1.1 This policy establishes comprehensive standards for the creation, maintenance, storage, retrieval, and disposal of employee records throughout the entire employment lifecycle, from pre-employment through post-separation retention. The policy ensures that all personnel records are accurate, complete, up-to-date, confidential, and retained in strict compliance with applicable federal, state, and local laws and regulations. It applies to all forms of employee records, whether maintained in physical or electronic format, and governs the practices of all personnel who create, access, or manage such records on behalf of the Organization. The policy further aims to standardise record-keeping practices across all departments and business units to minimise legal and operational risk.

1.2 This policy applies to all current and former employees, contractors, temporary staff, interns, and consultants of the Organization, as well as to all individuals who handle, access, or manage employee records in any capacity, including Human Resources personnel, payroll administrators, IT support staff, and authorised third-party service providers. The policy covers all categories of employee records maintained in both physical and electronic formats, including but not limited to personnel files, payroll records, benefits enrolment documentation, performance evaluations, disciplinary records, training records, medical and health records, and immigration and work authorisation documentation. Where specific record categories are governed by separate regulatory frameworks, those requirements shall take precedence to the extent of any conflict.

1.3 The Head of Human Resources, or such senior HR leader as may be designated by the Chief Executive Officer, shall serve as the policy owner and shall bear ultimate responsibility for ensuring that all employee records are created, maintained, stored, and disposed of in accordance with this policy and all applicable legal requirements. The policy owner shall ensure that adequate resources, systems, training, and oversight mechanisms are in place to support consistent application of this policy across the Organization. The policy owner shall report to the executive leadership team at least annually on compliance metrics, audit findings, and any recommended amendments. Day-to-day administration of employee records shall be delegated to the HR Operations team, which shall operate under the direction of the policy owner.

2.1 The Organization shall maintain a master personnel file for each employee, which shall serve as the primary repository for core employment documents. The master file shall contain, at a minimum, the signed offer letter and employment agreement, the current job description and any amendments, compensation history including base salary, variable pay, and allowance records, tax withholding forms, emergency contact information, and signed policy acknowledgements. The master personnel file shall be created upon the employee's acceptance of the offer of employment and shall be maintained throughout the employment relationship and for the applicable retention period following separation. The HR Operations team shall ensure that all documents are filed promptly and that the master file is reviewed for completeness at least annually during the employee's tenure.

2.2 In compliance with applicable disability discrimination and medical privacy legislation, all medical records shall be maintained in a separate confidential medical file that is physically and electronically segregated from the employee's master personnel file. The medical file shall contain pre-employment medical examination results, disability accommodation requests and interactive process documentation, workers' compensation claims and related correspondence, fitness-for-duty certifications, drug and alcohol testing records where applicable, and any other health-related documentation. Access to medical files shall be restricted to designated HR personnel with a documented need to know, the employee's treating occupational health provider, and individuals authorised by law. Medical files shall not be disclosed to hiring managers, supervisors, or colleagues except to the extent necessary to communicate approved accommodations or work restrictions, and only on a need-to-know basis without revealing the underlying medical condition.

2.3 Payroll and benefits records shall be maintained in a dedicated payroll file, separate from the master personnel file, to ensure appropriate access controls and compliance with financial record-keeping requirements. The payroll file shall contain salary and wage history, commission and bonus records, tax withholding forms and declarations, benefits enrolment and change forms, pension and retirement plan documentation, leave accrual and usage records, expense reimbursement records, and garnishment or deduction orders. Access to payroll files shall be restricted to authorised payroll administrators, finance personnel, and designated HR staff on a need-to-know basis. Payroll records shall be reconciled monthly by the payroll team and audited by the finance department at least quarterly to ensure accuracy and compliance with applicable wage and hour laws and tax regulations.

2.4 Performance and disciplinary records shall be maintained in a dedicated performance file to facilitate structured access and confidentiality. This file shall contain annual and interim performance reviews, goal-setting and performance improvement plans, commendation and recognition records, disciplinary notices including verbal warnings, written warnings, and final warnings, suspension records, investigation reports related to misconduct or policy violations, and grievance and complaint documentation. Performance and disciplinary records shall be retained for the duration of employment plus the period specified in the Organization's retention schedule, which shall be no less than 3 years following separation or as required by applicable law, whichever is longer. Managers shall submit completed performance documentation to HR within 10 business days of the evaluation period's close, and HR shall ensure that all disciplinary actions are documented contemporaneously with the event.

3.1 All employee records shall be created using standardised templates, forms, and documentation protocols approved by the HR department to ensure consistency, completeness, and legal compliance across the Organization. Records must be accurate, legible, free from unauthorised alterations, and completed in their entirety before being filed in the employee's record. The HR department shall maintain a central repository of approved templates and forms, which shall be reviewed and updated at least annually to reflect changes in legal requirements, organizational policies, or operational processes. Employees responsible for creating records shall receive training on proper documentation standards, including the use of objective language, the avoidance of subjective or discriminatory comments, and the importance of contemporaneous record creation. Any errors discovered in existing records shall be corrected using a documented amendment process that preserves the original entry and records the date, nature, and author of the correction.

3.2 Employees shall be responsible for promptly notifying the HR department of any changes to their personal information that may affect their employment records, benefits eligibility, tax withholding, or emergency contact arrangements. Changes that must be reported include, but are not limited to, legal name changes, residential address changes, marital status changes, birth or adoption of a dependent, changes to emergency contact information, changes to banking details for payroll direct deposit, and changes to immigration or work authorisation status. Employees shall submit change notifications through the Organization's HR information system or using the approved change request form within 15 calendar days of the effective date of the change. The HR department shall process change requests within 5 business days of receipt and shall update all affected records and systems accordingly. Failure to report material changes in a timely manner may result in administrative complications, including interruptions to payroll, benefits, or tax processing, for which the Organization shall not be held responsible.

3.3 The HR department shall conduct a comprehensive audit of employee records at least once every 12 months to verify accuracy, completeness, proper classification, and compliance with the Organization's retention schedule and applicable legal requirements. The audit shall include a representative sample of no fewer than 25% of active employee files and 10% of separated employee files per audit cycle. Audit criteria shall include the presence of all mandatory documents, the accuracy of personal and employment data, proper segregation of medical and confidential files, appropriate access controls, and adherence to retention and disposal schedules. Audit findings, including compliance rates, identified deficiencies, and recommended corrective actions, shall be documented in a formal audit report and presented to the policy owner within 15 business days of the audit's completion. Deficiencies shall be remediated within 30 calendar days, and a follow-up review shall be conducted to confirm that corrective actions have been implemented effectively.

4.1 Access to employee records shall be granted on a strict need-to-know basis and shall be limited to the minimum level of access necessary for the individual to perform their job responsibilities. The HR department shall maintain a current register of all individuals authorised to access each category of employee record, specifying the type of access granted (view-only, edit, or full administrative access) and the business justification for the access. Access permissions shall be reviewed at least quarterly by the HR Operations team to ensure that permissions remain appropriate and that access for separated employees, role changes, or departmental transfers is revoked or adjusted promptly. Unauthorised access to, or disclosure of, employee records shall be treated as a serious violation of this policy and may result in disciplinary action up to and including termination of employment, as well as potential civil or criminal liability under applicable data protection laws.

4.2 Physical employee records shall be stored in locked, fireproof filing cabinets within a secure, access-controlled area of the HR department. Access to the physical storage area shall be restricted to authorised HR personnel, and a sign-in log shall be maintained to record all instances of physical file access. Electronic employee records shall be stored in the Organization's HR information system, which shall be configured with industry-standard security controls including data encryption at rest and in transit, multi-factor authentication for all users, role-based access controls aligned with the principle of least privilege, automated session timeouts, and comprehensive audit logging of all access and modification events. The IT department shall conduct vulnerability assessments and penetration testing of the HR information system at least annually, and shall ensure that all security patches are applied within 30 calendar days of release. Backup copies of electronic records shall be created daily and stored in a geographically separate, secure location with the same level of access controls as the primary system.

4.3 All personnel who create, access, process, or manage employee records, including HR staff, payroll administrators, IT support personnel, and authorised third-party service providers, shall be required to sign a confidentiality agreement that explicitly acknowledges their obligations regarding the protection and non-disclosure of employee information. Confidentiality agreements shall be executed upon commencement of employment or engagement and shall remain in effect indefinitely following separation. All personnel with access to employee records shall complete mandatory training on data handling procedures, privacy obligations under applicable law, information security protocols, and the consequences of unauthorised access or disclosure. Initial training shall be completed within 30 calendar days of being granted access to employee records, and refresher training shall be completed annually. The HR department shall maintain records of training completion and shall suspend record access privileges for any individual whose training is not current.

5.1 Employee records shall be retained for the periods specified in the Organization's records retention schedule, which shall be developed and maintained by the HR department in consultation with Legal Counsel and shall comply with all applicable federal, state, and local retention requirements. At a minimum, master personnel files shall be retained for 7 years following the employee's date of separation, payroll and tax records shall be retained for 7 years, medical records shall be retained for the duration of employment plus 30 years, I-9 and work authorisation records shall be retained for 3 years after the date of hire or 1 year after the date of separation, whichever is later, and records related to formal complaints, investigations, or legal proceedings shall be retained until the matter is fully resolved and any applicable statute of limitations has expired, plus an additional 3 years. Where local law imposes a longer retention period than specified in this schedule, the longer period shall prevail.

5.2 Upon expiration of the applicable retention period, and provided that no legal hold, pending investigation, or active litigation requires continued retention, employee records shall be disposed of securely using methods that render the information permanently unrecoverable. Physical records shall be destroyed by cross-cut shredding or incineration by an approved and bonded document destruction vendor. Electronic records shall be permanently deleted using certified data destruction methods that meet or exceed the standards set forth in NIST Special Publication 800-88. The HR department shall maintain a disposal log that records the date of disposal, the categories of records destroyed, the retention period that applied, the method of destruction, and the name of the individual authorising the disposal. Disposal activities shall be witnessed by at least one HR representative and, where a third-party vendor is used, the vendor shall provide a certificate of destruction. The disposal log shall be retained permanently as part of the Organization's compliance records.

5.3 The Organization shall implement and maintain a legal hold process to ensure that employee records that may be relevant to pending or reasonably anticipated litigation, regulatory investigation, government audit, or internal investigation are preserved and excluded from routine disposal activities. Legal holds shall be issued by Legal Counsel or the General Counsel's office and shall specify the scope of records to be preserved, the reason for the hold, and the expected duration. Upon receipt of a legal hold notice, the HR department shall immediately identify all affected records, suspend any scheduled disposal activities for those records, and notify all custodians of the obligation to preserve the records in their current form. Legal holds shall remain in effect until formally released in writing by Legal Counsel. The HR department shall maintain a register of all active legal holds and shall audit compliance with hold requirements on a quarterly basis. Failure to comply with a legal hold may result in adverse legal consequences for the Organization and disciplinary action against the responsible individual.

6.1 Any violation of this policy, whether by act or omission, shall be subject to disciplinary action proportionate to the severity and nature of the violation. Violations include, but are not limited to, unauthorised access to or viewing of employee records, improper disclosure of confidential employee information to unauthorised parties, failure to create or maintain records in accordance with the standards prescribed by this policy, alteration or falsification of employee records, premature or improper destruction of records in violation of the retention schedule, and failure to comply with a legal hold. Disciplinary consequences may include formal counselling and written warning, suspension of record access privileges, mandatory retraining, suspension from employment, or termination of employment. The Organization reserves the right to pursue civil or criminal remedies against individuals who engage in wilful or malicious misuse of employee records.

6.2 This policy shall be reviewed comprehensively at least once every 12 months by the policy owner in consultation with Legal Counsel, IT Security, and senior HR leadership to ensure that it remains current, effective, and compliant with all applicable legal and regulatory requirements. In addition to the scheduled annual review, an interim review shall be triggered by any material change in applicable data protection or employment legislation, a significant organizational event such as a merger, acquisition, or systems migration, the findings of an internal or external audit, or a data breach or security incident involving employee records. Proposed amendments shall be reviewed by Legal Counsel for legal sufficiency, approved by the Head of Human Resources and the Chief Executive Officer, and communicated to all affected personnel at least 14 calendar days before the effective date. A complete version history shall be maintained as an appendix to this policy.

6.3 The HR department shall establish and monitor key performance indicators to measure the effectiveness and compliance of the Organization's employee record-keeping practices. KPIs shall include, at a minimum, file completeness rates for active and separated employee records, annual audit pass rates by record category, timely processing rates for employee change requests, access control compliance rates, retention schedule adherence rates, and timely disposal rates for records that have exceeded their retention period. These metrics shall be compiled into a quarterly compliance dashboard and reported to the policy owner and the executive leadership team. Where KPIs fall below the established targets, the HR department shall conduct a root cause analysis and implement corrective actions within 30 calendar days. KPI targets shall be reviewed and adjusted annually as part of the policy review process to reflect the Organization's evolving compliance maturity and operational requirements.