HR Recordkeeping and Data Privacy Requirements
HR recordkeeping and data privacy sit at the intersection of employment law, federal agency enforcement, and information security — making them among the most compliance-dense responsibilities in human resources. Federal statutes including the Fair Labor Standards Act (FLSA), Title VII of the Civil Rights Act, the Americans with Disabilities Act (ADA), and the Family and Medical Leave Act (FMLA) each impose distinct retention schedules and access restrictions on specific record types. Employers that mishandle personnel data face regulatory penalties, litigation exposure, and reputational harm. This page covers the foundational definitions, operational mechanics, common scenarios, and decision boundaries that govern HR recordkeeping and data privacy obligations at the national level.
Definition and scope
HR recordkeeping refers to the systematic creation, maintenance, retention, and lawful destruction of employment-related documents — spanning hiring records, payroll data, performance documentation, benefit enrollment files, and medical records. Data privacy, in the HR context, refers to the legal and procedural obligations that govern who may access, share, process, or store information about current, former, and prospective employees.
The scope of these obligations is determined by at least four overlapping regulatory frameworks:
- Fair Labor Standards Act (FLSA) — Administered by the U.S. Department of Labor (DOL), the FLSA requires employers to retain payroll records, collective bargaining agreements, and records explaining wage computation for a minimum of 3 years, and basic employment and earnings records for 2 years (29 CFR Part 516).
- Title VII / EEOC Regulations — The Equal Employment Opportunity Commission (EEOC) requires retention of personnel and employment records for at least 1 year from the date of the employment action, and 3 years for federal contractors subject to Executive Order 11246 (29 CFR Part 1602).
- FMLA and ADA — Under 29 CFR Part 825, FMLA-related records must be retained for 3 years. The ADA mandates that medical records be kept separate from general personnel files and treated as confidential, accessible only to supervisors, first aid staff, and government officials in limited circumstances.
- HIPAA (where applicable) — Employers sponsoring group health plans are subject to the Health Insurance Portability and Accountability Act, enforced by the HHS Office for Civil Rights, which governs protected health information (PHI) held in plan records.
State-level privacy statutes — most prominently the California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA) — impose additional obligations for employers operating in those jurisdictions. The California Privacy Protection Agency enforces CPRA, which as of 2023 extended employee personal information rights, including the right to know, correct, and delete certain data.
The broader regulatory context for human resources management situates these requirements within the full compliance landscape HR functions must navigate.
How it works
Record classification
HR data falls into three operationally distinct categories, each governed by different access and retention rules:
| Category | Examples | Access Restrictions |
|---|---|---|
| General personnel file | Job applications, performance reviews, disciplinary notices | Manager and HR access; employee inspection rights vary by state |
| Confidential medical file | ADA accommodation requests, FMLA certifications, return-to-work documentation | Strictly segregated; ADA mandates separation from personnel file |
| Payroll and financial records | Wage rates, hours worked, deductions, W-4 forms | Payroll and finance only; shared with DOL on investigation |
Retention schedule implementation
A compliant retention schedule follows a structured lifecycle:
- Creation — Document is generated, timestamped, and categorized at point of origin (hiring system, HRIS, email archive).
- Active maintenance — Document remains accessible within its functional file for the duration of employment plus any statutory hold period.
- Litigation hold — If a charge, lawsuit, or government investigation is reasonably anticipated, all destruction must halt for affected records regardless of normal schedule. This is a common-law obligation, not limited to a single statute.
- Scheduled destruction — After the applicable retention window closes and no holds are active, records are destroyed using methods proportionate to data sensitivity (e.g., cross-cut shredding, certified digital erasure).
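The lifecycle above, written out as a retention scheduler. This is an added illustration, not code from the page or from any HRIS product: it classifies each record, starts the statutory clock from the event this page names for that statute (FLSA payroll 3 years from when the record was made; EEOC personnel 1 year from the personnel action; FMLA 3 years; Form I-9 the later of 3 years after hire or 1 year after separation), lets a litigation hold override every schedule, applies the longer of the federal floor and a state window, and marks only closed-window records of separated employees for destruction. The category names, the single `state_years` override (assumed to run from the record's creation date), the `AS_OF` run date and the sample records are constructed assumptions.

```python
"""Retention-lifecycle scheduler for HR records (added illustration, not the page's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years, clamping Feb 29 to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class HRRecord:
    record_id: str
    category: str                            # "flsa_payroll" | "eeoc_personnel" | "fmla" | "i9" (assumed names)
    created: date                            # date the record was made
    hire_date: Optional[date] = None
    separation_date: Optional[date] = None   # None while the employee is still active
    action_date: Optional[date] = None       # personnel action date (starts the EEOC clock)
    litigation_hold: bool = False


def federal_retain_until(rec: HRRecord) -> date:
    """Federal floor: last day the record must be kept, using the windows stated on this page."""
    if rec.category == "flsa_payroll":
        return add_years(rec.created, 3)                  # clock runs from the date the record was made
    if rec.category == "eeoc_personnel":
        return add_years(rec.action_date or rec.created, 1)
    if rec.category == "fmla":
        return add_years(rec.created, 3)
    if rec.category == "i9":
        if rec.hire_date is None or rec.separation_date is None:
            raise ValueError("I-9 window needs hire_date and separation_date")
        # later of 3 years after hire or 1 year after separation
        return max(add_years(rec.hire_date, 3), add_years(rec.separation_date, 1))
    raise ValueError(f"unknown category: {rec.category}")


def retain_until(rec: HRRecord, state_years: Optional[int] = None) -> date:
    """Federal floor vs. state ceiling: the longer window governs.
    Assumption for this example: the state window runs from the record's creation date."""
    until = federal_retain_until(rec)
    if state_years is not None:
        until = max(until, add_years(rec.created, state_years))
    return until


def destruction_decision(rec: HRRecord, today: date, state_years: Optional[int] = None) -> str:
    """Return HOLD, RETAIN_ACTIVE, RETAIN or DESTROY for one record."""
    if rec.litigation_hold:
        return "HOLD"                   # a hold halts destruction regardless of schedule
    if rec.separation_date is None:
        return "RETAIN_ACTIVE"          # active maintenance for the duration of employment
    return "DESTROY" if today > retain_until(rec, state_years) else "RETAIN"


def run_schedule(records, today: date, state_years: Optional[int] = None) -> dict:
    """Batch decision over a record set; the DESTROY entries feed the shredding/erasure job."""
    return {r.record_id: destruction_decision(r, today, state_years) for r in records}


# Constructed sample records and run date (not real data).
AS_OF = date(2024, 6, 1)
SAMPLE = [
    HRRecord("PAY-1", "flsa_payroll", date(2020, 3, 15), separation_date=date(2022, 1, 10)),
    HRRecord("PAY-2", "flsa_payroll", date(2020, 3, 15)),                       # still employed
    HRRecord("I9-1", "i9", date(2019, 5, 1), hire_date=date(2019, 5, 1),
             separation_date=date(2023, 9, 30)),
    HRRecord("EEO-1", "eeoc_personnel", date(2023, 2, 1), separation_date=date(2023, 2, 1),
             action_date=date(2023, 2, 1)),
    HRRecord("EEO-2", "eeoc_personnel", date(2023, 2, 1), separation_date=date(2023, 2, 1),
             action_date=date(2023, 2, 1), litigation_hold=True),
]

if __name__ == "__main__":
    for record_id, verdict in run_schedule(SAMPLE, AS_OF).items():
        print(record_id, verdict)
```

Run as a script it prints one verdict per sample record; note that `PAY-1` flips from DESTROY to RETAIN when a five-year state window is passed in, which is the federal-floor/state-ceiling rule in action.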
HRIS platforms and document management systems that automate retention scheduling reduce the risk of premature or over-retention errors. The selection and configuration of these systems is addressed in HR information systems and HRIS selection.
Data minimization and access controls
Privacy frameworks increasingly impose a data minimization principle: employers should collect only data that is necessary for a defined HR purpose. The National Institute of Standards and Technology (NIST) Privacy Framework, version 1.0, provides a voluntary structure for identifying, governing, controlling, communicating, and protecting employee data. Role-based access controls (RBAC) limit record access to job-relevant personnel, reducing unauthorized disclosure risk.
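The role-based access controls and the file segregation the page describes, as an added example (not code from the page or from any HRIS): the classification table's three categories become a policy table, medical-file reads by supervisors, first aid staff and government officials are gated on a stated limited purpose, a document the ADA requires to sit in the medical file is refused if someone tries to file it in the general personnel record, and every decision is written to an audit trail. The role names, purpose strings, document-type names and sample vault contents are assumptions for this example.

```python
"""RBAC and ADA file segregation for HR records (added illustration, not the page's code)."""
from dataclasses import dataclass, field

GENERAL = "general_personnel"
MEDICAL = "confidential_medical"
PAYROLL = "payroll_financial"

# Who may read each category (from the classification table and the ADA note); role names assumed.
ACCESS_POLICY = {
    GENERAL: {"hr", "manager"},
    MEDICAL: {"manager", "first_aid", "government_official"},
    PAYROLL: {"payroll", "finance", "dol_investigator"},
}
# Medical reads are allowed only in limited circumstances: each role's permitted purposes (assumed).
LIMITED_MEDICAL_PURPOSES = {
    "manager": {"work_restriction", "accommodation"},
    "first_aid": {"emergency_treatment"},
    "government_official": {"compliance_investigation"},
}
# Document types that must live in the medical file, never the personnel file (names assumed).
MEDICAL_DOC_TYPES = {"ada_accommodation_request", "fmla_certification", "fitness_for_duty", "workers_comp"}


class AccessDenied(Exception):
    pass


class SegregationViolation(Exception):
    pass


@dataclass
class RecordVault:
    files: dict = field(default_factory=lambda: {GENERAL: {}, MEDICAL: {}, PAYROLL: {}})
    audit: list = field(default_factory=list)

    def file_document(self, employee_id: str, category: str, doc_type: str, payload: str) -> None:
        """Store a document, refusing any medical document aimed at the general personnel file."""
        if doc_type in MEDICAL_DOC_TYPES and category != MEDICAL:
            self.audit.append(("FILE_REJECTED", employee_id, category, doc_type))
            raise SegregationViolation(f"{doc_type} must be filed in {MEDICAL}, not {category}")
        self.files[category].setdefault(employee_id, []).append((doc_type, payload))
        self.audit.append(("FILED", employee_id, category, doc_type))

    def read(self, actor_role: str, employee_id: str, category: str, purpose: str = None) -> list:
        """Return an employee's documents in one category if the role (and, for the
        medical file, the stated purpose) is permitted; log the decision either way."""
        allowed = actor_role in ACCESS_POLICY[category]
        if allowed and category == MEDICAL:
            allowed = purpose in LIMITED_MEDICAL_PURPOSES.get(actor_role, set())
        self.audit.append(("READ" if allowed else "DENIED", actor_role, employee_id, category, purpose))
        if not allowed:
            raise AccessDenied(f"{actor_role} may not read {category} (purpose={purpose})")
        return list(self.files[category].get(employee_id, []))


def build_sample_vault() -> RecordVault:
    """Constructed sample contents for one employee (not real data)."""
    vault = RecordVault()
    vault.file_document("E100", GENERAL, "performance_review", "meets expectations")
    vault.file_document("E100", MEDICAL, "ada_accommodation_request", "ergonomic chair")
    vault.file_document("E100", PAYROLL, "w4", "filing status: single")
    return vault


if __name__ == "__main__":
    v = build_sample_vault()
    print(v.read("manager", "E100", GENERAL))
    print(v.read("manager", "E100", MEDICAL, purpose="accommodation"))
    for bad in (lambda: v.read("manager", "E100", MEDICAL),
                lambda: v.file_document("E100", GENERAL, "fmla_certification", "cert")):
        try:
            bad()
        except (AccessDenied, SegregationViolation) as exc:
            print("blocked:", exc)
    print(len(v.audit), "audit entries")
```

The audit list is the piece a reviewer wants: denied reads and rejected filings are recorded alongside successful ones, so an access review can show both that segregation held and who tried to cross it.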
Common scenarios
Scenario 1: I-9 and employment eligibility records
Employers must retain Form I-9 for each employee for either 3 years after the date of hire or 1 year after the date employment ends, whichever is later (8 CFR 274a.2). I-9 records must be stored separately from general personnel files and made available to Immigration and Customs Enforcement (ICE) or the DOL on request. More detail on I-9 logistics appears in I-9 and employment eligibility verification.
Scenario 2: FMLA medical certification
When an employee submits FMLA medical certification, the document must be filed in a confidential medical file — not the general personnel record. The FMLA's 3-year retention requirement applies from the date the leave was taken or documentation was created, whichever is later (29 CFR §825.500).
Scenario 3: Background check records under FCRA
When consumer reports (background checks) are used in employment decisions, the Fair Credit Reporting Act (FCRA), enforced by the Federal Trade Commission (FTC), requires employers to provide pre-adverse and adverse action notices, and to retain records of consent and disposition. Candidate files are typically retained for 5 years to align with EEOC recordkeeping periods for selection records.
Scenario 4: State biometric data laws
Illinois's Biometric Information Privacy Act (BIPA), 740 ILCS 14/, requires written consent and a publicly available retention-and-destruction policy before collecting biometric identifiers such as fingerprints or facial geometry. Non-compliance under BIPA carries statutory damages of $1,000 per negligent violation and $5,000 per intentional violation (740 ILCS 14/20). Employers using time-and-attendance systems with biometric input in Illinois must comply.
Decision boundaries
Understanding which rule applies — and when different rules conflict — is the operational core of HR compliance. The key decision boundaries are:
Federal floor vs. state ceiling
Federal statutes set minimum retention periods; states may impose longer retention mandates. When state law requires a longer retention period than federal law, the longer window governs for records in that jurisdiction.
Personnel file vs. medical file
The ADA creates a hard boundary: medical information obtained through employment (accommodation requests, fitness-for-duty exams, workers' compensation records) must be maintained in files separate from the general personnel record. This separation applies even where the medical information is relevant to a performance or leave issue.
Active employee vs. former employee
Retention obligations generally extend for a defined period after separation. The starting date of the post-separation window varies by statute: FLSA payroll records begin the 3-year clock from the date the record was made, not the date of termination. EEOC records begin from the date of the personnel action.
Litigation hold vs. scheduled destruction
Once an employer has notice of a potential claim — including receipt of an EEOC charge — all records reasonably related to that claim are subject to a litigation hold. Destroying records after receiving notice of litigation or an agency charge creates spoliation risk under Federal Rules of Civil Procedure, Rule 37(e).
Covered entity vs. employer-only
Not all employers are HIPAA covered entities. An employer's general personnel records are expressly excluded from HIPAA's definition of protected health information (45 CFR §160.103). HIPAA applies when the employer is acting as a plan sponsor administering a group health plan, not in its capacity as an employer maintaining personnel files.
The HR compliance and employment law obligations framework provides the broader context for how these specific recordkeeping rules interact with the full range of employer legal duties. The full landscape of HR practice areas is accessible from the HR Authority home.