UK employers must retain most HR records for six years after employment ends to cover the civil limitation period for contractual claims, with different periods for specific record types (right-to-work documents: duration of employment plus two years; PAYE records: three years from the end of the tax year; RIDDOR accident records: three years). Subject Access Requests must be answered within one calendar month at no charge. ICO enforcement of data protection obligations has included HR-specific cases. A written retention schedule and an HR system that enforces it with automated deletion workflows is the minimum standard for a UK GDPR-compliant HR function.
Last reviewed May 2026
Employee data sits at the intersection of employment law, tax law, and data protection law in a way that creates genuine complexity for UK HR teams. The retention periods that apply to different categories of HR record are not consolidated in a single piece of legislation - they are scattered across the Employment Rights Act, HMRC PAYE regulations, the Limitation Act 1980, RIDDOR, and UK GDPR itself. This article consolidates the key retention obligations, explains what Subject Access Requests require of the HR function, and sets out the ICO's current enforcement position on employment data. For software that automates these requirements, see best HR software UK, HR document management software, and HR compliance software.
Retention Periods by Record Type
The ICO's employment practices guidance does not prescribe fixed retention periods for most HR records - it requires employers to retain records only as long as necessary for a specified purpose and to document their reasoning in a retention schedule. However, several legal frameworks create minimum or recommended periods that a well-structured HR policy should reflect.
Employment contracts and written statements: the Limitation Act 1980 sets a six-year limitation period for contractual claims in England and Wales (in Scotland the equivalent period is five years under the Prescription and Limitation (Scotland) Act 1973). Employment lawyers consistently recommend retaining contracts for at least six years after employment ends, to cover potential breach of contract or wrongful dismissal claims in the civil courts alongside any employment tribunal proceedings.
Payroll and PAYE records: HMRC requires employers to retain payroll records for a minimum of three years from the end of the tax year to which they relate (Regulation 97 of the Income Tax (PAYE) Regulations 2003). For workers paid at or near the National Minimum Wage, records sufficient to demonstrate compliance must be kept for six years.
Right-to-work documents: the Home Office requires these to be kept for the duration of employment plus two years. This is a shorter period than the general six-year employment record recommendation. After this point, retaining identity documents beyond their purpose constitutes a breach of the data minimisation principle under UK GDPR.
Accident and health records: RIDDOR 2013 requires accident records to be kept for three years from the date of the incident. Health records created in the context of a health surveillance programme under COSHH Regulations must be kept for 40 years from the date of last entry.
Sickness absence records: no statutory minimum, but six years after employment ends is the standard recommendation, aligning with the contractual limitation period and covering later disputes about capability, reasonable adjustments or disability discrimination. Records should be stored separately from the main employee file with access restricted, as they are likely to contain special category health data.
Subject Access Requests: What the One-Month Deadline Requires in Practice
Under Article 15 of UK GDPR, employees and former employees have the right to request a copy of all personal data held about them. The employer must respond within one calendar month of receipt (extendable by two months for complex or numerous requests, with notification of the extension within the first month). The response must be provided free of charge. Charging a fee is only permissible where a request is manifestly unfounded or excessive, and the employer must be able to evidence this.
In practice, a Subject Access Request (SAR) from a current or former employee in the context of an employment dispute can require the HR function to search and compile data from multiple systems: the HRIS, payroll software, email archives, performance management tools, disciplinary records, and any shared drives where HR correspondence is stored. The ICO's right of access guidance clarifies that the duty extends to all personal data about the individual held in any format, including informal notes, instant messages, and emails in which the individual is identifiable.
Several ICO enforcement cases have involved failures in the employment context. Common failings include: missing the one-month deadline; failing to search all relevant systems (particularly email and instant messaging archives); and improperly withholding data on the basis of the third-party exemption without adequate justification. That exemption allows employers to redact information that would identify another individual who has not consented and whose identity it is not reasonable to disclose, but it cannot be used to redact the substance of management decisions about the data subject.
Special Category Data in HR Records
Article 9 of UK GDPR identifies nine categories of special category data that attract enhanced protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for identification purposes, health data, sex life, and sexual orientation. Criminal convictions and offences data is not special category data but is governed separately by Article 10 of UK GDPR and Schedule 1 of the Data Protection Act 2018, and in practice requires equivalent controls.
HR functions routinely hold special category data in several forms. Sickness absence records frequently contain health diagnoses. Equal opportunities monitoring data contains racial and ethnic origin information. Biometric clocking systems create biometric data. Pre-employment criminal records checks (via the Disclosure and Barring Service) involve criminal offence data. Each of these requires a specific Article 9 condition (or, for criminal offence data, an Article 10 condition from Schedule 1 of the Data Protection Act 2018) in addition to the standard lawful basis under Article 6.
For employment-related special category data, the most commonly applicable Article 9 condition is Schedule 1, Part 1 of the Data Protection Act 2018: processing is necessary for the purposes of obligations or rights in the field of employment law, and the employer has an appropriate policy document in place. The ICO's special category guidance sets out the requirements for this policy document - it must explain the employer's procedures for securing compliance with the data protection principles and the employer's policy for retention and erasure of the special category data.
Building a GDPR-Compliant HR Retention Schedule
A retention schedule is a document that lists each category of HR record, the retention period, the legal basis for retention, and the deletion method. It is not a legal requirement to maintain a retention schedule, but in practice it is the primary evidence an employer can produce to demonstrate compliance with the storage limitation principle under UK GDPR, and it is the first document the ICO is likely to request in an investigation.
The CIPD recommends that HR retention schedules are reviewed at least annually to reflect changes in legislation and case law. The schedule should be linked to the organisation's data protection policy and its Record of Processing Activities (ROPA), which Article 30 of UK GDPR requires of organisations with 250 or more employees and of smaller organisations whose processing is not occasional, is likely to result in a risk to individuals, or includes special category or criminal offence data.
HR software can automate enforcement of the retention schedule by flagging records approaching their deletion date and (in more advanced systems) initiating a deletion workflow that requires sign-off from the HR manager before records are permanently deleted. Automated deletion is superior to manual processes because it removes the dependency on individual HR team members remembering to act on a schedule - a dependency that consistently fails in practice.
| Record type | Minimum retention | Recommended (legal risk) | Legal basis |
|---|---|---|---|
| Employment contracts | None statutory | 6 years post-termination | Limitation Act 1980 |
| PAYE/payroll records | 3 years (HMRC) | 6 years (NMW) | PAYE Regs 2003 |
| Right-to-work docs | Employment + 2 years | Employment + 2 years | Home Office guidance |
| Sickness absence | None statutory | 6 years post-termination | Equality Act 2010; Limitation Act 1980 |
| RIDDOR accident records | 3 years | 3 years | RIDDOR 2013 |
| Health surveillance records | 40 years | 40 years | COSHH Regs 2002 |
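The flagging and deletion-queue logic described above, as an added example that is not code from this article or from any HR product: it encodes the retention table as a schedule, computes each record's deletion date from the event the period runs from (termination, end of the tax year, incident or last entry), and produces a review queue for the sign-off workflow. The record type names, field names and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention schedule keyed by record type (assumed names). Each rule gives the
# event the period runs from and the period in years, taken from the
# "recommended (legal risk)" column of the table above.
SCHEDULE = {
    "contract":            ("termination",  6),   # Limitation Act 1980
    "payroll":             ("tax_year_end", 3),   # PAYE Regs 2003, reg 97
    "nmw_records":         ("tax_year_end", 6),   # NMW record-keeping
    "right_to_work":       ("termination",  2),   # Home Office guidance
    "sickness_absence":    ("termination",  6),   # Equality Act / Limitation Act
    "riddor_accident":     ("incident",     3),   # RIDDOR 2013
    "health_surveillance": ("last_entry",  40),   # COSHH 2002
}

# Types holding special category (health) data: flagged so the deletion
# workflow can route them for sign-off and confirm they sit in the separate store.
SPECIAL_CATEGORY = {"sickness_absence", "health_surveillance"}


@dataclass
class Record:
    record_id: str
    record_type: str
    employee_id: str
    termination: Optional[date] = None   # None while the person is still employed
    event_date: Optional[date] = None    # payment, incident or last-entry date


def uk_tax_year_end(d: date) -> date:
    """Return the 5 April that closes the UK tax year containing d."""
    this_year_end = date(d.year, 4, 5)
    return this_year_end if d <= this_year_end else date(d.year + 1, 4, 5)


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def deletion_date(rec: Record) -> Optional[date]:
    """Date the retention period expires, or None if the clock has not started
    (e.g. the contract of a current employee)."""
    if rec.record_type not in SCHEDULE:
        # Fail closed: an unknown type must be added to the schedule, not kept indefinitely.
        raise ValueError(f"no retention rule for record type {rec.record_type!r}")
    anchor_kind, years = SCHEDULE[rec.record_type]
    if anchor_kind == "termination":
        if rec.termination is None:
            return None
        anchor = rec.termination
    elif anchor_kind == "tax_year_end":
        anchor = uk_tax_year_end(rec.event_date)
    else:  # "incident" or "last_entry"
        anchor = rec.event_date
    return add_years(anchor, years)


def review_queue(records, today: date, horizon_days: int = 30):
    """Records whose deletion date has passed or falls within the horizon,
    earliest first, tagged for the deletion workflow."""
    horizon = today + timedelta(days=horizon_days)
    queue = []
    for rec in records:
        due = deletion_date(rec)
        if due is None or due > horizon:
            continue
        queue.append({
            "record_id": rec.record_id,
            "deletion_date": due.isoformat(),
            "action": "delete_due" if due <= today else "delete_soon",
            "special_category": rec.record_type in SPECIAL_CATEGORY,
        })
    queue.sort(key=lambda item: item["deletion_date"])
    return queue


def sample_records():
    """Constructed sample data: one leaver (E100) and one current employee (E200)."""
    left = date(2020, 3, 31)
    return [
        Record("C-1", "contract", "E100", termination=left),
        Record("R-1", "right_to_work", "E100", termination=left),
        Record("P-1", "payroll", "E100", event_date=date(2019, 5, 20)),
        Record("S-1", "sickness_absence", "E100", termination=left),
        Record("H-1", "health_surveillance", "E100", event_date=date(2019, 11, 1)),
        Record("C-2", "contract", "E200"),  # still employed: no deletion date yet
    ]


if __name__ == "__main__":
    for item in review_queue(sample_records(), today=date(2026, 3, 15)):
        print(item)
```

Run against the constructed sample on 15 March 2026, the right-to-work copy (expired March 2022) and the payroll record (tax year ending 5 April 2020, plus three years) come out as overdue, the contract and sickness record fall due at the end of the month, the 40-year health surveillance record and the current employee's contract are not queued. Unknown record types raise rather than being silently retained, which is the failure mode a manual schedule tends to produce.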
ICO Enforcement Trends in Employment Data
The ICO has taken enforcement action in employment contexts across a range of scenarios. Enforcement Notices and reprimands have been issued for failures including: excessive CCTV retention covering employee areas without a legitimate basis; failure to conduct Data Protection Impact Assessments before deploying employee monitoring software; and failure to respond to SARs within the statutory timeframe. The ICO's enforcement tracker, published on its website, includes employment-sector cases and is a useful reference for HR compliance teams benchmarking their exposure.
The Data (Use and Access) Act 2025 (which received Royal Assent in June 2025 and is being commenced in stages) has amended several aspects of UK data protection law, including the rules on solely automated decision-making. HR teams should review the ICO's updated guidance when assessing automated decision-making in HR contexts (performance management algorithms, absence trigger systems) and the requirements for privacy notices delivered to employees.
FAQ
How long should UK employers keep employee personnel files?
There is no single statutory answer. Employment lawyers recommend six years from the end of employment for most records, to cover the Limitation Act 1980 window for contractual claims. Specific record types have different periods: right-to-work documents (employment plus two years), PAYE records (three to six years depending on record type), and RIDDOR accident records (three years).
Can an employee request all HR records held about them?
Yes. Under Article 15 of UK GDPR, any individual (including current and former employees) can submit a Subject Access Request for all personal data held about them. The employer must respond within one calendar month, free of charge, and must search all systems including email archives, performance records, and informal notes where the individual is identifiable.
What happens if an employer fails to respond to a SAR within one month?
The individual can complain to the ICO, which may issue an Enforcement Notice requiring compliance. The ICO can also impose fines under UK GDPR of up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements, though employment-related SAR failures typically result in lower-level enforcement action such as reprimands and Enforcement Notices rather than fines at that scale.
Does UK GDPR apply to paper HR records as well as digital ones?
Yes. UK GDPR applies to paper records that form part of a filing system, meaning any set of records structured so that personal data can be located by reference to specific criteria (alphabetical by name, chronological by date). Unstructured paper records (such as random unsorted notes) may fall outside the regulation's scope, but this is a narrow exception that should not be relied upon in practice, and for public authorities the Data Protection Act 2018 extends some obligations to unstructured manual data as well.
What is an appropriate policy document for special category HR data?
An appropriate policy document, required under Schedule 1 of the Data Protection Act 2018 when processing special category data for employment purposes, must explain the employer's compliance procedures for each data protection principle, and the employer's retention and erasure policy for the special category data concerned. The ICO's guidance specifies the minimum content. It should be reviewed annually and updated when processing activities change.
How We Verified
This article draws on ICO guidance on employment practices and data protection, CIPD resources on HR record-keeping, HMRC guidance on PAYE record retention, and primary legislation including the Limitation Act 1980, RIDDOR 2013, COSHH Regulations 2002, and the Data Protection Act 2018. Legislation was verified against current text on legislation.gov.uk. No vendor paid for inclusion in this article.