HR Newsletter

Spring 2018 Edition

Your Recordkeeping Checklist for Spring Cleaning

A number of federal, state, and local laws dictate which records employers must retain, for how long, and who should have access to those records. Here's a checklist to help you review your company's recordkeeping practices:

check Are personnel files complete for each employee?

Review each personnel file to ensure that it includes all relevant employment information. Generally, personnel files should contain records related to:

  • Hiring (resume, offer letter, etc.) and onboarding, promotion, demotion, transfer, layoff or termination
  • Status as exempt or non-exempt
  • Rates of pay and salary history
  • Training records
  • Job descriptions
  • Employee handbook acknowledgments
  • Performance reviews and any disciplinary actions taken against the employee

check Do you keep separate files for medical and other sensitive information?

Some laws specifically call for certain records to be kept in a separate confidential file. The following information should NOT be kept in personnel files:

  • Any information reflecting an employee's membership in a protected group, such as their voluntary self-identification of gender, ethnicity, or race, veteran's status or as an individual with a disability.
  • Any document relating to an employee's health or medical condition, including doctor's notes and medical certification forms, drug test results, and accommodation and leave of absence requests based on an employee's injury or disability.
  • I-9 forms and supporting identity and work authorization documents. It is a best practice to store all I-9 forms together in one file, since they must be produced promptly following an official request.
  • Records concerning workplace investigations (written statements from all relevant parties, interview notes, final investigation report, etc.) should be kept in a separate workplace investigation file.

check Do you have a completed I-9 Form for each employee?

Employers must complete and retain an I-9 for every employee hired in the United States on or after November 6, 1986. Employers must retain I-9 forms for at least three years, or for one year following the employee's separation from the company, whichever is later. If an I-9 was never completed or it is missing, complete the current version of the form as soon as possible. If you discover that the wrong version of the I-9 was completed at the time of hire, but the documentation presented was acceptable under the rules in place at the time, you may:

  • Staple the outdated completed form to a blank copy of the current version; and
  • Sign the current blank version and note why the current blank version is attached (such as, wrong edition used at time of hire).

Note: In 2017, the U.S. Citizenship and Immigration Services (USCIS) released a revised version of the I-9. Employers were required to begin using it by September 18, 2017. The latest version is dated 07/17/17.

check Do you avoid using SSNs to the extent possible?

To protect against identity theft or other fraud, take appropriate steps to avoid transmitting, printing and using employees' Social Security Numbers (SSNs) whenever possible. For example, consider assigning an employee identification number to each employee, which can be used as a unique identifier on employee time cards and personnel files. Note: Many jurisdictions have specific rules restricting employers' use of SSNs. For instance, with limited exceptions, New York generally prohibits employers from requiring employees to use or print their SSNs or any number derived from their SSN (such as the last four digits).

check Are records retained for at least the minimum period required by law?

Various laws establish minimum retention periods, some of which extend well beyond termination. Some federal record retention requirements are outlined below, but state and/or local requirements may vary.

Type of Record

Minimum Retention Period

Hiring Documents (including job descriptions, advertisements, applications, resumes, interview questions and notes, background and reference check materials)

1 year from the date the records were made (hires and non-hires). If a discrimination complaint is filed, records related to the case must be kept until the final disposition of the complaint or lawsuit.

Performance Records (including records relating to promotion, discipline, demotion, layoff, or termination)

1 year from the date the records were made, or from the date of the personnel action involved, whichever is later. If a discrimination complaint is filed, records related to the case must be kept until the final disposition.

Accommodation Requests (for pregnancy, disability, or religious practices)

1 year from the date of the decision, but employers may want to keep them for the duration of employee's employment. If a discrimination complaint is filed, records related to the case must be kept until the final disposition.

Employee Exposure Records (toxic substances)

30 years

Employee Medical Records

Duration of employment plus 30 years

ERISA & Benefits Records (including summary plan descriptions, annual reports, notices of reportable events, and plan termination documents)

6 years

Family and Medical Leave Records (including dates of leave, medical certifications, employer-provided notices, and premium payments)

3 years

Form I-9 (Employment Eligibility Verification Form)

3 years after employment begins or 1 year beyond termination, whichever is later

OSHA Logs (including incident reports and annual summaries: Forms 300, 300A, and 301)

5 years following the year to which they relate

Payroll & Tax Records (including employee name, occupation, address, social security number, wage rate, number of hours worked daily and weekly, gross wages, deductions, allowances claimed, net wages, overtime, date of each payment, federal income tax and FICA withheld, Form W-4, etc.)

4 years for records required for tax purposes. Otherwise, 3 years.

check Are records kept securely?

Establish adequate administrative, technical, electronic and physical controls to properly secure employee records. Paper records should be stored in a locked location, with access limited to one individual who is chiefly responsible for maintaining the files. Electronic records should be encrypted, password protected (which should be changed frequently), and maintained on a secure server. Evaluate electronic systems regularly to ensure that new technology and viruses do not compromise security.

check Is access to records restricted to those who need to know?

Verify that access is restricted to those who have a need to know the information. For example, managers should only be given access to performance information, such as their employees' attendance records and performance reviews. Keep a log of who accesses employee records, the date of access, and why. If employee records are stored electronically, ensure that the software is able to control and log when records are accessed and by whom. Audit paper and electronic logging systems frequently to help ensure access is properly traced.

check Are employees granted access to their own personnel files in accordance with state law?

Several states require employers to grant employees access to their own personnel file upon request. If you're not subject to this type of requirement, you can decide whether or not you will grant employees access to their files. However, the practice must be applied consistently—that is, if you permit one employee to view their records, you must allow access under the same conditions for all employees who request it. It's a best practice to keep records of when employees request and access their files.

check Are records disposed of properly?

Generally at the end of the retention period, employers must dispose of all employee records so that they can't be read or reconstructed. Examples include, but are not limited to, burning, pulverizing, or shredding the records; ensuring the destruction or removal of electronic media containing the employee information; and contracting with a reputable third party vendor to properly dispose of the records in compliance with all applicable regulations.


When running a business, documents can pile up quickly. Make sure you are devoting the time and resources to ensuring that your recordkeeping practices comply with federal, state, and local laws.