The public libraries in our region have been requiring staff to complete a health self-assessment every day that they report to the building to work. Some of these libraries now have a collection of paper or electronic responses that date back to June.
How long should these records be kept? Two weeks? Two months? Forever?
And, not to complicate matters, but for municipal or school district public libraries, are these records, or portions thereof, subject to FOIL?
Records management is an art formed by the crossroads of life, law, and data.[1]
As soon as we saw that the state's "Template Safety Plan" required completion of employee health screening, the records management implications were clear. In fact, "Ask the Lawyer" has alluded to this very concern before.[2] But the member's questions give us a really good focal point.
Here is some background, and then we'll tackle the member's questions:
As librarians know better than most people, information often falls into a variety of "buckets."
One of the biggest "buckets" of records that may sound familiar is the bucket labelled "evidence." Most people know that when you leave a paper trail, it can (with many exceptions) be used for—or against—you in court. In the employee data arena, common uses of such evidence are labor law and civil rights claims.
Another big bucket is "health care records" pertaining to individual people. This type of information is protected by a complex array of state and federal law, rules, and regulations, and the obligations related to it change based on who is retaining them. In the case of employers, the restrictions are generally rigid.
And of course, there are "municipal records" and "business records" both of which have a vast array of sub-classes and categories, depending on the municipality or the business (I don't know who has it worse, the records management office for a large city, or the records management office for an insurance company[3]). Municipal employers are always having to balance transparency with accountability, sorting disclosable[4] data from data restricted due to employee privacy.
Very often, the records in one "bucket" also belong in another, which swaps the bucket analogy for your classic Venn Diagram.
The member's question puts us squarely in a Venn Diagram comprised of sets (buckets) of:
Because of the different definitions and regulations defining and restricting the information in the buckets, it is critical to know what data you're keeping. For instance, while employers are allowed to keep CONFIDENTIAL records related to employee health, COVID screening records are not supposed to contain such information—only the fact that a person was screened, and either made it through, or was denied access to the work site due to a screening factor.[5]
And with that....
How long should these records be kept? Two weeks? Two months? Forever?
Records showing that COVID screening and follow-up action[6] is being done as required, with no employee-specific information (like an employee's name coupled with their temperature, symptoms, or a positive diagnosis) included[7], is at the very least a compliance-related record, could be evidence in a lawsuit, and is (debatably) a municipal record. This means it could be used to show compliance (or lack thereof), to prove liability (or lack thereof), and/or may be subject to FOIL (more on that in a moment).
But despite all that overlap, I can find no clear legal requirement to retain screening data. The state's Executive Orders and guidance are silent on this, except for some areas where we can extrapolate retention (for instance, records kept for contact tracing must obviously be kept at least three weeks, since the whole point is timely notification within the window of exposure and possible illness).
Because I despise lawyering from a vacuum (I'd almost rather have bad guidance than no guidance) to see if any input could be gleaned from it, I took a long, hard look at the LGS-1[8], the "Local Government Schedule" of the New York Archives, which is the go-to text for questions related to municipal records retention.
Clocking in at over 400 pages, this document, which went into effect in August, 2020, lists just about every type of municipal record imaginable...except it doesn't list "Executive Order Compliance," or any other category I felt safe basing a reply to this question on.
With no clear bucket and no clear requirements, at this point, I have to answer that retention of proof of screening should be permanent.
And, not to complicate matters, but for municipal or school district public libraries, are these records, or portions thereof, subject to FOIL?
While I imagine most of the readers who have hung on this deep into this answer already know it, I will mention: "FOIL" is New York's "Freedom of Information Law," which requires government agencies to disclose most records[9] related to their operations.
It is well-known that an association library is not subject to FOIL; on the flip side, it is generally held that a public library, which is established by government and "belong[s] to the public" [Education Law, §253(2)] is subject to the Freedom of Information Law.
So, is the trove of information listed by the member subject to FOIL? It's highly likely.
Why?
This question by the member brings us full circle on our buckets. While employee health records are most certainly exempt from disclosure under FOIL[10], the impersonal operational records of a FOIL-able library that is simply ensuring screening is happening might not be.
Therefore, a library that knows it is subject to FOIL should be ready to asses if it has to disclose its safety plan compliance records upon request. However, in no event should such disclosure include employee names and related health information (disclosing a record with the name of the person or team in charge of monitoring compliance would be fine).
And there (complexities and all) you have it.
Thanks for a good records management-gymnastics-inducing question.
APPENDIX
From New York's "Interim COVID-19 Guidance for Curbside and In-Store Pickup Retail Business Activities"; record-generation triggers are highlighted in yellow.
A. Screening and Testing
• Responsible Parties must implement mandatory daily health screening practices.
o Screening practices may be performed remotely (e.g. by telephone or electronic survey), before the employee reports to the retail location, to the extent possible; or may be performed on site.
o Screening should be coordinated to prevent employees from intermingling in close contact with each other prior to completion of the screening.
o At a minimum, screening should be required of all workers and essential visitors (but not customers) and completed using a questionnaire that determines whether the worker or visitor has:
(a) knowingly been in close or proximate contact in the past 14 days with anyone who has tested positive for COVID-19 or who has or had symptoms of COVID-19,
(b) tested positive for COVID-19 in the past 14 days, or
(c) has experienced any symptoms of COVID-19 in the past 14 days.
• According to CDC guidance on “Symptoms of Coronavirus,” the term “symptomatic” includes employees who have the following symptoms or combinations of symptoms: fever, cough, shortness of breath, or at least two of the following symptoms: fever, chills, repeated shaking with chills, muscle pain, headache, sore throat, or new loss of taste or smell. Responsible Parties should require employees to immediately disclose if and when their responses to any of the aforementioned questions changes, such as if they begin to experience symptoms, including during or outside of work hours.
o If an employee has COVID-19 symptoms AND EITHER tests positive for COVID-19 OR did not receive a test, the employee may only return to work after completing a 14-day self-quarantine. If an employee is critical to the operation or safety of a facility, the Responsible Parties may consult their local health department and the most up-to-date CDC and DOH standards on the minimum number of days to quarantine before an employee is safely able to return to work with additional precautions to mitigate the risk of COVID-19 transmission.
o If an employee does NOT have COVID-19 symptoms BUT tests positive for COVID-19, the employee may only return to work after completing a 14-day self-quarantine. If an employee is critical to the operation or safety of a facility, the Responsible Parties may consult their local health department and the most up-to-date CDC and DOH standards on the minimum number of days to quarantine before an employee is safely able to return to work with additional precautions to mitigate the risk of COVID-19 transmission.
o If an employee has had close contact with a person with COVID-19 for a prolonged period of time AND is symptomatic, the employee should notify the Responsible Parties and follow the above protocol for a positive case.
o If an employee has had close contact with a person with COVID-19 for a prolonged period of time AND is NOT symptomatic, the employee should notify the Responsible Parties and adhere to the following practices prior to and during their work shift, which should be documented by the Responsible Parties:
o If an employee is symptomatic upon arrival at work or becomes sick during the day, the employee must be separated and sent home immediately, following the above protocol for a positive case.
B. Tracing and Tracking
[1] I spend a lot of time at this crossroads; so much so that If I ever find myself in line at the DMV next to a Hollywood agent, I have a pitch for a show: An archivist, a lawyer, an IT expert, a chemist, and a rogue town clerk, united by a traumatic loss of data, form an unlikely alliance to fight for justice, truth, and the use of acid-free paper. Called "For the Record", each episode would start with a Core Reveal (like a surveyor moving property line pins in the dark), while the rest of the episode would show the Team disentangling the plot. While “For the Record” would hinge on plot devices like hidden scrolls, encrypted data, and HVAC systems gone wild, what will really keep audiences coming back for more would of course be an elaborate, over-arching plot line involving the census, adoption records, and the complicated emotional lives of the protagonists. If any agent out there wants to take me up on this, I promise an epic, solid seven-season run.
And with that out of my system, I will answer the question.
[2] See "Ask the Lawyer" https://www.wnylrc.org/ask-the-lawyer/raqs/163 and https://www.wnylrc.org/ask-the-lawyer/raqs/144.
[3] Actually, I do know: the city employee. There is never enough money in a city budget to manage records properly.
[4] One of the primary ways such information is subject to disclosure is Article VI of the Public Officer's Law, or FOIL. There is a big FOIL fight going on right now over law enforcement disciplinary records, and my firm is in the thick of it.
[5] https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/offices-interim-guidance.pdf
[6] By "follow-up action," I mean the things an employer is required to do as a result of screening. If your library determines that it must follow the NYS requirements for retail, I have put those at the end of this answer, and highlighted in yellow the different COVID SCREENING RECORDS they will generate.
[7] Remember, anything specific to the employee (temperature, a positive diagnosis, disclosure of symptoms) are separate, confidential employee health records and should not be retained, or should be retained in confidence as required by ADA.
[8] Found at: http://www.archives.nysed.gov/common/archives/files/lgs1.pdf. WARNING! This is a rabbit hole. Have coffee and a protein bar on hand if you start reading it.
[9] There are, of course, a ton of exceptions, including health records of employees.
[10] FOIL §89(2)(b).
Tags: COVID-19, Personnel Records, Retention
The library is using NYS Archives and Civil Service references to set personnel and payroll files records retention and disposition.
A question arose regarding employee rights to request removal of materials from personnel records.
The committee’s question was specifically about removal of a negative matter after the minimum required retention time had elapsed.
In this instance there was no question about the accuracy of the record nor was there litigation involved or anticipated.
There are a lot of little details to address in considering this question, but first, there is one big principle I must emphasize. When it comes to records retention—and especially when it comes to employee-related records—nothing should be discretionary.
In other words, if an employer wants to create a process where every corrective action plan,[1] performance evaluation, employment-related investigation, or incident report is removed after its minimum retention period has elapsed, that is fine. However, unless it is a benefit that has been carefully negotiated and confirmed in a contract,[2] there should be no process for an employee to initiate optional removal of materials, and by no means should that process require the employer to make a “yes” or “no” decision.
The moment personnel records that could be interpreted as “negative” become subject to an employee-initiated, optional procedure, the employer, simply by having such a procedure, has: 1) admitted that possibility that the materials could have a negative impact on the employee; 2) created a system where such material could be retained inadvertently; and 3) set up a scenario where such a request could accidentally or deliberately be denied or perceived as somehow subject for debate, potentially triggering the possibility of a complaint, litigation, or a damage claim.[3]
Unless retention is being considered for historic/archival purposes, record retention or destruction should never be discretionary (and of course, the decision to retain certain records for historic/archival purposes should be based on objective criteria). The best approach for management of employee performance-related records is simply that they be retained as required, or be purged when no longer needed, based purely on the category (not the substance) of the records’ content.[4]
So, my answer to this question is: there should be no process for an employee to request optional removal of negative materials from a personnel file. Rather, the removal of material from personnel files should only happen per uniformly and routinely applied policy.[5] If a negative review or incident report has served its purpose and is no longer needed,[6] it may be removed as part of the routine purging policy and process. If it is still needed, it should be retained. There should be no middle ground; it creates risk. If your library is part of a collective bargaining agreement or uses contracts that include this approach, employees should all be notified and trained on how to exercise these rights.
Thank you for an insightful question.
[1] Just in case you are new to the Human Resources world, a “corrective action plan” is a time-limited plan with a clearly articulated goal and measurable steps to address a performance concern. Here is an example of a properly formulated Corrective Action Plan, taken from my domestic life: “To ensure optimal vegetable growth and family cohesion, for the next eight weeks, every family member will spend no less than ten minutes weeding per day. To enable verification, family members will place uprooted weeds on the Stick Pile.” Now, here is an improperly formulated version: “If you Ingrates don’t help me in the garden today, I will put a dead thistle by your pillow tonight.” Both techniques can, of course, yield results, but only one wins the “Happiest Workplace” award.
[2] Of course, a collective bargaining agreement could create the right to request removal of accurate information from a personnel file. Again, however, because such a discretionary approach might not be exercised or even known by all employees, I don't see this as a fair or helpful clause (to either employees, or the employer). A better option would be a simple records purge, or a purge tied to an objective performance metric (“after three years of ‘satisfactory’ reviews, this Corrective Action Plan will be removed from the employee’s record”).
[3] These are all the “little details” I mention in the opening sentence, but as you can see, they aren’t so little.
[4] With all due consideration of privacy.
[5] This could include, by the way, a Corrective Action Plan process with a “self-destruct” measure for the guts of the “negative” issue. In other words, the CAP policy itself could say “Upon satisfactory completion of a Corrective Action Plan, after # years, the only record retained will be the summary note confirming successful completion of a Plan of Improvement.” But again, this should be per a uniformly applied policy, not a discretionary request.
[6] By “needed,” I mean, among other things, that proof of the remedial action taken by the employer is no longer required to protect the employer. While many policies base this on statutes of limitations, most only start the clock after the employee’s period of employment is over, and that, in my view, is generally the most prudent choice.
Tags: Employee Rights, Management, Policy, Retention, Personnel Records
