It seems like an easy task, and often is delegated to an entry-level HR or Administrative staff member – filing.  However, significant company liability issues and penalties can result from improper employment recordkeeping.  Best practices would include:

1. An up-to-date, written procedure outlining the employee personnel file structure, system, retention schedule and destruction authorization and process
2. Dedicated file space or server space that remains locked/protected and is only accessed by a limited number of HR and/or senior managers, on a need to know basis
   
3. Regular reviews of file content, with a focus on maintenance, compliance and retention/destruction practices
   
4. An up-to-date, written procedure for maintaining confidentiality of any personnel files stored offsite
   
5. An up-to-date, written policy and procedure for handling employee requests for access to their personnel file
   

The responsibility for protecting employee data is not only dictated by regulations, but also involves the expectations of candidates, employees, and former employees that an employer who requests sensitive information (i.e., Social Security number, health information, bank account number, etc.) will have strong safeguards in place to protect the data from being seen by those who do not need access, or from being stolen.

File Missteps

According to information posted by the Society for Human Resource Management (SHRM), most employers find themselves in trouble as a result of the following issues:

Medical privacy – HIPAA Security , HITECH Act , and ADA all have requirements for protecting the medical information of employees.  All medical information related to an employee should be maintained in a confidential and separate file from the employee’s personnel file.  Access to this information, on a need to know basis, should be scrutinized and authorized by the HR Manager.

Nondiscrimination – It’s important to maintain all employee files in the same manner.  Supervisors should have access to these files when they are involved with making a personnel decision.  In most situations, employees will have the right to review their file, usually with the supervision of the HR Manager.  To avoid any misconceptions of discrimination, the employment file should only contain information that is relevant to the individual’s employment.  Anything that is not relevant or contains information that distinguishes an employee’s protected class (i.e., optional disclosure statement from the Employment Application of ethnicity for Affirmative Action purposes) should be kept in a separate and confidential file.

Identity theft – Sensitive information is generally shared by the employee for payroll purposes (i.e., social security number, bank information, etc.).  However, depending on circumstances, the employer may also receive information relative to background investigations, garnishment information, etc.  Employers are held to a high standard for security and maintenance of this data.  If records are accessed it’s the employers responsibility to give adequate notice to employees so steps can be taken to protect them from identity theft.

Records retention – Employers are responsible for following local state retention laws, as well as federal laws which may sometimes be in conflict with each other.  Often the company’s legal counsel will establish and maintain the records retention schedule to ensure consistency across the organization.

Records destruction – As stated above, every organization should have written procedures on records retention and destruction.  The Fair Credit Reporting Act and Sarbanes-Oxley legislation include specific methods of destruction of reports and working papers.  Organizations should seek legal counsel advice on purging and destruction schedules.  Under discovery and e-discovery laws, it is illegal to destroy documents related to a current or potential lawsuit.  The laws allow for records to be subpoenaed back farther than the record retention laws requires, and if those records are not already destroyed, they are discoverable.  This is a good reason to keep current with your destruction schedule.

I-9 Audits – As with other violations of personnel file regulations, non-compliant I-9 files and forms can bring significant penalties.  I-9 forms should be reviewed, prior to signing off to ensure they are completed properly and that adequate, valid documentation was provided.  Periodic reviews of the I-9 forms should be completed and any mistakes discovered should be documented and corrected immediately.  I-9 forms should be maintained in a confidential and separate file and not included in the employee’s personnel file.  Keeping the I-9’s for current employees in a notebook with alphabetized dividers will make it quick and easy for you to produce an I-9 if requested, or make it easy to produce the documentation needed for an I-9 audit.

Actions Worth Taking

Rather than risk the penalties associated with improper recordkeeping, it’s worth your time to conduct annual audits of your personnel records.  Along with the audit, ensure that related written policies and procedures are up-to-date and properly executed.  With sufficient instructions for timely and accurate processing of personnel file information, in a confidential and secure manner, your organization will be well on the way to ensuring compliance with employment documentation handling.