
Keeping Employee Records Private

Employers are required to take certain steps to protect sensitive information in employee records.
By Lisa Guerin, ​J.D. · UC Berkeley School of Law
Updated: Apr 7th, 2026

Personnel files hold a great deal of private information about employees: Social Security numbers, emergency contacts and next of kin, bank account numbers for direct deposit, and medical records. State and federal laws place strict limits on who may access these records and for what reasons.

Despite the legal and practical reasons to keep employee records private, there are times when certain employees will need to access personnel files to do their jobs. Employees may also want to view their own files, either while still employed or after leaving the company. This article explains your company’s legal obligations when it comes to employee personnel documents.

The law dictates how employers may use certain types of employee information and who has a right to see that information. Generally, your obligation to keep employee records private depends on the type of information the records contain.

Social Security Numbers

In the U.S., Social Security numbers are a key means of verifying identity and work authorization. For that very reason, they are a rich target for thieves, who can use a Social Security number to open bank accounts, obtain credit cards, create false work documents, and otherwise steal someone's identity. An exposed number cannot be changed the way a compromised password can, so a disclosure causes lasting harm.

A growing number of states have passed laws requiring employers to maintain the confidentiality of employee Social Security numbers. In California, for example, employers may print only the last four digits of employee Social Security numbers on the pay stubs they are legally required to provide. The state also prohibits employers from making employee Social Security numbers available to the public, printing those numbers on access cards, or printing those numbers on materials to be mailed (unless legally required, as might be the case for tax documents).

Medical Records

Strict confidentiality requirements apply to employee medical records. You might not have medical records for all of your employees. However, if an employee has a disability, you may have medical records relating to the employee’s medical condition and need for an accommodation.

An employee who has taken leave for a serious health condition under the Family and Medical Leave Act (FMLA) may have submitted a medical certification form. And, even though the Genetic Information Nondiscrimination Act (GINA) generally prohibits employers from gathering genetic information about employees, you may nonetheless have such information under one of the law's exceptions (for example, information an employee volunteers in an FMLA certification for a family member's condition). GINA requires that any genetic information you do hold be kept in a separate confidential medical file.

Who Should Have Access to Employee Medical Records?

If you have employee medical records, you must treat them confidentially. If you have information pertaining to an employee’s disability, for example, the Americans with Disabilities Act (ADA) requires you to keep that information in a separate confidential file, to be accessed only by:

  • first aid and other safety personnel, if necessary to provide medical treatment or safely evacuate the employee in an emergency
  • the employee’s supervisor, if the employee’s disability imposes work limitations or requires a reasonable accommodation
  • government officials, if required by law, and
  • insurance companies that require a physical examination.

If your company sponsors a group health plan, the plan may also have privacy obligations under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA's Privacy Rule covers group health plans except small plans (fewer than 50 participants) that the employer administers itself without an insurer or third-party administrator. A covered plan must, for example, designate a privacy official and adopt written policies to keep participants' health information private, and health information obtained through the plan may not be used to make employment decisions.

Some state laws also protect the privacy of employee medical records and limit the circumstances in which they may be disclosed. To find out whether your state has such a law, contact your state department of labor or consult an employment attorney.

Employee Rights to View Personnel Files

Although federal law doesn’t address the issue, a number of states give employees and former employees the right to view their own personnel files. These laws vary in what is allowed and required. In Illinois, for example, current and former employees have the right to inspect their full personnel files up to twice a year; they also have the right to insert a rebuttal statement in the file, if they disagree with something that the employer refuses to remove from the file.

California employees and former employees also have the right to view their files, but employers do not have to provide certain records, including letters of reference and documents pertaining to an investigation of a criminal offense. (See State Laws on Access to Your Personnel File for more information.)

Best Practices for Keeping Personnel Files Confidential

In addition to the above legal obligations, employers have good practical reasons for keeping employee records private. Although employers may not be legally required to keep things like employee salary information or performance evaluations private, for example, there is no good reason to allow other employees access to these records.

Tips for Safeguarding Employee Personnel Files

Here are some tips that will help you maintain the confidentiality of employee personnel files:

  • Learn the state and federal laws that apply to particular employee records, and follow them. As explained above, for example, your company will need separate confidential files for employee medical records, with access limited as required by law.
  • Keep all employee personnel files in a secure location. For paper records, that means a locked filing cabinet or an offsite storage facility; for electronic records, a server or HR system that requires individual logins, restricts each user to the files they need, and logs who viewed or changed each record so that unauthorized access can be detected.
  • Restrict access to employee personnel files to those with a legitimate need to know. For example, you might allow only an employee, the employee’s manager, and HR personnel to view each file.
  • Adopt a written policy explaining who has access to an employee’s file, how an employee can access his or her own personnel file, and how special records (like medical documents) are handled. Distribute the policy to employees.

Review personnel files periodically to make sure they include all relevant employment records, such as recent performance evaluations, salary data, and disciplinary records. Also make sure the files don't include documents that shouldn't be there, such as medical records (which belong in the separate confidential file) or disciplinary warnings that should have been removed after a set period under your policy.

When to Contact an Attorney

If you've experienced a data breach, or are worried that you've allowed unauthorized access to employee personnel files, contact an employment law attorney right away. Many states require notice to affected employees (and sometimes to state officials) when Social Security numbers or similar data are exposed, often within a fixed deadline, so the best way forward should be settled quickly.

About the Author

Lisa Guerin ​J.D. · UC Berkeley School of Law

Lisa Guerin is the author or co-author of several Nolo books, including The Manager's Legal Handbook, Dealing with Problem Employees, The Essential Guide to Federal Employment Laws, The Essential Guide to Family & Medical Leave, Workplace Investigations, and Create Your Own Employee Handbook.  Guerin has practiced employment law in government, public interest, and private practice, where she has represented clients at all levels of state and federal courts and in agency proceedings. She is a graduate of UC Berkeley School of Law.
