
How Long Should UK Businesses Keep Records - and When Should They Be Destroyed?
Most businesses have a vague sense that they should keep records for “about six years.” A few have a proper retention schedule. The majority sit somewhere in between: hanging on to everything just in case, or quietly binning things when the filing cabinet gets full.
Neither approach is right, and both carry real risk. Destroy records too early and you could fall foul of HMRC, the Health and Safety Executive or the Information Commissioner. Keep them beyond their useful life and you’re sitting on a growing pile of data protection liability. The UK GDPR storage limitation principle isn’t just a reason to be careful about deleting data. It’s equally a legal basis for destroying it. Personal data kept longer than necessary is, technically, a compliance breach.
What follows is a plain-English guide to the retention rules that matter most for UK businesses. It’s not exhaustive (there are entire regulated sectors with their own separate obligations) but it covers the areas where mistakes are most common.
Company and Financial Records
For limited companies, the headline rule is six years from the end of the financial year the records relate to. That covers invoices, receipts, contracts, bank statements and anything else that supports a Company Tax Return.
Six years is a minimum, not a ceiling. If a transaction straddles more than one accounting period, or an asset is expected to outlast that window, or HMRC opens a compliance check, the clock stops until things are resolved. Filing a return late has the same effect. In practice, treating six years as a hard cut-off is usually fine for routine financial records, but significant contracts and asset documentation often warrant keeping longer.
VAT records follow the same six-year rule in most cases. Businesses using the VAT One Stop Shop scheme need to keep records for ten years, which catches out a fair number of e-commerce businesses selling across borders.
Payroll, Pay Records and Hours
Three years is the PAYE minimum, specifically three years after the end of the tax year the records relate to. Most employers keep payroll records for longer than this, and they’re right to. National Minimum Wage regulations require pay and pay reference period records to be held for six years, which is a separate obligation that gets overlooked surprisingly often.
Working time records (the kind kept to show compliance with the Working Time Regulations) have their own two-year retention period, running from the date each record is made. This is distinct from the NMW requirement and shorter. The two rules are not interchangeable, and treating them as the same thing is a genuine compliance gap.
Self-employed people and partnerships need to keep Self Assessment records for at least five years after the 31 January filing deadline for the relevant year. Later filing dates push that out further.
Employment and HR Records
This is where retention gets genuinely complicated, because many HR record categories have no fixed statutory minimum at all. That doesn’t mean you can keep them indefinitely: UK GDPR requires retention to be purposeful and limited to what’s necessary. But it does mean the decision often falls to whoever is responsible for HR in your business, which is rarely documented as carefully as it should be.
For the categories that do have fixed periods:
Right-to-work evidence must be held for the full duration of employment plus two years after the person leaves. Home Office guidance is explicit that records should be securely destroyed at that point.
Statutory pay records (for maternity, paternity, adoption and shared parental pay, for example) must be kept for three years from the end of the tax year in which the payments were made.
Auto-enrolment pension records generally need to be retained for six years. Opt-out notices are treated separately and have a four-year requirement.
DBS certificate information is one most businesses get wrong. The certificate itself should normally be destroyed within six months of the recruitment decision. Keeping a full copy of someone’s DBS certificate on file for years is almost never justified and leaves organisations exposed.
For disciplinary files, appraisals, training records and general HR documentation, there’s no fixed statutory minimum. Many organisations use the six-year contract claims limitation period (England and Wales) as a default (five years under Scottish prescription rules) but this needs to be a documented decision, not an assumption.
Health and Safety Records - The Long Tail
This is the area most likely to cause serious problems for businesses with a blanket “shred after six years” policy.
RIDDOR records (such as accident books, incident logs and reports made under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013) must be kept for at least three years from the date the entry was made. Many organisations extend this to six years to cover civil claims. So far, so manageable.
COSHH records are a different matter. Under the Control of Substances Hazardous to Health Regulations 2002, exposure monitoring records must be kept for five years, or forty years if they can be attributed to specific, identifiable employees. Health surveillance records under COSHH must be retained for forty years from the date of the last entry. That isn’t a misprint.
The practical consequence is that a manufacturing business, a laboratory, a cleaning company or anyone else dealing with hazardous substances could have health-related records that need to survive four decades. A standard shredding schedule that doesn’t specifically account for these categories will eventually destroy something it shouldn’t. Getting this right matters - both for regulatory compliance and because these records can be critical evidence in long-latency occupational disease claims.
Waste Records
Non-hazardous waste transfer notes need to be kept for two years. Hazardous waste is handled under a more demanding regime: producers and holders must retain registers for at least three years at the premises where waste was produced or stored, while consignment notes held by consignees at permitted sites must be kept for five years.
These records often get treated as low-priority administration. They’re not. Waste documentation can contain supplier details, regulated substance information and chain-of-custody evidence that an enforcement officer might ask to see at any point.
When Destruction Becomes the Right Answer
The point of all this is to know when to let go, not just when to hold on.
Once statutory retention periods have expired and there’s no active enquiry, dispute or litigation hold, keeping records serves no lawful purpose. Under UK GDPR, continuing to hold personal data beyond that point is a breach of the storage limitation principle, regardless of how securely it’s stored.
Some regimes go further. The Money Laundering Regulations 2017 require personal data to be actively deleted at the end of the five-year retention period, unless a specific exception applies. This isn’t guidance; it’s a legal requirement to destroy.
What This Means for Choosing a Shredding Company
If you’re reviewing shredding providers, the retention landscape above should shape your assessment. A professional service isn’t just someone who turns up with a van and shreds whatever you put in a sack. The question is whether they help you understand what’s actually ready for destruction, and whether they give you the documentation to prove that destruction happened.
A few things to look for:
- A certificate of destruction issued for every consignment. If a regulator or insurer ever asks, you need that paper trail.
- Some working knowledge of complex record categories (e.g. COSHH health surveillance records, right-to-work documentation, DBS information) so that nothing is destroyed prematurely.
- A clear service agreement covering what happens to your data in transit and what the provider does in the event of a security incident.
About Shredsec
We provide confidential document shredding for businesses across Suffolk, East Anglia and London.
If you’re weighing up providers and want to talk through your situation (retention schedules, volume, timing, what to prioritise), give us a call.
Contact Shredsec to discuss your shredding requirements.