Document retention requirements in the UK: periods by industry
UK document retention requirements by industry. Statutory periods under the Companies Act 2006, Limitation Act 1980, HMRC rules and Data Protection Act 2018 compliance.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokUK businesses must retain most financial and corporate records for at least 6 years, driven primarily by the Limitation Act 1980 and HMRC requirements. However, specific industries face longer retention periods: health records must be kept for 8 years minimum (or 25 years for children), and construction records linked to building safety must be preserved for the lifetime of the building under the Building Safety Act 2022. Failing to meet these requirements can result in criminal penalties, regulatory fines and the inability to defend against legal claims. This guide covers the statutory retention periods applicable to UK businesses, organised by document type and industry sector.
Statutory framework for document retention in the UK
The UK has no single piece of legislation that governs document retention across all sectors. Instead, retention obligations arise from multiple statutes, each covering a specific domain of business activity.
Core legislation
The Limitation Act 1980 sets the general limitation period for contractual and tortious claims at 6 years from the date of the cause of action. This creates a practical minimum retention period for most commercial documents, since destroying records before the limitation period expires removes the ability to defend against claims.
The Companies Act 2006, section 388 requires every company to keep adequate accounting records for 3 years (private companies) or 6 years (public companies) from the date they are made. In practice, the 6-year HMRC requirement means private companies should retain records for at least 6 years.
HMRC requires businesses to keep records that support their tax returns for at least 6 years after the end of the relevant accounting period. For self-assessment taxpayers, the period is 5 years after the 31 January submission deadline. Records include invoices, receipts, bank statements, payroll records and VAT documentation.
Retention periods by document type
| Document type | Minimum retention period | Legal basis |
|---|---|---|
| Accounting records (public company) | 6 years | Companies Act 2006, s.388 |
| Accounting records (private company) | 3 years (6 years recommended) | Companies Act 2006, s.388 |
| Tax records (corporation tax) | 6 years after accounting period | HMRC |
| VAT records | 6 years | VAT Regulations 1995, reg. 31 |
| Payroll records | 3 years after end of tax year | Income Tax (PAYE) Regulations 2003 |
| Contracts and agreements | 6 years after expiry | Limitation Act 1980 |
| Board minutes and resolutions | Lifetime of the company | Companies Act 2006, s.248 |
| Share registers | Lifetime of the company | Companies Act 2006, s.113 |
| Insurance policies | 6 years after expiry (or longer for latent claims) | Limitation Act 1980 |
| Personnel records | 6 years after employment ends | Limitation Act 1980 |
| Health and safety records | 40 years (for exposure records) | COSHH Regulations 2002 |
| Import/export records | 4 years | Customs (Import Duty) Regulations |
Industry-specific retention requirements
Beyond the general statutory framework, individual sectors face additional obligations imposed by their regulators or sector-specific legislation.
Financial services
The Financial Conduct Authority (FCA) requires regulated firms to retain records sufficient to enable it to monitor compliance. Under SYSC 9.1, firms must keep records of services and transactions for at least 5 years from the date they were created. For MiFID business, the retention period extends to 5 years (or 7 years if requested by the FCA).
Anti-money laundering records under the Money Laundering Regulations 2017 must be kept for 5 years after the end of the business relationship or after the date of an occasional transaction. Customer due diligence records, transaction records and suspicious activity reports all fall within this scope. For more on business verification obligations, see our complete KYB guide.
Healthcare (NHS and private providers)
The NHS Records Management Code of Practice 2021 sets detailed retention periods. Adult patient health records must be kept for 8 years after the last entry. For children, records are retained until the patient's 25th birthday (or 26th if the last entry was made when the child was 17). Maternity records are kept for 25 years after the birth of the last child. Mental health records are retained for 20 years after the last contact or 8 years after death.
Construction and building safety
The Building Safety Act 2022 introduced the concept of a "golden thread" of building information. For higher-risk buildings (over 18 metres or 7 storeys), the accountable person must maintain a comprehensive set of building safety records for the lifetime of the building. These include structural calculations, fire safety assessments, material specifications and maintenance logs.
Legal profession
The Solicitors Regulation Authority (SRA) requires law firms to keep files for at least 6 years after the matter is concluded. However, the Law Society recommends longer periods for specific work types: 15 years for property transactions, 21 years for matters involving minors and indefinitely for wills and trust deeds.
Education
Schools and educational institutions must retain pupil records for the lifetime of the school or until the pupil reaches 25, whichever is later. Examination results are kept for 6 years. Safeguarding records are retained until the individual reaches 25 or for 6 years after the last contact, whichever is longer.
Data protection and retention: the UK GDPR balance
The Data Protection Act 2018 and UK GDPR require organisations to keep personal data only for as long as necessary for the purpose it was collected. This principle of storage limitation must be balanced against the statutory retention obligations described above.
Lawful basis for retention
When a statutory obligation requires the retention of documents containing personal data, the lawful basis under UK GDPR Article 6(1)(c) (legal obligation) applies. This means the organisation can retain the data for the legally required period without needing consent from the data subject.
However, once the statutory retention period expires, the lawful basis ceases to exist. The organisation must then either delete the personal data, anonymise it or identify a different lawful basis for continued retention.
Practical implementation
The Information Commissioner's Office (ICO) recommends that organisations implement a retention schedule that maps each category of personal data to its retention period and lawful basis. Automated deletion or anonymisation processes should trigger at the end of each retention period. Manual processes are acceptable for smaller organisations but increase the risk of non-compliance.
Access controls should ensure that archived records are accessible only to authorised personnel for the specific purposes permitted by law. A payroll record retained for HMRC purposes should not be accessible to a marketing team.
Digital retention and electronic records
UK law treats electronic records as equivalent to paper records in most circumstances, provided certain conditions are met.
Admissibility of electronic records
The Civil Evidence Act 1995 removed the common law rule against hearsay, meaning electronic records are admissible as evidence in civil proceedings. The key requirement is authenticity: the party relying on the record must be able to demonstrate that it has not been tampered with and accurately represents the original.
Metadata, audit trails and digital signatures all strengthen the evidential weight of electronic records. Organisations should ensure their document management systems maintain comprehensive audit logs showing when documents were created, modified, accessed and by whom.
HMRC requirements for digital records
Since April 2022, Making Tax Digital (MTD) for VAT requires all VAT-registered businesses to maintain digital records and submit VAT returns using compatible software. From April 2026, MTD extends to income tax self-assessment for businesses and landlords with income above GBP 50,000. Digital records must be maintained in a form that allows HMRC to access them during an enquiry.
Building a document retention policy
A retention policy document transforms scattered legal obligations into a structured, operational framework that every department can follow.
Key components
Document inventory. Catalogue every type of document produced or received across the organisation. Include physical files, digital records, emails, instant messages and cloud-stored documents.
Retention schedule. Map each document type to its applicable retention period, citing the specific legal basis. Where multiple obligations apply (e.g., a contract that is both a commercial record and contains personal data), apply the longest required period.
Storage and security. Define where documents are stored, who has access and what security measures protect them. Encryption, access controls and backup procedures should be documented.
Disposal procedures. Specify how documents are destroyed at the end of their retention period. Physical documents should be cross-cut shredded. Digital records should be securely wiped using methods that prevent recovery.
For guidance on automating these processes, see our article on automated document verification workflows.
Common retention mistakes and how to avoid them
Keeping everything indefinitely. This is not a safe default. Retaining personal data beyond the required period breaches UK GDPR and exposes the organisation to ICO enforcement action. The ICO issued GBP 4.4 million in fines during 2024 for data protection breaches, with several cases involving excessive data retention.
Applying a single retention period to all documents. Different document types have different legal requirements. A one-size-fits-all approach will inevitably result in some records being destroyed too early and others being kept too long.
Ignoring litigation holds. When litigation is anticipated or underway, normal disposal procedures must be suspended for all documents relevant to the dispute. Destroying documents subject to a litigation hold can constitute contempt of court.
Failing to account for limitation periods. The 6-year general limitation period under the Limitation Act 1980 extends to 12 years for deeds. Latent damage claims can be brought up to 15 years after the act that caused the damage. Retention periods should account for these extended limitation periods where relevant.
How Checkfile helps manage document retention
Checkfile automates document collection, verification and lifecycle management. The platform automatically classifies incoming documents, applies the correct retention period based on document type and industry and triggers alerts before retention deadlines.
Integration with existing document management systems via API means no manual re-entry of data. Visit our pricing page to find the plan that matches your document volume, or request a personalised demo.
For a comprehensive view of document verification processes, see our document verification guide.
Frequently asked questions
How long must UK businesses keep tax records?
HMRC requires businesses to retain records supporting their tax returns for at least 6 years after the end of the relevant accounting period. For self-assessment taxpayers, the period is 5 years after the 31 January submission deadline for the relevant tax year.
Are electronic records legally equivalent to paper records in the UK?
Yes. The Civil Evidence Act 1995 and the Electronic Communications Act 2000 establish that electronic records are admissible as evidence and have equivalent legal standing to paper records. The key requirement is that the organisation can demonstrate the authenticity and integrity of the electronic record through audit trails, access controls and appropriate storage.
What happens if a company destroys documents too early?
Destroying documents before the statutory retention period expires can have several consequences. If HMRC conducts an enquiry and records are unavailable, the company may face estimated assessments, penalties and potential criminal prosecution. In civil litigation, the court may draw adverse inferences from the destruction of relevant documents. Under the Data Protection Act 2018, the ICO can investigate whether destruction procedures were applied correctly.
How does Brexit affect document retention requirements?
UK document retention requirements remain largely unchanged post-Brexit. The Data Protection Act 2018 and UK GDPR continue to apply. The Limitation Act 1980 and Companies Act 2006 are domestic legislation unaffected by EU withdrawal. However, businesses operating across the UK and EU must comply with both UK GDPR and EU GDPR, which may result in different retention requirements for the same document depending on which jurisdiction's data subjects are involved.
Do retention periods apply to emails?
Yes. Emails are business records and are subject to the same retention requirements as any other document. An email containing a contractual agreement must be retained for the same period as a paper contract. Organisations should implement email archiving solutions that apply retention rules automatically based on content classification, sender/recipient and metadata.