Compliance Recordkeeping Requirements
Compliance recordkeeping requirements govern which employment documents must be created, retained, and destroyed — and under what conditions — across federal and state regulatory frameworks. Employers operating in the United States face overlapping mandates from agencies including the Department of Labor, the Equal Employment Opportunity Commission, and the Occupational Safety and Health Administration, each specifying distinct document types, retention windows, and access rules. Failures in recordkeeping consistently trigger penalty exposure during audits and litigation, independent of whether the underlying conduct was compliant. This page covers the definitional scope, operational mechanics, common employer scenarios, and the decision logic for classifying and managing compliance records.
Definition and scope
Compliance recordkeeping, as a regulatory construct, refers to the systematic creation, maintenance, and controlled disposal of employment-related documents that federal or state law requires an employer to produce or preserve. The scope extends beyond passive storage — it includes the obligation to generate specific records at defined trigger points (hire, injury, termination), to retain them for prescribed minimum periods, and in some cases to make them available to regulators on demand.
The Fair Labor Standards Act establishes foundational payroll recordkeeping obligations under 29 CFR Part 516, requiring employers to retain payroll records, collective bargaining agreements, and wage rate tables for a minimum of three years, with supporting time and earnings records held for at least two years (DOL Wage and Hour Division).
OSHA's recordkeeping rule at 29 CFR Part 1904 requires most employers with 11 or more employees in non-exempt industries to log work-related injuries and illnesses on the OSHA 300 Log, with the OSHA 300A annual summary retained for five years. The EEOC mandates retention of employment records — including job applications, promotion records, and termination documentation — for a minimum of one year under 29 CFR Part 1602, with extended periods for employers with 100 or more employees filing EEO-1 reports.
Form I-9, required under the Immigration Reform and Control Act, must be retained for three years from the date of hire or one year after termination, whichever is later (USCIS I-9 Central). ERISA plan documentation, governed by 29 CFR Part 2520, carries a six-year retention floor for plan documents and participant benefit statements.
How it works
Compliance recordkeeping operates in four discrete phases:
- Trigger identification — A regulatory event (hire, payroll cycle, workplace injury, benefits enrollment) activates the obligation to create a specific record. Employers must map each operational event to the applicable regulatory trigger.
- Record creation — The document must be generated in the format the regulation specifies. OSHA 300 Logs, for example, must be completed in the manner prescribed in 29 CFR 1904.29; electronic equivalents are acceptable provided they meet the regulatory definition of a "equivalent form."
- Active retention — Records must remain accessible, unaltered, and retrievable for the full statutory period. The employee records compliance framework distinguishes between "active" files (current employees) and "inactive" files (former employees), each subject to different access and security controls.
- Controlled disposal — Records may not be destroyed before the minimum retention period expires. Destruction must follow a documented schedule; premature destruction during litigation can constitute spoliation under federal civil procedure rules.
Physical and electronic records carry equivalent legal weight provided electronic systems preserve record integrity, prevent unauthorized alteration, and allow authorized reproduction on demand — criteria addressed in the Department of Labor's guidance on electronic recordkeeping (DOL ERISA Advisory Council).
Common scenarios
Payroll and wage records: Under the FLSA, employers must capture the employee's full name, Social Security number, address, birth date (if under 19), sex, occupation, hours worked each day and week, and wages paid each pay period. Employers engaged in wage and hour compliance audits will find that missing time records — not just missing pay — constitute independent violations.
Workplace injury documentation: An employer with 250 or more employees in covered industries must electronically submit OSHA 300A data annually to OSHA's Injury Tracking Application. Smaller employers in high-hazard industries with 20 to 249 employees face the same submission requirement (OSHA Recordkeeping Rule, 29 CFR 1904.41).
I-9 and employment eligibility: Form I-9 errors — missing signatures, incorrect document codes, expired reverification — are among the most frequently cited violations during ICE Form I-9 inspections. Fines for substantive I-9 paperwork violations ranged from $272 to $2,701 per violation as of 2024 (USCIS).
FMLA records: The Family and Medical Leave Act regulations at 29 CFR Part 825.500 require three-year retention of FMLA notices, medical certifications, and leave tracking records — separate from regular personnel files.
Decision boundaries
Distinguishing which records fall under which retention regime requires applying three classification variables:
| Variable | Examples | Governing Standard |
|---|---|---|
| Record type | Payroll vs. medical vs. safety | FLSA, HIPAA, OSHA respectively |
| Employer size | Under 11 employees (OSHA exemption) vs. 100+ (EEO-1) | 29 CFR 1904.1; 29 CFR 1602.7 |
| Employee status | Active vs. terminated | IRCA (I-9); FLSA |
A critical contrast exists between personnel records and medical records: the Americans with Disabilities Act (29 CFR Part 1630) requires that medical information be maintained in files separate from general personnel files, with access restricted to supervisors on a need-to-know basis, first aid and safety personnel in emergency contexts, and government officials investigating compliance. Mixing medical and personnel records into a single file is an independent ADA violation — distinct from any underlying accommodation issue.
Retention periods are floors, not ceilings. Employers with pending charges, lawsuits, or regulatory investigations must apply a litigation hold that suspends normal destruction schedules for all records potentially relevant to the matter, regardless of whether the standard retention period has expired. The workplace compliance audits process should include a documented hold-release protocol. For employers operating across state lines, state-specific rules — such as California's three-year payroll retention requirement under Labor Code §1174 — may exceed federal minimums and control where they are more stringent.
References
- DOL Wage and Hour Division — FLSA Recordkeeping Fact Sheet #21
- OSHA Recordkeeping Rule — 29 CFR Part 1904
- EEOC Recordkeeping and Reporting — 29 CFR Part 1602
- USCIS I-9 Central — Handbook for Employers (M-274)
- ERISA Recordkeeping — 29 CFR Part 2520
- FMLA Recordkeeping — 29 CFR §825.500
- ADA Regulations — 29 CFR Part 1630
- California Labor Code §1174 — Payroll Records
- DOL ERISA Advisory Council — Electronic Recordkeeping Guidance
- eCFR — FLSA Recordkeeping, 29 CFR Part 516