What Employee Info Can You Collect in Personnel Files?

Learn which documents you should include (and not include) in your employee personnel files.

Written by: Skye Schooley, Senior Lead Analyst
Updated Jan 29, 2026
Gretchen Grunburg, Senior Editor
As an employer, you’re required by federal and state laws to collect certain employee information, from tax forms to job-related documentation, while also limiting who can access that data and how it’s stored. Although managing personnel files can feel like a routine administrative task, those records often contain highly sensitive information, and mistakes can carry real consequences.

Beyond HR compliance issues and employee disputes, poor data-handling practices can expose businesses to serious security risks. According to IBM’s 2025 Cost of a Data Breach Report, the average data breach now costs organizations $4.4 million, showing just how important it is to handle employee records securely and intentionally. To avoid legal trouble, financial penalties and damage to employee trust, it’s essential to understand what belongs in a personnel file, what should be stored separately and how employee information should be managed.

Did You Know?
As union activity continues to rise across industries, employers are facing increased scrutiny around how employee records are collected, maintained and accessed.

What is an employee personnel file?

An employee personnel file is a centralized record of documents related to a specific worker. It includes information that employers are legally required to maintain, as well as other records that support day-to-day management and compliance.

Damien Weinstein, a partner at Weinstein & Klein PC, explained that personnel files should tell a clear, cohesive story about an employee’s role and performance within the organization. “You should be able to read a personnel file and have a pretty accurate view into who the employee is, what they do at the company and how they are performing,” Weinstein explained.

Storing and accessing personnel files

For years, many employers kept personnel files in locked filing cabinets. Physical storage can still work when it’s done carefully, but it leaves records vulnerable to things like fire, water damage or unauthorized access. Today, many businesses rely on HR software to store employee records securely in the cloud, where files are encrypted, can be backed up and are accessible only to authorized users.

How long you keep personnel records matters just as much as how you store them. Federal and state laws set minimum retention requirements for certain documents. For example, the Fair Labor Standards Act (FLSA) requires employers to keep payroll records for at least three years. Other records, such as tax and hiring documents, are governed by different timelines depending on the law that applies. Because these requirements can overlap (and employment-related claims may arise years after the fact), many HR professionals follow a conservative best practice of retaining general personnel records for at least seven years after an employee leaves the company.

Even when formal audits aren’t legally required, it’s smart to review personnel files on a regular basis. An annual check can help ensure records are accurate, complete and stored appropriately and can surface issues before they turn into compliance problems or employee disputes.

What should be included in a personnel file?

Personnel files can contain a wide range of employee information, but not all documents should be stored together. Some records are routine and job-related, while others are highly sensitive and subject to stricter access rules.

To keep information organized and reduce risk, Nicole Anderson, founder and CEO of the HR solutions firm MEND, recommends separating employee records into three distinct files: an employee file, a confidential file and a separate I-9 file.

Employee file

The employee file should contain documents related to an employee’s role, performance and day-to-day employment history. According to Anderson, this general file typically includes:

Confidential file

The confidential file should be reserved for highly sensitive employee information and stored separately from general personnel records. Access to this file should be tightly restricted and limited to designated individuals who need the information for compliance or administrative purposes.

As Anderson explained, a confidential file typically includes documents such as:

  • Self-identification forms
  • Medical or disability-related documentation, including return-to-work or doctor’s notes
  • Workers’ compensation records
  • Insurance enrollment forms
  • 401(k) retirement plan documents (or other plans)
  • Beneficiary forms
  • Release authorizations
  • Credit report disclosures and authorizations
  • Criminal background check records
  • Drug test consents and affidavits
  • W-4 tax forms
  • State tax forms, if applicable
  • Direct deposit forms or voided checks
  • Any document containing personally identifiable information, such as a date of birth, bank account numbers, Social Security number, sex or marital status

I-9 file

Form I-9 is used to verify an employee’s identity and authorization to work in the United States. Employers must use the current edition of Form I-9 issued by U.S. Citizenship and Immigration Services and store it separately from general personnel records.

Under changes introduced in 2023, certain employers enrolled in E-Verify and in good standing may use an approved alternative procedure to examine I-9 documents remotely. With this option, employers can review documents during a live video call rather than meeting in person, as long as they follow all required steps. Employers that aren’t enrolled in E-Verify must continue using the standard, in-person review process.

Because Form I-9 is subject to inspection by U.S. Immigration and Customs Enforcement, keeping I-9s organized and readily accessible is important. Maintaining a dedicated I-9 file can help reduce disruption during a Form I-9 audit and limit the risk of fines tied to missing or improperly completed forms.

What should not be included in a personnel file?

Including the wrong documents in a personnel file can create legal and privacy risks. As a general rule, any information that is highly sensitive, unrelated to job performance or protected by privacy laws should not be stored in an employee’s general personnel file.

  • Keep separately: Certain records should be kept separately, not discarded. These include tax forms such as W-4s, equal employment opportunity (EEO) data, Social Security numbers and medical records, all of which require stricter access controls. As Weinstein explained, “Personal health information (exposures, test results, documentation of symptoms, etc.) should not be kept in the general personnel file since this may be accessed by too many people.”
  • Do not include: Other materials should not be included at all in standard personnel files. This includes investigation records, whistleblower complaints, unsubstantiated allegations and informal notes or opinions about an employee. Employers should also avoid storing copies of personal identification documents, such as Social Security cards, passports, government-issued IDs or driver’s licenses, once they’ve served their required purpose. As Anderson noted, “Once the use of these items is done, they should be destroyed to prevent any unauthorized duplication or breach.”

Bottom line
In addition to properly destroying sensitive documents, employers should maintain a cybersecurity plan that addresses how employee data is stored, accessed and protected from unauthorized use.

Who should have access to employee personnel records?

Access to employee personnel files should be limited to a small group of designated individuals. In most organizations, that includes key HR staff and select C-suite executives, such as a business owner or chief operating officer, who need the information to manage compliance, employment decisions or legal obligations.

Weinstein emphasized that access decisions should be guided by confidentiality obligations rather than job titles alone. “Key personnel who are contractually and legally obligated to maintain confidentiality [should have access],” Weinstein explained. “This could be a business owner and COO, head of HR, etc. The point is that this contains personal, private and sensitive information and isn’t meant to be readily available to anyone in the company.”

FYI
There may be times when a manager needs to review parts of an employee's standard file, such as job-related records. When that happens, access should be limited to nonconfidential information and exclude items like medical, financial or identity-related documents.

Best practices for managing employee personnel files

Managing employee personnel files involves more than storing paperwork. When records aren’t handled carefully, small oversights can turn into compliance issues, privacy concerns or employee disputes. The following data management best practices can help you keep personnel files accurate, secure and well managed.

  • Establish a written retention policy. Create clear guidelines that spell out which documents you collect, where they’re stored and how long they’re kept before being destroyed. This policy should also outline who is allowed to access different types of records. Make sure HR department members understand and follow these standards consistently.
  • Maintain transparency with employees. State laws vary when it comes to an employee’s right to view their personnel file, but business transparency often helps build trust regardless of the legal minimum. Let employees know which documents you retain, and consider having them acknowledge key records with a signature so there are no surprises later.
  • Use role-based access controls. Employee records need to be handled carefully, especially when multiple people have access to them. In practice, that usually means giving managers visibility into job-related information only, while keeping sensitive medical or financial records limited to HR or a small group of designated leaders.
  • Review personnel files regularly. A periodic review — often done annually — helps ensure records are current, accurate and stored correctly. This is also a good opportunity to remove outdated documents that no longer need to be retained under your policy.
  • Leverage automation thoughtfully. HR software can streamline document storage and reduce manual errors by automating parts of the file management process. Even with automation in place, regular reviews are still important to confirm that records remain compliant and complete.
  • Back up everything. Finally, make sure your personnel files are backed up. Having secure backups in place helps protect employee records in the event of a system failure, cyber incident or natural disaster.

What are the laws regarding personnel files?

Laws governing personnel files vary by state and at the federal level, but most requirements fall into a few key categories. Understanding how these rules work together can help you stay compliant and avoid common missteps. Consider the following:

  • Employee access rights vary by state. Many employees assume they can inspect their personnel file at any time, but that isn’t always true. State laws differ widely on when and how employees can access their records, and some jurisdictions require a formal written request or additional conditions before employers must provide access.
  • Certain records must be stored separately. Federal and state laws also dictate how specific types of employee information must be stored and who can access it. As Anderson explained, many standard employment documents can be kept in HR files or secure cabinets, but others require stricter controls, such as those affected by HIPAA requirements. “The Americans with Disabilities Act (ADA) and the Health Insurance Portability and Accountability Act (HIPAA) require that confidential medical information be kept separate from the personnel file so that no one but designated HR staff or company officials can access it,” Anderson said.
  • Retention rules set minimum timelines. Federal regulations establish how long certain employment records must be kept. For example, the Equal Employment Opportunity Commission requires employers to retain most personnel records for at least one year from the date the document is created or the employment action occurs, whichever is later. The Age Discrimination in Employment Act similarly requires employers to keep employee benefit plans and written merit or seniority systems for at least one year after they’re discontinued.
  • Well-maintained files matter in legal disputes. Personnel records can become critical if a current or former employee files — or threatens to file — a business lawsuit. As Weinstein noted, “[A personnel file] is usually the first thing your lawyer will ask for if the employee is suing (or threatening to sue) you.” Keeping files organized and easy to retrieve, ideally in a secure digital system, can save time, reduce legal fees and support your legal defense.

Source interviews were conducted for a previous version of this article.
