Document Retention Policy Guide

A well-defined document retention policy improves efficiency and security. By establishing how physical and digital data are managed, it is easier to access and protect them.  

A document retention policy that sets forth protocols for record destruction can also provide coverage in the event of an audit or investigation, because the action was taken based on the organization’s established protocols.

What is a Document Retention Policy?

A document retention policy is also referred to as a records retention policy, records and information management policy, recordkeeping policy, or records maintenance policy. It codifies an organization’s expectations for how its data is handled, from creation to destruction. 

Document retention policies can be stand-alone documents or integrated into employee handbooks. A document retention policy should be comprised of standardized best practices, as well as applicable industry and government rules.

Among other reasons, organizations retain data to:

• Maintain financial records
• Adhere to regulatory requirements
• Keep documents accessible for legal needs

The system created with a document retention policy can be used to automate what happens throughout a document’s lifecycle, including copying, sending on a specific day or at a particular time, moving to a new location (e.g., folder, system, directory, site), and deleting. In addition to automating processes related to document retention, an established best practice is to remind your users to take particular actions via pop-up notices. 

Why a Documentation Policy is Needed

A document retention policy provides a framework and protocols to direct the management of information throughout the data lifecycle to meet regulatory requirements and improve operational efficiency.

Questions that a document retention policy addresses include:

• What data needs to be saved?
• What format should it be kept in?
• How long it should be stored?
• When it is no longer in use, should it be archived or destroyed?
• Who can make the ultimate decision to destroy data?
• How is the document retention policy enforced?

Benefits of a Document Retention Policy

• Quickly locate documents.
• Serve as a safety measure in audits or litigation.
• Improve the organization of documents.
• Destroy sensitive data that is no longer needed.
• Eliminate clutter by destroying or archiving unused documents.
• Avoid errors caused by using out-of-date documents.

The Document Retention Policy and Legal Readiness

If an organization finds itself snared in legal action, a document retention policy can help:

• Offer a defense for any documents that have been legitimately destroyed.
• Build an audit trail of a document’s lifecycle.
• Determine if a document is still available and, if so, can be located.

Address Compliance Requirements with a Document Retention Policy

Many laws and regulations have directives related to document retention. These include:

• Tax audit protocols from the Internal Revenue Service (IRS)
• Employment laws, such as the Fair Labor Standards Act (FLSA)
• Patient privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA)
• Employee record management directed by the Employee Retirement Income Security Act (ERISA)
• Mandates set forth by the Occupational Safety and Health Administration (OSHA)

These are just a few of the federal laws related to document retention policies. In addition, organizations can use document retention policies to adhere to city, county, and state requirements.

How to Create a Document Retention Policy

Whether starting from scratch or updating an existing document retention policy, taking time to review the components will provide helpful ideas and insights. Following are key elements in the data lifecycle that inform how the policy should be created or updated. It includes a review of the key lifecycle categories to consider as well as suggestions for how to best prepare for, develop, and implement a document retention policy. 

• Create a document retention policy team with a designated leader:
  • Assign someone to be directly responsible for the document retention policy project.
  • Give the team appropriate resources and executive support.
  • Include people from different departments with mandatory representation from IT and legal.
• Define the document retention policy project scope:
  • Assess and prioritize needs.
  • Establish a top-level timeline and detailed project schedule for the team.
  • Consider rolling out data compliance policies by the following categories:
    • must-keep-or-risk-noncompliance data
    • industry-standard-to-keep data
    • mission-critical data
    • business-critical data
    • data that requires additional assessment
    • need-it-but-not-often data
• Inventory the electronic and physical documents that are produced:
  • List the items found during the inventory in the document retention policy statement.
  • Append a retention schedule based on data type—electronically stored information (ESI) and paper documents, as well as other physical items, such as hard drives.
  • Identify who is currently responsible for the records.
  • Assess whether this responsibility should be centralized.
  • Assign ownership.
• Identify regulations that are pertinent to the document retention policy:
  • List corporate, industry, and government regulations that apply to the organization.
  • Define which types of documents are subject to the regulations.
  • Include the types of retention policies that apply to those documents.
  • Determine if the state in which the organization operates has a Uniform Preservation of Private Business Records Act (see the State of Illinois’ example below).

Unless express provision is made by law for the period during which they must be preserved or for the condition upon which they may be destroyed, business records which persons by the laws of this state are required to keep or preserve may be destroyed after the expiration of three years from the making of such records without constituting an offense under such laws.

Illinois Uniform Preservation of Private Business Records Act

• Detail instructions on storing, retaining, and preserving data:
  • Document how documents will be organized, stored, retained, and backed up.
  • Describe the protocols for storage, retention, and backup.
  • Determine the categories and types of documents, especially confidential or sensitive.
  • Define measures to protect retained sensitive information.
• Establish procedures for removing stale data:
  • Specify how to determine if data should be archived or destroyed.
  • Set guidelines for destroying expired or useless data.
  • Define policies for suspension of the retention policy in the event of impending legal action.
• Disseminate the document retention policy and train employees:
  • Introduce the policy to employees.
  • Communicate the document retention processes and the role of employees in supporting it.
  • Develop training that consistently and systematically explains the policy.
  • Explain plans to handle exceptions—e.g., special requests, legal holds.
  • Review the document retention policy periodically with staff and management.
• Review and refresh the document retention policy periodically:
  • Update the policy as needed.
  • Communicate changes to employees and management.
  • Remember that a document retention policy is a living document.
  • Review regulations for changes on a regular basis.

Creating a Document Retention Policy for a Non-Profit

In 2002, not-for-profit entities were inadvertently swept up in legislation intended to reduce corporate fraud incidents—the Sarbanes-Oxley Act (SOX). A clause requires all organizations to retain crucial organizational documents—from bank and tax statements to meeting minutes and payroll records. A document retention policy helps non-profit organizations comply with rigorous SOX requirements.

Although SOX does not specify particular document retention schedules, it is recommended that non-profit organizations follow the same best practices set forth by for-profit organizations.

Document Retention Policy Guidelines

There is no single right way to manage document retention. Requirements vary based on several factors, including the size of the organization, the industry, the location, and types of data processed. Best practices include: 

• Be aware of and understand all applicable regulations.
• Optimize document retention policies to streamline business-critical processes and promote efficiency.
• Engage all organizations in document retention policy execution.
• Keep document retention policies simple.
• Create different policies for different data types.
• Maintain transparency to keep all stakeholders informed about what information is being retained.
• Back up data consistently.
• Do not retain data longer than necessary.

Documents to Retain Permanently

• Articles of incorporation
• Audit reports
• Bylaws
• Chart of accounts
• Check copies for important payments and purchases
• Correspondence, legal, and important matters
• Deeds, mortgages, and bills of sale
• Depreciation schedules
• Employee discrimination reports
• Financial statements (year-end)
• Insurance records, accident reports, and claims
• Key Board of Directors communications
• Legal filings
• Mission statements and strategic plans
• Meeting minutes
• Property records, appraisals, and blueprints
• Records of paid mortgages
• Retirement and pension plans
• Tax returns and worksheets
• Training manuals

Implementing a Document Retention Policy

After creating a document retention policy program, implementation is critical to achieving results.

• Make sure employees know how data should be handled.
• Use systems to store and facilitate access to stored documents.
• Ensure consistency in records and information management practices

Create Compliance and Operational Efficiencies

In addition to creating and maintaining a documentation policy, organizations should have specific protocols that enable appropriate data reduction and elimination. Setting minimum retention periods reduces the risk of unauthorized or unwanted access to data.

A document retention policy can be challenging to develop and manage. Many factors impact these policies, including changes to regulations, organizational innovations, and employees’ transitions in and out of the company. However, a document retention policy is essential for any organization.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Last Updated: 15th July, 2021