Effective records management not only strengthens nonprofit operations—it also builds trust with regulators, donors, and the public. Records management includes oversight of both physical and electronic records, which are increasingly replacing the need for physical versions and, in most cases, are sufficient for legal and compliance purposes. Good records retention policies position nonprofits to confidently respond to audits, complaints, and legal challenges—turning potential crises into moments of credibility. This article focuses on why records retention policies matter, especially for legal risk management, as well as how nonprofit leaders can follow through effectively and conscientiously.
Introduction: Two Cautionary Tales
Consider two scenarios illustrating the high stakes of records management and the importance of establishing and enforcing strong records retention policies:
A former employee files a whistleblower complaint with a government agency, alleging financial misconduct for the prior four years. The nonprofit scrambles to locate old board minutes, donor letters, and audit reports. Some records were deleted during a “spring cleaning” of shared drives. Others were never organized or centralized. Nothing was formally retained.
A nonprofit learns that an upset vendor may sue over a terminated contract. The board fails to issue a “litigation hold” (as should be customary). A worried staff member deletes emails, shreds correspondence, and clears their inbox. Months later, a lawsuit is filed. The nonprofit now must defend not only the vendor’s claims but also allegations of spoliation, which is a legal claim for destruction of evidence that could result in enormous adverse consequences.
Nonprofits need enforceable records retention and destruction policies—both for good governance and legal risk management. How a nonprofit stores, protects, and disposes of its documents can make the difference between smooth regulatory/legal compliance and crisis.
The Legal Framework: Why Records Retention Matters
Records constitute a nonprofit’s institutional memory. An organization’s records demonstrate history of legal compliance, document board actions, preserve donor intent, and support claims for grants or tax exemption. But not all records warrant permanent storage. In fact, retaining everything forever burdens operations, and may increase risk in litigation – since the vast majority of records are discoverable. Effective retention policies balance compliance and recommended transparency without operational burdens.
Certain federal and state laws mandate record retention with specific required retention timelines.[1] In addition to these legal requirements, it is advisable to retain some records—such as contracts—for the duration of the applicable statute of limitations (e.g., four years in California, six in Oregon, ten in Illinois). Other records should be kept permanently, like IRS Form 990s, IRS determination letters, articles of incorporation and any amendments thereto, real estate deeds, and insurance policies. These permanently retained documents could become critically important for a nonprofit’s leadership and operations later, depending on issues or concerns that may arise.
Correspondingly, potential civil or even criminal penalties could result from records retention issues. In the first scenario described above, the government whistleblower complaint could give rise to problems under the Sarbanes-Oxley Act of 2002 (“SOX”). Although SOX focuses on for-profit companies, SOX makes it a federal crime to knowingly destroy, alter, or conceal any record with intent to obstruct a federal investigation. (See 18 U.S.C.A. §§ 1519, 1520). Per the second scenario, spoliation issues have been increasingly common, particularly in our modern era of so much electronically stored information. If a nonprofit’s records are not properly maintained and preserved and the nonprofit later faces litigation, such as for employment or safety-related issues, the other side may claim that the nonprofit deliberately, negligently, or accidentally destroyed relevant evidence and therefore has engaged in spoliation of evidence. If true, the nonprofit could then face sanctions such as a court fine, jury instructions to presume that the lost information was unfavorable to the nonprofit, restrictions on or even a default judgment.
The stakes are thus quite high for a nonprofit, especially given our increasingly litigious society. Depending on the nature and extent of its operations, a plethora of potential claims could develop. Even if a nonprofit has ample insurance, it still needs to protect its records! In a nutshell, nonprofits simply cannot afford to treat recordkeeping as an afterthought.
Records Retention Fundamentals
A good records retention policy establishes clear rules covering the following areas:
1. What counts as a “record” and what can be deleted or discarded as “disposable;”
2. Retention timelines suitable for the document type;
3. Secure storage and accessibility for records, whether digital or physical;
4. Designated responsibility for each record;
5. Procedures for destruction—shredding, wiping drives, the cloud, or secure deletion—after documents’ retention periods expire; and
6. No destruction for any anticipated or known litigation, investigation, or audit.
To apply these principles consistently, the organization should maintain a detailed records retention table or schedule. Properly constructed, this detailed schedule outlines categories of records (e.g., personnel files, financial statements, grant documentation, and donor correspondence) and specifies the legally required retention periods for each.
Leadership, legal counsel, and key staff should collaborate to develop the table. The goal is to align legal requirements with real-world workflows, ensuring retention periods are both compliant and manageable.
Retention protocols do not exist in isolation. They intersect with data privacy, whistleblower protections, financial controls, and governance practices. A charitable beneficiary record may also be protected health information. In such cases, HIPAA or other laws may override general retention periods and require special handling and safeguards. A stakeholder’s file may contain wage data, background checks, or other protected PII (personally identifiable information). A whistleblower complaint might trigger both an internal investigation and an external legal hold.
To ensure consistent implementation of the foregoing, the records retention policy should assign oversight to a specific officer or administrator. That person ensures compliance, trains staff, and updates procedures. All employees and volunteers who handle records should acknowledge the policy in writing.
Legal counsel should be consulted for any state-specific or other legal compliance considerations, as well as for consideration of best practices and related risk management. Our law firm regularly handles such matters, both for effective advance planning and in response to disputes and other issues that periodically arise.
The High Cost of Poor Practices – Too Little, Too Much, Just Right?
Poor retention practices create legal risk on multiple fronts. Missing records can undermine a nonprofit’s ability to respond to audits, enforce contracts, or defend itself in litigation. If key documents—such as board minutes, donor restrictions, or grant terms—cannot be located, the organization may face negative legal presumptions or lose the ability to prove compliance with obligations. Here are some key related points for achieving the right balance for records retention policies and practices.
First, and expanding on potential litigation risks per Section 2 above, courts may and will infer wrongdoing from the absence of records that should have been preserved, particularly if their loss appears negligent or intentional. Court rulings provide cautionary guidance, such as a New York court’s jury instruction to infer that deleted messages were unfavorable, as a sanction against the defendant for failing to preserve relevant emails. Zubulake v. UBS Warburg LLC, 229 F.R.D. 422 (S.D.N.Y. 2004). More recently, a federal appeals court entered a default judgment against a defendant for intentionally destroying key electronic records during litigation. Quetel Corp. v. Abbas, 819 F. App’x 154 (4th Cir. 2020). These cases amply demonstrate how courts may treat negligent or willful destruction of records as grounds for adverse inferences, even when some of the loss results from breakdowns in internal communication and oversight.
Second, over-retention can cause problems too. Keeping everything indefinitely may burden organizations and signal a lack of internal control. Worse, it increases the chance of unauthorized access to sensitive or outdated personal data—such as social security numbers, sensitive health information, or financial details—which may trigger obligations under data breach notification laws and potential liability too. Storing outdated records without business need may also violate data minimization principles under privacy laws like GDPR or state consumer data protection statutes. In litigation, over-retained records may also expand discovery obligations, increase legal costs, and expose information that would otherwise no longer be accessible.
Third, retaining recordings of board meetings, programs, or other operations may or may not be wise, as addressed more fully in our firm’s related blog article. As one example, it may be helpful to record board meetings, other leadership meetings, or even organizational membership meetings, such as in case of any disagreement over what happened or to help a secretary prepare minutes. But such recording should never become a substitute for written minutes, rather only serving as an aid. Additionally, recording meetings may have a “chilling” effect, inhibiting robust discussion, and any imprudent or inappropriate disclosure could also be quite damaging.
Fourth, video camera footage and retention thereof can raise additional issues. As a matter of technological limitations, such recordings may be periodically overwritten. Additionally, they may involve significant privacy concerns and implicate surveillance consent laws, as addressed more fully in our firm’s blog on video camera footage. For these reasons, video camera footage may warrant special attention in a records retention policy, such as a much more limited retention period, but always subject to litigation hold situations.
Fifth, a records retention policy signals to donors, funders, and board members that the nonprofit operates with integrity, respects its fiduciary duties, and values transparency in all aspects of governance.
Sixth, and on a related note, Part VI of the IRS Form 990 contains a board governance question asking whether the nonprofit maintains a records retention policy. For nonprofits subject to the Form 990 requirement (i.e., not exempt, or responsible only for a Form 990-N or Form 990-EZ filing), the answer should be yes!
Following Through – Best Practices
A clear, enforceable policy not only reduces legal risk—it reflects a culture of accountability and integrity. A well-drafted, faithfully implemented retention policy thus acts as a shield. It provides a clear, defensible rationale for how long records are kept and when they are destroyed, all as a matter of normal best practices with nothing that could be reasonably construed later as suspect or otherwise concerning. Such policy thus ensures the organization treats records as legal assets—not just administrative clutter.
Nonprofits thus should approach records management not merely as a housekeeping task but as a critical component of legal compliance, risk mitigation, and organizational integrity. The following best practices offer practical guidance for nonprofits seeking to strengthen their records retention and destruction policies.
• Maintain a written records retention and destruction policy tailored to the nonprofit’s operations. Within the policy: (1) Designate a responsible staff member or officer to oversee records management; (2) Use a clear retention time schedule that reflects legal requirements and operational needs; and (3) Seek legal counsel for optimal compliance tailored to the organization.
• Train staff and volunteers on the policy and obtain written acknowledgments of their comprehension and willingness to comply.
• Store records securely, using tamper-resistant and searchable systems. Back up essential records and store copies offsite or in the cloud.
• Apply consistent protocols including legally compliant timeframes for secure destruction of expired records.
• Immediately suspend any record destruction when litigation, audit, or investigation is anticipated, and instruct personnel accordingly.
• Review and update the records retention policy regularly to reflect legal and organizational development.
• Align the policy with other governance policies such as whistleblower and data privacy policies, audit compliance periodically, and correct gaps or inconsistencies.
Summing up, the best approach for responsible nonprofit records retention may be multi-faceted but should not be onerous: (a) adopt an excellent policy that is legally compliant, consistent with best practices, and tailored to the nonprofit; (b) follow it carefully; (c) remain attentive to litigation hold issues; and (d) be ready to review and modify the policy later as part of good nonprofit practice. Whatever the context, a records retention policy that is properly followed should demonstrate that the nonprofit takes its obligations seriously, applies them consistently, and acts in good faith – all amply reflecting good governance, effective risk management, and wise leadership.
[1] See for example, this IRS Compliance Guide relating to record retention requirements for charities and with respect to employees. See also audit requirements for California public charities with gross revenues in excess of $2 million.