Record Retention Policy

A formal written policy that specifies how long an organization must keep different types of business and employment records, when and how to destroy them, and the procedures for suspending destruction during litigation or government investigations.

TABLE OF CONTENT

What Is a Record Retention Policy?
Building a Record Retention Schedule
Essential Elements of a Record Retention Policy
Record Retention Policy Mistakes
Multi-State Retention Challenges
Record Retention Statistics [2026]
Implementing a Record Retention Policy
Frequently Asked Questions About Record Retention Policies

What Is a Record Retention Policy?

Key Takeaways

✓A record retention policy is a formal document that tells the organization exactly how long to keep each type of record, where to store it, how to protect it, and when to destroy it.
✓Without a written policy, record retention becomes ad hoc. Some departments hoard everything forever while others delete files too early, and both extremes create legal problems.
✓The policy must account for federal requirements (FLSA, OSHA, EEOC, IRS), state requirements, industry regulations, and contractual obligations, all of which may impose different timelines for the same record type.
✓A litigation hold provision is essential. Routine destruction becomes illegal destruction the moment a lawsuit or investigation is reasonably anticipated.
✓Nearly half of organizations still don't have a formal retention policy (Iron Mountain, 2023), exposing them to penalties, adverse inferences, and data breach risks from over-retention.

A record retention policy answers a simple question for every piece of information in your organization: how long do we keep this, and what do we do with it when the time is up? That sounds straightforward until you consider that over 26 federal statutes impose record retention requirements, each state adds its own, and different record types within the same employee file can have different retention periods. Payroll records need three years. Tax records need four. OSHA exposure records need 30. Personnel records need one year after separation under EEOC guidelines, but two years if you're a federal contractor. Without a written policy mapping all of this, compliance depends on individual judgment, and individual judgment isn't reliable at scale. The policy also needs to address the other side of the equation: destruction. Keeping records too long increases storage costs, data breach exposure, and the volume of documents that could be subpoenaed in litigation. A proper retention policy establishes destruction schedules and procedures, including who authorizes destruction, how destruction is verified, and when destruction must be suspended.

26+Federal statutes imposing specific record retention requirements on employers (DOL, 2024)

30 yrsLongest federal retention requirement: OSHA toxic substance exposure records

47%Of organizations that don't have a formal, written record retention policy (Iron Mountain, 2023)

$8,995Average fine per violation for improper record destruction during a federal investigation (DOJ, 2023)

Building a Record Retention Schedule

The retention schedule is the centerpiece of any retention policy. It's a master list mapping every document type to its required retention period, governing law, and destruction method.

Document Category	Minimum Retention	Governing Law/Agency	Recommended Retention	Notes
Payroll records (wages, deductions, hours)	3 years	FLSA (DOL)	7 years	State laws may require longer; California requires 3 years
Time cards and schedules	2 years	FLSA (DOL)	3 years	Keep with payroll records for consistency
Personnel records (general)	1 year post-separation	EEOC (Title VII, ADA)	7 years post-separation	2 years for federal contractors (OFCCP)
I-9 forms	3 years from hire or 1 year post-separation (whichever later)	DHS/ICE	Follow the formula exactly	Keeping too long creates liability too
Tax records (W-4, 941, W-2)	4 years after tax due/paid	IRS	7 years	Covers extended statute of limitations
OSHA injury/illness logs	5 years	OSHA	5 years	Calendar year plus five
OSHA exposure/medical records	30 years	OSHA (29 CFR 1910.1020)	30 years	Duration of employment plus 30 years for some
FMLA records	3 years	DOL	3 years	Includes leave requests, certifications, notices
Benefits plan documents	6 years after plan terminates	ERISA	Permanent while plan exists	Includes SPDs, 5500 filings
Job applications (not hired)	1 year	EEOC	2 years	2 years for federal contractors
Background check reports	See FCRA	FCRA	Destroy promptly after use	FCRA requires secure disposal
EEO-1 reports	1 year	EEOC	3 years	Keep originals and copies of filed reports

Essential Elements of a Record Retention Policy

A retention policy that just lists timelines isn't enough. It needs operational detail that tells people exactly what to do in every common scenario.

Scope and applicability

Define which departments, locations, and record types the policy covers. Most organizations create one master policy that covers all records, with a retention schedule attachment that breaks down timelines by department. Be explicit about whether the policy applies to physical records only, electronic records only, or both (it should cover both). Include email, chat messages, voicemails, and any other medium where business records might exist.

Retention schedule

The schedule should list every record type, its retention period, the triggering event that starts the retention clock (creation date, separation date, plan termination, etc.), and the governing law or regulation. Where multiple laws apply to the same record, use the longest retention period. Update the schedule annually to capture regulatory changes.

Litigation hold procedures

This is the most critical section. When litigation is filed, threatened, or reasonably anticipated, all routine destruction must stop for records relevant to the dispute. The policy should name who can issue a litigation hold (typically legal counsel), how the hold is communicated to records custodians, how compliance with the hold is monitored, and when the hold is released. Destroying records subject to a litigation hold is spoliation, which can result in sanctions, adverse inferences, or even default judgment.

Destruction procedures

Specify approved destruction methods (cross-cut shredding for paper, secure digital deletion for electronic records), who authorizes destruction, and what documentation is required. Maintain a destruction log that records the document type, date range covered, destruction date, method used, and authorizing person. If you use a third-party destruction vendor, require a certificate of destruction for your records.

Roles and responsibilities

Assign clear ownership. Who maintains the retention schedule? Who reviews records for destruction eligibility? Who issues and monitors litigation holds? Who trains new employees on the policy? Without named owners, the policy becomes a document that exists in theory but isn't followed in practice.

Record Retention Policy Mistakes

These mistakes surface repeatedly in compliance audits and litigation. Each one is avoidable with proper policy design and enforcement.

Keeping everything forever: The 'keep it all just in case' approach doesn't protect you. It increases storage costs, data breach exposure, and the volume of discoverable documents in litigation.
Destroying records too early: Shredding personnel files six months after separation when the EEOC requires one year. Not checking all applicable state laws before destruction.
No litigation hold process: Routine destruction continues after a lawsuit is filed because no one told the records department. This is spoliation, and courts take it seriously.
Inconsistent enforcement: The policy says three years for payroll records, but one department keeps them for one year and another keeps them for ten. Inconsistency undermines the entire program.
Ignoring electronic records: The policy covers paper files but doesn't address emails, Teams chats, Slack messages, shared drive files, or HRIS data. These are all records subject to the same retention and discovery rules.
No annual review: Regulatory requirements change. New laws get passed. The retention schedule from five years ago probably doesn't reflect current requirements.

Multi-State Retention Challenges

Organizations with employees in multiple states face overlapping and sometimes conflicting retention requirements. Managing this correctly requires careful analysis.

State variations

States frequently impose retention periods that exceed federal requirements. California requires three years for payroll records (matching the federal FLSA minimum) but requires four years for apprenticeship records. New York requires six years for many employment records. Texas requires five years for workers' compensation records. Multi-state employers must identify the longest applicable retention period for each record type across all states where they have employees and apply that as their standard.

Practical approach

Most employment attorneys recommend a simplified approach: use the longest applicable retention period across all jurisdictions as your default for each record type. This is easier to administer than maintaining different retention periods for employees in different states, and it eliminates the risk of destroying records that are still within their required period in some states. The trade-off is slightly higher storage costs, but the compliance certainty is worth it.

Record Retention Statistics [2026]

Data that shows why formal retention policies matter for compliance and cost control.

47%

Of organizations lacking a formal, written record retention policyIron Mountain Records Management Survey, 2023

$8,995

Average fine per violation for improper record destruction during investigationsDOJ Enforcement Actions Summary, 2023

30 yrs

Longest federal retention requirement for a single record type (OSHA exposure records)OSHA 29 CFR 1910.1020

72%

Of organizations that have experienced a compliance issue related to poor records managementARMA International Survey, 2024

Implementing a Record Retention Policy

Getting a retention policy written is step one. Getting the organization to follow it is the harder part.

Step 1: Legal review

Have employment counsel review all applicable federal, state, and local retention requirements for every jurisdiction where you have employees. Don't rely on internet lists. Regulations change, and a 2022 chart may not reflect 2026 requirements. The legal review produces your authoritative retention schedule.

Step 2: Draft the policy

Write a clear, specific policy that covers scope, the retention schedule, litigation hold procedures, destruction methods, roles, and enforcement. Avoid legal jargon where possible. The people following this policy are HR generalists and department managers, not attorneys. If they can't understand the policy, they won't follow it.

Step 3: Train and communicate

Every person who creates, stores, or handles employment records needs training on the policy. This includes HR staff, payroll, hiring managers, and administrative assistants. The training should cover what records they're responsible for, how long to keep them, where to store them, and what to do when they receive a litigation hold notice. Annual refresher training keeps the policy top of mind.

Step 4: Enforce and audit

Conduct annual compliance audits to verify that retention schedules are being followed, destruction logs are accurate, and no unauthorized destruction has occurred. Hold department heads accountable for compliance within their areas. A policy that isn't enforced isn't a policy. It's a suggestion.

Frequently Asked Questions

Does every company need a written record retention policy?

There's no single federal law that requires a written retention policy document. However, the practical answer is yes. Over 26 federal laws impose specific retention requirements, and the only reliable way to comply with all of them is a written policy with a detailed schedule. In litigation, courts look at whether the organization had a systematic retention and destruction process. Ad hoc practices suggest negligence. A written policy demonstrates that the organization took its obligations seriously.

What happens if we destroy records we were supposed to keep?

The consequences depend on the context. If records are destroyed during routine operations before their retention period expires, you face regulatory penalties from the relevant agency (DOL, IRS, OSHA). If records are destroyed after a lawsuit is filed or an investigation begins, it's spoliation, and courts can impose sanctions ranging from monetary penalties to adverse inference instructions (telling the jury to assume the destroyed records supported the opposing party). In extreme cases, spoliation can result in default judgment against the destroying party.

How often should the retention schedule be updated?

At minimum, annually. New regulations take effect, existing laws get amended, and court decisions change how retention requirements are interpreted. Federal agencies also adjust their penalty amounts annually for inflation. Beyond the annual review, trigger an immediate update whenever your organization expands into a new state (which brings new retention requirements), acquires another company, changes its federal contractor status, or receives guidance from legal counsel about a regulatory change.

Should we keep records longer than legally required just to be safe?

Within reason, yes. Many organizations add a buffer of one to two years beyond the minimum legal requirement. This accounts for the lag between when a potential claim arises and when the statute of limitations actually starts. It also provides protection against state requirements that may exceed federal minimums. However, don't keep records indefinitely. Over-retention increases storage costs, data breach exposure, and the volume of documents subject to discovery in litigation. A seven-year post-separation standard for most personnel records is a common and defensible practice.

How do litigation holds interact with the retention policy?

A litigation hold overrides the retention policy entirely for all records relevant to the matter. If your retention schedule says to destroy payroll records after seven years, but a wage claim lawsuit involves payroll data from eight years ago that you still happen to have, you can't destroy those records. The hold stays in effect until the legal matter is fully resolved, all appeals are exhausted, and legal counsel authorizes the release. Your policy should include a clear process for issuing, communicating, monitoring, and releasing litigation holds.

Do record retention rules apply to emails and chat messages?

Yes. If an email or chat message constitutes a business record or contains information subject to a retention requirement, it must be retained like any other record. An email approving a salary increase is a compensation record. A Teams chat discussing an employee's accommodation request is a medical record under the ADA. The format doesn't change the obligation. This is why retention policies must explicitly cover electronic communications and why organizations need archiving solutions for email and messaging platforms.

Written by Adithyan RK

Fact-checked by Surya N

Published on: 25 Mar 2026|Last updated: