Legal Requirements for Document Retention in the UK

As a business owner it is important to understand the legal requirements for document retention that apply in the UK. 

It can be tempting to destroy or delete documents that are no longer in use, rather than store or archive them. However, doing so can leave your business exposed, and in certain cases liable to prosecution and a fine.

Implementing a robust document retention and management policy can bring efficiencies to your business, as well as meet the legal compliance requirements.

The legal retention requirements vary depending on the document type and the legislation that applies to the document. These requirements form a key part of a business’ legal compliance requirements.

In this guide we review the legal document retention requirements relevant to those documents applicable to a majority of UK business.

Retention Requirements for the following document types are covered:

• Company Contracts: including terms of business, supplier and customer contracts.
• Accounting Records: including Financial details, director reports and shareholder specifics.
• Tax Records: including Invoices, revenue and expenditure.
• Employment Records: Including Payroll details and employee contracts.
• Data Protection Records: including Personal data records and processing logs.
• Health and Safety Records: including Incident logs and risk evaluations.

Retention Requirements for Company Contracts

The legal requirements for company contract retention are relatively simple. The Limitation Act 1980 provides that legal actions arising from a contract can be brought within a period of up to 6 years from the date on which the breach occurred. Where a contract is executed as a ‘deed’ this is extended to 12 years.

Businesses should ensure that all supplier and customer contracts are stored and retained for a period of 6 years.

Where the business uses standard terms and conditions of sale these should be stored by version number, for ease of future reference.

Retention Requirements for Company Accounting Records

A range of legislation sets out the legal retention requirements for documents that relate to accounting, financial and tax matters. 

Section 386 of the Companies Act 2006 requires that all companies retain ‘adequate’ accounting records. ‘Adequate’ in this context is defined as:

Records that are sufficient:

(a) to show and explain the company’s transactions,

(b) to disclose with reasonable accuracy, at any time, the financial position of the company at that time, and

(c) to enable the directors to ensure that any accounts required to be prepared comply with the requirements of this Act

This means that all invoices, receipts and transaction records used to produce the financial statements of the company (accounts and if applicable VAT returns) are retained. 

Section 388 of the Companies Act sets out the document retention period. Section 388(4) (a) and (b) requires that these documents are retained for a period of 3 years for private companies and 6 years for public companies.

The Taxes Management Act 1970 requires that all payroll and salary records are retained for a period of at least 6 years from the end of the financial year that they relate to.

We recommend that all companies retain their accounting records for a period of at last 6 years. The reason for this is that HMRC can investigate historical tax return submissions for up to 6 years from the date of submission. The time limit is actually 4 years for innocent errors and 6 years for errors that can be deemed to have arisen from ‘carelessness’ or negligence’.

The penalty for failing to retain accounting documents for the statutory retention period is a fine of up to £3,000 and potentially imprisonment for a term of up to two years (section 389 of the Companies Act 2006).

Retention Requirements for Employment Document Records

The legislation applicable to the retention of employee records is extensive. Different legislative provisions require different retention periods. For this reason, as a ‘general rule’ we recommend retaining employment related records for at least 6 years. 

The relevant legislative requirements are:

• Employment Rights Act 1996. There is a requirement to retain general employee records for a period of at least 4 years after the departure of the employee.
• National Minimum Wage Act 1998. There is a requirement to retain pay related details for a period of at least 6 years.
• Taxes Management Act 1970. There is a requirement to retain payroll and salary records, including overtime, bonus and expenses details for a period of at least 6 years.
• Retirement Benefits Schemes (Information Powers) Regulations 1995. Require that details relating to any retirement benefits are retained for at least 6 years.
• Statutory Maternity Pay (General) Regulations 1986 (as amended, Maternity & Parental Leave Regulations 1999). Require that all maternity and paternity related records are retained for a period of at least 3 years after the end of the tax year to which the records relate.
• Working Time Regulations 1998. Require that working time records (which include working hours, annual holiday, overtime and time off for dependants) are retained for at least 2 years from the date on which the record was created.
• Statutory Sick Pay (General) Regulations 1982. Require that all records relating to Statutory Sick Pay (SSP) are retained for at least 3 years after the tax year to which they relate.

The penalties for non compliance vary between the different legislative requirements. However, in each case a fine can be levied, and in certain cases the directors of the business, or business owner for sole traders and partnerships, can be prosecuted. 

Retention Requirements for Personal Data Document Records

The Data Protection Act and UK GDPR require that personal data is only retained for so long as there is a genuine need to retain it. 

Data retention is specifically covered in Article 5(1)(e) of UK GDPR. This means that the retention period will vary depending on how the data is being used, and what other legislative requirements relate to it.

We recommend that a retention period of six years is put in place for personal data. This should be confirmed in your data protection policy. A suitable privacy policy is a key legal requirement for a website. This will provide the business with access to the data to meet its retention obligations under the accounting and employment laws.

However, note that under the Data Protection Act and UK GDPR individuals have the ‘right to be forgotten’. Article 17 of UK GDPR states that all individuals have the right to require that their personal data is erased, at their request, unless it can be demonstrated that there is an overriding need to retain the data.

Document Retention requirements for Health and Safety

A range of legislation applies to business health and safety matters, and which set out varying retention periods. As a general rule health and safety records should be retained for a period of five years.

The exception to note is where H&S records have been generated as a result of employee, or worker, health surveillance. Under the Control of Substances Hazardous to Health Regulations 2002 documents relating to health surveillance must be kept for 40 years.

A business will usually hold H&S documentation related to:

• Health and Safety policies (e.g. general H&S policies and specific policies that may apply, such as a lone worker policy)
• Health and Safety log books and accident records.
• Risk assessments
• COSHH assessments
• Display Screen Workstation Assessments (DSE Assessments)

It is worth noting that civil claims for injuries can be brought against a business for up to three years following the event that caused an injury. 

All businesses must be aware of the legal requirements for document retention in the UK. Failure to do so may expose the business to financial penalties. Good document management helps to minimise business risks. 

Most businesses will benefit from putting in place a Document Retention Policy (DRP). A DRP helps to make sure that all staff are aware of their responsibilities relating to document management. 

A DRP will not just cover retention periods. A good document retention policy will also cover key matters such as storage requirements. How often do businesses find that they cannot locate a key document because it was created and stored by an employee at home on their local computer?!.

With the benefit of a clear understanding of the legal requirements that apply in the UK to document retention, you should consider putting in place a Document Retention Policy. Read our post to Creating a Document Retention Policy.