The Personnel File

As a best practice, employers should maintain a personnel file for each employee. Personnel files should contain data related to employment. Personnel files should not contain medical information and certain other types of information.

Medical information should be stored in separate and confidential medical files.

Examples of job-related information that belong in a personnel file include:

  • Resume, employment application, offer letter
  • Job description
  • Employee classification (exempt from overtime or non-exempt)
  • Hire date
  • List of company-issued property
  • Salary history
  • Form W-4
  • Direct deposit authorization
  • Signed handbook acknowledgment
  • Employee number
  • Performance evaluations
  • Performance goals
  • Discipline records
  • Records of promotions, demotions, or transfers
  • Grievances
  • Records of trainings completed

If the employee was hired through any sort of special recruitment process (under an Affirmative Action program, for instance), employers should retain copies of the job posting and other tools and resources used in the recruiting effort. To the extent these documents reveal personal, sensitive information about an applicant, retain them in a separate file.

When an employee leaves the company, his or her personnel file should be updated to include the exit interview report (if applicable), separation/resignation letter, and reason for leaving.

Maintaining Multiple Files

All personally identifying information should be kept separate from employee personnel records. The Americans with Disabilities Act (ADA) requires that all information obtained from employee medical tests be kept on separate forms, in separate medical files, and treated as confidential. This includes, but is not limited to:

  • Doctor’s notes and medical certifications
  • Requests for medical leave
  • Short or long-term disability records
  • Drug and alcohol testing records
  • Benefit enrollments and claims histories

In addition, an employee’s main file should not include anything that may contain sensitive information or may reveal a protected characteristic under federal, state, or local nondiscrimination laws, such as:

  • Date of birth or age
  • Gender
  • Marital or family status
  • Medical history or genetic information
  • National origin or citizenship
  • Religion
  • EEO records and self-identification forms
  • Affirmative action data
  • Background check reports (employees)
  • Supporting I-9 documentation (e.g., social security card, driver’s license, passport)
  • Investigation records, including witness statements, evidence, and investigation results
  • Litigation documents
  • Other personal information unrelated to the job or company

ADA and Title VII Recordkeeping Requirements

The Americans with Disabilities Act (ADA) and Title VII of the Civil Rights Act require employers with 15 or more employees to retain certain records for a period of one year from the date the records were made, or the date of the personnel action involved, whichever is later. These records include:

  • Resumes
  • Application forms
  • Interview notes
  • Notes pertaining to reference checks
  • Records of promotion, transfer, demotion, layoff, termination
  • Rates of pay
  • Applications for disability benefits
  • Requests for reasonable job accommodations

In addition, the ADA requires employers to keep employee medical information in files separate from employee personnel files. Access to these files should be severely restricted.

OSH Act Recordkeeping Requirements

The Occupational Safety and Health Act (OSH Act) requires certain employers with 11 or more employees to record work-related injuries and illnesses that result in death, loss of consciousness, medical treatment beyond first aid, days away from work, restricted work activity, or job transfer. Covered employers must record these incidents using Forms 301, 300, and 300-A.

Exemptions: Employers in certain low-hazard industries, including retail, service, finance, insurance, or real estate, are exempt from the OSH Act’s injury and illness reporting requirements.

OSHA Form 301: Injury and Illness Incident Report

Within seven calendar days of receiving information that a recordable work-related injury or illness has occurred, employers are required to complete Form 301. Form 301 requests information about the incident, including what the employee was doing at the time of the incident, how the injury occurred, and what type of treatment the employee received.

OSHA Form 300: Log of Work-Related Injuries and Illnesses

Use OSHA Form 300 to record all instances of work-related injuries and illnesses for the calendar year. This report requests: employee name, job title, date of injury, where the event occurred, a description of the injury or illness, and the number of days the worker was away from work.

OSHA Form 300A: Summary of Work-Related Injuries and Illnesses

At the end of each year, covered employers must prepare Form 300A. This report summarizes the year’s work-related injuries and illnesses with the total number of incidents by type. Each year between February 1 and April 30, employers must post the summary report in a conspicuous area of the workplace, even if no injuries and illnesses were reported.

Privacy Concern Cases

Employers must consider the following types of injuries or illnesses to be privacy concern cases: an injury or illness resulting from a sexual assault, a mental illness, a case of HIV infection, hepatitis, tuberculosis, a needlestick injury or cut from a sharp object that is contaminated with blood or other potentially infectious material, and other illnesses, if the employee independently and voluntarily requests that his or her name not be entered on the log.

Instead of entering the employee’s name in the space normally used for it, employers are to enter the words “privacy case”. Employers must retain a separate, confidential list of which case number is associated with which employee.

Retention Period:

These OSHA logs must be maintained for a period of five years following the year to which they relate. In addition, employers have an obligation to update the OSHA 300 log if the status of a case changes or new information is discovered at any point within the five-year retention period.

OSHA Required Medical Examinations

Employers must also maintain records of any medical examinations required by OSHA. These records must be retained for 30 years following the employee’s separation from the company. All medical records must be maintained in a separate secure file with access severely restricted.

Hazardous Substance Reporting

The OSH Act requires employers to maintain Safety Data Sheets (SDS) for each hazardous chemical within the workplace. The SDS is a document prepared by the chemical’s manufacturer that describes the physical and chemical properties, health hazards, routes of exposures, precautions for safe handling, emergency and first-aid procedures, and protective measures. Employers are required to keep on file the most recent SDS for each hazardous substance and make it readily accessible to employees in their work areas. If exposure to toxic or hazardous agents occurs, employers are to keep records related to the incident for a period of 30 years.

State Requirements

Your state may have its own health and safety reporting and recordkeeping requirements that differ from federal law. Check your state requirements to ensure compliance.

ERISA Recordkeeping Requirements

The Employee Retirement Income Security Act (ERISA) requires all employers who maintain employee retirement plans to retain the following records for six years:

  • Annual reports
  • Summary plan descriptions (SPDs)
  • Notice of plan changes, amendments, or termination
  • Welfare and pension reports