Technical helpsheet highlighting key considerations relating to document retention for accountants.
Accountants are required to retain a wide variety of documents and records in various formats to comply with legislative, regulatory and other requirements. Accountants will also hold a wide range of personal data and will therefore be subject to the requirements of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The UK GDPR has not changed the need to hold personal data securely and appropriately but it has introduced the principle of ‘accountability’. This means that all organisations must not only ensure they are compliant with the GDPR but prove this too.
This helpsheet highlights key considerations with regard to document retention in broad terms and is primarily focussed on client-related documents and records from a practitioner’s perspective. It is not intended to provide advice on documents and records relating to employees or to address retention of documents in the context of exercising a lien, guidance on which is available in the helpsheet Exercising liens.
This helpsheet should be read in conjunction with any relevant guidance and policy wording issued by a firm’s insurer and is not a substitute for specific legal advice. Where there is any doubt, legal advice should be obtained.
Members may also wish to refer to the following related helpsheets and guidance:
Establishing a document retention policy
Firms should establish a clear written document retention policy and should ensure that all staff are familiar with it. The UK GDPR requires firms to adhere to the ‘accountability’ principle, which is primarily evidenced through documentation.
With respect to both paper and electronic documents and records, document retention policies should clearly cover aspects including:
- Storage of documents and records
- Who should have access to different types of documents and records
- Retention periods
- Secure destruction of documents and records after the end of the retention period
The policy should be reviewed on a regular basis, both to ensure that it is still in line with any legal or statutory requirements and to ensure that it is being adhered to by staff.
Clients should also be made aware of the firm’s document retention policy (albeit a high level summary), perhaps in the letter of engagement and privacy notice (see Engagement letters and privacy notices helpsheet). Any variation to the general principles for the ownership of records should be agreed by the client, in writing wherever possible.
Engagement letter and privacy notice
Rather than providing lengthy retention policies and schedules to clients in an engagement letter, firms may wish to adopt a more generic approach (although firms would be expected to provide more details to clients if requested). In a privacy notice, wording along the following lines may be appropriate:
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected. When assessing what retention period is appropriate for your personal data, we take into consideration: the requirements of our business and the services provided; any statutory or legal obligations; the purposes for which we originally collected the personal data; the lawful grounds on which we based our processing; the types of personal data we have collected; the amount and categories of your personal data; and whether the purpose of the processing could reasonably be fulfilled by other means.
Firms may also wish to advise clients of when they will destroy/delete their documents and records. The following wording (see Engagement letters and privacy notices helpsheet paragraph 22.2 in the terms of business) is suggested:
Although certain documents may legally belong to you, we may destroy correspondence and other papers that we store electronically or otherwise that are more than [seven] years old, except documents we think may be of continuing significance. You must tell us if you wish us to keep any documents for any longer period.
Where clients do inform firms of their wish for the firm to keep documents for a longer period, this is for discussion between the firm and the client.
The ownership of a document depends on the contract between the client and accountant, the capacity in which the accountant acts and the purpose for which the document is created. Please refer to the guidance Documents and records: Ownership, lien and rights of access for more details and seek legal advice if in doubt about the ownership of a particular document.
Storage of documents and records
Firms need to ensure that documents and records are stored securely to comply with the requirements of the GDPR in respect of personal data and the general principles of confidentiality contained within section 114 of the ICAEW Code of Ethics. Further guidance on data security is available from the Information Commissioner’s Office (ICO) on its security page.
Paper documents and records
Firms may wish to place documents that are no longer current in storage, perhaps using a reputable external storage provider. Firms should ensure that the instructions provided to a third party storing client records on their behalf are clear, that reasonable steps are taken to ensure client confidentiality will be preserved and that documents are held without deterioration. Firms should be able to retrieve files from such storage providers at short notice if required and should ensure that such providers are not able to destroy any documents without the authority of the firm. Careful labelling of files will be needed.
Firms should also ensure that they know where the third party stores the records. If this is outside the UK or EEA then the firm will need to ensure that the data protection regime is deemed ‘adequate’.
Electronic documents and records
As firms increasingly move to cloud computing and storage, it is extremely important that they have detailed contracts with their providers, not only to comply with the requirements of the GDPR, but to ensure that the responsibilities of both parties are clear. As with paper documents and records, firms should also ensure that they know where the third party stores electronic documents and records. If this is outside the UK or EEA then the firm will need to ensure that the data protection regime is deemed ‘adequate’.
If documents or other information are stored by means of licensed proprietary software (for example, taxation or accounts preparation software), firms must bear in mind that some software suppliers ‘time bomb’ their software, rendering it unusable after the expiry date of the licence. If a firm relinquishes its licence for such software, it should confirm with the supplier whether the software will still be useable to access old records. If not, firms should make timely arrangements to print out the information to be retained or, more commonly, export it into another electronic format.
Firms need to ensure that they continue to have access to the appropriate hardware and software to enable them to recover, in readable form, the documents they have stored. In practical terms, this means ensuring that, as information systems evolve, firms either retain the technology to access redundant data-storage formats, or update the format in which the data is stored. Firms should also restore sample documents from time to time to ensure that retrieval systems and processes still work.
Who should have access to documents and records
Access to documents and records should be restricted to those within the firm who have a genuine need to access the files for legitimate purposes. Ultimately, a firm needs to be able to identify who has access to client files and why they have such access.
A firm also needs to have appropriate physical and/or technological security measures in place to prevent unauthorised access. Where hardcopy files are used, locked cabinets with appropriate key holders may be a sensible option. Where electronic files are used, user-level access and/or password-protected files to restrict access would be sensible. Further details can be found on the ICAEW Cyber security page.
The helpsheet GDPR – Client files includes discussion on who within a firm may require access to client files.
The GDPR requires that personal data should be held only for as long as is necessary. Similar principles should be applied to documents and records not containing personal data as well. In practice, the ‘necessary’ period can usually be justified by reference to statutory retention periods, retention periods required by regulations and requirements of professional indemnity insurers. Additionally, where a firm has received (or has been notified of) a complaint, claim or inquiry, the retention period should be extended as necessary.
In the majority of cases, original records will be retained by the client and should be returned to them as soon as practicable (with copies kept by the firm as appropriate). Whilst the responsibilities for maintaining records for statutory retention periods are usually those of the client concerned, firms would be wise to maintain their own copies of such documentation in line with the indicative retention periods below (plus any additional period specified by their insurers) to assist in the event of any potential claims.
It is also worth noting that some professional indemnity insurers include retention clauses within their policies. Failure to observe such clauses may affect the validity of your PII cover. At inception, it would be advisable to notify your insurer of your document retention policy. You should always review your professional indemnity cover before adopting or amending your retention policy, as requirements of your policy may go above and beyond other statutory or regulatory requirements.
Indicative retention periods
Whilst it is not possible in this document to provide an exhaustive list of retention periods or explanations as to why such periods have been suggested (namely because some documents never cease to have value and others remain valuable for an undefined period of time), the table in Appendix 1 provides suggestions and indicative guidance.
Secure destruction after the end of the retention period
For documents that the client owns, firms should not destroy documents and records prior to any period specified within the terms of their engagement letter. If the engagement letter is silent, firms should consult their client or seek legal advice prior to destroying documents legally owned by the client (see Documents and records: Ownership, lien and rights of access). For documents owned by the firm, Appendix 1 offers indicative guidance.
When destroying documents, reasonable steps should be taken to preserve the confidentiality of the client’s information in the destruction process.
Paper documents and records
In the context of paper documents, careful thought should be given to secure shredding or incineration facilities and clear instructions should be given to any third party destroying client information on the firm’s behalf.
Electronic documents and records
In the context of electronic documents, consideration should also be given to backup and storage facilities as well as the ‘live’ copies of documents and records. Where portable devices or drives have come to the end of their life, they should be securely destroyed. In most cases it will be appropriate to use a specialist third party, as simply deleting a file from such a device does not, in itself, prevent data recovery. Where cloud computing facilities are utilised, contracts with such providers are required and care should be taken to ensure that providers adhere to the firm’s retention and destruction policies.
Firms may wish to consider checking whether any third parties they use to provide destruction services hold BS EN 15713 Secure destruction of confidential material or another appropriate certification.
If in doubt seek advice
ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Technical Advisory Service on +44 (0)1908 248 250, via webchat or e-mail email@example.com.
Appendix 1: Indicative retention periods
Type of document/record and justification | Indicative retention period
Information relating to a client’s chargeable assets and gifts
Such documentation is useful for an indefinite time period due to the nature of chargeable assets and gifts.
Records relating to pension transfers and opt-outs
COBS 3.8 in the FCA Handbook requires records relating to pension transfers, conversions and opt-outs to be retained indefinitely.
Documents of title (e.g. leases)
Section 15 of the Limitation Act 1980 specifies a 12 year time limit for actions to recover land and therefore such documents should be kept for this period of time.
Indicative retention period: 12 years after end of interest in property
Accounts preparation working papers
Under Schedule 18 of the Finance Act 1998 (as amended) a company must keep such records as may be needed to enable it to deliver a correct and complete tax return for the period until the sixth anniversary of the end of the period for which the company may be required to deliver a company tax return. This is a longer period than required by s387 of the Companies Act 2006 which requires accounting records to be kept for three or six years for private and public companies respectively.
Indicative retention period: Current year plus six further years
Audit files and working papers
Regulation 3.11 of the Audit Regulations requires registered auditors to keep all audit working papers, which auditing standards require for an audit, for a period of at least six years starting with the end of the accounting period to which the papers relate.
Assurance files and working papers
Whilst there are no specific regulations governing retention of assurance files and working papers, it would be sensible to retain them for a similar period to accounts and audit files for similar reasons.
Tax papers relating to income tax and capital gains tax
As a general rule, CH14530 in the HMRC Compliance Handbook requires records and supporting documents to be retained until the sixth anniversary of the end of the period.
Tax papers relating to corporation tax
As a general rule, CH14600 in the HMRC Compliance Handbook requires records and supporting documents to be retained until the sixth anniversary of the end of the period.
Tax papers relating to VAT
As a general rule, CH15000 in the HMRC Compliance Handbook requires records and supporting documents to be retained for 6 years.
Government guidance suggests employers maintain PAYE records for three years from the end of the tax year to which they relate. It is best practice to maintain the records in line with the general current year plus six further years requirement in order to ensure other requirements are adhered to.
Investment business records
Guidance on regulation 4.06 in the DPB (Investment Business) Handbook recommends that documents be kept for at least six years from the date they were made. Firms authorised directly by the FCA should refer to the FCA’s own guidance for specific retention periods.
Office papers (general correspondence and time records)
Given the connection of general correspondence and time records to the underlying working papers (whether they be accounting working papers, audit papers or tax papers for example) it is sensible to maintain such records for a similar period.
Insolvency related files
Requirements for retaining documents related to insolvency files are complex. Compliance with the above requirements is still required and therefore it would usually be sensible to retain the current year plus six further years of records. Additionally the following requirements also apply.
In the case of an administration or a voluntary liquidation, once the company has been dissolved, the person who was the last administrator of the company or the former liquidator may, a year from the date of dissolution, destroy or otherwise dispose of the books, papers and other records of the company (Regulations 3A and 16 of the Insolvency Regulations 1994 (as amended)).
The trustee in bankruptcy or the liquidator in a compulsory liquidation must obtain permission from the official receiver to destroy or otherwise dispose of the bankrupt’s or company’s records (Regulations 30 and 16 respectively of the Insolvency Regulations 1994 (as amended)).
Records relating to SRA reporting accountant engagements
Rule 13.1 of the SRA Accounts Rules requires solicitors regulated by the SRA to store all accounting records securely and retain these for at least six years. A reporting accountant may decide that a similar retention period is appropriate.
Probate files and working papers
Regulation 3.10 of the Probate Regulations requires accredited probate firms to keep records relating to work performed for at least six years, although some legislation requires certain records to be retained for longer (see the rest of this Appendix for some specific examples).
Anti-money laundering records
Paragraph 3.6.18 of the CCAB Anti-money laundering guidance for the accountancy sector requires all records created as part of the customer due diligence process, including non-engagement documents relating to the client relationship and ongoing monitoring of it, to be retained for five years after the relationship ends.
No indicative retention period is officially specified for records relating to internal reports; the MLRO’s consideration of internal reports; any subsequent reporting decisions or suspicious activity reports sent to the NCA. Since these records can form the basis of a defence against accusations of money laundering or terrorist financing, a business may decide that five years is a suitable retention period for them.
Indicative retention period: Five years from the end of the relationship
© ICAEW 2021 All rights reserved.
ICAEW cannot accept responsibility for any person acting or refraining to act as a result of any material contained in this helpsheet. This helpsheet is designed to alert members to an important issue of general application. It is not intended to be a definitive statement covering all aspects but is a brief comment on a specific point.
ICAEW members have permission to use and reproduce this helpsheet on the following conditions:
- This permission is strictly limited to ICAEW members only who are using the helpsheet for guidance only.
- The helpsheet is to be reproduced for personal, non-commercial use only and is not for re-distribution.
For further details members are invited to telephone the Technical Advisory Service T +44 (0)1908 248250. The Technical Advisory Service comprises the technical enquiries, ethics advice, anti-money laundering and fraud helplines. For further details visit icaew.com/tas.