Document Retention & Records Policy
Document Number: 04
Version: 1.0
Effective Date: [DATE]
Last Reviewed: [DATE]
Approved By: [BOARD/EXECUTIVE BODY]
1. Purpose and Scope
1.1 Purpose
This Document Retention & Records Policy establishes consistent guidelines for the creation, retention, storage, and destruction of organizational records for [ORGANIZATION NAME] (“Organization”). This policy ensures compliance with legal and regulatory requirements, supports operational efficiency, and protects the Organization from liability associated with improper records management.
1.2 Scope
This policy applies to:
- All Personnel: Board members, officers, employees, volunteers, contractors, and agents
- All Records: Regardless of format (paper, electronic, audio, video, photographic)
- All Locations: Physical offices, remote work environments, cloud storage, and third-party services
- All Activities: Past, present, and future organizational operations
2. Records Classification and Retention Requirements
2.1 Permanent Retention (Indefinite)
The following records must be retained permanently:
| Record Category | Examples |
|---|---|
| Corporate Governance | Articles of Incorporation, Bylaws, amendments, corporate resolutions |
| Board Records | Meeting minutes, official correspondence, consent resolutions |
| Tax Status | IRS determination letters, tax-exemption applications, Form 1023/1024 |
| Major Contracts | Real estate purchases, perpetual license agreements, endowment documents |
| Intellectual Property | Trademark registrations, patent filings, original copyright registrations |
| Strategic Documents | Mission/vision statements, strategic plans, major policy decisions |
Storage: Fireproof safe or secure offsite facility with climate control. Digital copies in redundant, encrypted cloud storage with geographic distribution.
2.2 Financial Records (7 Years)
The following financial records must be retained for seven (7) years:
| Record Category | Examples |
|---|---|
| General Ledger | Chart of accounts, journal entries, general ledgers |
| Banking | Bank statements, canceled checks, deposit slips, reconciliation reports |
| Tax Returns | Federal, state, and local tax returns with all supporting schedules |
| Payroll | Payroll registers, W-2s, W-4s, 1099s, payroll tax returns |
| Donor Records | Contribution receipts, donor acknowledgment letters, pledge records |
| Expenses | Accounts payable, vendor invoices, expense reports, credit card statements |
| Grants | Grant applications, award letters, financial reports, audit reports |
| Audits | Independent audit reports, management letters, working papers (7 years from audit date) |
Storage: Secure filing system with limited access. Digital records encrypted with role-based access controls.
2.3 Operational Records (3-7 Years)
| Record Category | Retention Period | Examples |
|---|---|---|
| Personnel Files | 7 years post-termination | Applications, performance reviews, disciplinary actions, benefits records |
| Insurance Policies | 7 years post-expiration | Policies, claims, correspondence with insurers |
| Contracts | 7 years post-termination | Service agreements, vendor contracts, consulting agreements |
| Project Files | 3-5 years post-completion | Project plans, deliverables, client correspondence |
| Email Communications | 3 years* | General business correspondence, operational communications |
| Website Content | 3 years | Published content, version history, analytics reports |
*Exception: Emails related to litigation, regulatory matters, or permanent retention categories must be retained according to those categories.
2.4 Short-Term Retention (1-3 Years)
| Record Category | Retention Period | Examples |
|---|---|---|
| Routine Correspondence | 1 year | Internal memos, non-substantive communications |
| Draft Documents | Until finalization | Drafts of policies, reports, presentations |
| Travel & Expense | 3 years | Travel itineraries, per diem records |
| Routine Procurement | 3 years | Purchase orders, receiving documents, routine invoices |
2.5 Immediate Destruction (Upon Processing)
The following may be destroyed immediately after processing:
- Junk mail and spam
- Duplicate copies (unless serving a specific purpose)
- Transitory communications (meeting scheduling, lunch orders)
- Superseded drafts with no historical value
- Convenience copies of official records
3. Electronic Records Management
3.1 Electronic Storage Standards
Cloud Storage Requirements:
- Use Organization-approved cloud providers only: [PROVIDER NAMES]
- Minimum encryption: AES-256 at rest, TLS 1.3 in transit
- Geographic redundancy: Data replicated across minimum [NUMBER] regions
- Access logging enabled for all repositories
- Version history maintained for [DURATION]
Prohibited Storage:
- Personal cloud accounts (Dropbox personal, Google Drive personal, etc.)
- Unencrypted removable media (USB drives, external hard drives)
- Personal email accounts for Organization business
- Public file-sharing services without password protection and expiration dates
3.2 Backup Procedures
| System | Backup Frequency | Retention Period | Location |
|---|---|---|---|
| Financial System | Daily (incremental), Weekly (full) | 7 years | Cloud + offsite physical |
| Email System | Continuous | 7 years | Cloud with eDiscovery capabilities |
| Document Repository | Real-time sync | Per classification | Cloud with geographic redundancy |
| Website/Database | Daily | 90 days rolling | Cloud with point-in-time recovery |
3.3 Email Retention
Automatic Archival:
- All emails retained in searchable archive for 3 years
- Litigation hold suspends automatic deletion
- Users may not manually delete emails subject to hold
Mailbox Management:
- Active mailbox size limit: [SIZE] per user
- Auto-archival to compliant storage after [TIME PERIOD]
- Personal folders must sync to approved cloud storage
4. Records Destruction Procedures
4.1 Destruction Authorization
No records may be destroyed without proper authorization:
- Department Head Review: Identifies records eligible for destruction
- Legal/Compliance Review: Confirms no litigation holds or regulatory requirements
- Approval: [DESIGNATED OFFICIAL] authorizes destruction
- Execution: Approved destruction method applied
- Certificate of Destruction: Documentation maintained per retention schedule
4.2 Destruction Methods
| Record Type | Approved Methods | Requirements |
|---|---|---|
| Paper - Confidential | Cross-cut shredding (minimum DIN P-4) or secure pulping | Witnessed destruction for bulk quantities |
| Paper - Non-confidential | Strip shredding or recycling bin | Standard office disposal |
| Hard Drives/SSDs | Physical destruction (shredding/degaussing) or NIST 800-88 compliant wiping | Certificate of destruction required |
| Optical Media | Physical destruction (shredding/incineration) | Complete data layer destruction |
| Mobile Devices | Factory reset + data overwrite + physical destruction | Certificate required |
| Cloud Data | Secure deletion with cryptographic erasure | Verification of non-recoverability |
4.3 Destruction Schedule
Quarterly Review:
- Records eligible for destruction identified
- Hold verification conducted
- Destruction batch approved
Annual Certification:
- Complete inventory of destroyed records
- Certificates of destruction filed
- Policy compliance attestation to Board
5. Litigation Hold Procedures
5.1 Triggering Events
A litigation hold (“legal hold”) must be implemented upon:
- Receipt of subpoena, discovery request, or other legal process
- Threatened or pending litigation (internal or external)
- Regulatory investigation or audit notice
- Internal investigation where records may be relevant
- Reasonable anticipation of legal action
5.2 Hold Implementation
Step 1: Notice (Within 24 Hours)
- [DESIGNATED LEGAL COUNSEL] issues litigation hold notice
- Notice distributed to all relevant personnel
- IT/Systems Administrator implements technical holds
Step 2: Identification
- Identify all custodians with potentially relevant records
- Map all relevant systems, devices, and storage locations
- Document scope of relevant time period and subject matter
Step 3: Preservation
- Suspend automatic deletion protocols
- Preserve records in native format with metadata
- Create forensic images when necessary
- Prevent custodian self-collection
Step 4: Monitoring
- Quarterly reminders to custodians
- Updated notices as litigation scope changes
- New employee onboarding to hold obligations
5.3 Hold Release
- Hold released only upon written authorization from [DESIGNATED LEGAL COUNSEL]
- Release documented with date, scope, and authorization
- Normal retention resumes for non-hold records
- Hold-related records retained per litigation outcome
5.4 Hold Documentation
Maintain for duration of litigation plus 7 years:
- Original hold notice and all updates
- Custodian acknowledgment receipts
- Hold compliance certifications
- Records produced in litigation
6. Roles and Responsibilities
6.1 Board of Directors
- Approve Document Retention & Records Policy
- Review annual compliance reports
- Authorize exceptions in extraordinary circumstances
6.2 Executive Director / CEO
- Overall accountability for policy implementation
- Appoint Records Management Officer
- Approve destruction of significant record categories
6.3 Records Management Officer
Designated Officer: [NAME/TITLE]
- Day-to-day administration of retention program
- Develop and maintain retention schedules
- Coordinate litigation hold implementation
- Conduct training and awareness programs
- Maintain certificates of destruction
6.4 Department Heads
- Implement department-specific retention procedures
- Identify records eligible for destruction
- Ensure staff compliance with retention requirements
- Report suspected violations
6.5 All Personnel
- Comply with all retention and destruction requirements
- Maintain records in approved systems only
- Report litigation triggers immediately
- Complete required training
6.6 IT / Systems Administrator
- Implement technical controls for retention
- Execute secure deletion procedures
- Maintain backup and archival systems
- Support litigation hold technical requirements
7. Privacy and Confidentiality
7.1 Confidential Records
Records containing the following require enhanced handling:
- Personally identifiable information (PII)
- Protected health information (PHI)
- Financial account numbers
- Social Security Numbers
- Donor financial information
- Personnel medical information
- Attorney-client privileged communications
7.2 Handling Requirements
Access Control:
- Role-based access on need-to-know basis
- Multi-factor authentication for sensitive repositories
- Access logging and quarterly review
Transmission:
- Encryption required for all external transmission
- Secure file transfer for files exceeding [SIZE]
- Password-protected documents with separate password delivery
Disposal:
- Immediate shredding for paper documents
- Cryptographic erasure for electronic files
- Certificate of destruction for bulk disposal
8. Compliance and Monitoring
8.1 Training Requirements
| Audience | Training | Frequency |
|---|---|---|
| All Staff | General records awareness | Annually |
| Managers | Retention requirements + litigation hold | Annually |
| IT Staff | Technical implementation | Annually |
| New Hires | Policy overview | Within 30 days |
8.2 Audit and Review
Annual Internal Audit:
- Random sample of record categories
- Compliance with retention schedules
- Secure destruction verification
- Litigation hold compliance
Policy Review:
- Full policy review every [NUMBER] years
- Ad hoc updates for legal/regulatory changes
- Board approval for material amendments
8.3 Violations and Remedies
Policy Violations:
- Failure to follow retention schedules
- Unauthorized destruction of records
- Storage in non-approved systems
- Failure to report litigation triggers
Consequences:
- First occurrence: Remedial training
- Repeated occurrences: Disciplinary action up to and including termination
- Legal violations: Referral to legal counsel
9. Implementation Notes
9.1 Immediate Actions (0-30 Days)
- Designate Records Management Officer
- Inventory existing record categories
- Identify and contract with secure destruction vendor
- Implement litigation hold notification procedures
- Deploy records management training for all staff
9.2 Short-Term Actions (30-90 Days)
- Audit current storage systems for compliance
- Migrate non-compliant records to approved systems
- Establish backup verification procedures
- Create department-specific retention guides
- Implement access control reviews
9.3 Ongoing Actions
- Quarterly destruction batch processing
- Annual policy training refresh
- Annual compliance audit
- Regular review of retention schedules against legal requirements
9.4 Template Forms
The following supporting documents should be developed:
- Records Destruction Request Form
- Certificate of Destruction Template
- Litigation Hold Notice Template
- Hold Release Authorization Form
- Quarterly Compliance Report Template
10. Policy Exceptions
Exceptions to this policy require:
- Written request with business justification
- Legal counsel review and approval
- [DESIGNATED EXECUTIVE] authorization
- Documentation of exception and duration
- Annual review of ongoing exceptions
No exceptions may circumvent legal or regulatory retention requirements.
Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [AUTHOR] | Initial policy |
Acknowledgment
I have received, read, and understood the Document Retention & Records Policy. I agree to comply with its requirements and understand that violations may result in disciplinary action.
Employee Name: _________
Signature: _________
Date: _________