Sample Record Retention Policies

Sample_Documents

DISCLAIMER: This is a sample template provided for informational purposes only. It does not constitute legal, tax, or financial advice. Organizations should consult their own legal and tax advisors and tailor this document to reflect their specific business needs, geographies, and applicable laws.

• Document Type: Record Retention Policies
• Category: Compliance & Governance
• Company: <Company Name>
• Policy ID: <Policy ID>
• Version: <Version Number>
• Effective Date: <Effective Date: <Date>>
• Last Reviewed: <Date>
• Next Scheduled Review: <Date> (every <Number> months)
• Document Owner: <Title, e.g., Total Rewards Director>
• Accountable Executive: <Chief People Officer or equivalent>
• Approvers: <Approver Name and Title>; <Approver Name and Title>
• Primary Contact: <Contact Email/Distribution List>

• Provide a clear, consistent, and lawful framework for retaining, archiving, and disposing of Total Rewards records managed by <Company Name>.
• Satisfy legal, regulatory, and contractual obligations in <Country>, <Country>, and other operating geographies.
• Protect employee privacy and maintain data security aligned with data minimization principles.
• Reduce storage costs and operational risks associated with outdated or duplicative records.
• Enable reliable auditability for payroll, benefits, equity, and compensation programs.

• In Scope
  • Total Rewards data, including payroll, time and attendance, benefits, leaves, wellness, compensation, equity, retirement plans, recognition, and Total Rewards communications.
  • Systems of record and downstream systems integrating HR data (e.g., HRIS, payroll vendor, benefits administration platforms, equity administration portals, data warehouses).
  • Records in any format: electronic, paper, images, audio, and structured or unstructured data.
  • Global operations where <Company Name> employs staff, contractors, or directors.

• Out of Scope
  • Non-HR records not related to Total Rewards (e.g., product R&D files, marketing creative, customer data) except where such data is intermingled in HR-controlled systems.
  • Legal department case files not managed by Total Rewards.
  • IT system logs not containing identifiable HR data.

• Applicability
  • Applies to all employees, managers, and contingent workers handling HR and Total Rewards data.
  • Binds third parties processing HR data for <Company Name> (e.g., <Vendor Name>) under contracts and data processing agreements.
  • Supplements, and does not replace, enterprise records management, information security, and privacy policies.

• Lawful Basis and Minimization: Collect and retain only what is necessary for the stated lawful purpose, and keep it no longer than needed.
• Defined Retention Triggers: Retention periods are tied to clear triggers (e.g., termination date, plan year end, tax year close, claim resolution).
• Authoritative Schedule: The Retention Schedule in this document is the authoritative source for Total Rewards record retention.
• Consistent Application: Apply periods consistently across systems holding the same record type, including backups where feasible.
• Exceptions via Legal Hold: Retention is suspended when a legal hold or investigation applies.
• Secure Disposal: Disposal methods must be appropriate to the sensitivity of the data (e.g., secure digital wipe, cross-cut shredding).
• Auditability: Retention actions must be logged and auditable.
• Employee Rights: Respect privacy rights (e.g., access, correction, deletion) in applicable jurisdictions.
• Vendor Accountability: Vendors must meet or exceed <Company Name> standards and certify deletion upon request or at contract termination.

• Total Rewards Director (Policy Owner)
  • Maintains this policy and the Retention Schedule.
  • Ensures alignment with compensation, benefits, and equity program governance.
• HR Operations and Payroll
  • Implements retention rules in HRIS and payroll systems.
  • Ensures pay data, tax records, and time files are archived and disposed of correctly.
• Benefits Administration
  • Manages retention for plan documents, enrollments, COBRA, and claims.
  • Coordinates HIPAA/PHI protections where applicable.
• Equity Administration
  • Manages grant agreements, vesting records, and transaction confirmations with transfer agents or platforms.
• HR Technology/HRIS
  • Configures retention automation, data classification tags, and secure deletion in systems and data warehouses.
• Information Security
  • Approves disposal methods and validates secure destruction.
  • Monitors access controls and encryption.
• Privacy/Data Protection Officer
  • Confirms compliance with privacy laws (e.g., GDPR, <Country> privacy statutes).
  • Reviews data subject rights requests affecting HR data.
• Legal/Compliance
  • Advises on regulatory requirements and oversees legal holds.
• Vendor Management and Procurement
  • Embeds retention and deletion obligations in contracts and verifies vendor compliance.
• People Leaders and HRBPs
  • Limit creation of unmanaged local copies.
  • Follow request procedures for legal holds and exceptions.

• Restricted (e.g., SSN/NIN, bank details, PHI, equity tax IDs)
• Confidential (e.g., compensation plans, performance notes, survey results)
• Internal (e.g., job profiles, policies, non-sensitive communications)
• Public (e.g., publicly disclosed plan summaries)

Records must be labeled in systems using the above schema to enable automated retention and access controls.

Note: Timeframes below are examples. Substitute jurisdiction-specific requirements. Where multiple laws apply, retain for the longest required period. Periods may reset when a legal hold is issued.

Record Category	Description	System of Record	Retention Period and Trigger	Legal/Regulatory References (examples)	Security Classification	Disposal Method	Record Owner
Employee Master Data	Personal identifiers, demographics, employment dates	HRIS <System Name>	7 years after termination date	General statutes of limitations; payroll and benefits reconciliation	Confidential	Secure digital wipe; vendor-certified deletion	HR Operations
Recruitment and Applicant Data	Applications, resumes, interview notes, disposition reasons	ATS <Vendor Name>	2 years from decision date; 3 years for <Country> federal contractor roles	Title VII/EEOC; OFCCP; local fair hiring laws	Confidential	Delete or anonymize; purge attachments	Talent Acquisition
Background Check Results	Screening reports, adjudication outcomes	Screening portal <Vendor Name>	2 years from decision; retain only pass/fail where allowed	FCRA/DP laws; local consent requirements	Restricted	Delete report; retain consent record per law	HR Operations
Right-to-Work/Identity (e.g., I‑9)	Work authorization verification	Document management <System Name>	For US: 3 years after hire or 1 year after termination, whichever is later; else per local law	IRCA; local right-to-work laws	Restricted	Secure deletion; paper cross-cut shred	HR Operations
Payroll Registers	Earnings, deductions, net pay summaries	Payroll <Vendor Name>	7 years after tax year end	IRS/Tax authorities; financial controls	Restricted	Secure digital wipe per schedule	Payroll
Wage and Hour Computations	Rate changes, time rates, piecework, schedules	Payroll/Time system	2 years from record date	FLSA; local wage laws	Confidential	Delete from system of record	Payroll
Time and Attendance Data	Hours worked, leave taken, overtime approvals	Time system <Vendor Name>	3 years after pay period close; longer if disputes ongoing	FLSA; local labor codes	Confidential	Purge transactional logs; retain summaries	Payroll
Payroll Tax Filings and Support	Returns, deposits, reconciliations, W‑2/Year-end statements	Payroll tax module	4 years after tax due or paid; keep 7 years for audit coverage	IRS/Tax agencies	Restricted	Secure deletion; retain audit log	Payroll
Benefit Plan Documents	SPDs, plan amendments, trust agreements	Benefits repository	6 years after the filing date or plan termination, whichever later	ERISA; local pension laws	Confidential	Archive then destroy per legal counsel	Benefits
Benefits Enrollment Records	Enrollment forms, evidence of insurability	Ben admin <Vendor Name>	Plan year end + 7 years	ERISA; HIPAA documentation rules	Restricted	Vendor deletion certificate; secure wipe	Benefits
PHI for Health Plans	Claims, EOBs, appeals (plan sponsor view, minimum necessary)	Health plan TPA	6 years from creation or last effective date	HIPAA Privacy/Security Rules	Restricted	De-identify then delete; TPA attestation	Benefits
COBRA Notices and Elections	Notices, elections, premium payments	COBRA admin portal	6 years after plan year end related to notice	ERISA; COBRA regs	Confidential	Vendor deletion after audit window	Benefits
Leave of Absence (FMLA/Local)	Certifications, approvals, return-to-work	Leave admin system	3 years from leave end date	FMLA; local leave statutes	Confidential	Delete; minimum necessary retention	HR Operations
Workers’ Compensation Files	Injury reports, claims, settlements	Safety/Claims platform	5 years after closure or longer per state law	OSHA; state WC laws	Confidential	Secure deletion; paper shred	HR Operations
OSHA Injury/Illness Logs	OSHA 300/301 forms and summaries	Safety system	5 years following the end of the calendar year	OSHA regulations	Internal	Delete after statutory period	Safety/HR
Performance Reviews and Notes	Formal reviews, ratings, notes	Performance system	4 years after termination; managers’ working notes purged annually	Local employment law; dispute limitation periods	Confidential	Delete content and attachments	HR Operations
Disciplinary Actions	Warnings, PIPs, investigations outcomes	Employee relations case tool	7 years after termination or case closure	Local employment law; litigation defense	Confidential	Delete case records; hold if litigation	Employee Relations
Compensation Planning Files	Merit cycles, promotion recommendations	Comp planning tool	7 years after cycle close	Audit and pay equity analysis support	Confidential	Purge exports; archive summaries	Total Rewards
Incentive/Bonus Calculations	Plan documents, calculations, approvals	Comp system	7 years after payout	SOX controls; tax substantiation	Confidential	Secure deletion; retain signed plan terms	Total Rewards
Sales Compensation Records	Credit rules, quota, attainment, disputes	Sales comp platform	7 years after plan year end	Commercial and tax claims windows	Confidential	Delete transactional detail; archive statements	Total Rewards
Equity Grant Agreements	Grants, acceptances, vesting, tax withholding	Equity platform <Vendor Name>	7 years after final transaction or account closure	Securities/tax recordkeeping	Restricted	Vendor deletion; retain statutory tax forms	Equity Administration
ESPP Participation	Enrollments, purchases, dispositions	Equity/Payroll	7 years after final disposition	Tax substantiation	Confidential	Delete after retention; retain tax slips per law	Equity/Payroll
Retirement Plan Participant Data	Eligibility, contributions, distributions	Recordkeeper	Duration of participation + 7 years after payout; or as required to determine benefits	ERISA; local pension law	Restricted	Vendor deletion; archive plan reports	Benefits
Training and Certification Records	Compliance and safety training completions	LMS	Active employment + 2 years; regulatory training per law	Local compliance requirements	Internal	Delete user-level detail; keep completion rates	HR Operations
Immigration/Visa Files	Work permits, visas, sponsorships	Immigration counsel portal	Per country requirements; minimum 2 years post expiration	Immigration rules	Restricted	Delete per counsel; maintain minimal index	HR Operations
Travel and Expense HR Data	Expense reimbursements with PII	Expense system	7 years after fiscal year close	Tax and audit rules	Confidential	Delete; retain aggregate reports	Payroll/Finance
Vendor Contracts and DPAs	Contracts, security addenda, SCCs	Contract repository	Contract term + 7 years	Contract law; privacy cross-border rules	Confidential	Archive then delete	Procurement/Legal
HR Communications to Employees	Program announcements, notices, FAQs	Intranet/Email archive	3 years after superseded by new notice	Employment communications archiving	Internal	Delete and replace with updated versions	HR Communications
HR Analytics and Data Extracts	Data lake extracts, dashboards, models	Data warehouse	1 year rolling window or as needed for trend analysis, then anonymize	Privacy by design; minimization	Confidential	Anonymize then delete source keys	HRIS/Analytics
Background Consent Forms	Signed consents separate from reports	HRIS/Document mgmt	4 years from consent date	FCRA/consent laws	Confidential	Delete per schedule	HR Operations
Diversity/EEO Self-ID	Gender, ethnicity, disability, veteran status	HRIS	Active employment + 2 years; aggregated reporting retained longer	EEOC/OFCCP; local anti-discrimination laws	Restricted	Delete personal data; retain aggregates	HR Operations
Job Descriptions and Org Charts	Role profiles, org structures	HRIS/Knowledge base	Retain current + 2 superseded versions	Business operations	Internal	Delete outdated versions	HR Operations
Global Mobility and Tax Equalization	Assignment letters, tax reconciliations	Mobility vendor	Assignment end + 7 years	Tax and immigration requirements	Confidential	Vendor deletion; secure wipe	HR Operations

• Termination-Based: Retention period begins the day after employment ends.
• Plan-Year-Based: Period begins at close of the plan year linked to the record.
• Tax-Year-Based: Period begins at fiscal or tax year close.
• Event-Based: Period begins at case closure, claim payment, visa expiration, or final disposition.

• Upon notice from Legal, the Document Owner must immediately suspend deletion for specified custodians, data types, and systems.
• Legal holds apply to both production and backup data where technically feasible. If backup deletion is infeasible, holds must be documented and data must not be restored and deleted outside standard change windows.
• Systems impacted by a hold must be tagged, and scheduled purges paused. The HRIS team will document the scope, date, and data classes affected.
• When Legal releases the hold, retention clocks resume; any missed deletions should be executed within 30 days.

1. Legal issues a written hold notice to Document Owner and HRIS describing scope and custodians
2. HRIS implements hold flags and pauses purges in affected systems
3. Vendor Management notifies impacted vendors and requests written acknowledgment within <Number> business days
4. Document Owner updates the hold log and communicates to relevant teams and managers
5. On release, HRIS executes deferred deletions and records completion with timestamps

• Backups are for disaster recovery, not as a records repository. Retention of backups must be the shortest operationally feasible period (target: <Number> days).
• If automated deletion within backups is not feasible, Data Protection Impact Assessments must document the constraint, and restoration for eDiscovery must require Legal approval.
• Archival storage used to meet longer retention should apply encryption, access controls, and indexing for efficient retrieval and purge.

• Where applicable (e.g., GDPR in <Country>), employees may request access, rectification, or deletion of personal data. Requests are evaluated against legal retention obligations and legitimate interests.
• For deletion requests, if a legal obligation requires retention, data will be restricted from routine processing rather than deleted.
• Data minimization measures include pseudonymization for analytics, storage limitation, and regular purge cycles aligned to this policy.

• Contracts with <Vendor Name> and other processors must include:
  • Data retention limits
  • Deletion on request or at contract end with certificate of destruction
  • Cross-border transfer safeguards (e.g., SCCs or <Country> approved mechanisms)
  • Incident and breach notification SLAs
  • Right to audit or obtain independent audit reports
• Vendors must segregate <Company Name> data and disable access promptly upon termination.
• Cross-border retention must follow the strictest applicable law across relevant jurisdictions.

This section provides a practical path HR and Total Rewards teams can follow to operationalize the policy.

1. Inventory and Data Mapping: Identify all HR systems, data stores, and file shares holding Total Rewards data; document data elements, owners, and flows
2. Classification: Tag records with data classification and assign retention rule codes in each system
3. Schedule Design: Reconcile laws across <Country> and <Country>; select longest applicable period for each record type
4. System Configuration: Configure auto-archiving and purge jobs; enable retention labels; create deletion workflows
5. Vendor Alignment: Update Statements of Work to include retention and deletion SLAs and reporting
6. Testing and Validation: Run purge tests in non-production; validate logs, audit trails, and exception handling
7. Go-Live: Communicate schedule, finalize job schedules, and activate monitoring dashboards
8. Sustain and Improve: Quarterly audits; update schedule with regulatory changes; review metrics

• Deletion Success Rate: Target 98 percent of eligible records purged within <Number> days of eligibility.
• Exception Rate: Less than <Percentage> exceptions per quarter; root cause analysis required for exceptions above threshold.
• Vendor Attestations: 100 percent of in-scope vendors provide annual deletion certificates.
• Access Reviews: Semi-annual access recertification for HR systems and archives.

• Maintain configuration change records, test results, purge logs, vendor attestation letters, and legal hold logs for at least 4 years.
• Store evidence in <Repository Name> with Restricted access.

• Configure rolling purges of detailed timecard records after 3 years; retain weekly or monthly summaries for 7 years.
• Retain payroll registers and tax support at least 7 years; align with Finance for common archival storage.
• Restrict local downloads of payroll files; if required, use encrypted folders with auto-delete after <Number> days.
• For off-cycle adjustments, include the adjustment memo and approvals in the 7-year package.

• Retain enrollment transactions for plan year + 7 years; ensure minimum necessary PHI stored on <Company Name> systems.
• Store HIPAA plan documents and policies for 6 years from last effective date; archive superseded versions.
• COBRA notices and payment confirmations retained 6 years; coordinate with <Vendor Name> to provide quarterly deletion attestations.

• Keep grant agreements, acceptances, and vesting events for 7 years after final disposition.
• Tax forms (e.g., <Country> equivalents) retained per local tax laws; ensure synchronization with payroll for consistent periods.
• For leavers, trigger a retention clock on the later of termination or final vest date.

• Formal performance reviews retained 4 years after termination; purge manager notes annually.
• Disciplinary and investigation files retained 7 years after closure; extend if legal hold applies.
• Ensure sensitive attachments (e.g., medical notes) are stored separately under Restricted classification.

• Retain applicant data 2 years (or per local law); reduce volume by deleting drafts and duplicates after <Number> days.
• Retain background check results only as required; store pass/fail outcomes where legally permissible.

• Access
  • Role-based access controls with least privilege.
  • Multi-factor authentication for Restricted data systems.
• Disposal Methods
  • Electronic: NIST-aligned secure erase or cryptographic wipe, vendor deletion certificate required.
  • Paper: Cross-cut shredding or certified destruction service.
• Verification
  • HRIS exports purge logs; Infosec samples at least <Percentage> of purged records quarterly to validate.

• Any deviation must be approved by the Document Owner and Legal, documented with justification, scope, and expiration date.
• Emergency restores that reintroduce deleted data must be promptly reconciled and re-purged.

• Review Cycle: Minimum annually, or within 60 days of a material legal change in <Country> or <Country>.
• Change Control

1. Proposed changes drafted by Document Owner
2. Legal and Privacy review for compliance
3. Stakeholder review by Payroll, Benefits, HRIS, Equity
4. Executive approval by Accountable Executive
5. Publication to policy repository and notification to impacted teams

• Approvals
  • Approved by: <Name, Title> on <Date>
  • Approved by: <Name, Title> on <Date>

• Quarterly audit of retention jobs and deletion logs across HRIS, payroll, benefits, and equity systems.
• Annual vendor compliance review including SOC 2/ISO 27001 reports and deletion attestations.
• Random sampling: audit at least <Percentage> of records marked for deletion to confirm purge success.
• Findings tracked in <Issue Tracking Tool> with remediation plans and due dates.

• United States: FLSA (wage and hour recordkeeping), IRCA (I‑9), FMLA (leave records), OSHA (injury logs), HIPAA (plan documents/PHI), ERISA (plan records), IRS regulations (tax records), EEOC/Title VII (applicant records)
• <Country>: <Local labor code citation>, <Data protection act>, <Tax authority recordkeeping rule>
• European Union: GDPR storage limitation, data subject rights, accountability principle
• Canada: <PIPEDA or provincial equivalent>
• United Kingdom: <UK GDPR/Data Protection Act>, HMRC recordkeeping requirements

Important: Consult local counsel to confirm and update references.

• Mandatory training for HR, Payroll, Benefits, Equity, HRIS, and managers with access to Restricted/Confidential data, refreshed annually.
• Onboarding training for new HR team members within <Number> days of start.
• Quick reference guides for system-specific purge steps hosted in <Repository Name>.

• What if two laws conflict? Retain for the longer required period; document rationale.
• Do aggregated analytics need deletion? Personal identifiers must be removed; anonymized aggregates may be retained if irreversibility is assured.
• How do we handle shared drives? Migrate to managed repositories; enable auto-deletion of orphaned files after <Number> days.
• What if a purge job fails? Create an incident in <Ticketing Tool>, notify Infosec and Document Owner, and run a compensating purge within <Number> days.

Version	Date	Summary of Changes	Author/Owner
<1.0>	<Date>	Initial release	<Name>
<1.1>	<Date>	Updated benefits and equity retention windows; added vendor attestation requirements	<Name>
<1.2>	<Date>	Clarified legal hold scope and backup handling	<Name>

• ATS: Applicant Tracking System used for recruiting.
• COBRA: Law requiring continuation of group health coverage in the United States.
• Data Minimization: Limiting data collection and retention to what is necessary.
• DPA: Data Processing Agreement between controller and processor.
• ERISA: U.S. law governing employee benefit plans.
• FLSA: U.S. wage and hour law.
• HIPAA: U.S. health information privacy and security law.
• HRIS: Human Resources Information System.
• Legal Hold: Instruction to preserve records potentially relevant to litigation or investigation.
• PHI: Protected Health Information under HIPAA.
• SCCs: Standard Contractual Clauses for cross-border data transfers.
• System of Record: Authoritative source system for a data element.
• TPA: Third-Party Administrator.
• Vendor Deletion Certificate: Written attestation that a vendor permanently deleted specified data.

This section is intended for employees and managers. It explains our practices in plain language.

At <Company Name>, we keep the HR and Total Rewards records we need to pay you correctly, provide your benefits, and comply with the law. We also delete information when it is no longer needed. Doing both helps protect your privacy and keeps our systems clean and secure.

When you apply for a job here, we keep your application and interview notes for a limited time. In most places, that is about 2 years after we make a decision. If you are hired, the information we need for your employment moves into our HR systems. If you are not hired, we delete your application after that period unless the law requires us to keep it longer or you ask us to keep it on file.

While you are employed, we keep the records needed to run payroll, manage time and attendance, and administer benefits. For example, payroll and tax records often need to be kept for several years to meet local requirements. Benefits enrollment records are usually kept for a period after each plan year so we can resolve questions or claims. Health-related information that the company receives as a plan sponsor is handled with extra care and kept for the minimum time required.

If you leave <Company Name>, most HR records are kept for a specific period after your last day, then deleted. Some examples:

• Pay and tax records are typically kept for up to 7 years after the tax year closes.
• Performance reviews are usually deleted a few years after you leave.
• Disciplinary files, if any, are kept longer to protect everyone’s rights and to meet legal timelines.
• Equity and retirement plan records may be kept for several years after your last transaction because tax and plan rules require it.

Sometimes we must pause deletion. If there is an investigation or a legal matter, our Legal team may issue a legal hold. That means we must retain certain records until the matter is resolved. We document these holds carefully and delete the records as soon as the hold is lifted.

You have rights over your personal information. Depending on where you live, you may be able to request access to your data, ask us to correct it, or request deletion. We evaluate every request and explain what we can do. In some cases, we cannot delete information right away because the law requires us to keep it for a certain time. When that happens, we will limit how we use the data and delete it as soon as we are allowed.

We work with trusted partners to run some HR programs, such as payroll, benefits, and equity. Our contracts require these partners to protect your data, keep it only as long as needed, and delete it securely when we ask or when our contract ends. We regularly check that they are meeting these commitments.

Security is built into our process. Your most sensitive data, like national ID numbers and bank details, is labeled as Restricted and protected with strong access controls and encryption. When it is time to delete a record, we use secure methods and keep logs to show the deletion happened.

If you have questions about how long we keep a specific type of HR record, or if you want to make a privacy request, please contact <Contact Email/Portal>. Managers who receive questions from employees should direct them to this contact so we can respond quickly and consistently.

Thank you for helping us keep our records accurate, secure, and up to date. Your attention to these practices supports payroll accuracy, benefits quality, and compliance in every country where we operate.

---

Document Information:

• Document Type: Record Retention Policies
• Category: Compliance & Governance
• Generated: August 28, 2025
• Status: Sample Template
• Next Review: <Insert Review Date>

Usage Instructions:

1. Replace all text in angle brackets < > with your company-specific information
2. Review all sections for applicability to your organization
3. Customize content to reflect your company's policies and local regulations
4. Have legal and HR leadership review before implementation
5. Update document header with your company's version control information
6. At bottom of the document you find a short example on how the content could be communicated to end-users, for instance employees.

This sample document is provided for reference only and should be customized to meet your organization's specific needs and local legal requirements.