
Data Retention Rules for Small Businesses: What Should You Be Storing, and When Should You Delete It?


The Data Protection Act 2018 governs what types of employee records small businesses should be storing, how you should be storing them, and for how long to keep them. Maintaining accurate records supports compliance, safeguards your organisation, and helps ensure staff information is managed lawfully.

 

What types of HR data might you hold?

Types of records include, but are not limited to:

  • Personal information

  • Personnel records

  • Contracts

  • Performance reviews

  • Working time records, including time worked and breaks taken

  • Notes taken during interviews, along with other information obtained during recruitment such as CVs

  • Salary and pay information, including any statutory pay entitlements such as parental leave

  • Absence information and sickness records

  • Training records

 

What does ‘retention’ mean, and what does the law say?

Retention simply means storing, managing and safeguarding employee information. The law defines how long you should securely store this information, and clear procedures support compliance and protect your organisation during disputes.

 

The amount of time documents are retained for should not be excessive, but the amount of time defined by law depends on the type of data. Once the period of retention has expired, documents should be securely and permanently disposed of to ensure compliance.

 

How long should you hold records for?

  • Accounting and Income Tax Records: These should be kept for 6 years from the end of the last company financial year.

  • Contracts: 6 years following the end of the contract

  • Personnel files: 6 years following the end of employment, but consider removing personal information wherever possible to reduce risk

  • Health & Safety Records:

    • Accident reports: 3 years

    • First aid reports: 6 years

    • Records related to exposure to dangerous substances including medical records and biological test information: 40 years

 

The following data does not have to be retained by law but should be retained for an appropriate period to support compliance and resolve disputes.

 

The UK Limitation Act 1980 states that there is usually a deadline of 6 years following the end of employment for an employee to bring a dispute; however, this can vary depending on the type of claim.

 

What should you do?

  1. Complete annual reviews of the data you’re holding to identify any records that are due for disposal

  2. Dispose of documents safely – shred physical documents and permanently delete digital files

  3. Let staff know why you collect their data and clarify the complaints process they should follow if needed with a GDPR & Privacy Notice

  4. Inform employees how long you will hold their records for with a Data Retention Policy

 

Do you want to implement a GDPR-compliant record storage system for your personnel records?

Simply call us on 01793 311937 or email us at clientservices@robinsongracehr.com.

 

Frequently Asked Questions:

 

1. What happens if a business keeps employee records for too long?

Answer: Keeping employee records longer than necessary can create unnecessary compliance risks under the Data Protection Act 2018 and UK GDPR. Employers must follow the principle of data minimisation, which means personal data should only be retained for as long as there is a legitimate business or legal reason to do so. Failure to dispose of records appropriately could increase the risk of data breaches, regulatory complaints, and potential enforcement action. Regular reviews of employee records can help ensure that outdated information is securely deleted when retention periods expire.

 

2. Do employers need a Data Retention Policy?

Answer: While not every organisation is legally required to have a formal Data Retention Policy, having one is considered best practice and helps demonstrate compliance with UK GDPR and the Data Protection Act 2018. A Data Retention Policy should explain what employee data is collected, how long records are kept, the reasons for retention, and how information is securely disposed of. For small businesses, a clear policy can improve consistency, reduce compliance risks, and provide transparency for employees.

 

3. Can employees request access to their HR records?

Answer: Yes. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, employees have the right to submit a Data Subject Access Request (DSAR) to obtain a copy of the personal data their employer holds about them. This may include personnel records, performance reviews, absence records, training records, and other employment-related information. Employers are generally required to respond within one month and provide the information unless a legal exemption applies. Maintaining accurate and organised HR records can help businesses respond efficiently to Subject Access Requests and demonstrate compliance.



The content of our blogs is intended for general information and not to replace legal or other professional advice.

