Document Retention
The practice of keeping business records for a legally required or commercially prudent minimum period, then securely destroying them according to a documented policy.
For business owners, operations managers & HR teams
What is Document Retention?
Document retention is the organisational practice of keeping records for a minimum defined period to comply with legal obligations, protect the business in disputes, and support operational continuity - and then securely disposing of them when the retention period ends.
Businesses are subject to multiple overlapping retention requirements from different legislation: tax authorities typically require financial records for 5–7 years; the applicable limitation period in your jurisdiction creates a practical minimum for contract records (the period within which a civil claim can be brought); health and safety legislation requires various records to be kept for specific periods; and data protection laws require that personal data is not kept longer than necessary.
A document retention policy serves two purposes: it ensures records are kept long enough to be useful in disputes or inspections, and it ensures records are disposed of when no longer needed - limiting how much data is exposed if a breach does occur, and reducing the storage and search burden on the business.
Key Elements
Retention Schedule
A document listing each record type, the applicable law or reason for retention, the minimum retention period, and the retention trigger (e.g., "6 years from contract end date"). This is the operational backbone of a retention policy.
Retention Trigger
The event that starts the retention clock - not just the creation date. For employment records, it may be the date of termination. For contract records, the contract end date. For accident records, the date of the last entry in the book. A record whose trigger has not yet occurred (a contract still in force, an employee still employed) has no disposal date yet, however old it is.
Secure Disposal Procedure
How records are destroyed when the retention period ends. Physical documents must be shredded, either in-house or by a vendor that issues a certificate of destruction. Electronic records must be deleted in a way that prevents recovery: removing a file from a folder, mailbox or recycle bin does not do this, because the data usually remains on disk and in backups, snapshots and replicas. The procedure should name the system of record, state how deletion is verified, and say when backup copies expire, since a record "deleted" from the live system but still restorable from backup has not been disposed of. For decommissioned media, follow a recognised sanitisation standard such as NIST SP 800-88. Certificates of destruction and deletion logs provide the audit trail for disposal.
Data Protection Alignment
Any record containing personal data must have a retention period that is justifiable under the storage limitation principle of applicable data protection law. "We might need it" is not sufficient justification. Retention must be linked to a specific, documented legal basis or legitimate business need.
Real-World Example
A data protection authority investigation into a breach at a recruitment agency finds that the agency had retained candidate CVs and personal data from unsuccessful applicants dating back 12 years, with no documented justification and no secure disposal process.
The agency cannot demonstrate a legitimate basis for retaining personal data beyond the recruitment process outcome. The regulator determines this violates the storage limitation principle of applicable data protection law. In addition, the breach exposed data of people who had no reasonable expectation of their information still being held. The outcome: a fine and a formal enforcement notice requiring the agency to implement a documented retention and disposal policy. A simple retention schedule applied consistently would have prevented both the over-retention and the regulatory exposure.
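The schedule-and-trigger mechanism described under Key Elements, and the failure in the example above, can be shown in a few lines of working code. What follows is an added illustration written for this page, not a tool or policy from the original: the record types, retention periods, trigger event names and the sample inventory are all constructed, and the periods are illustrative rather than legal advice. It applies a schedule to an inventory, refuses to use the creation date as the trigger, flags records that have no documented basis at all, and produces the disposal entries a compliance calendar should carry.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed retention schedule for this example (periods are illustrative,
# not legal advice). Each entry: record type -> years to keep, the event that
# starts the clock, and the documented basis for keeping the record at all.
SCHEDULE = {
    "payroll":       {"years": 6, "trigger": "tax_year_end",     "basis": "tax authority record-keeping rule"},
    "contract":      {"years": 6, "trigger": "contract_end",     "basis": "civil claims limitation period"},
    "accident_book": {"years": 3, "trigger": "last_entry",       "basis": "health and safety legislation"},
    "candidate_cv":  {"years": 1, "trigger": "outcome_notified", "basis": "defending a claim about the recruitment decision"},
}


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    # Trigger events that have actually happened, by name (constructed data).
    # An absent event means the retention clock has not started yet.
    trigger_dates: dict = field(default_factory=dict)


@dataclass
class Decision:
    record_id: str
    action: str                  # "retain" | "dispose" | "no_trigger_yet" | "no_basis"
    dispose_on: Optional[date]
    reason: str


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def assess(record: Record, today: date) -> Decision:
    """Apply the schedule to one record. The creation date is deliberately
    never used as the trigger: the schedule names the event that counts."""
    entry = SCHEDULE.get(record.record_type)
    if entry is None:
        # Storage limitation: a record type with no schedule entry has no
        # documented basis, which is the recruitment-agency failure above.
        return Decision(record.record_id, "no_basis", None,
                        "no schedule entry: document a basis or dispose")
    trigger_date = record.trigger_dates.get(entry["trigger"])
    if trigger_date is None:
        return Decision(record.record_id, "no_trigger_yet", None,
                        f"awaiting trigger '{entry['trigger']}'")
    due = add_years(trigger_date, entry["years"])
    if today >= due:
        return Decision(record.record_id, "dispose", due,
                        f"{entry['basis']}: period ended {due.isoformat()}")
    return Decision(record.record_id, "retain", due, entry["basis"])


def disposal_calendar(records, today: date):
    """Entries for the compliance calendar: every record with a known disposal
    date, earliest first, so overdue disposals surface at the top."""
    decisions = (assess(r, today) for r in records)
    return sorted((d for d in decisions if d.dispose_on is not None),
                  key=lambda d: d.dispose_on)


# Constructed sample inventory, loosely modelled on the recruitment-agency case.
TODAY = date(2025, 1, 15)
SAMPLE_RECORDS = [
    Record("cv-2013-0042", "candidate_cv", date(2013, 2, 1),
           {"outcome_notified": date(2013, 3, 1)}),           # 12 years old, never disposed
    Record("ctr-0007", "contract", date(2021, 6, 1)),         # still in force: no trigger yet
    Record("ctr-0003", "contract", date(2017, 1, 10),
           {"contract_end": date(2018, 12, 31)}),             # ended: clock is running
    Record("pay-2022", "payroll", date(2021, 4, 6),
           {"tax_year_end": date(2022, 4, 5)}),
    Record("leads-old", "marketing_leads", date(2015, 5, 5)),  # no schedule entry at all
]

if __name__ == "__main__":
    for d in (assess(r, TODAY) for r in SAMPLE_RECORDS):
        print(f"{d.record_id:14} {d.action:15} {str(d.dispose_on or '-'):12} {d.reason}")
```

Two design points matter more than the date arithmetic. First, a record with no schedule entry is reported as "no_basis" rather than silently retained: the default outcome of an unmapped record type should be a review, not indefinite keeping. Second, a record whose trigger event has not happened yet gets no disposal date at all, so a live contract is never flagged for destruction simply because it was created years ago.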
Watch Out For
Conflating "keep everything" with safety
Some businesses assume retaining all records indefinitely is the safe option. It is not. Over-retention of personal data violates data protection principles, widens the exposure of any breach, increases eDiscovery costs in litigation, and invites regulatory scrutiny.
Forgetting retention applies to digital records too
Emails, cloud documents, database records, chat messages, log files and backups are subject to retention requirements just as paper records are. A retention policy that only applies to physical files misses the majority of modern business records - and a disposal procedure that only covers the live system misses the copies held in backups.
How to Use This in Your Favour
Use the jurisdiction default as your baseline minimum
For most business records where no specific shorter period is mandated, align with the longer of the applicable tax authority requirement and the civil claims limitation period in your jurisdiction. This is a defensible default in most cases, provided that records containing personal data still have a documented basis for being kept that long.
Link retention to your compliance calendar
Add document disposal dates to your compliance calendar alongside renewal dates. This ensures you actively manage the end of the retention period - not just the retention period itself.
Frequently Asked Questions
How long must a business keep employee records?
Retention periods for employee records vary by jurisdiction. As a general guide: payroll records are commonly kept for 5–7 years; accident records for 3–5 years from the date of the last entry; redundancy or termination records for 5–7 years; pension records for the duration of the scheme plus several years thereafter. Always consult an employment law advisor in your jurisdiction for specific requirements. Data protection laws in your jurisdiction may also apply to personal data within these records.
Does data protection law conflict with minimum retention periods?
Not directly. Data protection law's storage limitation principle requires that personal data is not kept longer than necessary for its purpose. When there is a legal requirement to retain data (such as a tax authority's multi-year rule for financial records), that legal obligation provides the basis for retaining it for that period. The conflict arises when businesses retain personal data beyond the legally required period without any documented justification.
What records must be kept in relation to compliance certificates?
Safety inspection certificates should generally be kept for the duration of the inspection cycle plus one additional period, to provide overlap evidence in case of an inspection. Equipment safety reports should be retained for at least the useful life of the equipment. Fire risk assessment records should be retained for the life of the building. The current version of any certificate should always be accessible; historical versions should be retained for the applicable period. Consult local regulatory requirements for the specific periods in your jurisdiction.
