"How long do we actually have to keep this?" It is one of the most common, and most fudged, questions in any UK business. Keep records too briefly and you risk HMRC penalties, lost tribunal defences and failed audits. Keep them too long and, where they contain personal data, you breach the UK GDPR's storage-limitation principle. Most organisations land somewhere unhelpful in the middle: a mix of overflowing filing cabinets, bulging shared drives and a vague sense that "we'd better hang on to it just in case."
This guide sets out the retention periods UK businesses are most often asked about in 2026, grouped by document type, and then shows how to stop tracking all of this in a spreadsheet and let your document system enforce it for you.
Tax & accounting records
This is where the hard legal minimums are clearest, because HMRC and the Companies Act set them.
| Record type | Keep for at least | Why |
|---|---|---|
| Limited-company accounting records | 6 years | From the end of the financial year (Companies Act 2006; HMRC). Longer if filed late or the transaction spans several years. |
| Self-employed / sole trader tax records | 5 years | After the 31 January Self Assessment deadline for that tax year (HMRC). |
| VAT records | 6 years | HMRC requirement (or 10 years if using the VAT One Stop Shop). |
| Construction Industry Scheme (CIS) records | 3 years | After the end of the tax year they relate to. |
Payroll, pensions & people
| Record type | Keep for at least | Why |
|---|---|---|
| PAYE / payroll records | 3 years | From the end of the tax year (HMRC). Many employers keep 6 years to align with limitation periods. |
| National Minimum / Living Wage records | 6 years | Extended from 3 to 6 years in April 2021. |
| Pension auto-enrolment records | 6 years | 4 years for opt-out and opt-in notices. |
| Statutory Maternity / Paternity / Sick Pay | 3 years | After the end of the relevant tax year. |
| Personnel / employee files | Employment + 6 years | No fixed statutory period; 6 years matches the limitation period for most contract and tribunal claims. |
| Unsuccessful job applications | 6–12 months | Long enough to defend a discrimination claim, then securely deleted. |
| Working time / 48-hour opt-out records | 2 years | From the date they were made. |
Health, safety & insurance
These carry some of the longest retention periods of all, because the harm they relate to can surface decades later.
| Record type | Keep for at least | Why |
|---|---|---|
| Accident book / RIDDOR records | 3 years | From the date of the last entry (longer for incidents involving under-18s). |
| Health records under COSHH (hazardous substances) | 40 years | Long-latency illnesses can emerge decades after exposure. |
| Asbestos exposure / medical records | 40 years | Control of Asbestos Regulations. |
| Employers' liability insurance certificates | 40 years (recommended) | The mandatory 40-year rule was lifted in 2008, but long-tail claims make retention strongly advisable. |
Contracts, legal & everything else
| Record type | Keep for at least | Why |
|---|---|---|
| Standard contracts & agreements | 6 years | After expiry, the limitation period for breach of a simple contract (Limitation Act 1980). |
| Contracts executed as a deed | 12 years | The longer limitation period that applies to deeds. |
| CCTV footage | ~30 days | No fixed period, the ICO says keep it only as long as necessary for its stated purpose. |
| Risk assessments & policies | While current | Keep the live version, plus superseded versions as evidence of what was in force and when. |
The retention paradox: too short and too long are both risky
Retention is one of the few areas of compliance where you can fail in two opposite directions at once:
- Keep too little, and you're exposed. HMRC can charge penalties for inadequate records, you may be unable to defend a tribunal or contract claim, and you can fall short of sector rules in healthcare, construction or food manufacturing.
- Keep too much, and you breach GDPR. The UK GDPR storage-limitation principle requires that personal data is "kept for no longer than is necessary." A drive full of old CVs, ex-employee files and decade-old customer data isn't caution, it's a growing liability and a bigger blast radius if you're breached.
The answer is not to guess. It's to assign a defined retention period to every category of record, and then actually enforce disposal when that period expires. That second part is where most businesses come unstuck.
Why spreadsheets and shared drives fail at retention
In theory, a retention schedule is a simple table. In practice, enforcing it manually means someone has to remember to revisit thousands of files, work out when each one was created, decide whether it has expired, delete it, and prove they did so. Nobody has time, so it never happens, and "we'll sort it later" quietly becomes "we kept everything forever." When the auditor, the ICO or a subject-access request arrives, you're searching folders by hand and hoping.
How DocFlow automates retention, and proves it
DocFlow treats retention as a property of the document, not a job on someone's to-do list. Because every document is classified on the way in (see how Aida, our AI engine, classifies and extracts data automatically), the right retention rule can be applied the moment a record lands:
- Retention policies by document type. Set the period once, 6 years for invoices, 40 years for COSHH health records, 6 months for unsuccessful applications, and DocFlow applies it to every matching document automatically.
- Automatic review and disposal. When a record reaches the end of its life, it's flagged for review or securely disposed of, so personal data doesn't quietly over-stay its welcome.
- An immutable audit trail. Every retention action, what was kept, reviewed, or deleted, and when, is recorded on a tamper-evident, hash-chained log, so you can evidence good governance, not just claim it.
- Find any record in seconds. When an audit or HMRC enquiry lands, retrieval is a search, not a fortnight in the archive room.
It's the same approach that underpins broader compliance tracking in DocFlow, and it's available whether you run UK-hosted, on-premise or fully air-gapped, so even your most sensitive records never leave your control. For the wider security picture, our Trust Centre sets out how everything is protected.
Record retention will never be the most exciting part of running a business. But it's one of the easiest places to remove risk, and the difference between a stressful audit and a five-minute one is usually just whether the rules were written down and enforced automatically.