---
name: document-retention-policy
title: Document Retention Policy (Nonprofit)
description: Drafts board-adoptable document retention policies for nonprofit organizations with IRS-grounded retention schedules, destruction protocols, and litigation hold procedures. Use when creating retention policies, records management governance, document destruction schedules, or compliance frameworks for 501(c)(3) and other tax-exempt entities.
author: CaseMark
author_url: https://github.com/CaseMark/skills/tree/main/skills/legal/document-retention-policy
license: Apache-2.0
version: 0.1.0
execution_mode: open
jurisdiction: us
practice: tax
language: en
---

# Document Retention Policy (Nonprofit)

Drafts a board-adoptable document retention policy with legally grounded retention schedules, destruction protocols, and litigation hold procedures for nonprofit organizations.

## Prerequisites

Gather before drafting:

- **Organization details** — name, state of incorporation, operating states, EIN, tax-exempt type
- **Record inventory** — types and volume (paper and electronic)
- **Industry context** — mission area for sector-specific regulations (healthcare, education, etc.)
- **Federal grant status** — whether org receives federal funds (triggers 2 CFR Part 200)
- **Existing policies** — any current retention or records management documents

## Quick Start

1. Collect prerequisites above
2. Draft header block: policy title, effective date, version, board resolution reference, chair signature line
3. Define scope: all personnel, all formats, adopted by board resolution
4. Build retention schedule using the table below, adjusted for state requirements
5. Add storage, destruction, litigation hold, and roles sections
6. Close with review cadence and adoption block

## Policy Sections

### Scope

Applies to all employees, officers, directors, volunteers, and contractors. Governs all records in any format (paper, electronic, cloud).

### Retention Schedule

Minimum periods — adjust upward for state-specific requirements.

| Category | Examples | Minimum Retention | Authority |
|---|---|---|---|
| Tax Returns & 990s | Form 990, 990-T, schedules | Permanent | IRS Rev. Proc. 98-25 |
| Tax Supporting Docs | GL, receipts, donor records | 7 years | IRC § 6501(e) |
| Governance | Articles, bylaws, minutes, COI disclosures | Permanent | State nonprofit corp. statutes |
| Audit Reports | External audit, management letters | Permanent | Best practice; grantor requirements |
| Bank & Financial | Statements, reconciliations, AP/AR | 7 years | IRC § 6501; UCC § 2-725 |
| Grant Records | Applications, reports, budgets | Per grant terms or 7 yrs after closeout | 2 CFR § 200.334; funder terms |
| Employment Tax | W-2s, W-4s, 941s | 4 yrs after tax due/paid | IRC § 6501(a); Treas. Reg. § 31.6001-1 |
| Personnel Files | Applications, evaluations, termination docs | 7 yrs after separation | Title VII; ADA; ADEA |
| I-9 Forms | Employment verification | 3 yrs from hire or 1 yr after separation (later) | 8 CFR § 274a.2(b)(2)(i) |
| Payroll Records | Timesheets, pay stubs | 7 years | FLSA § 11(c); state wage laws |
| Benefits/ERISA | Plan docs, SPDs, 5500s | 6 yrs after filing | ERISA § 107 |
| Contracts & Leases | Vendor agreements, MOUs, leases | 10 yrs after expiration | Statute of limitations + buffer |
| Insurance Policies | Policies, certificates, claims | Permanent | Occurrence-based claims |
| Program/Client Records | Service delivery, case files | 7 yrs or per funder/licensing | Sector regulation |
| Correspondence | Substantive letters, emails | 3 years | Operational (unless tied to above) |
| Electronic Backups | System backups, databases | Per source record category | Mirror source retention |

Always verify state nonprofit corporation act and sector licensing (e.g., HIPAA = 6 yrs for PHI [VERIFY]).

### Storage

**Physical:** Secure climate-controlled storage, restricted access, labeling tied to retention categories, annual inventory review.

**Electronic:** Encrypted storage with access controls and audit logging, automated backups (on-site + off-site/cloud), email retention aligned to schedule, version control for governance documents.

### Destruction Protocol

1. Records Manager confirms retention period expired
2. Cross-check against active litigation holds
3. Department head approves destruction list
4. Execute: paper via cross-cut shredding; electronic via secure deletion/degaussing (NIST SP 800-88)
5. Log: document type, date range, destruction date, method, authorized by, executed by
6. Retain destruction logs permanently

### Litigation Hold

**Triggers:** Anticipated litigation, subpoena, government investigation, audit, or regulatory inquiry.

1. Executive Director or counsel issues written hold notice identifying matter, affected categories, and preservation obligations
2. Distribute to all relevant staff and departments
3. **Suspend all destruction** of identified categories immediately
4. Confirm receipt and compliance in writing from each custodian
5. Maintain hold until written release by counsel

Non-compliance risk: spoliation sanctions, adverse inference. 18 U.S.C. § 1519 (SOX § 802) may impose criminal penalties for obstruction [VERIFY applicability to org type].

### Roles

| Role | Responsibilities |
|---|---|
| Board of Directors | Adopt policy; review biennially; approve amendments |
| Executive Director | Overall compliance; authorize holds; approve destruction |
| Records Manager / CFO | Maintain schedule; coordinate annual review; manage logs |
| Department Heads | Identify records; ensure proper storage; flag expirations |
| All Staff & Volunteers | Comply; report questions; preserve records under hold |

### Review & Adoption

- Management review: **annually**; board review: **every two years** or upon material legal changes
- Amendments require board approval with version tracking
- Staff training at adoption and upon substantive amendment
- Include adoption block: board resolution date, chair signature, effective date, version number

## Pitfalls

- **State variations** — retention periods differ by state; verify incorporation state and all operating states
- **Federal grantees** — 2 CFR Part 200 Subpart D applies; retention runs from final expenditure report, extends if audit findings unresolved
- **Donor records** — IRC § 170 substantiation may require permanent retention of gift instruments and pledges
- **Sector overlays** — HIPAA, FERPA, child services regulations may exceed general minimums; flag for separate analysis
- **No compliance gap advice** — flag existing issues for counsel review, do not opine
- **Plain language** — policy must be implementable by non-lawyers
- **Mark uncertainties** with [VERIFY], especially state-specific statutes and sector regulations