General guidance about registering with the Information Commissioners Office (ICO) and record retention periods:
DBS service update February 2019
Organisations should not keep the original paper certificate. This is the employee’s property. They must return the certificate to the employee once they have checked it.
Employers can make a copy of a certificate. This is as long as they have permission from the employee. If you have this, there is no official time limit for keeping the copy.
All organisations should have a policy on storing personal information. This policy should meet the requirements of the General Data Protection Regulation (GDPR).
If there is no policy in place
Visit the ICO website. You will find details on how employers should handle personal information there.
The Disclosure and Barring Service
Email: customerservices@dbs.gov.uk
Retention of records relating to allegations against adults who are or have been working in the setting
NSPCC states:
Keep the records in their personnel file either until they reach the age of 65 or for 10 years whichever is longer (IRMS, 2016). This applies to volunteers and paid staff.
For example:
- if someone is 60 when the investigation into the allegation is concluded, keep the records until their 70th birthday
- if someone is 30 when the investigation into the allegation is concluded, keep the records until they are aged 65.
You should keep records for the same amount of time regardless of whether the allegations were unfounded. However, if you find that the allegations are malicious you should destroy the record immediately.
Information should be kept for this length of time even if the person stops working or leaves the setting.
Guide to the UK General Data Protection Regulation (UK GDPR)
Record retention periods
Ofsted requirements about accessibility and availability of information about staff and children in a childcare setting
Section 3 Safeguarding and Welfare Requirements
Information and records
3.70. Records must be easily accessible and available (with prior agreement from Ofsted or the childminder agency with which they are registered, these may be kept securely off the premises). Confidential information and records about staff and children must be held securely and only accessible and available to those who have a right or professional need to see them. Providers must be aware of their responsibilities under the Data Protection Act (DPA) 1998 and where relevant the Freedom of Information Act 200
Further information for organisations can be found on the Information Commissioners Office website.
Childcare providers wishing to store records off the premises must:
- Email Ofsted to inform them and wait for a response
- Ensure that all staff and parents are fully aware of the arrangements and that they have been approved by Ofsted
- Ensure that written agreements are in place and signed by staff and parents
- Consider how the records will be ‘transported’
- Update confidentiality agreements
- Update staff code of conduct
- Demonstrate how the records are kept secure ‘off site’ (for example family members not having access if the records are brought home)
- Consider using a locked box/case/cupboard with a key fob, and security code access.
|
Record |
Retention period |
Statutory Authority/Non-Statutory recommendation |
|
Staff accident records (if have 10+ employees) |
Three years after the date of last entry |
Social Security (Claims and Payments) Regulations 1979 |
|
Statutory Sick pay records, certificates |
Three years after the end of the tax year to which they relate. |
Statutory requirement The Statutory Sick Pay (General) Regulations 1982 |
|
Statutory Maternity pay records |
Three years after the end of the tax year in which the maternity period ends |
Statutory requirement The Statutory Maternity Pay (General) Regulations 1986 |
|
Accounting records |
Six years for public limited companies and charities this should include the current year of trading |
Statutory requirement Section 221 Companies Act 1985 Statutory requirement Charities Act 1993 (amended 2006) |
|
Income tax and National Insurance returns/records |
At least three years after the end of the tax year to which they relate |
Statutory requirement The Income Tax (Employments) Regulations 1993 |
|
Wage/salary records (including overtime, bonuses, and expenses) |
Six years |
Statutory requirement Taxes Management Act 1970 |
|
Nursery Education Funding Scheme |
Seven years |
Statutory requirement Local Authority |
|
Children’s records which would include attendance records, registers, medication records/accident (Include staff records too) |
All children’s records must be kept while the child is in attendance at the setting and recommended for at least 3yrs after the child has left the provision However settings must check with their insurance company about their particular requirement |
EYFS Statutory requirement 2017 3.71 Records relating to individual children must be retained for a reasonable period of time after they have left the provision 56. Individual providers should determine how long to retain records relating to children The Data Protection Act 1998/GDPR 2018 does not specify periods for the retention of personal data. It is left to data controllers to decide how long personal data should be retained, taking into account the Data Protection Principles (see Data Protection Act Overview/GDPR principles), business needs, and any professional guidelines |
|
Child Welfare Records Advise settings if sibling attends to keep a copy of records if they have ongoing concerns until sibling leaves the setting/starts school/new setting |
Transferred to the new setting/school with the child when they leave the setting. If the new setting/school is unknown, then the setting is to retain for 6 years from the date of the last entry and then archive until the child reaches 25 years old |
The Independent Inquiry into Child Sexual Abuse requires all institutions to retain their records relating to the care of children for the duration of the Inquiry under Section 21 of the Inquiries Act 2005. There is therefore an obligation to preserve records for the Inquiry for as long as is necessary. The Data Protection Act 1998/GDPR 2018 does not specify periods for the retention of personal data. It is left to data controllers to decide how long personal data should be retained, taking into account the Data Protection Principles (see Data Protection Act Overview/GDPR principles), business needs, and any professional guidelines. Primary school – These are retained while the child is in the school; then transfer to the relevant secondary school. Secondary school – These are retained until the child is 25 years old and then shredded |
|
Complaints Records |
Recommended at least six years from the date of the last record |
EYFS Statutory Requirement 2021 IRMS irms.org.uk |
|
Trustees deeds and rules, trustee minutes |
At least for the existence of the charity |
The CIO (General) Regulations 2012 Companies Act 2006 Recommended retention period (non-statutory) Charity Commission (CC48-Charities and Meetings) |
|
Insurance liability documents |
40 years from the date of expiry |
Statutory requirement The Employers’ Liability (Compulsory Insurance) Regulations 1998 Health and Safety executive hse.gov.uk |
|
DBS Check/Disclosure |
Six months after the date on which recruitment decisions have been taken, or after the date on which the dispute about the accuracy of the disclosure has been resolved |
EYFS Statutory requirement 2021 DBS service DBS (code of practice) settings should destroy disclosure form/any photocopies after this time but must record the following information for Ofsted The date of issue of the disclosure The name of the subject The type of disclosure requested The position for which the disclosure was requested The unique reference number of the disclosure The details of the recruitment decision taken |
|
Application forms and interview notes (for unsuccessful candidates) |
At least one year |
Recommended retention period (non-statutory) Chartered Institute of Personnel |
|
Personnel files and training records (including disciplinary records and working time records) |
Six years after employment ceases |
Recommended retention period (non-statutory) Chartered Institute of Personnel |
|
Redundancy details, calculations of payments, refunds, notification to the Secretary of State |
Six years from the date of redundancy |
Recommended retention period (non-statutory) Chartered Institute of Personnel If your organisation has to make more than 20 people redundant, the Secretary of State must be notified of this intention. Failure to do so without justification may result in prosecution and/or a fine for the company or any of its officers. Advance notification of the redundancies is made using the HR1 Form |
|
Records of any reportable death, injury, disease, or dangerous occurrence |
Three years after the date record was made |
Requirement: The reporting of Injuries, Disease and Dangerous occurrences regulations 1995 (RIDDOR) (as amended) |
|
Accident/medical records as specified by The Control of Substances Hazardous to Health Regulations (COSHH) |
40 years from the date of the last entry |
Requirement The Control of Substances Hazardous to Health Regulations 2002 (COSHH) |
|
Visitors books/signing-in sheets |
The current year plus six years |
Recommendation IRMS irms.org.uk |
|
Fire Drill records |
Recommend from date of last Ofsted inspection |
Early Years Foundation Stage Framework 3.56 Providers must take reasonable steps to ensure the safety of children, staff, and others on the premises in the case of fire or any other emergency and must have an emergency evacuation period. |
