That box of old personnel files in the storage closet? It might be protecting you from a lawsuit, or it might be a liability. Knowing how long to keep employee records isn’t just an administrative detail. It’s a compliance obligation with real consequences if you get it wrong.
Federal agencies like the IRS, EEOC, and Department of Labor each set their own retention requirements, and they don’t always agree. Add state-level rules on top of that, and you’ve got a patchwork of deadlines that can trip up even the most organized business owner. Destroy records too early, and you could face fines or lose critical evidence in a dispute. Hold onto them too long, and you’re creating unnecessary risk and clutter.
This guide breaks down the major federal retention periods by record type, payroll, tax forms, I-9s, personnel files, benefits documents, and more, plus key state considerations you need to watch for. At Soteria HR, we help growing companies build compliant, organized HR systems from the ground up, and proper records management is one of the foundations we always address first.
Why employee record retention matters
Employee record retention is one of those compliance areas that stays invisible until something goes wrong. When you’re running a growing business, it’s tempting to treat old files as a low-priority task. But federal agencies and state regulators have clear expectations about what you keep, how long you keep it, and in some cases, exactly how you destroy it when the time comes. Getting this wrong puts you in a difficult position: you either lack records when you need them most, or you’re sitting on sensitive data longer than the law requires. Neither outcome serves you well.
Legal and regulatory exposure
Several federal agencies set the rules for how long to keep employee records, and they each operate independently of one another. The IRS requires payroll tax records for at least four years, the Department of Labor sets a three-year minimum for most wage and hour records under the Fair Labor Standards Act, and the EEOC requires employers to retain personnel and employment records for at least one year from the date of the personnel action or termination. Each agency can audit your business, request specific documents, and issue penalties if your records are incomplete or missing entirely.
If a federal agency requests records you can no longer produce, the burden of explanation falls on you, and the assumption often will not be in your favor.
State labor agencies add another layer on top of those federal requirements. Many states extend federal minimums by one to several years, and some require retention of documents you wouldn’t expect at the federal level, such as job postings, written offer letters, or interview notes. Relying only on federal timelines gives you partial coverage at best and leaves you exposed to state-level risk.
What’s at stake in disputes and lawsuits
Employment litigation is more common than most small business owners expect. Wrongful termination claims, wage disputes, discrimination complaints, and harassment allegations can surface months or even years after an employee leaves your company. When they do, your records serve as your primary line of defense. If you cannot produce performance reviews, disciplinary notes, timesheets, or written policy acknowledgments, your position in any dispute weakens considerably.
Courts and administrative agencies draw negative inferences when records that should exist are missing. Proper documentation creates a clear, defensible account of the decisions you made, the process you followed, and the standards you applied consistently across your workforce. Without that paper trail, a legitimate business decision can look arbitrary or retaliatory in front of a judge or investigator.
The cost of keeping records too long
Most conversations about record retention focus on keeping records long enough. But holding records past their required retention period carries real risks of its own. Data breaches become significantly more damaging when sensitive employee information, such as Social Security numbers, medical records, and direct deposit details, is stored beyond its useful life. Regulators may also question why you retained personal data without a current, legitimate business reason.
Unnecessary storage creates practical and legal complexity that compounds over time. Physical files take up space and require secure handling. Digital files accumulate across systems without proper oversight or clear ownership. If litigation arises, anything you retain can be subject to discovery, which expands your document review burden and drives up legal costs. A clear, written retention schedule protects you on both ends of the timeline.
Federal retention timelines by record type
Federal law doesn’t give you a single rule for how long to keep employee records. Different agencies govern different record types, and each carries its own minimum retention period. Understanding which agency applies to which documents keeps you prepared for audits, wage disputes, and compliance reviews.
Payroll, wage, and hour records
The Fair Labor Standards Act (FLSA) requires you to retain payroll records, including time cards, wage rate tables, and records of additions or deductions, for at least three years. Basic employment and earnings records that support those payroll figures, such as work schedules and wage calculations, carry a two-year minimum. The Department of Labor enforces these requirements and can audit your business without advance notice.
If you cannot produce FLSA-required records during a wage and hour audit, investigators may estimate back wages based on available data, and those estimates typically favor the employee.
Tax records
Your employment tax records must be kept for at least four years from the date the tax is due or paid, whichever is later. This covers federal income tax withholding, Social Security taxes, Medicare taxes, and supporting documents like W-2s and W-4s. The IRS governs this category, and a four-year lookback period is the minimum, not the ceiling.
I-9 employment eligibility records
Form I-9 follows its own retention formula. You must keep completed I-9 forms for three years from the date of hire or one year after the employee’s separation, whichever is later. U.S. Citizenship and Immigration Services and the Department of Homeland Security can inspect your I-9s with as little as three business days’ notice, so these records need to be accessible and organized at all times.
Personnel files and EEO records
Under EEOC rules, you must retain personnel and employment records for at least one year from the date the record was created or from the date of the personnel action, whichever is later. If an employee files a discrimination charge during that period, you must preserve all related records until the case fully closes.
Here is a quick reference for the major federal timelines:
| Record Type | Governing Agency | Minimum Retention |
|---|---|---|
| Payroll and time records | DOL / FLSA | 3 years |
| Payroll support records | DOL / FLSA | 2 years |
| Employment tax records | IRS | 4 years |
| Form I-9 | USCIS / DHS | 3 years from hire or 1 year post-separation |
| Personnel and EEO records | EEOC | 1 year |
State and local rules and how to handle conflicts
Federal minimums give you a foundation, but state and local laws frequently set longer retention requirements that override what federal agencies mandate. If you operate in multiple states or have remote employees spread across different jurisdictions, the complexity multiplies quickly. Understanding how state rules interact with federal ones is essential for keeping your records management program legally sound.
Where states commonly exceed federal requirements
Several states set their own timelines for specific record categories that go well beyond the federal floor. California requires employers to retain payroll records for three years, which matches the FLSA but adds requirements for itemized wage statements and certain personnel records that extend to four years. New York requires payroll records to be kept for six years under state labor law, which is double the federal minimum. States like Massachusetts and Illinois have similarly extended timelines for wage and hour records, and many require retention of documents that federal law does not address at all, such as job postings or written offer letters.
Here are some common state-level extensions worth knowing:
- California: Payroll records for 3 years; personnel files must be accessible to employees upon request
- New York: Payroll records for 6 years under the New York Labor Law
- Illinois: Wage payment records for 3 years; job postings may carry additional retention obligations
- Texas: Generally follows federal minimums, but active discrimination claims can extend applicable timelines
How to handle conflicts between state and federal rules
When state and federal requirements conflict, the rule that offers employees greater protection typically takes precedence. In practice, that means you apply whichever timeline is longer. If the IRS requires four years for tax records but your state requires five, you keep those records for five years to satisfy both obligations at once.
When in doubt, default to the longer retention period. Exceeding a minimum is never a compliance violation; falling short of one can be.
Your safest approach to figuring out how long to keep employee records across multiple jurisdictions is to anchor your retention schedule around your most demanding state requirement for each record category. If you have employees in California and New York, use New York’s six-year payroll standard as your baseline for that record type across the whole organization. Maintaining one consistent standard simplifies audits, reduces the risk of accidental early destruction, and keeps your HR team from managing parallel timelines for the same document types.
How to build a simple retention schedule and policy
Building a retention schedule doesn’t require a legal team or a complicated system. What it requires is a clear list of your record types, the applicable retention periods for each, and someone responsible for following through. Start simple. A well-organized spreadsheet covers most of what small and mid-sized businesses need to stay compliant and understand how long to keep employee records across every category.
Map your record types first
Before you can assign retention periods, you need to know what records your organization actually creates. That sounds obvious, but many businesses discover gaps in this step. Pull together every document category your HR, payroll, and operations teams generate, from hiring paperwork and performance reviews to benefits enrollment forms and termination records. Group similar records together so you can apply a single retention period to an entire category rather than tracking individual documents one by one.
A basic mapping exercise typically produces categories like these:
- Payroll and time records
- Employment tax documents (W-2s, W-4s, 941s)
- Form I-9 and supporting identity documents
- Personnel files (applications, offer letters, reviews, disciplinary records)
- Benefits enrollment and COBRA notices
- Separation agreements and termination documentation
Put it in writing
Once you have your record categories and the corresponding retention periods mapped out, document the schedule in a written policy. Your retention policy should state the record type, the minimum retention period, the governing authority (IRS, DOL, state law, etc.), and the disposal method. A written policy protects you in two directions: it demonstrates good-faith compliance efforts to regulators, and it gives your team a clear reference point so decisions don’t rely on memory or guesswork.
A verbal retention practice is not a policy. Documented, consistent procedures are what hold up under audit scrutiny.
Assign ownership and build in review dates
A retention schedule only works if someone owns it. Assign a specific person or role, whether that’s your HR manager, office manager, or an outsourced HR partner, to maintain the schedule and ensure records are handled consistently. Build an annual review date into the policy so you can update it when laws change or your organization adds employees in a new state. Employment laws shift often enough that a schedule you built two years ago may no longer reflect current requirements in every jurisdiction where you operate.
How to store, secure, and dispose of records
Knowing how long to keep employee records only solves half the problem. The other half is making sure those records are stored properly, protected from unauthorized access, and disposed of in a way that doesn’t expose you to a breach or compliance violation. Where and how you store records matters just as much as how long you keep them.
Physical vs. digital storage
Most organizations today maintain a mix of paper and digital records, and both formats carry specific obligations. Paper records should be kept in locked, access-controlled storage, with a clear labeling system that makes retrieval straightforward during an audit or legal review. Digital records need to live in a system with role-based access controls, meaning only authorized personnel can view sensitive files like medical records, I-9s, or termination documentation.
Digital storage doesn’t automatically mean secure storage. Unprotected shared drives and unsecured email attachments create the same risks as an unlocked filing cabinet.
If you use a cloud-based HR or payroll system, confirm that the vendor complies with relevant data security standards and that your contract clearly states who owns the data and what happens to it if you end the relationship. Keep your I-9 forms separate from general personnel files, as required by federal guidance, whether you store them physically or digitally.
Securing sensitive employee data
Employee records contain some of the most sensitive personal data your organization handles: Social Security numbers, banking information, health records, and immigration documents. A breach involving any of these carries significant legal and reputational consequences. Limit access to personnel files on a need-to-know basis, and document who has access and why so you can demonstrate accountability if a breach occurs.
Conduct an annual review of who has access to your HR systems and files. People change roles, leave the organization, or no longer need access to specific records. Removing unnecessary access points reduces your breach exposure without adding complexity to your day-to-day operations.
Disposing of records properly
When a record reaches the end of its retention period, destruction needs to be deliberate and documented. Paper records should be cross-cut shredded, not simply discarded. Digital records should be permanently deleted or wiped using methods that prevent recovery. Log the destruction date, the record type, and who authorized disposal so you have evidence of a compliant, systematic process rather than an ad hoc cleanup.
Conclusion
Understanding how long to keep employee records protects your business from regulatory penalties, legal disputes, and costly data security incidents. Federal agencies like the IRS, DOL, and EEOC each set their own distinct timelines, and state rules often extend those minimums by several years. When the two conflict, you apply the longer requirement. A written retention schedule, clear storage controls, and deliberate disposal procedures tie the whole system together and give you a defensible position when regulators or courts come asking.
Records management is one of those areas where getting it right upfront saves you significant time, money, and stress later. Building compliant HR systems doesn’t have to feel overwhelming when you have the right partner working alongside you. If you’re ready to stop guessing and start operating from a clear, organized HR foundation, connect with the Soteria HR team to schedule a consultation and see what’s possible for your business.
