Recent research by PwC suggests that three-quarters of large organizations suffered a staff-related security breach during 2015, with half of the worst cases caused by human error. Educating employees on best practices to keep sensitive data secure is something HR will need to focus on in the years to come. This doesn’t exclude employee records. That’s what today’s reader note is all about.
Hi, I recently began working in the HR department at a new company. I’ve noticed a lot of things that seem unorganized and strange. My biggest concern is personnel file compliance. Basically, I read a lot of online information dictating how they should be organized, but I’m curious about which of these details are “required” and which are “recommended.” For example:
- The personnel, medical and termination files are all being filed separately. However, they are all in the SAME room.
- The records room is simply in one of the main hallways, right in the front of the HR office. It is usually wide open and NONE of the file cabinets have locks.
- In a personnel file, is it required to have no sensitive information (such as social security numbers) on any documents and/or other forms?
I just want to make sure we’re compliant. Any help would be greatly appreciated!!
To help us understand our obligations, I asked a labor attorney to share his thoughts. Mark Neuberger is with the firm of Foley & Lardner. He has shared his knowledge with us before – this post about the proper way to terminate someone is one of my favorites.
I know I don’t have to remind you, but just in case, please remember that Mark has a regular full-time job and he’s doing this to give back to the profession. His comments should not be construed as legal advice or as pertaining to any specific factual situations. If you have detailed questions, you should address them directly with your friendly neighborhood labor attorney.
Mark, are there laws regarding how organizations should maintain employee records? And if so, are the laws federal, state or both?
[Neuberger] While there are a multitude of recordkeeping requirements in virtually every employment and tax law, generally there are no federal laws establishing what must be in a ‘personnel’ file and how they should be maintained. An exception is found in the Americans with Disabilities Act (ADA) which says employee medical records must be stored in a separate file. Similarly, the Genetic Information Nondiscrimination Act (GINA) requires medical and genetic information to be stored separately. There is no guidance on how far away the files must be.
What is a best practice when it comes to sensitive employee info (like social security numbers) on employee records?
[Neuberger] In today’s WikiLeaks world, everyone is becoming increasingly sensitive to privacy concerns. Every HR department in even the smallest company has a LOT of sensitive information. There can be liability to the company for leaks, hacks and inadvertent disclosures. There is no one ‘best practice’ that I am aware of. How you store sensitive data (hard copy/electronically) will dictate what you need to do. My experience tells me most HR departments, and in fact most companies, are way behind the curve in ‘hardening their firewall.’ This requires specific expertise oftentimes not found within your company and will require spending money.
I think the lock question is an excellent one. Is it enough to have employee records in a locked room or do they need to be in a locked cabinet – or both? Is there a best practice HR should consider for during the work day when we’re constantly going in/out of the filing cabinets?
[Neuberger] Again, I know of no one best practice. Ask yourself, ‘Can anyone other than those with a need to know get at the good stuff?’ If the answer is ‘yes,’ then you need to fix it.
What about medical files? Should employee medical information be separate from the rest of their personnel file?
[Neuberger] As mentioned above, the Americans with Disabilities Act requires it. There is additional guidance available on the EEOC’s website at www.eeoc.gov.
Lastly, the reader didn’t ask about employee records retention, but there are legal requirements on how long organizations must keep files. Where can readers find out records retention requirements?
[Neuberger] There are so many differing record retention requirements depending upon the federal, state or even local law. Do not forget about the Internal Revenue Code and state tax laws because your payroll records are also tax records. Unfortunately, I know of no one reliable source that collects everything you need to know in one place.
(Editor’s Note: The Society for Human Resource Management (SHRM) offers a Records Retention Toolkit that can help you get started.)
My thanks to Mark for sharing his knowledge. If you want to learn more, check out Foley & Lardner’s Labor and Employment Law Perspectives blog.
As you can see, there’s no one rule to follow when it comes to personnel files. But one thing is apparent: HR departments must send the message to candidates and employees that the information they provide is secure.
Image taken by Sharlyn Lauby after speaking at the Healthcare Human Resources Association Conference in Stillwater, MN