
Checklist for Nonprofit Data Retention Policies

Nonprofits handle a lot of sensitive data – donor records, financial reports, volunteer logs, and more. Knowing how long to keep these records and when to securely delete them is critical for compliance, operational efficiency, and minimizing risks. A clear data retention policy ensures your nonprofit avoids legal issues, maintains transparency, and meets IRS requirements (e.g., Form 990).

Key Takeaways:

  • Legal Compliance: Federal laws (e.g., IRS, FLSA, SOX) and state-specific statutes dictate retention periods.
  • Data Audits: Regularly inventory all data sources, including emails and employee devices.
  • Retention Periods: Some records (e.g., tax returns, board minutes) must be kept permanently; others have defined timelines (e.g., payroll for 7 years).
  • Secure Deletion: Implement safe disposal practices for expired data to reduce risks.
  • Access Control: Limit file access based on roles to protect sensitive information.
  • Policy Updates: Review and update retention policies annually to stay compliant.

Example Retention Periods:

  • Articles of Incorporation, Tax Returns: Permanent
  • Payroll Records: 7 years
  • Contracts: 3 years post-expiration

A structured retention policy not only safeguards your nonprofit legally but also streamlines operations and preserves vital records for future needs.

Document Retention Guidelines for Nonprofits: What to Keep & For How Long

Review Your Organization’s Current Data

Having a clear understanding of your data is the backbone of creating an effective retention policy. Nonprofits often manage data across various platforms – filing cabinets, cloud storage, local servers, email accounts, and even employee devices. These environments house a mix of records, from donor databases and financial reports to program logs and board meeting minutes.

Complete a Full Data Audit

The first step is conducting a detailed inventory across all departments. Collaborate with teams like IT, HR, Finance, and Programs to document the types of data you have, where it’s stored, and how it’s used. Don’t stop at the obvious systems like donor management or accounting software.

You also need to account for email records, as they are legally recognized documents and must be part of your retention policy. Data on employee-owned devices can introduce "shadow IT" risks, as these devices often fall outside the organization’s formal oversight. Additionally, evaluate whether your backup and recovery systems are reliable, especially if you rely on digital or cloud storage.

The IRS instructions for Form 990 emphasize that your retention policy should address:

"the record retention responsibilities of staff, volunteers, board members, and outsiders for maintaining and documenting the storage and destruction of the organization’s documents and records".

This means your audit should not only catalog what data you have but also identify who has access to it and who is responsible for managing it. This comprehensive perspective will help you pinpoint data that carries higher risks and needs special attention.

Find High-Risk Data

After mapping out your data, focus on identifying records that pose greater legal or operational risks. Examples include donor records with credit card details, employment files containing Social Security numbers, and records related to minor children. For records involving minors, you may be required to retain them until the child reaches adulthood, plus the length of your state’s statute of limitations.

High-risk data also includes any records that could be critical for future audits or legal proceedings. Consult with your accounting firm or legal advisors to understand which documents the IRS might require and how long they need to be kept. Be aware that deleting important records prematurely – even unintentionally – can create legal issues, as it may be perceived as an attempt to conceal information during investigations.

Nonprofit Data Retention Periods by Record Type

Once you’ve audited your data, the next step is to figure out how long to keep it. This involves balancing legal requirements with your organization’s operational needs, which don’t always match up. Addressing both ensures you’re compliant while also meeting your organization’s goals.

Learn Federal and State Retention Laws

Federal laws provide a baseline for retention requirements. For instance, the Fair Labor Standards Act (FLSA) mandates that nonprofits retain specific employment and payroll records for certain periods. The IRS also highlights this issue in Form 990, Part VI, Section B, Question 14, which asks if your organization has a documented retention and destruction policy. Additionally, under Section 802 of the Sarbanes-Oxley Act (SOX), it’s a crime to destroy or alter records to obstruct a federal investigation.

State laws complicate the picture further. For example, California has nonprofit integrity statutes with specific retention rules. Other states rely on general statutes of limitations, which determine how long records must be kept based on the time allowed for legal claims. These requirements vary significantly by state, so it’s essential to research the laws specific to your location.

Set Retention Periods for Your Organization

Beyond legal obligations, your organization may need to retain certain records for operational reasons. For example, consulting with your accounting firm can help identify which documents to keep. Records involving minors should typically be held until the child reaches adulthood plus the applicable statute of limitations.

Some records, like board minutes, founding documents, or major program evaluations, may hold historical significance for your organization. Even if not legally required, preserving these can provide long-term value. The key is finding a balance between compliance, storage costs, and the importance of the records to your mission.

Recommended retention period by record type:

  • Articles of Incorporation, Bylaws, Board Minutes: Permanent
  • IRS Determination Letter and Tax Returns (Form 990): Permanent
  • Audit Reports and Year-End Financial Statements: Permanent
  • Accounts Payable Ledgers and Invoices: 7 years
  • Payroll Records and Timesheets: 7 years
  • Personnel Files (after termination): 7 years
  • Bank Statements and Reconciliations: 3 years
  • Employment Applications: 3 years
  • Contracts and Leases: 3 years after expiration

Build a Retention Schedule for Each Data Type

Once you’ve identified the legal retention requirements for your organization, the next step is to organize your data into clear categories with specific timelines. A well-structured retention schedule eliminates uncertainty about what to keep and for how long. Here’s how to break it down:

Records to Keep Permanently

Certain documents are critical to your nonprofit’s legal and operational history and should never be destroyed. These include:

  • Articles of Incorporation
  • Bylaws
  • Board Meeting Minutes
  • IRS Determination Letter
  • Tax Returns (Form 990)
  • Audit Reports
  • Year-End Financial Statements
  • General Ledgers
  • Key Donor Records (e.g., endowment funds or major restricted gifts).

Records with Set Time Limits

For other types of records, retention timelines vary based on legal and operational needs:

  • Payroll Records and Summaries: Keep for 10 years.
  • Personnel Files: Retain for 7 years after an employee leaves.
  • Employment Applications and Volunteer Records: Maintain for 3 years.
  • Contracts and Leases: Store for 3 years after they expire.
  • Insurance Policies and Accident/Claim Records: Retain longer to mitigate potential future legal risks.

Archive and Delete Expired Data

A consistent approach to data destruction is just as important as retention. Attorney Thomas Silk, in his Model Document Retention Policy for CompassPoint Nonprofit Services, emphasizes that standardized deletion practices help avoid any perception of wrongdoing if legal issues arise.

  • Digital Archiving: Electronic copies are acceptable if they are an accurate representation of the original. However, documents with raised seals should remain in physical form.
  • Secure Disposal: When records reach the end of their retention period, securely destroy sensitive information (e.g., bank records, credit card numbers, or employee personal data) through methods like shredding.
  • Legal Exceptions: If your organization is under government investigation or involved in a lawsuit, halt all document destruction immediately. Routine deletion can only resume with written approval from legal counsel or the CEO.
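As an added example (not code from this page or from any organization it quotes), the schedule in the table above and the legal hold rule can be expressed as a small Python checker: it computes each record's earliest disposal date, starts the clock at the triggering event for "after expiration" and "after termination" categories, and releases nothing while a hold is active. The record types, sample dates and the fail-closed handling of record types missing from the schedule are my assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention schedule from the page's table: (years, trigger). years=None means
# permanent. The trigger names the event that starts the clock: creation of the
# record, or a later event such as contract expiration or employee termination.
SCHEDULE = {
    "articles_of_incorporation": (None, "created"),
    "tax_return_990": (None, "created"),
    "audit_report": (None, "created"),
    "ap_ledger": (7, "created"),
    "payroll": (7, "created"),
    "personnel_file": (7, "terminated"),
    "bank_statement": (3, "created"),
    "employment_application": (3, "created"),
    "contract": (3, "expired"),
}

@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    event: Optional[date] = None  # termination/expiration date, if the trigger needs one

def add_years(d: date, years: int) -> date:
    """Add whole years; a Feb 29 start falls back to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def disposal_date(rec: Record) -> Optional[date]:
    """Earliest date the record may be destroyed, or None if it must be kept.
    Record types not in the schedule are kept (fail closed) rather than deleted."""
    if rec.record_type not in SCHEDULE:
        return None
    years, trigger = SCHEDULE[rec.record_type]
    if years is None:
        return None                      # permanent record
    if trigger != "created":
        if rec.event is None:
            return None                  # clock has not started yet
        return add_years(rec.event, years)
    return add_years(rec.created, years)

def due_for_disposal(records, today: date, legal_hold: bool = False) -> list:
    """Ids whose retention period has elapsed. A legal hold suspends all disposal."""
    if legal_hold:
        return []
    return [r.record_id for r in records
            if (d := disposal_date(r)) is not None and d <= today]

# Constructed sample inventory (hypothetical records, not real data).
SAMPLE_RECORDS = [
    Record("R1", "articles_of_incorporation", date(1998, 5, 1)),
    Record("R2", "payroll", date(2015, 3, 31)),
    Record("R3", "personnel_file", date(2010, 1, 1)),                    # still employed
    Record("R4", "personnel_file", date(2010, 1, 1), date(2017, 6, 30)),  # terminated
    Record("R5", "contract", date(2019, 1, 1), date(2023, 12, 31)),      # expired
    Record("R6", "bank_statement", date(2024, 2, 29)),
    Record("R7", "unclassified_scan", date(2001, 1, 1)),                 # not in schedule
]
```

Run against a real inventory, the output list is the candidate set for secure destruction; the legal hold flag should be driven by counsel's written release, not by the person running the script.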

Set Up Secure Data Access and Deletion Procedures

Create Role-Based Access Controls

Limit access to sensitive files by setting up role-based access controls. This ensures that only authorized individuals – like staff, volunteers, board members, or external partners – can view, edit, or delete specific records. Nonprofits should clearly document which roles are permitted to access, manage, and store particular types of records. This is especially important for meeting federal tax compliance requirements, as outlined in IRS Form 990, which recommends having a written record retention policy.

For instance, a finance director might need access to payroll and donor financial data, while program coordinators may only require participant-related information. Policies should address all storage formats, including cloud systems, local servers, physical files, and email records. Work with legal or accounting experts to determine which roles need access for IRS audits or to comply with state laws. As the Minnesota Council of Nonprofits explains:

"The adoption of a document retention policy sets guidelines and facilitates directors’ fulfillment of the duty of care, establishes transparency and ensures compliance".

Once access is properly managed, the next step is ensuring that records are securely deleted when no longer necessary.

Plan for Secure Data Deletion

Securely deleting data is just as important as controlling access. Develop a clear, policy-driven process for document destruction. Include a legal hold provision in your policy to immediately pause deletion activities if there’s an ongoing investigation or anticipated litigation. Train staff on secure methods for destroying both physical and digital records. For digital data, make sure deletions include all locations, such as backups and secondary servers.

Align your secure deletion process with your retention schedule to maintain compliance and minimize risk. As Brady Ware highlights:

"In 2026, many organizations have transitioned to automated expense management tools to ensure that IRS-compliant electronic recordkeeping for nonprofits is handled in real-time, reducing the risk of lost receipts or faded ink".

Keep detailed records of all deletion activities. Melissa Frazier of Carr, Riggs & Ingram emphasizes the risks of improper retention:

"Retaining documents beyond their necessary period can be as risky as their premature destruction. Excess retention can lead to increased costs, complexity, and difficulty in locating specific records, while also potentially exposing irrelevant records to legal scrutiny".

Regularly schedule document destruction while ensuring that IRS-required records remain accessible for inspections. These records support reported income, expenses, and credits on annual returns.

Share Policies with Staff and Stakeholders

Train Staff on Retention Practices

Good data retention starts with making sure everyone knows their role. For policies to work, staff need to understand them inside and out. Offer training tailored to specific roles – whether it’s staff, volunteers, board members, or outside partners. For example, finance teams should know what payroll records to keep for IRS audits, while program managers need to be clear on how long to hold onto participant data and grant documents.

It’s also important to stress that destroying documents isn’t just for big cleanups or pre-audit prep. It’s a routine, ongoing process that helps avoid any perception of wrongdoing during legal investigations. Training should cover both physical and digital records, including emails, files in cloud storage, and data on servers. Don’t forget to include your digital backup plan in these sessions to prevent accidental data loss. For added clarity, work with your legal advisor or accounting firm to identify documents required for IRS compliance.

Once training is complete, follow up with clear, ongoing communication about retention procedures to keep everyone on the same page.

Set Clear Communication Guidelines

Even with well-trained staff, clear communication is critical. Your retention policy should address modern forms of communication – emails, voicemails, meeting notes, and even social media – as records that fall under retention rules. Ignoring these digital communications can lead to compliance issues.

Create a legal hold protocol to pause normal deletion processes when there’s a chance of litigation or a government investigation. This system should be well-documented and tested regularly to ensure it works when needed. Keep in mind that the IRS specifically asks on Form 990 whether your nonprofit has a written record retention policy. Transparency isn’t just good practice – it’s a governance requirement. By giving staff a clear destruction schedule, you’ll make it easier to manage files efficiently while staying compliant with federal and state laws.

Monitor Compliance and Update Policies

Keeping retention policies effective means staying on top of changes – whether they’re regulatory, technological, or tied to your organization’s growth. Regular monitoring ensures your policies remain relevant and compliant.

Schedule Regular Policy Reviews

Retention policies aren’t a “set it and forget it” kind of thing. They need regular updates. Designate someone – whether a staff member or a board officer – to manage compliance and schedule yearly reviews to keep everything up to date.

During these reviews, consult with both your accounting firm and legal counsel to confirm you’re meeting IRS audit requirements and staying aligned with evolving tax-exempt regulations. This is especially critical because the IRS Form 990 asks whether your nonprofit has a written record retention policy, making it a governance benchmark.

Don’t forget state-specific requirements. These can include statutes of limitations and other legal mandates. For instance, Florida Statute 496.418 requires charitable organizations to maintain accurate records for at least three years and provide them within 10 working days if requested. If your organization serves minors, remember to retain records until the child reaches adulthood, plus the length of your state’s statute of limitations.

"…[T]he adoption of a document retention policy sets guidelines and facilitates directors’ fulfillment of the duty of care, establishes transparency and ensures compliance." – Minnesota Council of Nonprofits

Regular reviews like this help ensure your retention schedule evolves alongside legal and operational changes.

Conduct Routine Compliance Audits

Policy reviews are just one piece of the puzzle. You also need to audit your compliance processes to ensure they’re working as intended. Set up a recurring schedule to check that archiving and backup systems are functioning properly.

These audits should cover everything – physical files, cloud storage, server data, emails, voicemails, and even social media content. Confirm that all digital backups and staff practices align with your retention policies. Be on the lookout for excess retention, as keeping unnecessary records can drive up costs, complicate processes, and increase legal risks.

Make it a habit to purge outdated files periodically. This keeps your record system organized and efficient. If any state or local laws change, update your policy immediately, especially when it comes to statutes of limitations. Lastly, include a legal hold provision in your policy to suspend deletion schedules during investigations.

Conclusion

With your monitoring and compliance systems in place, you’re now equipped to see the full impact of an effective retention policy.

A well-crafted data retention policy isn’t just about checking boxes for compliance – it’s a way to mitigate legal risks and bring efficiency to your operations. For example, the IRS asks on Form 990 whether your organization has a written record retention policy, highlighting its importance as a hallmark of good governance.

Think of data retention as part of a broader approach to document management. Attorney Thomas Silk puts it best:

"Think about this as part of document management, rather than simply document retention; holding on to documents too long is an unnecessary expense".

By implementing routine destruction schedules, you can cut down on clutter, reduce costs, and maintain practices that align with legal standards. Keeping documents longer than necessary doesn’t just waste space – it wastes resources.

A solid policy also underscores your board’s fiduciary responsibilities. As the Minnesota Council of Nonprofits explains:

"…the adoption of a document retention policy sets guidelines and facilitates directors’ fulfillment of the duty of care, establishes transparency and ensures compliance".

Your retention framework does more than protect legal interests – it preserves essential records that support your organization’s long-term mission and institutional memory.

Retention rules don’t discriminate by format – they apply to physical files, cloud storage, emails, and server data. Keep in mind state-specific requirements, like California’s 10-year statute of limitations for breach of charitable trust. Regularly review your checklist to ensure your policy adapts to these nuances and upholds its core objectives.

FAQs

Which nonprofit records should be kept forever?

Nonprofits must permanently keep legal documents like those tied to lawsuits, tax law compliance, charitable trusts, board meeting minutes, and other key legal records. These records play a crucial role in proving legal and tax compliance throughout the organization’s history.

How do I set retention periods for my state?

To establish retention periods, start by creating a document retention policy tailored to your state’s laws and regulations. Check state-specific guidelines or recommended practices, and take into account statutes of limitations that apply to legal or financial records. Your policy should clearly outline document categories along with their respective retention timelines. For added precision and compliance, consider consulting legal or tax professionals who are well-versed in your state’s requirements.

When a legal hold is in place, it’s essential to pause your usual document retention or destruction policies. This ensures that all relevant records – whether physical or electronic – are preserved without any changes. Identify these documents carefully and secure them for the duration of the legal matter. Make sure to inform all staff and volunteers about the legal hold, and keep a detailed record of every step taken to comply. These records should remain in their original state, ready for legal review if required.