As an employer you will have to keep records about your employees. This page tells you more about the records you need to keep.
What records should I keep?
How long do I need to keep my records?
What happens if you do not keep accurate records?
Data protection considerations
There are certain worker and employer records that you must keep by law. There are other records you may want to keep as a matter of good practice. It may be helpful to think about the ‘must keep’ records in three separate chunks – basic information, payroll records and other records – and we talk about each of these in detail below.
In terms of the ‘may want to keep’ staff records, here we are thinking of information on matters like:
- training and appraisals
- records of lateness
- any disciplinary action you have ever taken
- terms and conditions of employment including any correspondence relating to changes to their terms and conditions, CV/application form, references and other essential checks and details of termination of employment.
Such documents may be particularly important in the event of a dispute with your personal assistant (PA). The information may be stored in a variety of ways such as paper files or on a computer, however where documents have been signed, e.g. an employment contract signed by the employee, it may be best to keep a hard copy of the signed document.
See GOV.UK for information about other personal information you may want to keep on your employee, e.g. emergency contact details, details of any work relevant disability, qualifications and so on.
As part of the starter procedure, you must gather and keep some personal information about your employee(s), such as:
- Date of birth
- National Insurance number
It is essential you keep accurate payroll records so that HM Revenue & Customs (HMRC) can make sure that you and your employees are paying the right amount of tax and National Insurance (NIC), and that your employees are getting any statutory payments they are entitled to (such as Statutory Sick Pay and so on).
You should note that the required details will be recorded automatically if you use payroll software to help you with your payroll tasks. As with any computer program, it is recommended that you keep regular backups. A backup is a 'snapshot' of the information in the program at a specific date, saved to a different place. If you lose data, you can then at least start again from the point of your last backup.
Users of HMRC’s Basic PAYE Tools (BPT) should check the user guide which contains step by step help on the most common functions of BPT, including how to back up your data.
If you are going to carry out your payroll tasks manually (i.e. on paper), your records must include:
- employee’s gross pay (before deductions)
- their National Insurance contributions
- the amount of tax you deduct under Pay As You Earn (PAYE)
- Student Loan deductions
- tax code
- any statutory payments made, like Statutory Sick Pay and Statutory Maternity, Paternity or Adoption Pay
- details of any taxable benefits and expenses.
Much of this will be satisfied if you keep copies of your employee’s payslips; however, you must also keep your calculations for working out the tax, employee's NIC, employer's NIC and so on, along with details of all payments you have made to HMRC. Form RT11 will help you here.
Both online and paper filers should make sure they keep any supporting hard-copy documents somewhere safe in case HMRC want to see them. Such documents may include your employee's P45 from their previous job, or Starter Checklist.
Top Tip: Take a photocopy of all submissions you physically post to HMRC or your employees, e.g. RT2 if you are a paper filer, P11D, P60 and send them registered post or something similar if you can.
You can find more information on keeping payroll records on GOV.UK and if you are a paper filer, on page 37 of booklet RT7 – Guidance for employers exempt from filing Real Time Information online.
You are also required to keep other records to prove that you are complying with things like the minimum wage, auto-enrolment and other legal matters (see our employment law section for more information). You may need to supply these records in the event of a check on your compliance with the relevant laws.
When it comes to the minimum wage, it is up to you to determine what records you need to keep for these purposes, but you may be able to use existing records maintained for other purposes, such as pay, to help you. It goes without saying that you should keep details of rate of pay and hours worked, including any overtime and bonuses.
For auto-enrolment, by law, there are two different types of records that an employer must keep. These are:
- Records about workers: e.g. name, National Insurance number, date joined scheme, opt-out notices
- Records about the pension scheme: e.g. employer pension scheme reference and scheme name and address.
You can find out more in The Pensions Regulator guidance.
In addition, you should keep records on things like:
- Accidents, injuries and dangerous occurrences – to meet health and safety requirements
- Holidays and other days of leave, e.g. details of any absences for sickness (you should also keep records of supporting medical evidence), maternity/paternity leave (you should also keep records of supporting evidence that the employee provided you with to claim their statutory pay) or leave for any other reason, authorised or unauthorised.
- Working time – you must also keep records to show that the daily and weekly working time limits and the night-time working limits (under the Working Time Regulations) are being complied with.
- Evidence of the employee's right to work in the UK.
There is a useful guide to these things in ACAS’s booklet on personnel data and record keeping, available on the ACAS website.
For most purposes it is sufficient that you retain your records for the current and three previous tax years. Records for 2018/19 should therefore be kept until at least 5th April 2022.
For auto-enrolment, you must keep records for a minimum of six years (except for records of opt-outs which you must keep for four years).
You should ensure that you check all of the record-keeping requirements carefully for your own situation.
HMRC can ask to see your records as part of a PAYE check.
Hopefully you will not need it, but for information on what to do if your records are lost, stolen, or destroyed see GOV.UK or page 38 of booklet RT7 – Guidance for employers exempt from filing Real Time Information online.
You must follow rules on data protection if you handle and store personal information about your staff.
Under the Data Protection Act 1998, any personal information you keep on your staff should be adequate, relevant and not excessive. It must also be ‘accurate, up to date and kept no longer than is necessary’. When you genuinely no longer need to keep certain data, it must be destroyed securely and effectively, for example by shredding.
Employees have the right to access their records. Before releasing employee data to a third party, the employer must seek the permission of the individual concerned.
You must make sure the information is kept secure – e.g. in a locked cupboard or on a password protected and virus protected computer.
You should be aware that there are even greater security requirements in respect of ‘sensitive personal data’, including physical/mental health conditions, because if this information is compromised or lost there could be greater harm to the individual.
You can find out more on data protection on the GOV.UK website.
You should be aware that the EU’s General Data Protection Regulation (GDPR) came into force across the UK in May 2018. It significantly strengthens the principles enshrined in the Data Protection Act 1998, in terms of accuracy, security of data etc., to reflect advances in technology and to create a unified approach to data protection across the EU.
There are several things for employers to take into consideration when ensuring compliance with the GDPR. Identifying what personal data you hold about employees, and why you hold it, will be a helpful first step.
You should then consider the following key elements of GDPR and how you can comply with them:
- Employers will need to provide more detailed information, in plain English, to employees when they start their jobs (in their employment contracts for example, or a privacy notice), including: the identity and contact details of the employer (the data controller), how long data will be stored for, if data will be transferred to other countries, information on the right to make a subject access request; and information on the right to have personal data deleted or rectified in certain instances.
- There is a requirement to notify data breaches (such as an accidental or unlawful loss, or disclosure, of personal data) to the data protection authority (the Information Commissioner’s Office) within 72 hours of becoming aware of them. Where the breach poses a high risk to the employee, e.g. to their reputation, or could cause them financial loss, the individual concerned will also have to be notified. Employers should have adequate procedures in place to assess and respond to any data breach.
- Questions have been raised about the idea of employers handling and storing their employees’ personal data on the basis of the employee’s ‘consent’, given the likely imbalance of power in many employer/employee relationships. Employers will therefore have to ensure that any consent is ‘freely given, informed, specific and explicit’. You should be able to prove this by getting a clear, affirmative statement from the employee that they consent to you handling/storing their data. However, it should still be acceptable for employers to handle and store certain employee data on the basis of other laws – e.g. where it is necessary for the performance of the employment contract (such as where you require bank details to be able to pay your PA).
- All of these things are meant to ensure that data protection in the UK is ‘by design’ – it will be up to employers to prove compliance with GDPR and this will require having adequate records and processes in place to demonstrate this.
This all probably sounds scary, but much of what GDPR says is common sense. Care and support employers are probably relatively ‘low-risk’ in the eyes of the ICO, so if you are already complying with the Data Protection Act 1998, you are likely already in a good place to comply with the new requirements. Indeed, some of the new requirements formalise existing best practice.
You can find out more about GDPR for small employers on the ICO’s website.