Compliance & Records
How long should I keep HR records under UK GDPR?
Last reviewed 4 May 2026
The principle: no longer than necessary
UK GDPR doesn't tell you how long to keep HR records. It sets a principle: personal data must be kept "for no longer than is necessary for the purposes for which the personal data are processed" (Article 5(1)(e)).
Specific retention periods come from other legislation — the Income Tax Acts, the Working Time Regulations, the Pensions Act 2008, the Limitation Act 1980. Retention is the intersection of all these laws, and your retention schedule should be a deliberate, documented choice.
Why it matters
The Information Commissioner's Office (ICO) treats retention as a core compliance area. A documented retention schedule is one of the first things the ICO asks for in a complaint investigation. Holding HR data longer than necessary, with no documented basis, is a frequent route to enforcement action — and to significant fines under the £17.5m / 4% of turnover ceiling.
Beyond regulatory risk, over-retained data is also a breach risk. Every day you keep a record beyond its useful life is another day someone could steal it.
Recommended retention periods
These are practical defaults, derived from the legal frameworks. They are guidelines — your schedule should be reviewed against your specific business needs.
Recruitment
| Record | Period | Source |
|--------|--------|--------|
| Application forms, CVs, interview notes (unsuccessful candidates) | 6 months after role filled | Equality Act tribunal window (3 months) plus appeal time |
| Interview notes (successful candidates) | Duration of employment + 6 years | Form part of HR record |
| Right to work check evidence | Duration of employment + 2 years | Home Office requirement |
| References (received) | 1 year after employment ends | Common practice; longer if dispute |
Active employment records
| Record | Period | Source |
|--------|--------|--------|
| Employment contract and Section 1 statement | Duration of employment + 6 years | Limitation Act 1980 |
| Personnel file (general) | Duration of employment + 6 years | Limitation Act 1980 |
| Performance reviews and appraisals | Duration of employment + 3 years | HR best practice |
| Disciplinary records | Until expiry of warning under policy + 12 months | Internal policy |
| Training records | Duration of employment + 6 years | Working Time Regulations / sector rules |
| Working time records | 2 years | WTR 1998 |
Pay and tax
| Record | Period | Source |
|--------|--------|--------|
| Payroll records | 6 years from end of tax year | HMRC requirement |
| PAYE records and P11Ds | 3 years from end of tax year | HMRC requirement (longer for cross-checks) |
| Statutory Sick Pay records | 3 years from end of tax year | SSP regulations |
| Statutory Maternity / Paternity Pay | 3 years from end of tax year | SMP / SPP regulations |
| Pension records | Permanently, or 12 years after last contribution | Pensions Act |
Sickness and medical
| Record | Period | Source |
|--------|--------|--------|
| General sickness records | 3 years from end of tax year | SSP regulations |
| Medical records (occupational health) | 7 years (general) or 40 years (asbestos, lead, ionising radiation) | COSHH / sector-specific |
| Fit notes | 3 years from end of tax year | SSP regulations |
| Accident records | 3 years from date of incident | RIDDOR |
Termination
| Record | Period | Source |
|--------|--------|--------|
| P45 copy | 6 years from end of tax year | HMRC requirement |
| Settlement agreements | 6 years | Limitation Act |
| Reference requests received post-termination | 1 year | Common practice |
Operational
| Record | Period | Source |
|--------|--------|--------|
| CCTV footage | 30 days (default) | ICO guidance |
| Building access logs | 6 months | ICO guidance |
| IT activity logs | 6 months | ICO guidance |
| Email archives | 1–6 years depending on business need | Internal policy |
The "longer than necessary" trap
Two common patterns of over-retention:
Default to "permanent" when in doubt
Many HR systems are designed to retain data forever. Without an explicit deletion policy, the data accumulates indefinitely. ICO investigations frequently uncover records 15+ years old with no business justification.
The fix: every record category should have a defined retention period. "Indefinite" is not a valid choice.
"We might need it for litigation"
Many organisations cite the Limitation Act 1980 as justification for holding HR records for six years (the standard contract claim window). But the six-year window applies from the date of breach or termination, not from the date the record was created.
A 1995 disciplinary file held in 2026 because "we might be sued" is not a defensible position. It's been 30+ years; any claim is statute-barred.
Special categories
UK GDPR Article 9 defines "special category" data: health, religion, ethnicity, sexual orientation, political opinion, trade union membership, biometric and genetic data, criminal offence data.
Special category data needs a stronger lawful basis (one of the Article 9 conditions) and tighter retention. Health records held by occupational health are particularly tightly regulated under medical confidentiality rules — typically held by OH providers as third-party data processors, not by the employer directly.
Anonymisation as an alternative to deletion
For some uses (workforce analytics, longitudinal trend reporting), employers want to keep data beyond the active retention period. The right answer is anonymisation, not retention of identifiable data.
True anonymisation removes all identifiers — including indirect ones — and is irreversible. Pseudonymisation (replacing names with codes that can be reversed) is not anonymisation under UK GDPR; pseudonymised data is still personal data.
If you can't fully anonymise, you should delete.
Disposal mechanics
Documented retention requires documented disposal. Methods:
- Paper records — secure shredding (cross-cut, certified destruction)
- Digital records — secure deletion (not just "move to trash" — overwriting or hardware destruction for sensitive data)
- Backups — defined retention with automated rotation; backup data still counts as "held"
- Archived files — apply the same retention schedule to archives
Keep a deletion log. When the ICO asks "what happened to X's data?" the answer should be a date and a method, not a shrug.
Subject access requests (SARs)
Even data within retention can be requested by the data subject. UK GDPR gives individuals the right to:
- Know what data you hold about them
- Receive a copy
- Have inaccuracies corrected
- Request deletion (the "right to be forgotten" — limited in HR)
You have one calendar month to respond, extendable by two months for complex requests. Building SAR capability is a big project — much harder if you've over-retained data across many systems.
Putting it into practice
A robust retention programme:
- Documents the retention period for every category of HR data
- Assigns ownership for each category to a named role
- Automates deletion where possible (system-driven, not human-driven)
- Logs disposals for audit
- Reviews the schedule annually against legal and business changes
- Trains HR and managers on what they can and can't keep
- Includes anonymisation as an option where the data has analytic value
Retention is the unsexy part of UK GDPR compliance. It's also where most enforcement comes from. Document the schedule, automate the deletion, and keep the log.
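As an added illustration of the "document the schedule, automate the deletion, keep the log" programme above and the disposal log described under "Disposal mechanics", here is a small schedule-as-code evaluator. It is example code written for this article, not an official tool; the category names and the subset of rules are constructed from the tables above, and the "from end of tax year" clock is modelled as the 5 April following the triggering event.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Rule:
    """One row of the retention schedule: how long, counted from which clock."""
    years: int = 0
    months: int = 0
    days: int = 0
    basis: str = "event"   # "event": from the triggering date; "tax_year_end": from the 5 April after it
    source: str = ""

# Constructed subset of the schedule in the tables above (illustrative, not a complete legal schedule).
SCHEDULE = {
    "unsuccessful_application": Rule(months=6, source="Equality Act tribunal window + appeal time"),
    "personnel_file": Rule(years=6, source="Limitation Act 1980"),
    "working_time": Rule(years=2, source="WTR 1998"),
    "payroll": Rule(years=6, basis="tax_year_end", source="HMRC requirement"),
    "ssp": Rule(years=3, basis="tax_year_end", source="SSP regulations"),
    "cctv": Rule(days=30, source="ICO guidance"),
}

def tax_year_end(d: date) -> date:
    """The UK tax year ends on 5 April; return the 5 April on or after d."""
    return date(d.year if (d.month, d.day) <= (4, 5) else d.year + 1, 4, 5)

def add_period(d: date, years: int, months: int, days: int) -> date:
    """Calendar-aware addition that clamps the day when the target month is shorter (29 Feb + 6y)."""
    m = d.month - 1 + months
    y, m = d.year + years + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1])) + timedelta(days=days)

def disposal_date(category: str, event: date) -> date:
    """Earliest schedule-compliant disposal date for a record of `category` triggered on `event`."""
    rule = SCHEDULE[category]
    start = tax_year_end(event) if rule.basis == "tax_year_end" else event
    return add_period(start, rule.years, rule.months, rule.days)

def due_for_disposal(records, today: date):
    """System-driven selection: every record whose retention period has expired as of `today`."""
    return [r for r in records if disposal_date(r["category"], r["event"]) <= today]

def log_disposal(log: list, record: dict, method: str, when: date) -> dict:
    """Append the audit entry the ICO expects: a date, a method and the documented basis."""
    entry = {"subject": record["subject"], "category": record["category"],
             "disposed_on": when.isoformat(), "method": method,
             "basis": SCHEDULE[record["category"]].source}
    log.append(entry)
    return entry
```

Backups and archives must run through the same evaluator, since data held in a backup still counts as held.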
Frequently asked questions
- Why is retention not specified in UK GDPR?
- UK GDPR sets the principle ('no longer than necessary') but doesn't list specific periods. Periods are derived from other laws — Working Time Regulations (2 years for working-time records), Income Tax Acts (6 years for payroll), Pensions Act (long-term), etc.
- How long should I keep records of unsuccessful job applicants?
- Six months is the typical maximum, to allow time to defend any discrimination claim (which has a three-month tribunal window plus appeal time). Beyond that, the lawful basis to hold the data lapses.
- What about ex-employees?
- Most general HR records can be deleted six years after termination, mirroring tax record retention. Records of disciplinary action are typically kept until expiry of the warning under your policy. Pension and tax records are kept much longer.
- Do I need a written retention schedule?
- Yes. The ICO expects employers to have a documented retention schedule covering each record type, the retention period, the lawful basis, and the disposal method. It's often the first thing the ICO asks for in a complaint investigation.
- What about CCTV footage and access logs?
- 30 days is the typical default, longer only with specific justification (a recorded incident under investigation, for example). Indefinite retention is not compliant.