In the age of the Digital Personal Data Protection (DPDP) Act 2023 and the New Labour Codes 2025, many HR managers face a genuine dilemma: Should we delete data to stay private, or keep it to stay compliant?

The answer lies in the 8-Year Rule. Under Indian law, deleting an employee's payroll history too early is not just a storage choice — it's a statutory violation. Here is what the law requires, what the April 2023 Audit Trail mandate means for your software, and how ZiacPay's Statutory Vault keeps every record safe.

⚠️ The Core Dilemma

DPDP says minimise data. Labour law says retain it. The resolution is purpose-bound retention — keeping records for precisely as long as each statute requires, in a secure, auditable system.

8 YrsMinimum retention under the Companies Act (Section 128)
10 YrsIT Act lookback if escaped income exceeds ₹50 Lakhs
Apr 2023MCA Audit Trail (Edit Log) mandate effective date

Indian laws are explicit about how long you must be able to "produce" records during an inspection. Three statutes create the core retention obligations for payroll:

Companies Act, 2013

Section 128 — Books of Account

Every company must preserve its "books of account" and relevant vouchers for a minimum of 8 financial years. Since payroll is a significant business expense, salary registers, bonus logs, and payslip records fall directly under this requirement.
🗓 Mandatory Retention: 8 Financial Years
Income Tax Act, 1961

Section 149 — Assessment Reopening

While a standard audit lookback is 6 years, the department can reopen assessments for up to 10 years if "escaped income" is suspected to exceed ₹50 Lakhs. For cases involving foreign assets, this window extends to 16 years.
🗓 Safe Retention: 10 Years (16 for foreign assets)
Code on Social Security, 2025

PF Inquiry Lookback Period

The lookback period for PF inquiries has been capped at 5 years to prevent "inspector raj." However, maintaining the underlying payroll data for 8 years remains the safest practice for defending against litigation or "Damages" claims under the code.
🗓 Safe Retention: 8 Years (5-year inquiry cap)

2. The "Audit Trail" Mandate (April 2023)

As of April 1, 2023, the Ministry of Corporate Affairs (MCA) mandated that every company using accounting software must have an Audit Trail (Edit Log) feature enabled at all times.

🚨 What This Means in Practice

You cannot simply keep a "Final" version of a payroll sheet. You must maintain a digital log of every change made to that data — who made it, when, and what the original value was.

⚡ The Audit Risk

If an auditor finds that you modified a salary structure in 2024 but cannot produce the "original vs. edited" change log in 2026, the entire record can be deemed unreliable — exposing you to penalties even if the underlying numbers were correct.

How does this connect to HRMS audit readiness?
Read our HRMS Audit Checklist (2026) for the full picture on what auditors examine — and how to ensure every data point is defensible.
Read

3. Record Retention Checklist by Statute

Use this quick-reference table to confirm your current retention periods against each legal requirement:

Document Type Primary Act Mandatory Duration
Salary Registers / Muster Rolls Companies Act / Wage Code 8 Years
PF & ESI Contribution Logs Code on Social Security 5–8 Years
Form 16 & Form 24Q (TDS) Income Tax Act 8 Years
Gratuity & Bonus Registers Code on Social Security 8 Years
Accident / Injury Reports OSHWC Code Permanent / 30 Years

How ZiacPay Protects Your History

Manual filing is prone to moisture, fire, or "misplacement." More critically, physical records cannot satisfy the MCA's Audit Trail mandate — there is no edit log on a paper register. ZiacPay's Statutory Vault automates the entire archiving process.

  • Immutable Audit Trail: Every change to a salary structure, tax regime, or employee record is time-stamped and logged with the "before" and "after" values — satisfying the MCA Edit Log mandate from day one.
  • Cloud-Native Encrypted Storage: Every ECR, TDS return, Form 16, and payslip is stored in an encrypted, geo-redundant cloud environment — no risk of fire, flood, or physical misplacement.
  • Statute-Aware Retention Rules: The Vault automatically applies the correct retention period to each document type — 8 years for salary registers, permanent for accident reports — and flags records approaching deletion eligibility for HR review.
  • One-Click Retrieval: Any document from any period can be retrieved instantly by employee, date range, or document type — providing inspectors with a machine-readable audit trail in seconds, not hours.
  • DPDP Compliance Mode: Once the mandatory retention period has elapsed, ZiacPay flags the record for compliant deletion — resolving the privacy vs. retention dilemma automatically.
✅ ZiacPay Statutory Vault

Manual filing is the number one reason payroll records are deemed "unreliable" during inspections. ZiacPay's Statutory Vault turns your entire payroll history into a court-admissible, instantly retrievable, always-current archive.

Conclusion: Retention is Not Optional

The 8-Year Rule is not a best practice — it is a statutory minimum enforced across the Companies Act, Income Tax Act, and Labour Codes simultaneously. And with the April 2023 Audit Trail mandate, keeping the right version of records is just as important as keeping the records themselves.

Is your payroll data stored in a way that would survive a statutory inspection today? Book a ZiacPay Demo to see the Statutory Vault in action — or download our Record Retention Guide for Indian Employers for a full statute-by-statute breakdown.

📅 Book a ZiacPay Demo Download Retention Guide →
RS

Rahul Sharma

Head of Compliance & Payroll Products, ZiacPay

Rahul has 12+ years of experience in Indian labour law and statutory compliance. He leads the compliance product team at ZiacPay, translating complex legislative changes into practical, automated solutions for Indian SMEs.