UK employers are legally required to maintain a range of HR records — employment contracts, payslips, right-to-work evidence, sick leave, accident reports, and pension records. The specific retention periods vary by record type, and failure to maintain them can result in penalties from HMRC, the Home Office, employment tribunals, or the Health and Safety Executive.
Why HR record keeping matters for small businesses
Large companies have HR departments dedicated to maintaining compliant records. Small businesses rarely do — and as a result, HR record-keeping is one of the most common compliance gaps found during HMRC inspections, employment tribunal proceedings and Home Office visits.
The practical risk is straightforward: if you cannot produce a required record, regulators treat it as if the record never existed. An employer who cannot produce right-to-work check evidence loses their statutory excuse. An employer who cannot produce payroll records faces HMRC penalties. An employer who cannot produce the accident book entry in a personal injury claim faces an adverse inference.
Good records are your first line of defence — and for small businesses, a simple digital system is significantly safer than paper files or spreadsheets.
The essential HR records every UK employer must keep
1. Employment contracts
Every employee must receive a written statement of employment particulars within 2 months of starting work — or on day one for key terms. This effectively means a written contract is mandatory.
What to keep: The signed contract, any variations, and written confirmation of any changes to terms.
How long: Duration of employment plus 6 years (to cover contract-based tribunal claims under the Limitation Act 1980).
2. Right-to-work check records
You must conduct a right-to-work check for every employee before they start work, and conduct follow-up checks for workers with time-limited immigration status.
What to keep: A copy of the document checked (or a screenshot of the online share code result), showing the date the check was conducted.
How long: Duration of employment plus 2 years (Home Office requirement).
3. Payroll and pay records
HMRC requires employers to maintain accurate payroll records to demonstrate compliance with minimum wage legislation and tax obligations.
What to keep: Payslips, P45s, P60s, National Minimum Wage records (hours worked, pay rate), statutory pay records (SSP, SMP).
How long: 3 years from the end of the relevant tax year (HMRC). Many employers retain for 6 years to align with the HMRC inspection window.
4. Working time records
Under the Working Time Regulations 1998, employers must keep records showing that workers are not exceeding the 48-hour average working week (unless they have opted out).
What to keep: Hours worked per week (or opt-out agreements), holiday entitlement and leave taken.
How long: 2 years from the date the records were made.
5. Holiday and leave records
There is no specific law requiring a holiday register — but without one, you cannot demonstrate compliance with the Working Time Regulations' minimum 5.6 weeks' annual leave entitlement, or defend holiday pay disputes.
What to keep: Holiday requests (approved and declined), actual leave taken, sick leave and dates, any carrying-over of leave.
How long: Duration of employment plus 2 years (best practice).
6. Disciplinary and grievance records
If you discipline or dismiss an employee and they bring a tribunal claim, your disciplinary records are your primary evidence. Without them, tribunal claims are significantly harder to defend.
What to keep: Written warnings, investigation notes, disciplinary hearing records, outcome letters, grievance submissions and responses, any appeals.
How long: Duration of employment plus 6 years (employment tribunal time limits).
7. Training and certification records
For roles requiring specific qualifications or training — food hygiene, first aid, licensed premises, healthcare — you must be able to demonstrate that staff are appropriately trained.
What to keep: Training completion certificates, certificate expiry dates, dates of refresher training.
How long: Duration of employment plus 3 years (best practice; longer for health & safety-specific training).
8. Accident and health & safety records
What to keep: Accident book entries (RIDDOR reportable incidents must also be reported to the HSE), risk assessments, health surveillance records.
How long: 3 years from the date of entry (40 years for records related to hazardous substance exposure).
9. Pension records
Since the rollout of auto-enrolment, all employers must automatically enrol eligible workers into a workplace pension scheme and maintain records of enrolment, opt-outs and contributions.
What to keep: Auto-enrolment records, opt-out notices, contribution records, letters to workers about pension scheme changes.
How long: 6 years (opt-out notices: 4 years).
Paper vs digital HR records
| | Paper records | Digital records | |---|---|---| | Security | Easy to lose, damage or access without authorisation | Encrypted, access-controlled, backed up | | Retrieval | Manual search through physical files | Instant search by employee name or record type | | Expiry reminders | No automatic reminder when retention period ends | Can trigger automatic deletion/review reminders | | Audit trail | Who accessed or changed a record is not trackable | Full access and change log | | GDPR compliance | Harder to demonstrate appropriate security | Easier to document and evidence | | Cost | Filing cabinets, admin time | Monthly software subscription |
For most small businesses with more than 5–10 employees, a digital HR system is now the practical standard — not just for efficiency, but because paper systems make it genuinely difficult to demonstrate compliance when inspected.
UK GDPR and employee records
All HR records are personal data under UK GDPR. Key obligations:
Transparency: Your employee privacy notice must explain what HR data you hold, why you hold it, how long you keep it, and who has access.
Security: HR records must be protected against unauthorised access, loss or destruction. For digital records, this means at minimum: password protection, limited user access, and encrypted storage.
Access requests: If an employee submits a Subject Access Request, you must provide all personal data you hold about them within 30 calendar days.
Deletion: When the retention period for a record expires, delete it. Keeping data indefinitely because it might be useful is not compliant with the storage limitation principle.
Frequently asked questions
Do I need to keep records for workers who only worked a short time? Yes — all retention obligations apply regardless of employment length. A worker who completed a 1-week trial still requires a right-to-work check record kept for 2 years post-employment.
Can I store HR records on a shared Google Drive or Dropbox? Yes, provided you have implemented appropriate access controls (only authorised users can access employee records) and the data is adequately protected. Ensure your privacy notice reflects where data is stored.
What if a former employee asks me to delete their records? Employees have a right to erasure under UK GDPR, but this right does not override legal retention obligations. You can — and should — decline erasure requests where you are legally required to retain the record (right-to-work evidence, payroll records, pension records).
Do HR records need to be signed originals? Not necessarily. Scanned or digital copies are generally acceptable for compliance purposes. The key requirement is that the record is legible, complete, and can be produced on request.