Complying with Employment Record Requirements

[Learn the latest on staying compliant at the SHRM Annual Conference & Expo 2024. Join us in Chicago or online June 23-26 to access in-depth learning opportunities that will solidify your knowledge of HR fundamentals. Try a deep dive into tactical HR at a preconference Compliance Bootcamp.]

Overview

Record-keeping requirements can be confusing given that there are numerous regulations that govern some aspect of employer record-keeping and retention.

Not only do various federal agencies have their own record-keeping requirements, but individual state and local statutes and regulations must also be considered. Some of the provisions apply to most all employers, whereas others apply primarily to government contractors and subcontractors.

In addition, many of these obligations are dependent on the number of employees at a company.

Employers generate and receive a significant volume of records, and it is important for management to make a strong business case for implementing a comprehensive records management program. Key reasons include:

The HR function within an organization typically has the primary responsibility for record-keeping and retention/disposal of employment-related records. Governing laws often provide for civil monetary penalties and, in some instances, there are both individual and criminal liabilities.

Additionally, maintenance of employment records is critical to defending against employment-related litigation. In fact, an employer can be sued for wrongful destruction of employment records under the theory of spoliation of evidence. It is critical that employers ensure their workplace has in place effective procedures for creating and maintaining required records.

Guidelines for Policy Development

An effective workplace records policy is the blueprint for compliance with federal and state laws and regulations, as well as the practical guidance for consistent and effective records management and retention. Several key elements should be considered when developing, implementing and maintaining a workplace records policy.


Definition of "record." Clearly define what is meant by "record" so that the appropriate documents will be governed by the policy. Generally, records do not include drafts or documents that are works in progress, only final versions of documents.

Retention schedule. Identify the retention period for each category of documents. Certain records may be governed by more than one law; however, the periods of retention often vary, making it generally advisable to retain the information for the longest period required. Records related to pending claims or litigation should be retained until the matter is fully resolved. A summary of federal record retention requirements can be found in SHRM's online compliance resources.

Access. Limit access to those with a legitimate business need. Laws such as the Health Insurance Portability and Accountability Act (HIPAA) and data privacy regulations contain specific provisions for who may access information and how it may be used. In addition, define current and former employee rights to review and/or copy information within their personnel file.

Storage and format. Designate the specific location where records will be sent for retention, as well as the format in which the records will be maintained.

Security and privacy. Ensure the physical security of the records, whether stored in hard copy or electronically, to protect the confidentiality of employee records and the privacy of the information contained in them. See Employee Records Confidentiality Policy.

Destruction of documents. Identify how records will be disposed of once retention requirements have been met. Records containing confidential, personal or financial information should be shredded or incinerated to protect employee privacy and to comply with applicable laws.

Consistent policy implementation and periodic audits. Record retention rules and procedures must be consistently applied to ensure compliance. Periodically audit the policy and practice to ensure that internal requirements are current and are being followed correctly. See Record-Keeping Policy: Records Maintenance, Retention and Destruction.

Retaining Hiring Records

A hiring file includes the documents and actions taken for the hiring of each position. Included are job advertisements, resumes, employment applications, job orders submitted to any agency, interview evaluations, reference checks, results of physical examinations, employment test results, credit reports, validity documentation of tests used in the selection process, applicant data for candidates not hired, and related information. These records must be maintained for candidates that are hired as well as those that are not.

Federal contractors subject to affirmative action requirements must maintain records related to their hiring and selection, including advertisements; job postings; applications; resumes; interview notes; requests for reasonable accommodations; tests and test results; personnel files; rates of pay and other compensation; selection for training or apprenticeship; and other information regarding hiring, transfers, promotions, layoffs and terminations. As part of their record retention obligations, federal contractors must retain records relating to all individuals who meet the criteria of "Internet applicant," along with other employment records.

The Uniform Guidelines on Employee Selection Procedures (UGESP) are used by the courts to determine if unlawful hiring practices were the basis of a discrimination claim. Although not required by law, applicant tracking is recommended by these guidelines for all employers covered under Title VII and can be done pre-hire when it is part of an employer's decision to follow the guidelines. Adherence to these guidelines would strongly suggest an employer is free from unlawfully discriminatory hiring practices.

Maintenance of Employee Files

Employee files should be stored in a secure location and be kept strictly confidential. Access should be restricted to those with a legitimate need to know or as required by law. Several categories of records must be maintained according to specific requirements. See What should, and should not, be included in the personnel file?

Employee records to be maintained in personnel files

Certain records related to employees and their employment history should be maintained in an employee's personnel file. These records include:

Records to be Maintained separately from the Personnel File

Certain employee records should be kept separate from an employee's personnel file to protect the privacy rights of employees and to insulate employers from liability. This includes the following types of records:

Electronic Record-Keeping

Employers often choose to maintain records electronically rather than keeping paper files. This relieves the need for physical storage space for employment records over a span of many years, which may save money and time. Also, electronic storage facilitates easy retrieval of information and allows for efficient access to documents. Organizations may also elect to go paperless as part of a commitment to sustainability.

Employers have options when creating an electronic record-keeping strategy and numerous vendors and software platforms are available. A cloud-based or software-as-a-service (SAAS) approach allows companies to implement new processes faster, update software with greater ease and remove tech support burdens from HR. On the other hand, some professionals find that private on-premises systems offer more control in determining how to use, store and locate data. See What factors should we consider when converting personnel files from hard copy to electronic format?

Compliance guidance is provided for certain types of records such as I-9 forms and OFCCP rules for federal contractors.

For an overview of specific requirements by type of record, see:

Access to Personnel Files

Many state laws require employers to allow current and/or former employees access to the contents of their personnel file. Employers need to understand the requirements of the law in the state(s) where their employees work and define internally what access is permitted in states where there is no regulatory requirement. Some considerations include:

A multistate employer needs a flexible policy, so it is applicable to all employees. For example, a statement such as "Access to personnel files will be provided according to state law" is appropriate.

Security of Employment Records

Employers must implement safeguards to protect personal employee information. Identity theft has become a top consumer fraud issue, and the Federal Trade Commission (FTC) reports that identity theft tops the list of consumer complaints that are reported every year. Every employer maintains records that are at risk of theft and misuse; therefore, employers should develop processes that protect this sensitive employee information.

Record Retention

There are numerous federal and state laws that govern retention of employment records. Employers must ensure that all records are maintained, either in hard copy or electronically, for the minimum period of time required. Often, employers will use a 7-year rule for purging terminated employee files as this typically covers state and federal statutes of limitations; although shorter retention periods may suffice for some records such as I-9 forms and longer periods may apply to other records such as OSHA exposure records. SHRM has a chart on federal record retention requirements to assist in identifying statutory requirements.

While most record-retention requirements are dictated by federal or state statutes, there are some situations where no time period is prescribed. The Uniform Preservation of Private Business Records Act (UPPBRA) sets a three-year time limit for records without a statute-specific retention period. This uniform law has been enacted by a number of states and provides a general guideline in others, although employers should consult with legal counsel to determine their individual compliance obligations and suggested best practices.

Document Destruction

Once an employer has fulfilled the requirements to retain employment records, an effective disposal plan must be adhered to. Simply tossing employment records in the trash creates a significant risk of theft or misuse of employee information that may result in regulatory investigations, fines, potential civil lawsuits, bad publicity and damage to the employer's brand.

When employment records contain personally identifiable information (PII) such as a name, address, Social Security number, etc., employers must securely dispose of this information.

The Federal Trade Commission (FTC) recommends the following disposal practices: