When an employer collects any information concerning an employee, it should store the information in a confidential manner. The best practice is to keep employee personnel files in a locked cabinet, and to designate only a few specific individuals who may access the records. In addition, the Americans with Disabilities Act (ADA) requires that an employer keep medical information separate from personnel records, and Massachusetts law requires that an employer take certain data security measures as described herein.
In Massachusetts, the law defines “personnel record” broadly to include any record maintained by an employer that identifies an employee, to the extent that the record is used or has been used, or may affect that employee’s qualifications for employment, promotion, transfer, additional compensation, or disciplinary action. The contents of an employer’s personnel records are likely to vary widely depending on the industry or business involved.
Massachusetts law requires that employers with 20 or more employees keep the following information, if they prepare or maintain it, in the employee’s personnel record:
Employers also generally keep Form I-9s and Form W-4s in the personnel record.
The law does not require that the employer prepare the information in the first place, nor does it actually require the employer to have personnel records; it only specifies where this information should be maintained if it is kept by the employer.
Massachusetts law also requires employers to notify employees within ten days of the addition to their personnel record of any information that either:
The new law does not specify whether notice to the employee must be written, or whether the employer must include a copy of the document. However, the best practice is to provide a written and dated notification to the employee, as it will serve as evidence of the employer’s compliance with the requirement.
The employee has the right to present a rebuttal to the information in his or her personnel file and may not be fired for doing so.
The employer should maintain personnel records in typewritten or printed form or in handwriting in permanent ink.
Massachusetts employers must retain an employee’s personnel record, without deletions or expungement of information (except by mutual agreement of the employer and the employee), for three years after termination of employment. Records may be maintained in electronic format, provided that measures necessary to secure their privacy are implemented (see section on Data privacy measures).
The employer should store any medical information about an employee in a separate record apart from the personnel record, as required by the ADA. Medical information includes requests for leaves of absence based on underlying medical conditions and notes from physicians concerning any work restrictions. Similarly, if a doctor’s note regarding an employee’s absence contains medical information, the note should be kept in a separate file. The employer may want to insert a simple notation in the personnel record that states that a written note was provided to excuse the absence. In most cases, workers’ compensation claim forms should not be kept in personnel records because they often contain confidential medical information. Benefit claim forms may also include medical information, and the employer should separate them from personnel records to ensure confidentiality.
In Massachusetts, upon written request, an employee may review his or her personnel record during normal business hours, and may obtain a copy of it. Employers must make the personnel file available to the employee within five business days of the written request. This law applies to both current and former employees.
An employee may only ask to review his or her personnel record twice in any calendar year. Importantly, however, a review triggered by an employer’s notice that it has placed negative information in the personnel record does not count as one of the two annual reviews.
When an employee requests to see his or her personnel record, a member of human resources or management should remain present during the review to prevent the employee from removing or altering information in the record.
Employees have the right to obtain certain medical information. Under the Occupational Safety and Health Act (OSH Act), employers are required to maintain accurate records concerning any potential employee exposure to toxic material or harmful physical agents which are required to be monitored or measured under OSH Act regulation. This law provides employees and their representatives with an opportunity to observe the monitoring and measuring of toxic materials and to have access to certain related medical records. For more information see Safety and health.
Massachusetts employers must ensure confidentiality in recordkeeping to avoid claims for violation of privacy. Massachusetts law states that an individual has a right against unreasonable, substantial or serious interference with his or her privacy. The court has further found that employees have a heightened privacy interest in their personnel records, meaning there is an increased risk of claims for employers.
Additionally, the ADA requires that public and private employers maintain rigorous confidentiality procedures regarding medical information. According to this law, an employer must keep confidential any medical information that is remotely discernible, even where such information may not directly identify an individual. Employers must be especially careful with regard to highly personal information, such as mental health status, HIV status, and other serious illnesses. Because the potential for harm to the employee and to the company is so high, employers should carefully monitor access to confidential medical information and should establish procedures to ensure that this type of information is disseminated only as necessary.
Massachusetts recently enacted a comprehensive data privacy law in response to highly publicized thefts of confidential consumer information. The law applies to “personal information,” which is defined to include a Massachusetts resident’s last name, first name or first initial, and either:
The regulations impose a duty on employers to protect the security and integrity of such information, which includes a written comprehensive information security program that contains administrative, technical, and physical safeguards to protect against risks to the integrity of the information. The employer’s safeguards will depend on:
Employers must develop a security program that includes, among other things:
In addition, the regulations require that employers use technical safeguards on computer and wireless systems to the extent they are feasible. These safeguards include:
In the event that an employer inadvertently discloses an employee’s personal information, it must provide notice of the known or suspected breach to:
Employers should institute and follow a written policy regarding maintenance of personnel records to ensure that supervisors and human resources personnel are consistent. The policy should identify the employer representative who will be present for any reviews.
The employer should also periodically review and update each personnel record with any new information.
Proper documentation is an invaluable tool in the defense of a company’s decisions relating to a particular employee. However, poor documentation may be more detrimental to an employer than none at all. Therefore, employers should ensure that all documentation relating to an employee is accurate, concise, and factual, and employers should keep in mind that all documents may later be disclosed in future litigation.