Document retention policies for nonprofit boards

John Williamson

May 8, 2026

Every nonprofit generates records: financial statements, board minutes, employee files, grant agreements, donor correspondence, tax filings, contracts, and more. Some of these records must be kept for a specific period by law. Others should be kept for practical reasons. And some should be destroyed once they are no longer needed, both to manage storage costs and to reduce the organization's exposure in litigation.

A document retention and destruction policy provides the framework for these decisions. It tells the organization what to keep, how long to keep it, and when and how to destroy it. Without such a policy, organizations tend to keep everything forever, which is expensive and creates unnecessary legal risk, or they destroy things haphazardly, which can violate legal requirements and raise suspicions of evidence tampering.

This guide covers why document retention policies matter for nonprofit boards, what the policy should contain, how to set retention schedules for different categories of records, and how to handle the sensitive issue of document destruction.

Why Document Retention Matters

IRS Expectations

The IRS Form 990 specifically asks whether the organization has a written document retention and destruction policy. While the IRS does not prescribe a specific policy, the question signals that the IRS considers this a governance best practice. Answering "no" invites scrutiny.

Legal Requirements

Various federal and state laws mandate minimum retention periods for specific types of records:

  • Tax records must generally be retained for at least three years from the date the return was filed or the date the return was due, whichever is later. However, the IRS has up to six years to audit if it suspects a substantial understatement of income, so many organizations retain tax records for seven years.
  • Employment records have varying retention requirements depending on the type of record and the applicable law. EEOC regulations require retention of personnel records for one year from the date of the personnel action. FLSA requires payroll records to be kept for three years.
  • Corporate records such as articles of incorporation, bylaws, and board minutes should be retained permanently.
  • Grant and contract records must be retained for the period specified by the funder, which is often three to seven years after the end of the grant period.

Litigation Protection

In litigation, organizations are required to preserve documents that are relevant to the dispute. This obligation, known as a litigation hold, arises as soon as the organization reasonably anticipates litigation. An organization that destroys relevant documents after it should have anticipated litigation faces severe consequences, including adverse inference instructions (the court tells the jury to assume the destroyed documents were harmful to the organization) and sanctions.

A document retention policy helps in two ways. First, it establishes that the organization has a routine, systematic process for managing records, which undermines any claim of intentional evidence destruction. Second, the policy should include a litigation hold provision that suspends routine destruction when litigation is anticipated.

Operational Efficiency

Organizations that keep everything forever accumulate mountains of records that are expensive to store, difficult to search, and time-consuming to manage. A retention schedule that identifies when records can be destroyed reduces storage costs and makes it easier to find the records that matter.

Privacy Protection

Some records contain sensitive personal information about employees, donors, or program beneficiaries. Retaining this information longer than necessary increases the risk of a data breach and may violate privacy laws. A retention policy that includes timely destruction of records containing personal information reduces this risk.

What the Policy Should Cover

Scope

The policy should cover all records created, received, or maintained by the organization, regardless of format. This includes:

  • Paper documents.
  • Electronic files, including email, databases, and cloud-stored documents.
  • Financial records.
  • Board and committee records.
  • Personnel files.
  • Donor records.
  • Grant and contract files.
  • Legal documents.
  • Communications, including email and text messages.
  • Social media content.
  • Audio and video recordings.

Retention Schedule

The retention schedule is the heart of the policy. It specifies how long each category of records should be retained. The schedule should be organized by record type and should include the legal basis or business rationale for each retention period.

Destruction Procedures

The policy should specify how records are to be destroyed when their retention period expires. For paper records, this typically means shredding. For electronic records, this means secure deletion that renders the data unrecoverable. Simply deleting a file or sending it to the recycle bin is not sufficient.

Litigation Hold Provision

The policy must include a provision for suspending routine document destruction when the organization reasonably anticipates litigation, a government investigation, or an audit. The litigation hold should:

  • Be triggered by any employee, officer, or board member who becomes aware of anticipated litigation or investigation.
  • Be communicated immediately to all personnel who may have relevant records.
  • Specify that no records that might be relevant to the matter may be destroyed until the hold is lifted.
  • Be managed by a designated individual, typically legal counsel or the executive director.

Oversight and Enforcement

The policy should designate a specific individual or role responsible for overseeing compliance with the policy, including monitoring retention schedules, managing destruction processes, and implementing litigation holds.

Recommended Retention Schedules

The following retention periods are generally accepted best practices. However, specific legal requirements may vary by state and by the type of organization. Consult legal counsel to confirm that your retention schedule complies with all applicable laws.

Corporate and Governance Records

These records define the organization's legal existence and governance history. Most should be retained permanently.

  • Articles of incorporation and amendments: Permanent.
  • Bylaws and amendments: Permanent.
  • Board meeting minutes: Permanent. Minutes document the board's decision-making and are essential evidence of fiduciary duty compliance. Use a meeting minutes tool that creates a permanent, searchable archive.
  • Committee meeting minutes: Permanent.
  • Board resolutions: Permanent.
  • Conflict of interest disclosure forms: Seven years. These forms demonstrate compliance with the organization's conflict of interest policy.
  • Annual reports filed with the state: Permanent.
  • IRS determination letter: Permanent.
  • IRS Form 1023 or 1024 (application for tax-exempt status): Permanent.
  • Policies adopted by the board: Permanent (retain all versions with effective dates).

Financial Records

  • Annual audited financial statements: Permanent.
  • General ledger: Permanent.
  • IRS Form 990 and all schedules: Permanent (these are public documents).
  • Tax returns (state and federal): Seven years.
  • Bank statements and reconciliations: Seven years.
  • Accounts payable and receivable records: Seven years.
  • Payroll records: Seven years.
  • Expense reports and receipts: Seven years.
  • Budgets: Seven years.
  • Investment records: Seven years after disposition of the investment.
  • Audit workpapers: Seven years.

Employment Records

  • Personnel files (active employees): Retain during employment.
  • Personnel files (terminated employees): Seven years after termination.
  • Employee benefit plan documents: Permanent.
  • I-9 forms: Three years after date of hire or one year after termination, whichever is later.
  • Workers' compensation claims: Ten years after settlement.
  • OSHA records: Five years.
  • Timesheets: Seven years.

Donor and Fundraising Records

  • Donor records and contribution history: Permanent (or as required by donor management practices).
  • Gift agreements and pledge documents: Seven years after the pledge is fulfilled.
  • Charitable solicitation registration filings: Seven years.
  • Acknowledgment letters: Seven years.
  • Fundraising campaign records: Seven years.

Grant and Contract Records

  • Grant agreements: Seven years after the end of the grant period or as required by the funder, whichever is longer.
  • Grant reports: Seven years after the end of the grant period.
  • Contracts and agreements: Seven years after expiration or termination.
  • Leases: Seven years after expiration.

Insurance Records

  • Insurance policies: Permanent (retain all expired policies; claims can arise years after a policy expires).
  • Claims and settlements: Permanent.
  • Certificates of insurance: Seven years after expiration.

Legal Records

  • Litigation files: Permanent (or ten years after final resolution).
  • Legal correspondence: Seven years.
  • Intellectual property registrations: Permanent.

Communications

  • General business correspondence: Three years.
  • Email: Three years (unless the email falls into a category with a longer retention period).
  • Board member communications about board business: Seven years. These may be relevant to documenting board deliberations and should be treated as governance records.

Implementing the Policy

Board Adoption

The document retention policy should be formally adopted by the board through a recorded vote, documented in the meeting minutes. This establishes that the board has exercised its governance authority over records management.

Training

All employees, volunteers, and board members should receive training on the policy. Training should cover:

  • The general principle that records should be retained in accordance with the schedule and destroyed when the retention period expires.
  • The prohibition on destroying records outside the normal retention schedule.
  • The litigation hold process and the obligation to report anticipated litigation or investigations.
  • How to handle electronic records, including email.

Annual Review

The policy and retention schedule should be reviewed at least annually to account for:

  • Changes in legal requirements.
  • New types of records generated by the organization.
  • Changes in technology or storage methods.
  • Lessons learned from any litigation hold or discovery process.

Include the document retention policy review on the board's annual compliance calendar.

Document Management Practices

The policy is only effective if the organization has the infrastructure to implement it. This means:

  • Organized filing systems for both paper and electronic records, with clear labeling and consistent naming conventions.
  • Secure storage for sensitive records, with appropriate access controls.
  • Backup procedures for electronic records to prevent data loss.
  • A board management platform that centralizes governance records. A system like NFPHub can store board packs, meeting minutes, voting records, and compliance documents in a single, searchable, secure location with built-in retention management.

Destruction Procedures

When records reach the end of their retention period, destruction should be:

  • Systematic. Conduct destruction on a regular schedule (for example, annually) rather than ad hoc.
  • Documented. Maintain a destruction log that records what was destroyed, when, and by whom. This log itself should be retained permanently.
  • Secure. Paper records should be shredded. Electronic records should be securely deleted using methods that prevent recovery.
  • Supervised. A designated individual should oversee the destruction process to ensure it is carried out properly.
  • Subject to the litigation hold. Before any destruction, confirm that no litigation hold is in effect that would require preservation of the records slated for destruction.

Special Considerations for Electronic Records

Email

Email is one of the most challenging record types to manage because it can contain records that fall into almost any category: financial discussions, board deliberations, employment communications, donor correspondence, and legal matters. The policy should provide guidance on:

  • Which emails must be retained and for how long (based on their content, not their format).
  • How employees should identify and preserve emails that contain records subject to the retention schedule.
  • Whether the organization uses an email archiving system that automatically retains emails for a specified period.

Cloud Storage

Many organizations store records in cloud-based systems such as Google Drive, Dropbox, or SharePoint. The policy should address:

  • Who is responsible for managing records stored in cloud systems.
  • How retention schedules apply to cloud-stored records.
  • How records are destroyed in cloud systems (deletion from a cloud system may not immediately remove all copies).
  • Data security and privacy considerations for records stored in third-party cloud systems.

Board Management Platforms

A board management platform like NFPHub centralizes many governance records in one system: agendas, board packs, meeting minutes, votes, action items, and compliance records. This simplifies retention management because governance records are in a single, organized location rather than scattered across email, personal drives, and paper files.

Social Media

If the organization uses social media, the policy should address whether and how social media content is archived. Posts, comments, and messages on social media platforms may be subject to retention requirements, particularly if they relate to fundraising or program activities.

Common Mistakes

Keeping Everything Forever

This is the most common mistake and the most expensive. Organizations that never destroy records accumulate massive archives that are costly to store and create unnecessary legal exposure. In litigation, the more records you have, the more records you have to search through and potentially produce. A retention schedule that includes routine destruction of records that are no longer needed reduces both cost and risk.

Destroying Records Without a Policy

The opposite extreme is equally dangerous. Destroying records without a systematic policy can look like evidence tampering, especially if the destruction happens to coincide with a dispute or investigation. A written policy adopted in advance demonstrates that destruction is routine and not motivated by a desire to conceal evidence.

Ignoring the Litigation Hold

When litigation is reasonably anticipated, the obligation to preserve relevant records overrides the retention schedule. An organization that continues to destroy records after it should have implemented a litigation hold faces serious legal consequences. Every employee and board member should know what a litigation hold is and how to trigger one.

Not Addressing Electronic Records

A policy that covers only paper records is incomplete. Electronic records, including email, are subject to the same retention requirements and legal obligations as paper records. The policy must address electronic records explicitly.

Inconsistent Application

A retention schedule that is followed in some cases but not in others provides little protection. If the organization destroys financial records after seven years in some departments but keeps them indefinitely in others, the inconsistency undermines any claim that destruction is routine and systematic.

Conclusion

A document retention and destruction policy is a governance fundamental. It ensures that the organization keeps the records it needs, destroys the records it does not, and handles the transition between the two in a systematic, defensible way. It protects the organization from regulatory penalties, litigation risks, and the operational burden of managing unnecessary records.

If your organization does not have a document retention policy, creating one should be an immediate priority. If you have a policy but it has not been reviewed recently, schedule a review and update the retention schedule. And if your organization's records are scattered across multiple systems with no consistent management, consider how a centralized platform like NFPHub can bring order to the chaos.

For the broader compliance picture, see our essential guide to nonprofit board compliance.
