How Long to Keep Employee Files: 5 Great Tips for Compliance
Keeping accurate and organized employee records is a critical part of HR, not only as a business function but also as an important legal protection. HR compliance mistakes can financially devastate businesses with penalties and legal expenses. In one recent case, two healthcare staffing agencies were required to pay out $2.4 million in back pay and damages to misclassified employees.
In addition to being risky to your business’s bottom line, incomplete data and disjointed systems can create HR headaches. Employee records, or personnel files, are important documents that track the employee journey. Not retaining employee records limits your ability to develop evidence-based people strategy and puts you in a bad position when someone wants to review a past policy or incident.
In this article, we’ll answer your biggest questions about managing employee records, including how to:
- Store and maintain employee records
- Stay compliant
- Handle employee record audits
- Protect employee data
- Dispose of employee records
Read on to learn how to keep your employee records accurate, up-to-date, and compliant, so you can focus on peoplework, not just paperwork.
How long to keep employee files
The length of time you need to hold onto employee records depends on the type of document and your state and local regulations. Many employers stick to a seven-year rule for retaining employee documents, which complies with most laws regarding employee records.
However, some documentation, such as hazardous exposure records for OSHA, must be kept for much longer than seven years. With that in mind, it’s always important to check specific requirements before disposing of any employee records.
Review your recordkeeping policies with your legal counsel to ensure you’re in compliance with all applicable laws. Here are some good rules of thumb to get you started.
Employee personnel file documents: 2+ years
As a general rule of thumb, keep all general employee personnel files for at least two years. This should cover your bases for most legal regulations, as well as keep you prepared for any inquiries about your employment practices.
Employee personnel files can include any of the following documents:
Hiring and applicant tracking documents
- Job description
- Job application and cover letter
- Pre-employment tests
- Interview notes
- References
- Background check
Employees’ personal data
- Name
- Address
- SSN
- Contact information
- Any document with an employee signature
Onboarding documents
- Offer letter
- Noncompete clauses or other contracts
- Orientation checklists
- Employee handbook receipt
Employee performance records
- Completed trainings
- Performance evaluations
- Pay rates and changes
- Job titles, promotions, or position changes
- Leaves of absence
- Transfers
- Disciplinary actions or complaints
- Layoff or termination information
Be sure to keep all hiring records, including interview notes, resumes, drug test results, and any other documents related to the hiring decision for at least one year after making the hire, unless state law dictates otherwise. This year-long period doesn’t start until your hiring decision is official—after the offer letter has been accepted.
Maintaining employee hiring records for at least this long will help your organization show that your hiring process is fair and unbiased if questions arise down the road.
Likewise, performance or disciplinary records should be kept for at least two years after the employee’s termination date, so they can be available in the case of an unemployment claim or lawsuit.
Employment eligibility documentation: 3+ years
Your company should keep an employee’s Form I-9 for at least one year after termination or three years from their hire date, whichever date is later. These rules come from US Citizenship and Immigration Services; they offer a handy calculator on their website to help you figure out how long you need to keep these employee records.
Because Form I-9 contains personal information protected by the EEOC, like age and national origin, it’s best to keep these files separate from general personnel files. Doing so will ensure better compliance with anti-discrimination laws and allow you to quickly access employment eligibility documents if requested.
Family and Medical Leave Act (FMLA) documents: 3+ years
If an employee exercises their right to family or medical leave (FMLA leave), you must keep proper documentation to prove compliance with the law. Whenever an employee requests FMLA leave, you should immediately begin maintaining related records, even if your organization ultimately denies that employee’s request.
The FMLA requires that employers keep any related records for at least three years. These records include:
- Payroll data
- Identifying employee data
- Dates of FMLA leave, including hours if leave is less than one day (record must indicate that the absence is FMLA leave)
- Notice of leave from the employee
- Notice of eligibility from the employer
- Documentation of the company’s employee leave policy
- Premium payment records for employee benefits
- Records of any disputes regarding FMLA leave requests
Make sure to keep any FMLA-related medical records of the employee or their family members confidential and separate from their regular employment records. It’s also worth checking with your legal team to ensure your recordkeeping is in compliance with applicable privacy laws, such as the Genetic Information Nondiscrimination Act and the Americans with Disabilities Act.
Payroll and tax records: 4 years
Retaining payroll records and tax records can get a little confusing. There are a lot of documents related to payroll, and just as many regulations. It’s best to err on the side of caution and speak with a professional about how long to keep employee records around pay, but here are some basic rules to get you started.
Per the IRS, employers should maintain employment tax records for at least four years. This will ensure you’re prepared for any audits or information requests. These retained tax records should include:
- Your employer identification number (EIN)
- Amounts and dates for all wage, annuity, and pension payments
- Payment records for paid sick leave
- Documentation of all tips reported by employees and a record of allocated tips
- Record of all in-kind wages paid, with market values
- Records of expense reimbursements and fringe benefits issued to employees
- Names, SSNs, dates of employment, and occupations of all employees
- Copies of every employee’s Form W-4
- Any copies of employees’ Form W-2 that were returned as undeliverable
- Documentation of tax deposits
- Copies of filed tax returns
- Documented proof of all claimed tax credits
Additionally, the Fair Labor Standards Act (FLSA) requires employers to keep the following payroll-related employment records for at least three years:
- All payroll records
- Collective bargaining agreements
- Sales and purchase records
The FLSA also mandates that employers retain all wage calculation records for at least two years, including:
- Timecards
- Piecework tickets
- Wage rate tables
- Work and time schedules
- Records of additions or deductions from wages
Benefit records: 6+ years
The Employee Retirement Income Security Act (ERISA) requires organizations to keep employee records around retirement plans, such as fiduciary plan documents, contracts and agreements, participant notices, and compliance documents, for as long as the employee is enrolled, and then for at least six years from the date the last retirement plan report (Form 5500) was filed.
In addition to these regulations on retirement plans, the EEOC requires employers to retain a record of any employee benefit plan (such as a health insurance plan) for the entire time the plan is active, plus a full year after the plan is terminated.
Medical records: 30+ years
If an employer keeps any employee medical records, it’s important to be extra attentive to their proper storage and retention. Not only can medical records be relevant to a wide range of legal matters, but they may also fall under the purview of OSHA, which requires employers to keep certain employee medical records for at least 30 years.
Examples of employee medical records and other health-related documentation include:
- Employee physicals or medical examinations
- Requests for health-related leaves of absence
- Medical-related job accommodations or restrictions
- Workers’ compensation, accident, or injury reports
- Any physician-signed paperwork or recommendations
- Research that uses employee medical data (such as toxic material exposure studies)
Note that if you have official employee medical records (as opposed to regular personnel files that may include health information disclosed by the employee), they are protected under the HIPAA privacy rule. Make sure you store all medical records securely and separately from other personnel files to protect employees’ confidential information.
How to store and maintain employee records
Knowing which employee records you need to keep and for how long is one thing, but how do you properly maintain employee records so they’re organized, accurate, and secure? There are three popular methods for keeping employee records—here’s a breakdown of each.
Best option: HRIS
There’s a reason so many HR professionals opt for cloud-based employee databases. An HR information system, or HRIS, gives you access to all your employee records in a single, secure source.
It’s easier to stay organized when you aren’t dealing with multiple systems, spreadsheets, or hardcopy files—all the documents you need are just a few clicks away. Plus, with advanced reporting and analysis tools, you can put all that employee data to good use as you elevate your people strategy.
As you choose an HRIS, look for a comprehensive, easy-to-use platform that brings all your HR tech into one place, including features for payroll, time tracking, benefits administration, and performance management.
Spreadsheets
For smaller organizations, spreadsheets may seem like an appealing option for employee records management. Spreadsheet software may be more affordable than an HRIS, and can be a simple, accessible option for your team. However, as your company grows and your recordkeeping becomes more complex, you may need to upgrade.
Spreadsheets can quickly become unwieldy, turning into an inscrutable web of tiny cells where information is impossible to find. Additionally, using spreadsheets for recordkeeping can present security and compliance risks: even if the file is password-protected, confidential employee data often requires a higher level of cybersecurity.
To ensure data stays secure and your organization is compliant with recordkeeping regulations, it’s best to move your records into an HRIS that’s designed with employee data laws in mind.
Physical records
While an HRIS is the ideal option for keeping records secure, accurate, and accessible, there are still situations where companies may be using hardcopy files. For example, if your organization existed before digital filing was an option, you may still be managing the storage of older physical employee records.
This may also be true for a sole proprietorship or small business that made the transition to an HRIS later in the company’s lifespan. Or depending on the nature of your organization, hardcopy files could simply be the best option for the work environment or your team’s technological skill level.
That said, it’s a good idea to digitize your physical employee records. Securely storing paper documents takes up a lot of space, and there’s a greater risk of files being lost or damaged. By taking the time to scan records onto your computer and uploading them to an HRIS, you can keep employee records safe and accessible—and eliminate those trips down to a dusty storage basement!
Once you digitize your physical records, you can either save the hardcopies if it’s necessary for your business, or you can properly dispose of them with a paper shredder.
How to protect employee data security and access
A data breach comes with an enormous cost in customer confidence, employee trust, and your bottom line. Prevention is the best defense, so make sure your HRIS vendor and your own organization employ data protection measures like defense-in-depth strategies, zero trust architecture, and SOC 2 compliance.
As a general practice, limit employee records access within your organization to only those with a legitimate business need. Train employees who have access to employee records on laws related to employee privacy, data security, and protected characteristics.
How to handle employee record requests and audits
Companies should be ready in the event an employee requests access to their employee records, or the government requests or audits company files. As long as your organization securely keeps employee records in compliance with all federal and state laws, you should be properly prepared for an audit or records request.
In collaboration with your organization’s legal counsel, HR managers should establish a process for handling employee records requests. Having a plan in advance will save you time and help you stay on top of any compliance concerns.
You can also be proactive by regularly conducting an internal audit of employee records, checking for completion, accuracy, security, and any other compliance red flags.
How to properly dispose of employee records
HR managers should have a system in place for disposing of employee records that are no longer needed. With a digital database like an HRIS, it’s possible that employee records can be securely stored indefinitely.
However, if you’re dealing with physical records, limited digital storage space, or highly sensitive information, it’s possible that you’ll need to dispose of employee records once the legally required timespan for keeping them has lapsed.
When disposing of employee records, destroy them in such a way that they can’t be reconstructed. Not only does this keep you in compliance with privacy laws, but it’s also a good practice for protecting your company’s data.
Here are some examples of ways to properly dispose of employee records:
- Shredding
- Burning
- Destroying hard drives (physically breaking hard drives into many small pieces)
- Digitally erasing files (using a method so the file can’t be recovered)
If you’re unsure of how to properly destroy a digital record, consult with a cybersecurity professional.
How to keep employee records the easy way
Employee records management can be easy to overlook, as it’s usually a means to an end. However, the risks and costs associated with compliance mistakes and data breaches can sink a company overnight! With the stakes being so high, careful employee data storage, security, organization, and disposal are non-negotiable.
The good news is, you don’t have to manage it all by yourself. A secure, easy-to-use HRIS like BambooHR® can help you collect and maintain your employee records in one connected platform, so employee data stays accessible and safe, and so you can have peace of mind.