
How Long Should My Business Keep Employee Records in England?


Your business likely stores a significant amount of employee data within personnel files. Therefore, it is essential that you meet all requirements to avoid fines for improper use of employee data. The General Data Protection Regulation (GDPR) and Data Protection Act provide organisations with data protection rules in England. In particular, the GDPR includes directions on how long your organisation can process and store employee records. This article will explain the main data protection principles relating to employee information, so your business can safely delete staff data when you no longer need it.

Importance of Compliance

Any breach of the GDPR can lead to an investigation by the Information Commissioner’s Office (ICO). Moreover, the ICO can issue fines up to £17.5m to any organisation that breaches the GDPR. Therefore, your business should make every effort to comply with data protection rules, including those relating to employee records. For simplicity, this article will focus on the information within employee personnel files only.

Handling Employee Data

The ICO and GDPR expect your business to do the following:

  • only record relevant personal information concerning staff;
  • record such data securely and safely; 
  • keep staff information up-to-date; and 
  • safely delete employee records when no longer required.

This article will focus on the last expectation, the safe deletion of employee data. 


When Records Are No Longer Required

Naturally, your company should keep employee records of current staff. The main question is, how long after their departure should your business delete their information?

Our data protection laws do not provide an exact time period to delete data after a staff member’s departure. Instead, English law expects companies to calculate how long they need to keep employee data, and then ensure speedy deletion when they no longer need it. Notably, the GDPR does not require companies to immediately delete all information relating to an employee upon their departure. Your business should not do so, as it may prevent it from:

  • providing a P45;
  • providing a reference; or
  • fighting any legal action down the line.

Instead, companies should consider deleting certain sections of a personnel file before others.

The ICO acknowledges that the deletion of electronic data can be interpreted in various ways. For example, the ICO accepts that deletion can include deleting information from your primary IT system and files but retaining it within a backup hard drive (usually used to guard against accidental system corruption).

Example

Suppose you have an employee named Lisa who has worked for your company for nine years. Unfortunately, she suffered a leg injury in the workplace five months ago and resigned last week. Your first action is not to delete her personnel file upon her departure. Instead, you are likely to keep it in place to ensure you can provide an accurate reference and P45 documentation in the immediate future.

However, your company could consider deleting the following documents upon reaching the sixth anniversary of her departure:

  • any records of any performance improvement plans or disciplinaries;
  • her payslips;
  • copies of any grievances or medical information concerning her injury; and 
  • other miscellaneous documentation.

In this case, the company should wait six years before deleting any of Lisa’s information as she would have three years to bring a personal injury claim against the business. Therefore, the company could potentially use those documents in any legal dispute.

If Lisa did not suffer a workplace injury and left on excellent terms, you could probably delete her documents sooner (perhaps after four years). So, why not less than four years? Because this allows HMRC to query any taxation of her wage or perform an audit of that tax year.

Key Takeaways

Data protection laws do not outline a specific period for which employers must retain employee information. Therefore, companies can determine how long to retain different types of data, depending on the employee’s departure and any legal or financial circumstances. Some business owners engage specialist lawyers to help them with these decisions.

If you need help with data protection principles and the calculation of data retention dates, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

How can my company safely delete digital data?

If you wish to delete digital information, you should consider using specialist deletion software to ensure the data is irrecoverable and delete the data from any backups on your IT system. The ICO also recommends avoiding re-selling your electronic equipment to others unless you securely and thoroughly wipe all data from it.

What happens if I’m unsure how long to keep a particular employee’s records?

You can consult the ICO website and review their guidance documents or obtain advice from a specialist lawyer. If you are unsure whether the information remains potentially useful, you should keep it and record the reasons for doing so within the employee file.

Thomas Sutherland
