you may need to keep a careful record for longer - but you also need to limit access and ensure you’re not keeping unnecessary detail.
It’s a balance between defending your business and minimising personal data.
3. If You’re Selling The Business Or Going Through Due Diligence
Business sales and investment due diligence can create pressure to produce HR records quickly.
Keeping a well-organised (and properly retained) set of employee records can make the process smoother - but remember, you should only share what’s necessary, and ideally with appropriate confidentiality protections in place.
4. If You’re Using Contractors Or Mixed Employment Status Arrangements
If you’ve engaged a mix of employees, workers, and contractors over time, keeping clear records can matter later if employment status is challenged.
Clear written agreements are key here. If you engage non-employees, having a proper Contractor Agreement can reduce disputes about entitlements and also helps you identify what records you need to retain.
5. If Your Contracts Or Policies Require A Specific Retention Period
Sometimes the answer to how long UK businesses should keep ex-employee records is partly internal: your contract terms and internal policies might set expectations around records, references, investigations, or confidentiality.
If you’re updating your HR documents, it’s worth ensuring your policies align with your real retention practices - and that they don’t accidentally promise things you can’t deliver.
Key Takeaways
- If you’re asking how long to keep ex-employee records in the UK, the practical answer depends on the type of record - there isn’t one universal time limit.
- UK GDPR requires you to keep personal data no longer than necessary, so “keep it forever just in case” is not a great strategy.
- Many small businesses keep certain core HR/personnel records for up to 6 years after termination as a risk-based approach (rather than a blanket legal minimum), while other records (like working time) are often kept for 2 years.
- Some records have widely accepted timeframes, like right to work checks (employment duration + 2 years) and many statutory pay records (often 3 years after the end of the relevant tax year). Payroll/PAYE retention can be more nuanced - consider HMRC guidance and professional advice.
- A clear retention schedule, restricted access, and secure deletion process will help you stay compliant and reduce the risk of mishandling sensitive ex-employee information.
- If there’s an active dispute or threatened claim, you may need to pause deletion and preserve records until the matter is resolved.


