---
name: Document & Records Management
description: "Manage HR document repository, e-signatures, retention, and compliance. Triggers: 'hr document management', 'personnel file', 'document retention', 'hr records compliance', 'e-signature request', 'document audit', 'hr file access', 'record purging', 'retention policy', 'legal hold', 'file access', 'document destruction', 'eDiscovery'"
---

# Document & Records Management

## Overview

Organize, secure, and retain all HR documents compliantly including personnel files, contracts, I-9s, and policy acknowledgments. Ensure eDiscovery readiness and regulatory compliance.

## Workflow

### Document Lifecycle Management

1. **Creation & Capture**:
   - Standardize templates for all HR documents
   - Automated generation from HRIS data
   - Scan and digitize physical documents (with OCR)
   - Metadata tagging for easy retrieval
2. **Storage & Organization**:
   - Centralized repository with folder structure:
     - Employee personnel files (confidential)
     - Policy documents (public/internal)
     - Contracts and agreements
     - Compliance records (I-9s, OSHA logs, EEO reports)
     - Training records
     - Disciplinary files
   - Role-based access controls
   - Version control for all documents
3. **Review & Approval**:
   - Workflow routing for document approvals
   - E-signature integration (DocuSign, Adobe Sign)
   - Audit trail for all changes and access
4. **Retention & Disposition**:
   - Automated retention scheduling per document type
   - Legal hold capability for litigation
   - Secure destruction when retention expires
   - Annual retention audit

### Personnel File Management

1. **Central File** (accessible to HR and authorized managers):
   - Job offer and acceptance
   - Performance reviews
   - Training records
   - Promotions and transfers
2. **Confidential File** (HR access only):
   - Medical information (FMLA, accommodations)
   - Disciplinary actions
   - Complaints and investigations
   - Background check results
   - Salary and compensation data
3. **I-9 File** (separate from personnel file):
   - Form I-9 (Section 1 & 2)
   - Supporting documentation copies
   - E-Verify results

### eDiscovery Readiness

1. **Legal Hold**:
   - Identify and preserve relevant documents
   - Suspend automated purging for affected records
   - Document preservation scope and timeline
2. **Production**:
   - Search and export relevant documents
   - Redact privileged/confidential information
   - Maintain chain of custody documentation
3. **Compliance Audits**:
   - Regular internal audits of document practices
   - External audits as required by regulation
   - Remediation of identified gaps

## Templates

### Document Retention Schedule

```
HR Document Retention Schedule
===============================
Jurisdiction: [US Federal + applicable state]
Last Reviewed: [Date]

Document Type          | Min. Retention | Trigger        | Storage       | Disposition
-----------------------|---------------|---------------|---------------|------------------
Personnel Files        | 7 years post-employment | Separation  | Encrypted digital | Secure delete
I-9 Forms             | 3 years after hire or 1 year post-separation (whichever later) | Hire/Separation | Separate file | Secure destroy
Performance Reviews   | 7 years post-employment | Separation  | Encrypted digital | Secure delete
Compensation Records  | 7 years       | Annual update | Encrypted digital | Secure delete
Training Records      | 3 years       | Completion    | Digital | Archive
Disciplinary Files    | 7 years post-employment | Separation  | Confidential | Secure delete
Medical Records       | 7 years post-employment | Separation  | Confidential | Secure delete
Employment Apps/Resumes (hired) | 1 year post-hire | Hire    | Digital | Secure delete
Employment Apps/Resumes (not hired) | 1 year | Application close | Digital | Secure delete
EEO/OFCCP Records     | 2 years       | Annual update | Digital | Secure delete
OSHA 300 Logs         | 5 years       | Calendar year end | Digital | Archive
Policy Acknowledgments | 7 years post-employment | Separation | Digital | Secure delete
Background Checks     | 3-7 years (varies by state) | Check date | Confidential | Secure delete
Workers' Comp         | 7 years post-employment | Separation | Digital | Secure delete
```

### Document Access Control Matrix

```
Role                  | Personnel Files | Confidential Files | I-9 Files | Policy Docs | Compliance Records
----------------------|-----------------|-------------------|-----------|-------------|-------------------
HR Director          | Full            | Full              | Full      | Full        | Full
HR Generalist        | Read/Edit       | Read/Edit         | Read/Edit | Read        | Read/Edit
HR Coordinator       | Read/Edit       | Read              | Read/Edit | Read        | Read
Hiring Manager       | Read (own team) | None              | None      | Read        | None
Employee             | Read (self)     | None              | None      | Read        | None
External Auditor     | Read (scoped)   | None              | Read      | Read        | Read
IT Admin             | None            | None              | None      | None        | None (infra only)
```

## Edge Cases

| Scenario | Handling |
|----------|----------|
| Employee requests their file copy | Provide copy per state law; exclude confidential notes, investigation details |
| Litigation pending | Place legal hold immediately; preserve all related documents |
| State-specific retention laws | Maintain jurisdiction-specific retention rules (CA, NY, IL differ) |
| Physical document transition | Scan with OCR; verify accuracy; securely destroy originals; document destruction |
| Former employee document access | Terminate access immediately upon separation; retain records per schedule |
| GDPR data subject request | Locate, provide, or delete personal data within 30 days |
| Natural disaster/backup | Off-site encrypted backups; test recovery procedures annually |
| M&A due diligence | Secure transfer of personnel records; verify compliance of acquired company |

## Integration Points

- **Document management**: DocuWare, M-Files, SharePoint, Box, Google Drive
- **E-signature**: DocuSign, Adobe Sign, HelloSign
- **HRIS**: Workday, BambooHR, Rippling (source of truth for employee data)
- **Records management**: Iron Mountain, Shred Everything
- **eDiscovery**: Relativity, Nuance
- **DLP tools**: Prevent unauthorized document access/sharing
- **Backup/DR**: Encrypted cloud and off-site backup systems

## Best Practices

1. **Separation of concerns**: Keep confidential files separate from general personnel files
2. **Access minimization**: Principle of least privilege for all document access
3. **Regular audits**: Quarterly access audits; annual retention audits
4. **Training**: HR staff trained on document handling and privacy requirements
5. **Digital-first**: Minimize physical documents; scan everything that arrives in paper
6. **Consistent naming**: Standardized naming convention across all HR documents
7. **Change management**: Document process changes; update retention schedule as laws change