Records Retention Policy
Records Retention Policy template for classifying business records, setting retention periods, placing legal holds, and securely disposing of records on schedule.
Built for: Healthcare · Manufacturing · Professional Services · Retail · Technology
Overview
This Records Retention Policy template defines how your organization classifies records, assigns retention periods, preserves records under legal hold, and disposes of records securely when the schedule ends. It is meant for companies that need a clear rule set for HR files, payroll records, leave documentation, investigations, contracts, email, and other business records that are created across departments.
Use this template when you need a written policy that tells policy holders, managers, and system owners what to keep, where to keep it, who approves exceptions, and how to handle deletion or destruction. It is especially useful when records live in multiple systems, when you operate across states with different retention or privacy rules, or when you need to show that records are not being kept longer than necessary.
Do not use this template as a substitute for a litigation hold notice, a data privacy notice, or a records schedule that must be approved by outside counsel. It also should not be used as a one-size-fits-all archive rule for every document type. If your organization has union records, safety logs, payroll records, or employee medical files, those categories may need separate treatment and longer retention periods. The policy should be paired with a procedure for review, escalation, and documented destruction so that retention is actually followed in practice.
Standards & compliance context
- This template should be aligned to federal employment and recordkeeping obligations under FLSA, FMLA, Title VII, ADA, ADEA, EEOC guidance, and NLRA-related records where applicable.
- If records may support an accommodation request, complaint, or investigation, the policy should preserve them through the interactive process and any related legal hold.
- State law can require different retention periods or notice obligations, especially for California, New York, Illinois, and Washington records.
- Personal data retention and deletion rules should be coordinated with GDPR and CCPA-style requirements when employee or applicant data is involved.
- The policy should distinguish routine retention from preservation duties so a legal hold overrides normal disposal schedules without ambiguity.
General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.
What's inside this template
Purpose
Explains why the policy exists and what business problem it solves.
This policy establishes the standards for classifying, retaining, preserving, and securely disposing of business records. The policy is designed to support legal compliance, efficient information management, and timely destruction of records that are no longer required. The company will maintain records in accordance with applicable law, including recordkeeping obligations under the **EEOC**, **FLSA**, **FMLA**, **ADA**, **Title VII of the Civil Rights Act**, and any applicable state or local requirements.
Scope
Defines which people, records, systems, and jurisdictions the policy applies to.
This policy applies to all employees, contractors, temporary workers, and third parties who create, receive, store, manage, or dispose of company records. It applies to records in all formats, including:
- Paper files
- Email and attachments
- Chat and collaboration messages
- Spreadsheets and reports
- Databases and system exports
- Audio, video, and scanned documents
- Cloud storage and shared drives

**California employees:** records containing personal information must also be handled in a manner consistent with applicable privacy obligations, including secure storage and disposal practices where required by law.

**All employees:** must follow any separate department-specific retention schedule if one has been approved by Legal or Compliance.
Definitions
Clarifies terms like record, retention period, legal hold, archive, and secure destruction.
For purposes of this policy, the following terms apply:
- **Business Record:** Any information created or received in the course of business.
- **Retention Schedule:** The approved schedule that identifies how long records must be retained.
- **Legal Hold:** A preservation requirement that suspends normal destruction of records.
- **Secure Disposal:** A method of destroying or deleting records so they cannot reasonably be reconstructed.
- **Record Owner / Policy Holder:** The business function or designated individual responsible for the accuracy, retention, and disposition of a record category.
Policy
States the actual retention, preservation, access, and disposal rules users must follow.
1. **Record Classification**
   - Records must be classified by business function and sensitivity level (for example: HR, payroll, recruiting, finance, legal, operations, confidential, restricted).
   - Each record category must have an assigned record owner and an approved retention period.
   - Records containing PII, health information, payroll data, or confidential business information must be labeled and protected according to their sensitivity.
2. **Retention Requirements**
   - Records must be retained for the longer of: (a) the company’s approved retention schedule, or (b) the period required by applicable law, regulation, contract, audit, or litigation hold.
   - HR records must be retained in a manner consistent with applicable EEOC and FLSA recordkeeping requirements.
   - Payroll and wage records must be retained for the period required by the FLSA and any applicable state wage-hour law.
   - Records related to employment decisions, accommodations, leave, complaints, investigations, and disciplinary actions must be retained according to the approved schedule and any applicable legal requirement.
3. **Legal Hold**
   - When Legal or Compliance issues a legal hold, all normal destruction of relevant records must stop immediately.
   - Employees must preserve all potentially relevant records, including paper files, email, chat messages, drafts, backups, and system-generated data, until the hold is lifted in writing.
   - No record subject to a legal hold may be altered, deleted, overwritten, or disposed of without written authorization from Legal.
4. **Secure Disposal**
   - Records may be destroyed only after the retention period has expired and no legal hold, audit, investigation, or other preservation requirement applies.
   - Paper records must be shredded, pulped, or otherwise destroyed using approved secure methods.
   - Electronic records must be securely deleted or wiped using approved IT methods that prevent reasonable reconstruction.
   - Third-party destruction vendors must be approved by the company and, where appropriate, must provide a certificate of destruction.
5. **Exceptions**
   - Any exception to this policy must be approved in writing by Legal, Compliance, or the designated policy holder.
   - If a record category is not listed in the retention schedule, employees must retain the record until guidance is received from Legal or Compliance.
Procedure
Shows the step-by-step workflow for classifying, holding, archiving, and destroying records.
1. **Create and Classify Records**
   - Identify the record type and business function at the time of creation or receipt.
   - Assign the record to the appropriate retention category and storage location.
   - Mark records containing sensitive information with the required confidentiality designation.
2. **Store and Protect Records**
   - Store records in approved systems or repositories.
   - Restrict access based on role and business need.
   - Maintain records so they remain complete, accurate, and retrievable for the full retention period.
3. **Apply Retention Schedule**
   - The record owner must follow the approved retention schedule for each category.
   - HR, payroll, and recruiting records must be reviewed periodically to confirm the retention period, legal requirements, and any pending hold.
   - If a record is subject to multiple retention rules, the longest applicable retention period controls unless Legal directs otherwise.
4. **Issue and Manage Legal Holds**
   - Legal or Compliance will notify relevant employees when a legal hold is issued.
   - Recipients must acknowledge the hold and preserve all relevant records immediately.
   - The hold remains in effect until Legal issues a written release.
5. **Dispose of Records Securely**
   - Before destruction, confirm that the retention period has expired and no hold applies.
   - Use approved destruction methods based on record format and sensitivity.
   - Document destruction activity when required by the retention schedule or Legal.
6. **Escalation**
   - Any suspected loss, unauthorized destruction, or accidental deletion of records must be reported immediately to HR, Legal, Compliance, or IT Security.
   - Do not attempt to recreate, conceal, or overwrite records without direction from Legal or IT.
Roles & Responsibilities
Assigns ownership so HR, Legal, IT, and managers know who does what.
- **Policy Holder / Legal:** approves the retention schedule, issues and lifts legal holds, and interprets legal retention requirements.
- **HR:** manages employee-related records, including personnel files, leave records, disciplinary records, and accommodation documentation.
- **Finance / Payroll:** manages wage, tax, and payroll records in accordance with applicable law.
- **IT:** maintains secure storage, access controls, backup procedures, and approved deletion methods.
- **Managers:** ensure records within their teams are classified, retained, and escalated appropriately.
- **All Employees:** create, store, preserve, and dispose of records in accordance with this policy and report concerns promptly.
Compliance / Discipline
Explains how violations are handled and what corrective action may follow.
Failure to follow this policy may result in disciplinary action, up to and including termination of employment, subject to applicable law and any collective bargaining agreement. Examples of policy violations include:
- Destroying records before the retention period expires
- Ignoring a legal hold
- Storing records in unauthorized systems
- Sharing confidential records without authorization
- Failing to report accidental deletion, loss, or suspected tampering

Where appropriate, the company may also take corrective action such as retraining, a documented warning, or a performance improvement plan (PIP).
Review & Revision
Sets the review cadence, version control, and update process for legal or operational changes.
This policy will be reviewed at least annually and updated as needed to reflect changes in law, business operations, retention schedules, or technology. Revisions must be approved by Legal or the designated policy holder. Updated versions should be communicated to affected employees and acknowledged when required.
How to use this template
1. Fill in the effective_date, version, applicable_jurisdictions, applicable_roles, and policy holder so the document has a clear owner and legal scope.
2. Add your record categories and retention periods in the Policy section, separating HR, payroll, tax, legal, safety, and operational records where the rules differ.
3. Define the Procedure section to show how records are created, classified, reviewed for legal hold, archived, and securely destroyed with a documented trail.
4. Assign Roles & Responsibilities to HR, Legal, IT, managers, and department leaders so each step has a named decision-maker and backup.
5. Publish the policy, train users on hold escalation and deletion rules, then review exceptions, audit findings, and regulatory changes at least annually.
Best practices
- Separate active, archived, and transitory records so users do not apply one retention rule to every file type.
- Require a legal hold check before any deletion or destruction action is approved.
- Tie each record category to a business purpose and legal basis so retention periods are defensible.
- Use secure destruction methods that match the format of the record, including paper shredding and controlled electronic deletion.
- Document who approved an exception, when it was approved, and when the exception expires.
- Map retention rules to the systems where records actually live, including HRIS, email, shared drives, and document management tools.
- Review state-specific rules separately for California employees, New York whistleblower materials, Illinois rest requirements, and Washington paid sick leave records where applicable.
Frequently asked questions
What records does this policy cover?
This template is built for business records created or received by HR, finance, legal, operations, and managers in the ordinary course of work. It typically covers employee files, payroll records, leave records, investigations, contracts, emails, and other operational documents. You can narrow or expand the schedule by record type, system, or jurisdiction. It is meant to define what is kept, for how long, and when records must be preserved under a legal hold.
How often should the retention schedule be reviewed?
The template includes an annual review cadence, which is the standard starting point for most organizations. You should also review it when laws change, systems change, or a new record category is introduced. If your company operates in multiple states or countries, review more often for jurisdiction-specific updates. The policy holder should confirm the schedule still matches business, tax, employment, and litigation needs.
Who should own and run this policy?
The policy holder is usually HR, Legal, Compliance, or Records Management, with IT and department leaders supporting implementation. HR often owns employee and leave records, while Legal owns legal hold decisions and litigation preservation. IT and system administrators help enforce deletion, archiving, and access controls. The template is designed so responsibilities can be assigned clearly instead of relying on ad hoc judgment.
How does this relate to legal holds?
A legal hold overrides the normal retention schedule when litigation, investigation, audit, or government inquiry is reasonably anticipated. This template includes a procedure for suspending deletion and notifying custodians so records are preserved. It should also require confirmation that the hold applies to both paper and electronic records. Once the hold is lifted, normal retention and disposal rules resume.
What laws or regulations should this policy account for?
This template is designed to align with federal employment and recordkeeping frameworks such as FLSA, FMLA, Title VII, ADA, ADEA, EEOC guidance, and NLRA-related records. It also leaves room for state-specific overlays, such as California, New York, Illinois, and Washington requirements where retention, notice, or privacy rules differ. If your company handles personal data, you should also address GDPR and CCPA-style data retention and deletion rules. The policy should cite the actual legal sources your organization relies on.
What are the most common mistakes with retention policies?
Common mistakes include keeping everything forever, deleting records without a legal hold check, and failing to define who approves exceptions. Another frequent gap is treating all records the same instead of separating HR, payroll, tax, safety, and investigation files. Many organizations also forget to document secure destruction methods and audit trails. This template helps prevent those gaps by tying each step to a defined procedure.
Can this template be customized for different departments or systems?
Yes. You can add department-specific schedules, system-specific storage locations, and jurisdiction-specific carve-outs without changing the core policy structure. Many teams customize the definitions section to distinguish active files, archived records, confidential records, and transitory documents. You can also map the policy to your DMS, HRIS, email archive, and ticketing tools. The goal is to make the policy operational, not just descriptive.
How should this policy be rolled out to employees and managers?
Start by publishing the policy, assigning ownership, and training managers on what must be preserved and when to escalate a hold. Then configure retention rules in the systems that store records and document the disposal workflow. Managers should know not to delete records on their own if a dispute, complaint, audit, or investigation is pending. A short rollout memo and annual refresher training usually help adoption.