Going Paperless? Legal Guidelines & Tips for a Paperless HR Department

by Obermayer Rebmann Maxwell & Hippel LLP

In today’s high-tech business environment, it is commonplace for employers to digitize personnel documents. Maintaining these documents in electronic form has obvious benefits, including ease of accessibility and storage efficiency. Although electronic storage of personnel records is permissible under federal employment laws, employers must be mindful of the statutory rules relating to document retention periods and electronic storage systems to avoid legal pitfalls. If your company is considering implementing a paperless human resources department, read on for legal guidelines and tips to ensure a smooth transition.

Personnel Records and Application Materials

The Equal Employment Opportunity Commission (EEOC) requires that personnel and employment records be preserved for the following periods:  

  • Private employers must retain records for one year from the date of making the record or the personnel action involved, whichever occurs later, but in the case of involuntary termination of an employee, they must retain the terminated employee’s personnel or employment records for one year from the date of termination. Examples of documents include: performance evaluations; attendance records; disciplinary records; handbook receipts; requests for employment verification; education certifications; applications; and resumes.
  • Educational Institutions and State and Local Governments must retain such records for two years from the date of the making of the record or the personnel action involved, whichever occurs later, but in the case of involuntary termination of an employee, they must retain the terminated employee’s personnel or employment records for two years from the date of termination.

Please note that some states have laws which govern retention periods for personnel files which differ from the EEOC regulations. Further, record retention periods may be longer if the employer has affirmative action obligations or is required by regulatory agencies to maintain records for a longer period of time.  

Medical Records

Medical information (including documents related to a disability accommodation request or Family Medical Leave Act (FMLA) request) must be kept confidential and separate from an employee’s basic personnel file. One way to address this concern is to house electronic medical data in its own separate database with its own separate access protocol.

The Americans with Disabilities Act (ADA) requires that covered employers keep all ADA-related files for at least one year from the date the file was created. The FMLA requires covered employers to keep FMLA-related files for at least three years. As a best practice, medical records of terminated employees should be retained for at least four years from the date of termination. Please note that medical records related to workers’ compensation claims have a different retention period.

EEO-1 Forms

The EEOC recommends that race and ethnicity identification forms be kept separate from an employee’s basic personnel file. Again, it may be prudent to house electronic race/ethnicity data in its own separate database with its own separate access protocol.

Payroll Documentation

Because the Fair Labor Standards Act (FLSA) does not require a particular order or form of records, wage records may be maintained electronically. If records are stored electronically, records must be available for copying and transcription upon request by representatives of the Department of Labor (DOL), and reproductions must be clear and identifiable. The FLSA requires employers to keep payroll records for at least three years. Further, employers must keep all records (including wage rates, job evaluations, seniority and merit systems, and collective bargaining agreements) that explain the basis for paying different wages to employees of opposite sexes in the same establishment for at least two years. Please note that state wage laws (i.e., Arizona) may require longer retention periods.

OSHA Records

Records required by the Occupational Safety and Health Administration (OSHA) may be kept electronically provided the computer they are stored on can produce forms equivalent to OSHA’s forms when they are needed and the system meets specific regulatory requirements. Access to injury and illness records must be limited. When an authorized government representative asks for certain records (i.e., an OSHA 300 Log which lists all injuries and illnesses at worksites) copies of the records must be provided within four (4) business hours. Finally, X-rays must be preserved in their original state (i.e., if X-rays were received as hard copies, than they must be retained in hard copy form).

I-9 Forms

The U.S. Citizenship and Immigration Services (USCIS) requires that electronic systems used for storing I-9 documentation have:

  • reasonable controls to ensure the integrity, accuracy, and reliability of the electronic storage system;
  • reasonable controls designed to prevent and detect the unauthorized or accidental creation of, addition to, alteration of, deletion of, or deterioration of an electronic I-9 Form, including the electronic signature, if it is used;
  • an inspection and quality assurance program that regularly evaluates the electronic generation or storage system and includes periodic checks of electronically stored I-9s, including the electronic signature, if it is used;
  • a retrieval system that includes an indexing system that permits searches by any data element; and
  • the ability to reproduce legible paper copies.

Paper copies of I-9 Forms do not have to be retained if stored electronically, provided the storage system complies with the latter standards. Employers must retain I-9 Forms for three years after the date employment begins or one year after the date the person’s employment is terminated, whichever is later. If you are an agricultural association, agricultural employer, or farm labor contractor, you must retain the I-9 Form for three years after the date employment begins for persons you recruit or refer for a fee.

Beware: Copies of I-9 Forms must be available on three days’ notice of inspection by U.S. Immigration and Customs Enforcement (ICE).

Employee Benefits Documents

The Employee Retirement Income Security Act (ERISA) has two record retention provisions, which apply to all ERISA employee benefit plans (retirement, health and welfare plans):

  • ERISA 107: requires anyone who files or certifies certain information (such as a Form 5500) to maintain sufficient records (i.e., spreadsheets, email correspondence, plan documents, amendments, work records) to explain, corroborate, substantiate, and clarify what is in the filing or certification. Under ERISA 107, an employer must maintain these records for six years after the filing date (or from the date of any extended date for filing).
  • ERISA 209: requires an employer to maintain all such information for “as long as a possibility exists that they [the records] might be relevant to a determination of the benefit entitlements of a participant or beneficiary.” This is essentially an indefinite duration. ERISA 209 applies to documents such as plan notices and service records used to determine eligibility.

General Requirements for Electronic Storage Systems

The record maintenance requirements of federal employment laws are generally satisfied when using electronic media if:

  • There are reasonable controls to ensure the integrity, accuracy, authenticity and reliability of the records kept in electronic form.
  • The electronic records are maintained in reasonable order, in a safe and accessible place, and in a manner that they may be readily inspected or examined.
  • The electronic records are readily convertible into legible and readable paper copies as may be needed to satisfy reporting and disclosure requirements.
  • The electronic recordkeeping system is not subject, in whole or in part, to any agreement or restriction that would directly or indirectly compromise or limit a person’s ability to comply with any reporting and disclosure requirement.
  • Adequate records management practices are established and implemented (i.e., providing a secure storage environment; creating back-up electronic copies and selecting an off-site storage location; observing a quality assurance program evidenced by regular evaluations of the electronic recordkeeping system including periodic checks of electronically maintained or retained records; and retaining paper copies of records that cannot be clearly, accurately or completely transferred to an electronic recordkeeping system).

Helpful Tips for Electronic Storage

  • If a lawsuit is filed against your company, you will have a legal duty to maintain relevant documents in their original form and suspend their destruction or alteration as soon as you learn that litigation is imminent and until the lawsuit is resolved. Although documents may be scanned into electronic form at this time, paper copies should not be destroyed during the pendency of the lawsuit.
  • Account for ease of retrieval and searches when designing and implementing electronic document creation and storage protocols. Put time and effort in up front to design detailed metadata to improve search ability.
  • Establish security protocols so that only authorized individuals can access each electronically maintained file. That includes creating a secure and reliable electronic storage environment, including off-site backup, and complete and secure destruction protocols consistent with the retention policy for hard copies.
  • If technology does not self-audit or contain compliance monitoring, consider a quality assurance program that includes regular evaluations and checks of the electronic record-keeping system.
  • Retain paper copies of any records that cannot be clearly, accurately, or completely transferred to an electronic record-keeping system (i.e., performance documents which include notations in pencil or light ink).

*Adapted from Going Paperless? Legal Guidelines for Electronic Retention of Documents & Evidentiary Considerations, co-presented by Tiffani L. McDonough and Michael Fagan for the Liberty Bell Chapter of ARMA International (April 2014) and Archive Systems (May 2014).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Obermayer Rebmann Maxwell & Hippel LLP | Attorney Advertising

Written by:

Obermayer Rebmann Maxwell & Hippel LLP

Obermayer Rebmann Maxwell & Hippel LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.