
This Massachusetts Human Resources Manual is offered to you for free. Find state-specific laws and regulations below.

Personnel Files — Massachusetts


When an employer collects any information concerning an employee, it should store the information in a confidential manner. The best practice is to keep employee personnel files in a locked cabinet, and to designate only a few specific individuals who may access the records. In addition, the Americans with Disabilities Act (ADA) requires that an employer keep medical information separate from personnel records, and Massachusetts law requires that an employer take certain data security measures as described herein.

In Massachusetts, the law defines “personnel record” broadly to include any record maintained by an employer that identifies an employee, to the extent that the record is used or has been used, or may affect that employee’s qualifications for employment, promotion, transfer, additional compensation, or disciplinary action. The contents of an employer’s personnel records are likely to vary widely depending on the industry or business involved.

The contents of records

Massachusetts law requires that employers with 20 or more employees keep the following information, if they prepare or maintain it, in the employee’s personnel record:

  • name, address, date of birth
  • job title and description
  • rate of pay and other compensation information
  • starting date of employment
  • job application, resumes or other forms of employment inquiry submitted by the employee in response to an employment advertisement
  • performance evaluations
  • written warnings of substandard performance
  • probationary periods
  • waivers signed by the employee
  • dated termination notices
  • any other documents relating to disciplinary action.

Employers also generally keep Form I-9s and Form W-4s in the personnel record. 

The law does not require that the employer prepare the information in the first place, nor does it actually require the employer to have personnel records; it only specifies where this information should be maintained if it is kept by the employer.

Notice requirement

Massachusetts law also requires employers to notify employees within ten days of the addition to their personnel record of any information that either:

  1. may be used to negatively affect the employee's qualification for:
    • employment 
    • promotion
    • transfer
    • additional compensation
  2. may subject the employee to disciplinary action.

The new law does not specify whether notice to the employee must be written, or whether the employer must include a copy of the document. However, the best practice is to provide a written and dated notification to the employee, as it will serve as evidence of the employer’s compliance with the requirement.

The employee has the right to present a rebuttal to the information in his or her personnel file and may not be fired for doing so.

Maintaining personnel records

The employer should maintain personnel records in typewritten or printed form or in handwriting in permanent ink.


Massachusetts employers must retain an employee’s personnel record, without deletions or expungement of information (except by mutual agreement of the employer and the employee), for three years after termination of employment.  Records may be maintained in electronic format, provided that measures necessary to secure their privacy are implemented (see section on Data privacy measures).

Keeping medical records separate

The employer should store any medical information about an employee in a separate record apart from the personnel record, as required by the ADA. Medical information includes requests for leaves of absence based on underlying medical conditions and notes from physicians concerning any work restrictions. Similarly, if a doctor’s note regarding an employee’s absence contains medical information, the note should be kept in a separate file. The employer may want to insert a simple notation in the personnel record that states that a written note was provided to excuse the absence. In most cases, workers’ compensation claim forms should not be kept in personnel records because they often contain confidential medical information. Benefit claim forms may also include medical information, and the employer should separate them from personnel records to ensure confidentiality.

Employee access to records

In Massachusetts, upon written request, an employee may review his or her personnel record during normal business hours, and may obtain a copy of it. Employers must make the personnel file available to the employee within five business days of the written request. This law applies to both current and former employees.

An employee may only ask to review his or her personnel record twice in any calendar year. Importantly, however, a review triggered by an employer’s notice that it has placed negative information in the personnel record does not count as one of the two annual reviews.

When an employee requests to see his or her personnel record, a member of human resources or management should remain present during the review to prevent the employee from removing or altering information in the record.

Medical records

Employees have the right to obtain certain medical information. Under the Occupational Safety and Health Act (OSH Act), employers are required to maintain accurate records concerning any potential employee exposure to toxic material or harmful physical agents which are required to be monitored or measured under OSH Act regulation. This law provides employees and their representatives with an opportunity to observe the monitoring and measuring of toxic materials and to have access to certain related medical records. For more information see Safety and health.

Ensuring confidentiality and privacy

Massachusetts employers must ensure confidentiality in recordkeeping to avoid claims for violation of privacy. Massachusetts law states that an individual has a right against unreasonable, substantial or serious interference with his or her privacy. The court has further found that employees have a heightened privacy interest in their personnel records, meaning there is an increased risk of claims for employers.

Additionally, the ADA requires that public and private employers maintain rigorous confidentiality procedures regarding medical information. According to this law, an employer must keep confidential any medical information that is remotely discernible, even where such information may not directly identify an individual. Employers must be especially careful with regard to highly personal information, such as mental health status, HIV status, and other serious illnesses. Because the potential for harm to the employee and to the company is so high, employers should carefully monitor access to confidential medical information and should establish procedures to ensure that this type of information is disseminated only as necessary.

Data privacy measures

Massachusetts recently enacted a comprehensive data privacy law in response to highly publicized thefts of confidential consumer information. The law applies to “personal information” as defined to include a Massachusetts resident’s last name, first name or first initial, and either:

  • Social Security number
  • driver’s license number or state issued identification number
  • financial account number or debit or credit card number.

The regulations impose a duty on employers to protect the security and integrity of such information, which includes a written comprehensive information security program that contains administrative, technical, and physical safeguards to protect against risks to the integrity of the information. The employer’s safeguards will depend on:

  • the size, scope and type of business
  • the amount of resources available to the business
  • the need for security and confidentiality of the information at hand.

Employers must develop a security program that includes, among other things:

  • designation of an employee to maintain the plan
  • assessment of "reasonably foreseeable" risks to the security of the personal information
  • policies regarding the use of records containing personal information outside the business
  • steps to ensure compliance by vendors
  • certain documentation requirements.

In addition, the regulations require that employers use technical safeguards on computer and wireless systems to the extent they are feasible. These safeguards include:

  • secure user authentication protocols
  • secure access control measures
  • encryption requirements
  • monitoring
  • firewall, virus, and malware protection
  • training and education of employees.

Breach notification

In the event that an employer inadvertently discloses an employee’s personal information, it must provide notice of the known or suspected breach to:

  • the Massachusetts attorney general
  • the Director of the Massachusetts Office of Consumer and Business Regulation
  • the affected resident.

Employer policy regarding records

Employers should institute and follow a written policy regarding maintenance of personnel records to ensure that supervisors and human resources personnel are consistent. The policy should identify the employer representative who will be present for any reviews. 

The employer should also periodically review and update each personnel record with any new information. 

Employers and documentation

Proper documentation is an invaluable tool in the defense of a company’s decisions relating to a particular employee. However, poor documentation may be more detrimental to an employer than none at all. Therefore, employers should ensure that all documentation relating to an employee is accurate, concise, and factual, and employers should keep in mind that all documents may later be disclosed in future litigation.