Staff records

How long must staff records be kept?


When retaining any information you should remember that, under the Data Protection Act, you must not keep data any longer than is necessary for a particular purpose.

You need to:

  • review the length of time you keep personal data
  • consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
  • securely delete information that is no longer needed
  • update, archive or securely delete information if it goes out of date

How long should employers keep employee records?

How long you retain different categories of information should be based on individual business needs.

The appropriate retention period is also likely to depend on:

  • what the information is used for
  • the surrounding circumstances
  • legal or regulatory requirements
  • specific business sector requirements

Personal data: deleting and archiving

At the end of the retention period, a record should be reviewed and deleted, unless there is a particular reason for keeping it.

You should only archive a document, rather than deleting it, if you still need to hold it.

If it is appropriate to delete a record from a live system, you should also ensure it is deleted from any back-up of the information.

Deletion can mean different things in relation to electronic data.

Read the Information Commissioner's Office (ICO) guidance storage limitation under GDPR.