Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’ve had staff leave your business, you’ll be sitting on a stack of paperwork and HR files. The big question: how long should you keep ex-employee records in the UK without risking either data breaches or losing crucial evidence for disputes?
Don’t stress - with a clear retention schedule and some smart processes, you can stay compliant, reduce storage costs and protect your business.
Why Retention Periods Matter For Ex-Employee Records
Keeping employee records for the right length of time is a balancing act. Hold on to files for too long and you risk breaching UK GDPR’s “storage limitation” principle. Delete things too early and you may not be able to defend a claim, pass a tax audit, or show you met your legal duties as an employer.
Getting this right helps you to:
- Prove compliance with employment, tax and health & safety laws if questioned later.
- Defend claims (for example, discrimination, personal injury or breach of contract) within the relevant limitation periods.
- Reduce risk and cost by not storing personal data longer than necessary.
- Answer requests from ex-employees quickly, including Subject Access Requests and requests for deletion.
The key is to set (and actually follow) a written retention schedule that’s aligned to UK law and your business risks.
What The Law Says: GDPR, Employment And Tax Time Limits
There isn’t one single law that sets all retention periods. Instead, you need to layer several rules together and choose a period that is “no longer than necessary.” Here are the main sources to consider.
UK GDPR And The Data Protection Act 2018
Under UK GDPR, you must only keep personal data for as long as you need it for the original purpose you collected it. This is the “storage limitation” principle. You should set out your approach in your privacy documentation and a retention schedule, and ensure secure deletion when the period ends. If you’re collecting employee data, having an up-to-date Privacy Policy and practical retention processes is essential.
Employment And Civil Limitation Periods
- Employment tribunal time limits are short (often three months less one day), but claims such as discrimination can be brought up to six months, and the time limit can be extended by Acas early conciliation.
- Civil claims (for example, breach of contract) are generally six years under the Limitation Act 1980.
- Personal injury claims are generally three years from the date of injury or date of knowledge.
In practice, many employers choose to retain core personnel and disciplinary records for up to six years after employment ends to cover potential contractual claims.
Tax, Payroll And Pension Rules
- HMRC requires you to keep PAYE records for three years after the end of the tax year they relate to (many businesses keep them for six years to mirror general tax record practices).
- Statutory Sick Pay (SSP), Statutory Maternity/Paternity/Adoption Pay records should generally be kept for at least three years after the end of the relevant tax year.
- Auto-enrolment pension records must be kept for prescribed periods - commonly six years for most records, and four years for opt-out notices (per The Pensions Regulator’s guidance).
Working Time And National Minimum Wage Records
- Working Time Regulations records (e.g. hours worked, night work assessments) must be kept for two years.
- National Minimum Wage records must typically be kept for three years after the end of the pay reference period.
Health & Safety, Medical And Insurance Records
- Accident book entries should be kept for at least three years (longer if there’s a risk of litigation).
- Where employees are exposed to hazardous substances, some medical surveillance and exposure records must be kept much longer - often 40 years (e.g. under COSHH and asbestos regulations).
- Employers’ liability insurance certificates are often retained for up to 40 years as a matter of best practice to evidence cover for long-tail injury claims.
These periods vary depending on your industry and risks, so take tailored advice if you handle hazardous work environments.
Recommended Retention Periods By Record Type
Below is a practical, employer-friendly schedule you can adapt. It blends GDPR’s “no longer than necessary” test with typical limitation periods and regulator expectations. Always adjust for your sector, claims history and risk profile.
1) Recruitment And Right To Work
- CVs/Applications (unsuccessful): 6–12 months after decision. This allows you to defend discrimination claims but avoids holding data indefinitely.
- Interview Notes (unsuccessful): 6–12 months after decision.
- Right To Work Checks (successful hires): Throughout employment and two years after it ends (Home Office guidance).
2) Core Personnel Files
- Employment Contracts and Variations: Up to six years after employment ends (to cover breach of contract claims). If you’re updating terms during employment, ensure your Employment Contract clearly explains what you’ll retain and why.
- Contact Details, Next Of Kin: Delete when no longer necessary after employment ends, unless needed for a short period in case of outstanding matters.
- Performance Reviews, Appraisals: Typically six years after employment ends.
- Disciplinary/Grievance Records: Generally six years after employment ends. Follow any stated “spent” periods for warnings, but keep a minimal record of outcomes for litigation defence.
3) Pay, Leave And Benefits
- Payroll/PAYE: At least three years after the end of the tax year (many employers standardise on six years).
- SSP, SMP, SPP, SAP Records: Three years after the end of the tax year to which they relate.
- Holiday/Working Time Records: Two years under the Working Time Regulations.
- Auto-Enrolment Pension Records: Six years (and four years for opt-out notices).
- Expense Claims: Six years (to align with tax/audit needs).
4) Health, Safety And Medical
- Accident Reports/RIDDOR: At least three years (consider longer if litigation is possible).
- Health Surveillance/Exposure Records (e.g. hazardous substances, asbestos, ionising radiation): Up to 40 years as required by specific regulations.
- Occupational Health Reports: Retain only as long as necessary for the employment purpose and potential claims, then delete securely. If exposure-related, follow the longer regulatory period.
5) Training, Licences And Compliance
- Training Records (e.g. H&S, safeguarding, driving): Six years after employment ends (or longer if specific regulation requires).
- Professional Licences/Certificates: Throughout employment and for a short period after departure if needed for handover or audit trails.
6) IT, Security And Access
- System Access Logs: Short, defined period (e.g. 3–12 months) unless needed for incident investigation. Reduce scope via minimisation.
- ID Badges, Access Tokens: Revoke immediately on exit; destroy any personal copies promptly.
7) References And Exit Documents
- Resignation/Exit Interview Notes: Six years to align with general contractual claims.
- Settlement Agreements: Six years from the date of the agreement (or longer if terms require).
- References Given: Keep a copy for up to two years to evidence what was said.
Tip: Keep everything proportionate. If a category doesn’t serve a legal or business need post-employment, shorten the period and document your rationale.
Building A Clear Data Retention Policy And Schedule
A written retention schedule turns all of the above into a simple, repeatable process your team can follow - and it’s exactly what the ICO expects to see if they ask how you manage personal data. Here’s how to build one that works.
Map Your HR Data
List the categories you hold across the employee lifecycle: recruitment, onboarding, personnel, performance, pay/benefits, H&S, IT logs, exit documentation. For each, note where it’s stored (HRIS, email, shared drives, paper files).
Assign Retention Periods And Justifications
For each category, set a retention period (for example “six years post-termination”) and write down the legal basis or business need (e.g. “limitation period for contractual claims” or “HMRC requirement”). If you collect special category data (e.g. health), be particularly strict about minimisation and security.
Bake It Into Everyday Processes
- Use HRIS features to tag “termination dates” and trigger scheduled deletions or reviews.
- Set calendar reminders for an end-of-tax-year review of payroll and statutory pay records.
- Train managers and HR on what to keep, where to store it, and when to delete it. Your Staff Handbook can signpost the basics for consistent practices.
- Make sure your Workplace Policy framework covers data protection, retention and secure disposal.
- Document your approach inside a practical Data Protection Pack so you can show your workings if the ICO or a tribunal asks.
Align Your Privacy Notices
Your employee privacy information should explain categories of data you collect, why you process them, who you share them with and high-level retention periods. Make sure this aligns with your internal schedule and your public-facing Privacy Policy.
Secure, Documented Deletion
When the period ends, delete securely and record what you did (date, data categories, method). For paper, use cross-cut shredding or a certified disposal provider. For digital, ensure permanent deletion from backups where feasible or use reasonable alternatives documented in your policy.
Handling Requests, Deletions And Special Cases
Even with a schedule, real life throws curveballs. Here’s how to handle the common ones.
Subject Access Requests (SARs)
Ex-employees can ask for copies of their data. Build a simple process to find and extract relevant records quickly, redact third-party data where appropriate, and respond within the statutory timeframe. It’s helpful to have a checklist for Subject Access Requests and a handle on SAR response deadlines.
Right To Erasure (The “Right To Be Forgotten”)
Ex-employees may ask you to delete their data. You must delete personal data where there’s no overriding legal basis to keep it, but you can refuse (or limit) deletion if you need the data to comply with a legal obligation or to establish, exercise or defend legal claims. Having a clear view of your lawful grounds makes processing these requests far simpler - our guide to GDPR data deletion covers the common scenarios.
Litigation Holds
If you reasonably anticipate a claim or investigation, suspend normal deletion for the relevant records (“legal hold”) until the matter concludes. Document the hold, scope it narrowly, and lift it promptly afterwards.
Criminal Records And DBS Checks
Be especially cautious with criminal records data. You should not store full DBS certificates; keep only minimal details (certificate number, decision, date) and for the shortest time necessary (commonly up to six months unless there’s a clear need).
Health And Safety Exposures
If your workforce is exposed to substances or environments with long-term health risks, follow the specific regulations on retention (often 40 years for medical surveillance and exposure records). This overrides your general schedule for those categories.
Consistency Across Contracts And Policies
Make sure your employment documentation and internal policies reflect your retention approach. It’s normal to reference retention at a high level in your Employment Contract, then point staff to your privacy information and internal policies for details.
FAQs: How Long Do Employers Keep Records Of Past Employees?
Below are quick answers to the common questions we get from small business owners.
How Long To Keep Employee Records In The UK After They Leave?
For core personnel and disciplinary files, many employers keep records for up to six years post-employment to cover contractual claims, unless a shorter period is justified. Some categories are shorter (two years for Working Time records, three years for PAYE/SSP/SMP, four years for pension opt-outs) and some are much longer (up to 40 years for certain health surveillance/exposure records). Always apply the GDPR “no longer than necessary” test.
How Long Do Companies Keep Payroll Records?
Keep PAYE and statutory pay records for at least three years after the end of the tax year they relate to. Many businesses standardise on six years to align with general tax and audit practices.
Do We Need A Written Retention Policy?
While UK GDPR doesn’t literally say “write a policy”, the ICO expects you to document how long you keep different categories and why, and to be able to show you follow it. A documented schedule within your Data Protection Pack makes this straightforward.
What If An Ex-Employee Asks Us To Delete Everything?
Assess the request against your legal obligations and your need to keep data for claims or compliance. If you have a valid basis to retain certain records, explain this and delete anything you no longer need. For practical guidance, see our overview on how long to keep personal data.
Do We Need To Keep Employers’ Liability Insurance Certificates Forever?
The strict legal requirement to keep physical certificates has changed, but it’s widely recommended to retain accessible proof of cover for up to 40 years, due to long-tail personal injury claims. Storing digital copies and keeping your insurer/broker details is sensible risk management.
Practical Tips To Stay Compliant And Reduce Risk
- Keep it simple: Fewer categories, clear timeframes. Make the schedule usable for busy managers.
- Minimise from day one: Don’t collect more than you need. Where feasible, anonymise or aggregate data so GDPR no longer applies.
- Automate deletion: Use HRIS and IT tools to trigger reviews and removal at set dates, with light-touch approvals.
- Train your team: Build data hygiene into onboarding/manager training and include a summary in your Staff Handbook.
- Be ready for SARs: Have a playbook for locating emails, chat logs, shared drives, and redacting third-party data - see our guidance on SAR deadlines.
- Review annually: Put a diary note to sanity-check your schedule each year, especially if laws or your operations change.
Key Takeaways
- There’s no single rule - retention periods come from UK GDPR’s “no longer than necessary” test plus employment, tax and H&S rules. Choose periods that are justified and documented.
- As a rule of thumb, keep core personnel and disciplinary records for up to six years after employment ends. Use shorter periods for Working Time (two years) and statutory pay/PAYE (three years), and much longer where H&S laws require (often 40 years).
- Write a clear retention schedule, align it with your employee privacy information and Privacy Policy, and build secure deletion into your HR processes.
- Be prepared for Subject Access Requests and erasure requests - have a practical process and know when you can retain data to meet legal obligations or defend claims.
- Train managers and HR, automate what you can, and review annually. Good data hygiene reduces risk, saves time and shows accountability to the ICO.
- If your operations involve special risks (e.g. hazardous substances), follow the specific regulations that require extended retention for health surveillance and exposure records.
If you’d like tailored help drafting a retention schedule, aligning your HR files with UK GDPR, or updating your employee privacy documentation, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.