General guidance about registering with the Information Commissioner's Office (ICO) and record retention periods:
DBS service update February 2019
Organisations should not keep the original paper certificate. This is the employee’s property. They must return the certificate to the employee once they have checked it.
Employers can make a copy of a certificate. This is as long as they have permission from the employee. If you have this, there is no official time limit for keeping the copy.
All organisations should have a policy on storing personal information. This policy should meet the requirements of the General Data Protection Regulation (GDPR).
If there is no policy in place
Visit the ICO website. You will find details on how employers should handle personal information there.
The Disclosure and Barring Service
Email: customerservices@dbs.gov.uk
Retention of records relating to allegations against adults who are or have been working in the setting
NSPCC states:
Keep the records in their personnel file either until they reach the age of 65 or for 10 years whichever is longer (IRMS, 2016). This applies to volunteers and paid staff.
For example:
- If someone is 60 when the investigation into the allegation is concluded, keep the records until their 70th birthday
- If someone is 30 when the investigation into the allegation is concluded, keep the records until they are aged 65.
You should keep records for the same amount of time regardless of whether the allegations were unfounded. However, if you find that the allegations are malicious you should destroy the record immediately.
Information should be kept for this length of time even if the person stops working or leaves the setting.
Guide to the UK General Data Protection Regulation (UK GDPR).
Record retention periods
Ofsted requirements about accessibility and availability of information about staff and children in a childcare setting
Section 3 Safeguarding and Welfare Requirements
Information and records
I keep some documents off-site. Will I have to provide these during the inspection if the inspector asks to see them?
The EYFS framework for group and school-based providers does not require providers to seek permission from Ofsted to keep any records securely off-site. However, providers should ensure that they comply with data protection obligations.
Records required by the safeguarding and welfare requirements of the EYFS must be easily accessible and available by the end of the inspection if the inspector asks to see them. If you cannot access these records easily, then inspectors may consider the impact of this on your ability to keep children safe.
The inspector will direct you to the inspection handbook during the notification call and the documents they may wish to see. This will help you to consider if there are any documents you want to make sure are on-site and available on the day of the inspection.
|
Record |
Retention period |
Statutory authority/non-statutory recommendation |
|
Staff accident records (if more than 10 employees). |
Three years after the date of the last entry. |
Social Security (Claims and Payments) Regulations 1979. |
|
Statutory sick pay records, certificates. |
Three years after the end of the tax year to which they relate. |
Statutory requirement The Statutory Sick Pay (General) Regulations 1982. |
|
Statutory maternity pay records. |
Three years after the end of the tax year in which the maternity period ends. |
Statutory requirement The Statutory Maternity Pay (General) Regulations 1986. |
|
Accounting records. |
Six years for public limited companies and charities this should include the current year of trading. |
Statutory requirement Section 221 Companies Act 1985. Statutory requirement Charities Act 1993 (amended 2006). |
|
Income tax and National Insurance returns/records. |
At least three years after the end of the tax year to which they relate. |
Statutory requirement The Income Tax (Employments) Regulations 1993. |
|
Wage/salary records (including overtime, bonuses, and expenses). |
Six years. |
Statutory requirement Taxes Management Act 1970. |
|
Nursery education funding scheme. |
Seven years. |
Retain records, either paper or electronic, regarding children for whom early years funding was claimed for a minimum period of six years after the child has left the provision. Provider Local Agreement requirement. |
|
Children’s records which would include attendance records, registers, medication records/accident (Include staff records too). |
All children’s records must be kept while the child is in attendance at the setting and recommended for at least three years after the child has left the provision. However, settings must check with their insurance company about their particular requirement. |
EYFS statutory requirement 2024. 3.80 Records relating to individual children must be retained for a reasonable period of time after they have left the provision. 49. Individual providers should determine how long to retain records relating to children. The Data Protection Act 1998/GDPR 2018 does not specify periods for the retention of personal data. It is left to data controllers to decide how long personal data should be retained, taking into account the Data Protection Principles (see Data Protection Act Overview/GDPR principles), business needs, and any professional guidelines. |
|
Child welfare records. Advise settings if sibling attends to keep a copy of records if they have ongoing concerns until sibling leaves the setting/starts school/new setting. |
Transferred to the new setting/school with the child when they leave the setting. If the new setting/school is unknown, then the setting is to be retained for six years from the date of the last entry and then archived until the child reaches 25 years old. |
The Independent Inquiry into Child Sexual Abuse requires all institutions to retain their records relating to the care of children for the duration of the Inquiry under Section 21 of the Inquiries Act 2005. There is therefore an obligation to preserve records for the Inquiry for as long as is necessary. The Data Protection Act 1998/GDPR 2018 does not specify periods for the retention of personal data. It is left to data controllers to decide how long personal data should be retained, taking into account the Data Protection Principles (see Data Protection Act Overview/GDPR principles), business needs, and any professional guidelines. Primary school – These are retained while the child is in the school, and then transferred to the relevant secondary school. Secondary school – These are retained until the child is 25 years old and then shredded. |
|
Complaints records. |
Recommended at least six years from the date of the last record. |
EYFS statutory requirement. |
|
Trustees deeds and rules, trustee minutes. |
At least for the existence of the charity. |
The CIO (General) Regulations 2012. Companies Act 2006. Recommended retention period (non-statutory) Charity Commission (CC48-Charities and Meetings). |
|
Insurance liability documents. |
40 years from the date of expiry. |
Statutory requirement The Employers’ Liability (Compulsory Insurance) Regulations 1998. Health and Safety executive hse.gov.uk. |
|
DBS check/disclosure. |
Six months after the date on which recruitment decisions have been taken, or after the date on which the dispute about the accuracy of the disclosure has been resolved. |
EYFS statutory requirement. DBS service. DBS (code of practice) settings should destroy disclosure form/any photocopies after this time but must record the following information for Ofsted. The date of issue of the disclosure. The name of the subject. The type of disclosure requested. The position for which the disclosure was requested. The unique reference number of the disclosure. The details of the recruitment decision taken. |
|
Application forms and interview notes (for unsuccessful candidates). |
Any data or records of unsuccessful applicants must be destroyed. Under GDPR, keeping records you do not have consent to hold is an offence. At least one year. |
If an employee wishes to retain an unsuccessful applicant’s application for future use they must ensure they have the individual's consent and issue a Privacy Data Notice to the applicant. |
|
Personnel files and training records (including disciplinary records and working time records). |
Six years after employment ceases. |
Recommended retention period (non-statutory) Chartered Institute of Personnel. |
|
Redundancy details, calculations of payments, refunds, notification to the Secretary of State. |
Six years from the date of redundancy. |
Recommended retention period (non-statutory) Chartered Institute of Personnel. If your organisation has to make more than 20 people redundant, the Secretary of State must be notified of this intention. Failure to do so without justification may result in prosecution and/or a fine for the company or any of its officers. Advance notification of the redundancies is made using the HR1 Form. |
|
Records of any reportable death, injury, disease, or dangerous occurrence. |
Three years after the date the record was made. |
Requirement: The reporting of Injuries, Diseases and Dangerous occurrences regulations 1995 (RIDDOR) (as amended). |
|
Accident/medical records as specified by The Control of Substances Hazardous to Health Regulations (COSHH). |
40 years from the date of the last entry. |
Requirement The Control of Substances Hazardous to Health Regulations 2002 (COSHH). |
|
Visitors' books/signing-in sheets. |
The current year plus six years. |
|
|
Fire drill records. |
Recommend from date of last Ofsted inspection. |
Early years foundation stage (EYFS) statutory framework. 3.65 Providers must take reasonable steps to ensure the safety of children, staff, and others on the premises in the case of fire or any other emergency and must have an emergency evacuation period. |
