Records Retention Schedules [w/ Best Practices]

  • Email Archiving
  • Laws and Regulations
  • Retention Policy
  • Records Retention Schedules [w/ Best Practices]

    Bank statements, insurance documents, contracts, permits and licenses, personnel files and more — there’s a seemingly endless stream of important records organizations need to keep track of. Many of these documents need to be retained for specific periods of time, either for legal, compliance or just business purposes, which is why it’s imperative that organizations create records retention schedules. This article will help you define your own records retention schedule, with special attention to records retention laws by state.

    What Is a Records Retention Schedule?

    A records retention schedule, or simply a retention schedule, is a policy that explains how long an organization needs to hold onto certain documents. Although legislative and regulatory compliance are the primary drivers behind organizations creating and implementing records retention schedules, they can also support information management initiatives and help businesses stay organized.

    It’s also important to note that records retention schedules exist not just for paper-based records, but electronic records, including emails, text messages, social media posts and direct messages and more.

    How Long Are Organizations Required to Retain Records?

    There’s really no one rule when it comes to creating records retention schedules. How long you’re required to retain records depends on a few different factors, including:

    • What industry your organization operates in
    • Where your organization is based
    • What types of records you have on file
    • What your business needs are

    Let’s discuss each of these factors individually.

    What Industry Your Organization Operates in

    Certain industries are subject to regulation, and certain regulations come with specific records retention requirements. For example, in the financial services industry, the Securities and Exchange Commission (SEC) Rule 17a-4 requires broker-dealers to retain and index electronic correspondences, including email, with immediate access for a period of two years and with non-immediate access for at least six years.

    Firms that fail to comply with SEC Rule 17a-4 are subject to investigation and penalization by the Financial Industry Regulatory Authority (more commonly known as FINRA). We’ll talk about other industry-specific regulations a little later in this article.

    Where Your Organization Is Based

    As any realtor would say, it’s all about “location, location, location.” This is as true for records retention as it is for real estate. Where your organization is based has a direct impact on how long you’re required to retain documents because different countries (and even states) have their own specific requirements.

    For example, under Japanese tax law, businesses are required to retain accounting records for up to seven years; the Australian government requires businesses to keep most records for a period of five years; and under Denmark’s Danish Companies Act, organizations are required to retain company documents for no less than five years.

    Where your clients are based matters, too. The General Data Protection Regulation (GDPR), which is designed to protect the privacy of citizens of the European Union (EU) and the greater European Economic Area (EEA), is perhaps the most well-known example of this.

    Although GDPR does not stipulate specific retention periods, it does require any organization that processes the personal data of EU and EEA citizens — known as “data subjects” — to hold onto that information for “no longer than is necessary.” GDPR also requires organizations to clearly outline and communicate how long they intend to retain data subjects’ information, which makes defining a records retention schedule an absolute must.

    What Types of Records You Have on File

    Certain records, such as tax documents (and supporting documents), employment records, sales receipts, expense reports and insurance policies, take precedence over others when it comes to records retention. You may not need to retain a company-wide email announcing the date of your annual holiday party, but you definitely need to retain any emails pertaining to your legal, financial or human resources departments.

    In some cases, these high-priority records come with their own set of retention requirements. For example, the Internal Revenue Service requires organizations to retain employment tax records for a minimum of four years; the Occupational Health and Safety Administration requires businesses to retain records on workplace injuries for five years; and the Equal Employment Opportunity Commission requires employers to retain all personnel or employment records for one year.

    What Your Business Needs Are

    Last, but certainly not least, your business needs will dictate how long you hold onto certain documents. From client communications to project-specific documentation and deliverables, there’s a wide variety of records you’ll want to create custom retention schedules for.

    Records Retention Regulations

    In addition to SEC Rule 17a-4 and GDPR, some of the most important regulations with general or specific records retention schedule requirements include:

    • Sarbanes-Oxley (SOX) Act: Passed into U.S. federal law in 2002, SOX created financial record keeping and reporting requirements for corporations to protect investors from fraudulent activity. Those requirements include a five-year retention period for customer invoices, a seven-year retention period for tax returns and receivable or payable ledgers and an indefinite retention period for payroll records and bank statements.
    • Gramm-Leach-Bliley Act (GLBA): GLBA, which became law in 1999, requires financial institutions to be transparent with consumers about their information-sharing practices and to make an additional effort to secure consumer data. Although GLBA does not stipulate a specific retention period, the general rule of thumb is to retain all financial records for a period of seven years.
    • Health Information Portability and Accountability Act (HIPAA): Although HIPAA — the regulation designed to protect patients’ private data against fraud and theft — does not set specific retention periods of medical records, it does specify how long healthcare organizations must retain HIPAA-related documents. According to CFR § 164.316, healthcare organizations (known as “Covered Entities”) are required to retain HIPAA compliance documentation for a minimum of six years from when it was created or, in the event of a policy, from when it was last in effect.
    • Family Educational Rights and Privacy Act (FERPA): FERPA is a data security regulation that applies specifically to educational institutions and agencies. FERPA does not specify retention periods. However, it does require schools to produce and present a student’s educational records to their parent or legal guardian upon request, which means academic institutions would do well to retain these records for at least a few years after a student has graduated or is no longer enrolled.
    • Freedom of Information Act (FOIA): Similar to FERPA and GLBA, FOIA — which gives members of the public the right to request records from federal agencies — does not have any hard-and-fast records retention requirements. With that said, FOIA does require federal agencies to establish records management programs and “identify records that should be preserved.” As a result, any federal agency’s record management program should include records retention schedules for different paper and electronic documents.

    Records Retention Laws by State

    For organizations that are based and operate in the U.S., which state you’re located in will have a direct impact on any records retention schedules you create. The reason for this is that many states have records retention requirements, which are legally enforced.

    Here are state-by-state records retention laws:

    • Alabama

    State Records Disposition Authorities

    • Alaska

    Records & Information Management Services

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Arizona

    Document Retention Schedules

    Records Management FAQs 

    Employer Recordkeeping Laws

    • Arkansas

    Department of Finance and Administration Records Retention Schedule

    Records Management FAQs

    Electronic Records Management

    Employer Recordkeeping Laws

    • California

    State Records Management Act

    Records Management and Appraisal Program

    Records Management Handbook

    Personnel Files and Records

    • Colorado

    Records Management FAQs

    Employer Recordkeeping Laws

    • Connecticut

    Records Retention Schedule (Municipalities)

    Records Retention Schedule (State Agencies)

    Employer Recordkeeping Laws

    • Delaware

    Records Retention Schedules (Agency Specific)

    Records Retention Schedules (General)

    Employer Recordkeeping Laws

    • Florida

    Records Management FAQs

    Document Retention Schedules

    Employer Recordkeeping Laws

    • Georgia

    Records Management Requirements

    Records Retention Schedules (Municipalities)

    Records Retention Schedules (State Agencies)

    Employer Recordkeeping Laws

    • Hawaii

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Idaho

    Records Retention Schedules

    Records Management Guide

    • Illinois

    Records Management Guide

    Employer Recordkeeping Laws

    • Indiana

    Records Management Guide

    Records Retention Schedules

    • Iowa

    Records Management Guide & Schedule

    Employer Recordkeeping Laws

    • Kansas

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Kentucky

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Louisiana

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Maine

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Maryland

    Records Retention Schedule

    Records Management Guidance

    Employer Recordkeeping Laws

    • Massachusetts

    Records Retention Schedule

    Employer Recordkeeping Laws

    • Michigan

    Records Retention Schedules

    Payroll Records Requirement

    • Minnesota

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Mississippi

    Records Retention Schedules (Municipalities)

    Employer Recordkeeping Laws

    • Missouri

    Department of Records Management

    Records Retention Schedules (Municipalities)

    • Montana

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Nebraska

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Nevada

    Records Retention Schedules

    Employer Recordkeeping Laws

    • New Hampshire

    Division of Archives and Records Management

    Records Retention Schedules (Municipalities)

    Employer Recordkeeping Laws

    • New Jersey

    Records Retention Schedules

    Employer Recordkeeping Laws

    • New Mexico

    Records Retention Schedules

    Employer Recordkeeping Laws

    • New York

    Records Retention Schedules

    Employer Recordkeeping Laws

    • North Carolina

    Records Retention Schedules (Municipalities)

    Employer Recordkeeping Laws

    • North Dakota

    Records Retention Schedules

    • Ohio

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Oklahoma

    Records Disposition

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Oregon

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Pennsylvania

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Rhode Island

    Records Management Guide

    Records Retention Schedules

    Employer Recordkeeping Laws

    • South Carolina

    Records Retention Schedules

    Employer Recordkeeping Laws

    • South Dakota

    Records Management

    Employer Recordkeeping Laws

    • Tennessee

    Records Retention

    Employer Recordkeeping Laws

    • Texas

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Utah

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Vermont

    Records Retention Schedules

    General Record Schedules 

    Employer Recordkeeping Laws

    • Virginia

    Records Retention Schedules

    Employer Recordkeeping Laws

    • Washington

    Records Retention Schedules (Municipalities)

    Records Retention Schedules (State Agencies)

    Employer Recordkeeping Laws

    • West Virginia

    Records Retention Schedules (County)

    Employer Recordkeeping Laws

    • Wisconsin

    Statewide General Records Schedules

    Employer Recordkeeping Laws

    • Wyoming

    Records Retention Schedules

    Employer Recordkeeping Laws

     Additional Reading: Understanding California’s Consumer Privacy Act >>

    Best Practices for Defining Records Retention Schedules

    Ready to create your very own records retention schedule? First thing’s first: We recommend downloading our free data retention policy plan template, which can serve as a blueprint for your own records retention schedule.

    Then, once you’re ready, follow these best practices:

    • Understand your requirements. With the help of your legal team, familiarize yourself with your organization’s legal and regulatory obligations and how they might influence your records retention schedule. You’ll also want to take stock of your business’ needs with help from key stakeholders across various departments, including human resources, finance, sales, marketing and IT.
    • Optimize for simplicity. Your records retention schedules don’t need to be overly complicated and full of legal jargon. In order to ensure that your employees understand and adhere to records retention schedules, it’s important that you use simple, easy-to-understand language when drafting policies and procedures.
    • Make sure your bases are completely covered. Your records retention schedule should not only explain how long to hold onto various documents, but also detail how and where they should be stored, how they should be disposed of when the time comes and who is responsible for enforcing the schedule.
    • Don’t take a “one-size-fits-all” approach. Trying to create one, overarching records retention schedule will only increase your risk of noncompliance. You’ll likely find that, in order to meet various internal and external requirements, you need to create multiple records retention schedules.
    • Invest in an archiving solution. Archiving solutions are especially useful for electronic communications and files because they can automatically capture data and securely store it within a centralized repository. Certain archiving solutions even enable you to define custom records retention schedules and automate the retention process, saving you and your employees time and effort.
    • Back up your data. From systems failures to power outages, disasters can and do happen, and they can cause you to lose access to business-critical information. Investing in a solution that routinely backs up your data is integral to any records management strategy and can reduce your risk of noncompliance.

    For more information on how archiving can support records retention, contact the team at Intradyn today.

    Azam is the president, chief technology officer and co-founder of Intradyn. He oversees global sales and marketing, new business development and is responsible for leading all aspects of the company’s product vision and technology department.

    Build Strong Retention Policies That Keep Your Data Safe
    Get started with our data retention policy template.
    Send me the Data Retention Policy Plan