Skip to main content

Your browser is out of date, and unable to use many of the features of this website

Please upgrade your browser.


This website requires cookies. Your browser currently has cookies disabled.

Record-keeping: employer duties

As an employer you need to make sure you provide accurate and complete records to your pension scheme provider or administrator. You should have effective processes in place to store the data and pass it on.

Poor quality records can affect staff that are members of your pension scheme. It can also be very expensive if things go wrong due to bad or missing data.

Incorrect or out of date information is the main cause of payment problems. This can lead to disputes between employers and members, scheme providers, or trustees.

Employers also have specific record-keeping duties as part of automatic enrolment, which they should comply with.

How long to keep records for

By law, you must keep records about what contributions you pay to your pension scheme for at least six years. You will need to keep other types of records for as long as they remain relevant and are needed for the scheme to operate.

Keeping this information makes sure that correct contributions are paid, and will provide evidence if there’s a dispute.

You should safely dispose of data that you no longer need to keep – this must be done in compliance with the General Data Protection Regulation (GDPR).

Provide data to your pension scheme

You need to provide data to the scheme administrator when key events take place. This includes when a member of staff:

  • joins or leaves the scheme
  • changes their rate of contributions
  • changes their name, address or salary
  • changes their member status
  • transfers employment between scheme employers

You need to keep information on contributions and membership up to date. You should tell your pension scheme provider or administrator about any changes.

You need to keep records relating to:

  • staff gross earnings
  • staff and employer pension scheme contributions due to be paid (and if different the actual amounts paid)

Your pension scheme provider or trustees need this payment information to meet their legal duties.

You should agree a process for providing payment information when you set up the scheme. This could involve you giving updated earnings information at the same time as you pay contributions to the scheme.

Providers or trustees may ask you for additional payment information which you should provide within seven working days. If you don't provide this information on time, TPR may take regulatory action which in some cases may lead to a fine.

Manage risks to data security

As an employer, you have a duty to handle your staff’s data in a responsible way that complies with the General Data Protection Regulation (GDPR) and Data Protection Act 2018.

You need to protect your staff’s data when storing it, and especially when sharing it with your scheme and other third parties.

Take the time to understand the cyber risk – read our cyber security guidance and learn what you need to do.

Make sure controls are in place to protect data belonging to staff who are members of your scheme.

Work with the scheme administrator and trustees to help them understand what data-processing activities are being carried out, so they can keep records of them.

Data processing will only be lawful if it's performed on a recognised basis, like one of the following:

  • conducted with the consent of the scheme member
  • needed for the performance of a contract to which the scheme member is a party
  • needed for compliance with a legal obligation to which the data controller is subject
  • needed for the purposes of the legitimate interests pursued by the controller

You need to make the grounds on which data is processed clear to the scheme member in a concise, accessible and easy-to-understand form.

Read more about GDPR on the Information Commissioner's Office website.

Report a breach of the law

Poor quality or missing data can affect your scheme. It may mean that the trustee or administrators haven't complied with their legal duties. This is a breach of the law and you may need to report it to us. 

See our code modules on reporting breaches of the law.