Essential guide to filing and records management

Reliable filing and record-keeping systems provide you with access to the information you need, when you need it – helping to save time, money, and effort.

There are established ways to manage and store information. As well as ensuring information is accessible, filing systems ensure data is safely stored and that you comply with all legislation.

'Family-tree' filing

Managing the filing and records system

Making filing and records management work

Filing and records security

Legal issues

Filing and records management in the longer-term

How long is long-term?

1. 'Family-tree' filing

You need one single filing and records system to ensure that people can find the information they need, when they need it. This system is based on a hierarchy – or family tree – of files, hence its name.

Decide the main categories for your filing system and give each a code

  • For example, sales (SA), accounting (AC), human resources (HR) and general administration (GA).
  • Have a Project Files category (PF) for anything that falls outside of your main categories.

Divide each category into sub-categories

  • For example, divide HR into HR/recruitment, HR/pay, HR/performance appraisals, HR/training, HR/employee file.

Further divide these into sub-sub-categories, to whatever level is necessary

  • For example, if you need to file the CV of a potential secretary (for the first time), you might create a new file called HR/recruitment/candidates/secretary/potential.

Storing files in alphabetical order makes information easier to find

  • For example, if customers have named files, these can be stored near the sales team, in alphabetical order, eg SA/customer/Amis.

Businesses with large or complex filing systems often use a filing code instead of a name

  • For example, potential secretary candidates might be filed in HR/1/2/1/1 (where the first 1 signifies recruitment, the 2 means candidates, the next 1 means secretary and the last 1 means potential).
  • This can initially appear more complicated, but it’s easy to understand and logical.

2. Managing the filing and records system

Give one person overall responsibility for your filing and records system

  • Make each manager and individual responsible for managing information within the context of their job.
  • Records should only be available to staff who need them to carry out their work (with appropriate and necessary safeguards for personal and sensitive information).
  • Make sure that all managers and staff handling personal data are aware of your obligations and the rights of individuals under the General Data Protection Regulation (GDPR) and of any specific data protection policies and procedures you may have.
  • Consider appointing a Data Protection Officer (DPO) to oversee all aspects of your data protection compliance, including your filing systems. 
  • Communicate the basics of information management to all employees.

Only create new files with specific approval of the person responsible.

Good indexing and titling are essential for effective information storage

  • Each file's title must be meaningful and must accurately reflect its contents.
  • Anyone who knows your system ought to be able to find the right file immediately.
  • If the nature of the contents changes you should leave the old file alone and create a new one.

Develop a clear tracking system for files

  • Any files that are removed from their normal locations should be signed out, so that they can be traced.

Do not allow files that spring up around projects to undermine the system

  • If any new project involves personal data, take a ‘privacy by design’ approach. Conduct data protection impact assessments where appropriate to ensure that personal data is protected.
  • Make moving project data into the main filing system the final phase of any project.

Discourage personal filing of documents. Not only is this unprofessional, it is also unsafe.

Filing dilemmas

Some information needs to be split between two files

For example, for notes about the IT training course that your employee, Smith, has just completed:

  • record the usefulness of the training course in the HR file HR/training/IT;
  • but record how Smith performed on the course in Smith's personnel record - HR/employee file/Smith.

Some information needs to be copied into two files

  • As well as filing it in the accounts department, you might need to copy an invoice (or an order) to your sales and distribution departments.

Problems can occur when people do not file items within the main filing system architecture

  • For example, a person running a training project may set up a second filing system, filing all the information in his or her own 'work-in-progress' file.
  • If the information is filed under Project/training folder, this information is never united with related information in the main Training files. The danger is that almost anything at all can be put under the Project category.

3. Making filing and records management work

For a paper filing system, write file names on the spines of (narrow) folders or ring binders

  • Write from the top downwards. Consistency means all the titles on a shelf can be read quickly.

If it is not obvious, put an outline of the contents on a record sheet in the front of each file

  • Include dates for each update.

Use colour to make different types of file easier to spot

  • Use a differently coloured file for each category. For example, red for sales and green for accounting.
  • Use coloured dividers to separate sections.
  • Use coloured paper (or mark the top right corner with a highlighter pen) for important documents. For example, an invoice, a contract, or a progress summary.

Do not let working files get too fat

  • Papers in a file will start to be damaged once it is more than about 3cm thick. Close the folder (insert a sheet saying: 'Folder closed, see Part 2'), mark it 'Part 1' and open a new folder for the same file (marked 'Part 2').

Store electronic documents where employees can access them

  • Files can be stored on a network server so that everyone can access them (subject to appropriate access controls).
  • Discourage employees from saving work-in-progress and other files locally (to their desktop or hard drive). Files saved this way may not get backed up and could be permanently lost should the computer fail.
  • No personally identifiable information should be stored in this way.

Use a 'general enquiries' folder for one-off enquiries that do not fit anywhere else

  • File all records in date order.
  • These records should be destroyed after a short time (six months is reasonable), if the enquiry has not come to anything.
  • One-off sales enquiries should be treated differently. They should be archived for five years because you may be able to sell your new products to these potential customers.

4. Filing and records security

In any business, some information needs to be kept confidential. Personal data must be protected, with access restricted only to employees who require it for their roles.

Physical files and digital files that need to be shared outside of the organisation pose a particular security risk. Your staff must understand these risks and their responsibilities to protect company data.

Confidential documents must be kept in locked cupboards or filing cabinets

  • Have a simple way of classifying and marking confidential files. For example, by adding an asterisk after the file's name.

Confidential material in computer files can be given appropriate protection

  • Protect files with strong passwords. Use a combination of letters, numbers and special characters. Avoid anything that can be easily guessed or ‘cracked’. Use a tool for testing your password security.
  • Files can be compressed and password protected using third-party utilities such as WinZip, or features built into Windows and macOS.
  • For highly sensitive material such as credit card details, use encryption software. Even free encryption software can give almost unbreakable protection.

You must have back-up systems in case of loss, theft or damage to files

  • Regular computer back-ups are essential. Encrypting those back-ups is equally important.
  • Back-up copies of important files must be stored in a secure, off-site location.
  • You need to know where all sensitive data is stored to comply with GDPR.

Limit the storage of data on laptops and other mobile devices

  • Discourage (and prohibit, where appropriate) employees from storing personal and/or confidential data on laptops and other mobile devices. Such devices are at greater risk of being lost or stolen.
  • If you must store personal data on a laptop or mobile device, ensure that the device’s storage (eg HDD or SSD) is encrypted and that the device itself is protected with a strong password or biometric security such as a fingerprint.
  • Be wary of unproven new security measures that could be easily compromised.

Install virus protection to safeguard information stored on computer

  • Computers connected to the internet should also be protected by a security 'firewall' against any unauthorised person attempting to access them.

Dispose of old files and computers containing confidential information in a secure fashion

  • Paper records should be shredded or disposed of through a recognised waste contractor.
  • Hard drives on redundant computers should be physically destroyed or securely 'wiped' to make all the data on them irretrievable. Unless you do this, data may remain accessible.

5. Legal issues

GDPR (the General Data Protection Regulation) covers how you must handle and store personal information

  • You must only keep personal information you need. You must ensure that it is held securely and delete (or otherwise dispose of it) when it is no longer necessary. The retention of personal data should be regularly reviewed to ensure that it is not being held for longer than absolutely necessary.
  • Where any personal information is to be used for a project, build privacy and data security into the planning process from the beginning.
  • Individuals have a range of rights under the GDPR including (but not limited to) the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to object to processing, and the right to data portability. These rights may have an impact on your filing and records management as you will need to respond quickly when an individual chooses to exercise one or more of their rights.

You are legally required to keep specified tax and financial information for a set period

Certain pieces of sensitive information must be kept confidential

  • Access to data should be limited and only given when it's essential to the role.
  • Failing to safeguard data could lead to data breaches and losses that could affect your reputation and damage your business.

Include clauses restricting use of company information in terms of employment

  • For example, salespeople may try to take a copy of the sales database when they leave. They should be advised that this is a breach of their terms and conditions and will be dealt with forcefully.

6. Filing and records management in the longer term

Be clear about how long you want to keep different types of files

  • Consider your business needs and how long you are legally required to keep data.
  • Keep paper records in good condition by storing them in boxes. Scan paper files into computer files if possible.
  • Move old records out of the main filing system and into an archive to keep your filing system efficient and uncluttered.

Apply sensible disposal schedules

  • Encourage people to get rid of material as soon as it isn’t essential for performing their role or is no longer useful.

If you need access to significant amounts of archived files, consider using a records management company

  • Each file is bar-coded and stored by the company ready for immediate delivery to you when required.
  • Legal, accounting and insurance companies use these services, as they cannot afford to mislay customer records.
  • Record management companies offer consultancy services and can work with other suppliers (such as software houses) to deliver an integrated service.
  • If personal data is involved, the GDPR requires a written contract (a data processing agreement) where a "data controller" (you) uses a "data processor" (anyone that does anything with personal data on your behalf). Such contracts must clearly set out each party's data protection responsibilities and liabilities.
  • Take additional care if any data (particularly personal data) is likely to be stored outside the UK or European Economic Area (EEA) as legal standards of data protection may be lower elsewhere. 

7. How long is long-term?

Accounting and tax

  • Accounting and tax records for an ordinary limited company must be retained for at least six years after the end of the tax period they relate to.
  • Self-employed sole traders or partnerships must keep their records for at least five years after the 31 January filing deadline.
  • If you file your tax return late, or HM Revenue & Customs starts an investigation, you may need to keep records longer.


  • Pay records must be kept for a minimum of three years after the end of the tax year the earnings relate to.
  • This includes sickness and sick pay records, and records relating to maternity pay, paternity pay and adoption pay.


  • VAT records and documents must be kept for six years.


  • Contracts should usually be kept for six years after the contract ends, though contracts under seal (such as deeds) should be kept for 12 years.
  • Legal claims under a contract cannot usually be brought outside these limitation periods, though there are exceptions.

Health and safety

  • Health and safety records should be kept for at least three years.
  • Records relating to hazardous substances may need to be kept longer. For example, asbestos records should be retained indefinitely in case of legal challenge.

Employers' liability insurance

  • The requirement to retain your compulsory employers' liability insurance certificates for 40 years ended on 1 October 2008. You should still keep records of the insurance in case a retrospective claim is made.
  • Employers must display their certificate of insurance at each place of business. The certificate can be made available to all employees electronically.


  • Download guidance on the tax records you need from HMRC.
  • Find data protection guidance from the Information Commissioner's Office (0303 123 1113).

Expert quote

"In practice, confidential information is at its most vulnerable when you decide it is not needed any more. Make sure papers or files are shredded. You do not want to be responsible for pages of personal records turning up on a landfill site." - Richard Beevers, Customer Plus
