Getting started with Custom Fields and Notes: Best practices and compliance pitfalls to avoid
Custom fields and notes are an easy way to supplement Member Profiles and capture helpful information on a member-by-member basis. However, even with the best intentions, seemingly harmless data can expose a company to legal and compliance risks. While custom field and note categories can be light and fun (birthday cake preferences anyone?), employee data and privacy should be taken seriously.
We’ve created some guidelines to get you started. But first, a little background.
What are employment records?
Every single piece of a company’s data pertaining to its employees, from salary to state of residence, constitutes an employment record. Companies generally maintain at least three or four distinct categories of employment records in order to appropriately manage the viewing and editing permissions for different types of information.
We’ve outlined below a few of the most common types, their appropriateness for the custom fields and notes feature, and what permissions you should create in order to manage the information safely and effectively.
What custom fields and notes should be used for:
We recommend using custom fields and notes to track information that enhances the employee experience and makes your life easier. This could include information that pertains to your physical office and company culture, or details that track employees’ career development and performance at your company. Keep in mind that custom field and note information is for admins’ internal reference only and is not used by Justworks in providing services, such as payroll, to your company.
Office management details
- Desk number
- Employee ID
- T-shirt size
- Birthday cake preferences
- Employee’s dog approved for the office?
Justworks admins and office managers should be able to freely view and update this information.
Personnel details and documents
- Recruiting information (e.g., education) and documents, including applications, resumes, and education transcripts
- Job descriptions
- Employee career journey, including job offers, promotions, salary grade/level, and transfers
- Warnings, counseling, or other disciplinary actions
- Performance reviews and goal-setting documents
- Termination records
Who should have access?
HR Managers (for all employees), recruiters (for their employee groups), and managers (for their reports only).
What custom fields and notes should not be used for:
Medical and confidential information should not be stored in the Justworks platform. For example, it would be illegal to share HIPAA-protected health information with Justworks, and logging such information in custom fields or notes is effectively doing so. For other types of sensitive, non-medical information, permissions management is just too crucial for you to house it in any cloud-based platform with multiple admins.
Payroll information that Justworks would need to process your payroll and related payroll taxes shouldn’t be logged in custom fields or notes because (a) many of these records contain Social Security Numbers, and (b) there’s a more appropriate place to store that information that ties directly into Justworks’ functionality. These records should be used to update information in-app, or sent to Justworks in order for us to correctly process your payroll and related payroll taxes.
And, of course, non-factual information or commentary is not appropriate for custom fields and notes.
Medical / confidential information includes data such as:
- Social Security Numbers
- Medical records, including doctor’s notes
- Disclosed disabilities
- Reasonable accommodations granted related to a disability
- Disability claim history and documentation
- Information that would run afoul of anti-discrimination laws
- Parental, FMLA, or other leave history and documentation
- Drug test results
- Background checks
- I-9 files and employment verification documentation
- Investigative materials surrounding harassment, discrimination, or retaliation claims
- Litigation notes/documents
*Allergies, really? As surprising as it might seem, yes. While they are an important safety concern, allergy information - like all medical information - is protected under HIPAA. Only your most senior HR staff, or an individual taking on these responsibilities, should have access to these sensitive details.
Non-factual information or commentary
Lastly, you also want to be sure that all records you keep are factual. As such, the following should be excluded from all employment records, including the custom fields and notes feature in Justworks:
- Staff opinions
- Unfounded rumors
- Allegations not pursued, investigated, and concluded
- Observed physical characteristics
- Notes on actual performance which are informal or incomplete
- Any other non-factual information or commentary
Still not sure? A good test is to ask yourself, “If this piece of information were accidentally made public, would it be a good idea to call my lawyer?” If the answer is “yes,” store the information elsewhere.