Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Contents
- What Does the GDPR Say About Keeping Ex-Employee Records?
- How Long Should You Keep Ex-Employee Records in the UK?
- Is There Ever a Reason to Keep Ex-Employee Records Longer?
- What Happens If You Keep Ex-Employee Data for Too Long?
- What Is a Data Retention Policy – And Why Do You Need One?
- How Should You Delete or Anonymise Ex-Employee Records?
- How Can You Demonstrate Compliance with Ex-Employee Record Retention?
- What Else Should You Know About Ex-Employee Records and GDPR?
- Best Practices Checklist: Ex-Employee Records Retention
- Key Takeaways: How Long Do Employers Keep Employee Records?
If you’ve recently waved goodbye to an employee, you might be left wondering: how long should you keep their records on file? Like many UK employers, you know holding onto documents "just in case" isn’t a GDPR-compliant plan. But getting those retention periods right – especially for ex-employees – can feel like navigating a legal maze.
Don’t stress – with the right information, you can confidently manage old employee records and easily demonstrate compliance if the Information Commissioner's Office (ICO) ever comes knocking. In this guide, we’ll break down the essentials of data retention under the GDPR, the specific legal timeframes for different employment documents, and the practical steps you need to take as an employer. Let’s walk through what you actually need to do to keep your business protected, your processes efficient, and your ex-employees’ data handled lawfully.
If you need expert advice on GDPR data retention or want help setting up or reviewing your data protection policies, our friendly team is just a call or email away. Get in touch at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat about your obligations as an employer.
What Does the GDPR Say About Keeping Ex-Employee Records?
The UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 set the rules for how you manage any personal information – including that of your ex-employees. At its core, the law states you should only keep personal data for as long as it is necessary for the original purpose it was collected. Holding onto data "just because" is not enough. This principle is often referred to as data minimisation. In plain English: if you no longer have a good reason to hold on to an ex-employee’s information, you should securely delete or anonymise it. But, in practice, things aren’t always so black and white. There are a number of legal, tax, and business reasons you’ll need to retain certain records for longer.
How Long Should You Keep Ex-Employee Records in the UK?
The big question: how long do employers keep employee records? The GDPR doesn’t set out exact timeframes for each type of record. Instead, it requires you to justify your retention periods based on legal obligations, regulatory requirements, and legitimate business needs. Below are the most common categories of ex-employee records, the typical statutory timeframes, and some best practice suggestions:
- Payroll and tax records (e.g. P60, P45, payslips): Keep for 6 years from the end of the tax year to which they relate (in line with HMRC requirements and the Limitation Act 1980). This also applies to records relevant to income tax and National Insurance contributions.
- Proof of right to work in the UK (e.g. passport, visa copies): Retain for 2 years after employment ends.
- Pension records and auto enrolment: Keep for 6 years after the end of the scheme (or longer in some cases – check with your scheme provider).
- Health and safety records (accident books, reports): Usually 3 years after the date of the last entry. For employees exposed to hazardous substances, some records must be maintained for up to 40 years. Read more about health and safety records.
- Recruitment records (interview notes, applications from unsuccessful candidates): 6 months to 1 year after the recruitment process ends, in case of potential discrimination claims. Only keep longer if you have consent or a clear business need.
- Records relevant to statutory sick pay (SSP), maternity, adoption, or shared parental leave: Keep for at least 3 years after the end of the tax year in which payments were made.
- Employment contracts and changes to terms: 6 years after employment ends (in line with potential limitation periods for breach of contract claims).
- Disciplinary, grievance, and performance management records: Usually kept for 6 to 12 months after conclusion, unless part of an ongoing issue.
Is There Ever a Reason to Keep Ex-Employee Records Longer?
You may sometimes need to keep certain records for longer than the minimum statutory period, especially if:
- There is an ongoing dispute, grievance, or investigation involving the ex-employee.
- You need the records for pending litigation or in case of a tribunal or discrimination claim (these can be raised months – or, in rare cases, years – after employment ends).
- A regulator instructs you to keep data for auditing or compliance purposes.
What Happens If You Keep Ex-Employee Data for Too Long?
Under GDPR, holding on to personal data longer than necessary is a breach of the law. The risks include:
- Regulatory fines from the ICO (up to millions in extreme cases, though more commonly up to £8.7 million or 2% of your annual global turnover).
- Reputational damage if ex-employees make complaints about you mishandling their data.
- Legal claims from ex-employees if they believe you’re keeping or using their data unfairly.
- Data breach risks – the longer you store data, the higher the chance it will be lost, hacked, or disclosed by mistake.
What Is a Data Retention Policy – And Why Do You Need One?
A data retention policy is your company’s written guide explaining what categories of employee data you keep, the reasons for keeping each type, and for how long. GDPR expects employers to document retention periods and the lawful bases for their decisions. This can protect your business if your practices are ever questioned by the ICO or by employees. An effective retention policy should cover:
- A list of the types of employee (and ex-employee) data you hold (payroll, HR files, contracts, grievances, etc.)
- The lawful justification for keeping each type (statutory requirement, claims defence, legitimate interest)
- Specific retention periods (e.g. "payslips – 6 years after employment ends")
- The process for securely destroying or anonymising records at the end of the retention period
- How often you’ll review and update the policy
How Should You Delete or Anonymise Ex-Employee Records?
Once the retention period passes, you have two main options:
- Permanent deletion: Completely remove or shred all paper and digital copies so the data can’t be reconstructed or recovered.
- Anonymisation: Scramble personal identifiers (names, NI numbers, addresses) so the data can no longer be linked to an individual. This is especially useful for old statistical, diversity, or performance data you want to retain for analytics or business planning.
How Can You Demonstrate Compliance with Ex-Employee Record Retention?
If you’re ever investigated by the ICO or an ex-employee exercises their data protection rights, you may need to prove you’ve followed the right procedures. Here’s how to demonstrate you’ve met your obligations:
- Keep an up-to-date data retention schedule, or document retention table (listing types of records with reasons and timeframes)
- Make retention policies available in your employee handbook or workplace policy
- Regularly train HR/admin staff on GDPR requirements, including record retention and deletion
- Audit your records periodically to check for data held past its expiry date
- Keep records of when and how data was deleted or anonymised
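The retention policy, the delete-or-anonymise step and the audit and deletion-log items above can be automated once the schedule is written down. The following Python script is an added illustration and is not code from Sprintlaw or from the article: it encodes a retention schedule, computes each record's expiry (including the "from the end of the tax year" trigger used for payroll and SSP records), flags what is past its date, honours a legal-hold override for ongoing disputes or regulator instructions, and writes a disposal log entry that contains no personal data. The category names, the retention periods (taken from the article's typical figures), the 5 April UK tax-year end and the sample records are assumptions constructed for the example; they are a starting point, not advice for any particular employer.

```python
"""Retention-schedule audit for ex-employee records.

Added illustration, not code from Sprintlaw or the article. Category names,
retention periods (the article's typical figures), the 5 April UK tax-year end
and the sample records are all assumptions constructed for this example.
"""
import calendar
import secrets
from dataclasses import dataclass, field
from datetime import date

# Months to retain each category after its trigger date, and whether the trigger
# is the end of the tax year (payroll/SSP) or the event date itself.
RETENTION_RULES = {
    "payroll":       (72, True),   # 6 years from end of tax year
    "ssp_leave":     (36, True),   # 3 years from end of tax year of payment
    "right_to_work": (24, False),  # 2 years after employment ends
    "contract":      (72, False),  # 6 years after employment ends
    "recruitment":   (12, False),  # up to 1 year after the process ends
    "disciplinary":  (12, False),  # 6-12 months after conclusion
}


@dataclass
class Record:
    record_id: str
    category: str
    name: str             # direct identifier
    ni_number: str        # direct identifier
    event_date: date      # employment end, tax event, or conclusion date
    legal_hold: bool = False                    # ongoing dispute / regulator instruction
    stats: dict = field(default_factory=dict)   # non-identifying fields kept for analytics


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def tax_year_end(d: date) -> date:
    """End of the UK tax year (5 April) in which d falls (assumed rule)."""
    end = date(d.year, 4, 5)
    return end if d <= end else date(d.year + 1, 4, 5)


def expiry_date(r: Record) -> date:
    months, from_tax_year = RETENTION_RULES[r.category]
    trigger = tax_year_end(r.event_date) if from_tax_year else r.event_date
    return add_months(trigger, months)


def audit(records, today: date) -> dict:
    """Sort record IDs into retain / legal_hold / expired as at `today`."""
    out = {"retain": [], "legal_hold": [], "expired": []}
    for r in records:
        if expiry_date(r) > today:
            out["retain"].append(r.record_id)
        elif r.legal_hold:
            out["legal_hold"].append(r.record_id)   # kept past expiry, reason recorded
        else:
            out["expired"].append(r.record_id)
    return out


def dispose(r: Record, today: date, anonymise: bool = False):
    """Delete or anonymise one expired record.

    Returns (retained_data, log_entry). The log entry records when, how and under
    which rule the record was actioned but carries no personal data itself.
    """
    log = {"record_id": r.record_id, "category": r.category,
           "expiry": expiry_date(r).isoformat(), "actioned_on": today.isoformat(),
           "action": "anonymised" if anonymise else "deleted"}
    if not anonymise:
        return None, log
    # Direct identifiers and the record ID are dropped; the fresh random token is
    # not stored anywhere else, so nothing maps the retained row back to a person.
    kept = {"token": secrets.token_hex(8), "category": r.category,
            "year": r.event_date.year, **r.stats}
    return kept, log


# Constructed sample records and audit date.
TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("A", "payroll", "J. Smith", "QQ123456C", date(2018, 8, 10), stats={"grade": "B"}),
    Record("B", "right_to_work", "J. Smith", "QQ123456C", date(2023, 9, 30)),
    Record("C", "disciplinary", "P. Jones", "QQ654321A", date(2024, 3, 15), legal_hold=True),
    Record("D", "contract", "P. Jones", "QQ654321A", date(2019, 1, 31)),
    Record("E", "ssp_leave", "R. Khan", "QQ111222B", date(2022, 3, 20)),
]

if __name__ == "__main__":
    result = audit(SAMPLE_RECORDS, TODAY)
    print(result)   # A, D and E are past their dates; C is held; B is still in period
    for r in SAMPLE_RECORDS:
        if r.record_id in result["expired"]:
            kept, entry = dispose(r, TODAY, anonymise=(r.category == "payroll"))
            print(entry, kept)
```

Two design points worth noting. The `legal_hold` flag is how the "keep longer if there is a dispute or a regulator instructs you" exception is expressed: the record still shows up in the audit as past its date, so the reason for holding it is visible rather than silently absorbed. And the anonymised row keeps only a random token with no stored mapping back to the person; if you instead kept a lookup key, or derived the token from the NI number with a reversible or keyed hash, the result would be pseudonymised rather than anonymised data, which GDPR still treats as personal data.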
What Else Should You Know About Ex-Employee Records and GDPR?
A few additional pointers for employers:
- Right to erasure: Ex-employees may ask you to delete their data. Unless you have a clear lawful reason to keep specific records (like defending a legal claim), you must comply.
- Subject access requests (SARs): If an ex-employee requests a copy of their data, you must be able to provide what you still hold – so ensure records are well organised and retrievable.
- Data minimisation principle: Avoid collecting or storing more information than required in the first place – don’t keep notes or personal data you don’t really need.
- Review regularly: Set a calendar reminder to review your employee data at least once a year. The more regularly you purge old data, the easier ongoing compliance becomes.
Best Practices Checklist: Ex-Employee Records Retention
- Keep retention schedules and justifications for all categories of ex-employee records
- Follow the statutory minimum periods and do not keep records unnecessarily
- Destroy or anonymise outdated records in a secure, auditable way
- Document every step of your personal data handling for accountability
- Communicate your retention and privacy policies to both current and departing staff
- Review your procedures as laws, business needs, and technology change
Key Takeaways: How Long Do Employers Keep Employee Records?
- Only keep ex-employee records as long as they’re needed – follow statutory requirements, then delete or anonymise.
- Retention periods vary by document type – no universal timescale fits all.
- Set and document clear retention schedules in a written policy. Review and update these regularly.
- Complying with GDPR avoids regulatory fines and reputational risks.
- If in doubt, seek professional legal guidance to tailor your approach and protect your business.
Alex Solo, Co-Founder