Records Management, Retention Periods and Archiving
Records Management in Brief
- Records demonstrate that the management system actually operated
- Retention periods set by legal, contractual and operational need
- Secure storage, retrieval and disposal arrangements
Records management and retention
Records are the documented information that captures what an organisation has actually done - completed forms, signed minutes, calibration certificates, accident reports, financial transactions, employment files. The ISO management system standards treat them differently from documents, because once a record exists it is evidence and changing it removes its value as evidence.
The core requirement under ISO 9001 Clause 7.5, and the equivalent clauses in the other ISO standards, is that records remain accessible, legible, protected from unintended change, retained for a defined period and then disposed of in a controlled way.
Why retention periods matter
Retention is the part of records management where most organisations get tripped up. Keep records for too short a period and the organisation may breach a legal duty, lose the ability to defend itself in a dispute, or fail to provide evidence for a tax investigation. Keep them for too long and the organisation accumulates personal data it no longer has a lawful reason to hold, which is a breach of UK data protection law.
Setting retention periods is not an exact science. For some records the law is precise. For others it is a balance of legal risk, business need and what is reasonable. The retention table in the document register is where these decisions are recorded and reviewed.
Common UK retention periods
The following are the retention periods most UK organisations need to consider. These are not advice on individual cases - sector regulation, insurance requirements and contracts can extend them - but they are the starting point for most retention schedules.
Financial and tax records. Under the Companies Act 2006 and HMRC rules, accounting records must be kept for at least three years for private companies and six years for public companies. In practice most organisations apply a six-year minimum to all financial records to cover both corporation tax and VAT.
Employment records. No single retention period is set in law, but in the UK most employers retain personnel files during employment and for around six years after leaving, which aligns with the contract limitation period under the Limitation Act 1980. Right to work check evidence is typically retained for the duration of employment and at least two years after.
Health and safety records. Accident records under RIDDOR 2013 must be kept for at least three years. COSHH health surveillance records must be kept for forty years. Asbestos exposure records must be kept for forty years under the Control of Asbestos Regulations 2012.
Pension records. Pension scheme records are typically kept indefinitely, given that pension entitlements can crystallise decades after employment ends.
Risk assessments and COSHH assessments. Usually kept indefinitely while the activity continues, with previous versions archived rather than deleted, so that the history of a particular hazard can be traced.
Quality records. Internal audit reports, management review records, non-conformance reports and corrective action records are typically retained for around six years to cover certification cycles and to support management trend analysis.
CCTV and personal data. Subject to UK GDPR, retention should be no longer than necessary. CCTV is typically kept for between thirty and ninety days. Personal data more generally should have a documented retention period justified by purpose.
Setting retention periods that work
The aim is a single source of truth - usually a column on the document register - that everyone can refer to when asked how long a particular record is kept. Three principles help.
First, choose the longest applicable period and document the reason. If a record is subject to a six-year financial retention rule and a three-year H&S retention rule, six years applies. The document register should record both reasons, so that retention is not accidentally shortened later.
Second, distinguish between active records and archived records. Records do not all need to live in the same place for their entire retention period. A live record might sit in a current folder, then move to an archive folder after a year, then be deleted at the end of retention. Archive does not mean inaccessible - it means moved out of day-to-day operations.
Third, treat retention as a control, not a guideline. Records that should have been deleted but were not are a real risk under UK GDPR. A scheduled disposal date - even a calendar reminder - is more reliable than an intention to review.
Protecting records from unintended change
The standards expect records to be protected from accidental or unauthorised alteration. In practice this is achieved through three controls.
The first is access. Only the people who need to use a record can see and edit it - typically through folder permissions or document management software. Visitors, agency workers and people who do not need access do not have it.
The second is format. Records that are PDFs or read-only files are harder to alter accidentally than open Word documents. Where records are kept in editable formats, the controls usually rely on access permissions and a clear convention that completed records are not edited.
The third is backup. A record that exists only on one machine is one disk failure away from being lost. Backup of records, with regular testing of restore, is part of records management even though it is often delegated to IT.
Disposal of records
Disposal is the part of records management most often forgotten. When the retention period ends, the organisation should dispose of the record in a way that matches its sensitivity. Routine business records can usually be deleted from the system. Records containing personal data, confidential information or commercially sensitive material need secure disposal - either confidential shredding for paper, or secure digital deletion for electronic records.
The document register usually carries a brief note on disposal method against each record type. A simple shred / secure delete column avoids the question being relitigated every time a retention period expires.
Health and safety records are the area where I see the most retention errors, in both directions. Some companies are still keeping accident books from twenty years ago because nobody has ever decided when to dispose of them. Others have deleted health surveillance records after five years because they thought the data protection rule applied - but COSHH health surveillance has to be kept for forty years, and not having it is a serious problem if there is ever a claim.
Get the H&S retention periods right and document the reasoning. RIDDOR three years for accidents, forty years for occupational health surveillance and asbestos exposure, indefinitely for risk assessments while the activity continues.
When I audit records management I am looking for two things. Are records actually being kept for the period the company says they are kept for. And is the retention period in the register defensible.
I will pick a record type at random, look at the retention rule, then go and find the oldest record of that type. If it is older than the retention period, the company has a problem with disposal. If it is younger and there is nothing more recent, the company has a problem with creation. Both findings come up regularly.
The most useful exercise for clients setting up a retention schedule for the first time is to walk through one of every type of record they create and ask three questions. Why are we keeping it. Who says we have to. When can we dispose of it. The answers go straight onto the document register. Doing this once properly takes a few hours, and the result lasts for years.
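The "longest applicable period" rule and scheduled disposal dates described under Setting retention periods that work, together with the two audit checks in the walk-through above, are put into working form below. This is an added example, not part of the original page or the alphaZ toolkit; the schedule, the tolerance of one year between records and all dates are constructed for illustration.

```python
from datetime import date

# Constructed retention schedule: each record type lists every rule that applies as
# (years, basis); None means indefinite. Periods are the UK figures quoted on this
# page; the claim file is a constructed case where a six-year rule outlasts RIDDOR.
SCHEDULE = {
    "accident record": [(3, "RIDDOR 2013")],
    "injury claim file": [(3, "RIDDOR 2013"), (6, "Limitation Act 1980")],
    "health surveillance record": [(40, "COSHH 2002")],
    "accounting record": [(6, "Companies Act 2006 / HMRC")],
    "risk assessment": [(None, "kept while the activity continues")],
}
GAP_TOLERANCE_DAYS = 365  # constructed: a record of each type is expected at least yearly

def add_years(d, n):
    """Calendar-year arithmetic; a 29 February date rolls forward to 1 March."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, month=3, day=1)

def retention_for(record_type):
    """Longest applicable period wins; every basis is kept for the register so the
    period is not accidentally shortened later. Any indefinite rule makes it indefinite."""
    rules = SCHEDULE[record_type]
    years = None if any(y is None for y, _ in rules) else max(y for y, _ in rules)
    return years, [basis for _, basis in rules]

def disposal_date(closed_on, years):
    """Scheduled disposal date (ISO string) for a record closed on closed_on, or None."""
    if years is None:
        return None
    return add_years(date.fromisoformat(closed_on), years).isoformat()

def audit(record_type, closed_dates, as_of, activity_since):
    """The two audit checks: is the oldest surviving record past its disposal date
    (a disposal problem), and does the retention window lack records that should
    still be held (a creation problem)? Returns a list of findings, empty if clean."""
    years, _ = retention_for(record_type)
    if not closed_dates:
        return ["creation: no records of this type on file"]
    oldest = min(date.fromisoformat(d) for d in closed_dates)
    as_of, since = date.fromisoformat(as_of), date.fromisoformat(activity_since)
    findings = []
    if years is not None and add_years(oldest, years) < as_of:
        findings.append(f"disposal: record closed {oldest} was due for disposal on {add_years(oldest, years)}")
    # Records should exist back to the later of the activity start and the window start.
    window_start = since if years is None else max(since, add_years(as_of, -years))
    if (oldest - window_start).days > GAP_TOLERANCE_DAYS:
        findings.append(f"creation: oldest record is {oldest}, expected records back to {window_start}")
    return findings
```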
Practical compliance guidance
IMS1 Section 1.5 Management of Documented Information and Data sets out how records are managed across the integrated management system, including retention, protection and disposal. The retention table on the document register is the live record of how long each type of record is kept.
The toolkit provides a records register, a records management policy and a data retention policy, along with the underlying document register and supporting guidance.
| alphaZ document | How to use it |
|---|---|
| ISO 9001, 14001 and 45001 IMS Toolkit | Full integrated toolkit including the IMS1 manual, document register and supporting policies for records management across multiple ISO standards. |
| F-IMS20 Document Register | Two-section register including a records section with description, storage location, security and retention period for each type of record held. |
| F-IMS201 Records Register | Standalone records register for organisations that hold a wider range of records than fits sensibly on the document register. |
| P-90 Records Management Policy | Policy covering how records are created, protected, retained and disposed of, with responsibilities for owners and users. |
| P-91 Data Retention Policy | Policy specifically covering retention periods and disposal, useful where the organisation needs a separate retention policy for data protection or sector regulation reasons. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation relevant to records retention
UK retention requirements come from a range of statutes and regulations rather than a single source. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
- Data Protection Act 2018
- UK GDPR
- Companies Act 2006
- RIDDOR 2013
- Control of Substances Hazardous to Health Regulations 2002
- Control of Asbestos Regulations 2012
- Limitation Act 1980
