Nonprofits are increasingly going paperless with their documentation, and all organizations should have protocols for addressing document management, retention, and destruction. So how should responsible nonprofit organizations develop new document retention policies or upgrade their old policies, in light of technological advances and legal compliance requirements? Key aspects including clear guidance for nonprofit workers, liability-related issues, related best practices, IRS Form 990 reporting requirements, important accessibility considerations, and data security.
Why do we need a document retention policy?
The most basic answer is that a document retention policy provides clear instructions for a nonprofit’s governing body and staff as to which records must be kept, for how long, and whether some or all records may be stored electronically instead of physically. The retention periods associated with specific records are generally tied to the statute of limitations for actions that could arise under state or federal laws. The time frames can vary widely from one year to permanent retention. Without clear guidelines, a nonprofit will often fail to retain important records needed for appropriate legal, tax, or accounting protection. As an organization grows and more employees and volunteers are involved in handling records, the need for a uniform and clear policy becomes critical.
In addition, a document retention policy helps substantially keep legal and accounting costs down –whether the organization is in crisis or is seeking guidance proactively. In the event of litigation, IRS or state tax audits, and other government investigations, a nonprofit may need to provide records to explain and demonstrate that actions taken or information reported was correct and reasonable. If a nonprofit is unable to produce the pertinent records, the law often will imply culpability. In some situations, failure to properly retain documents for use in legal proceedings can even result in criminal liability. (See below regarding Legal Holds.) Thus, having a good policy regarding document retention and destruction – and actually following that policy – is crucial to minimizing liability.
A sound document retention policy will thus set forth procedures for retaining many types of records that attorneys and accountants need to be able to review when providing legal or financial advice. Attorney and accountant fees increase if the records are incomplete, unorganized, or need to be requested from government offices, prior volunteer officers or staff, or old law firms and accountants because the organization has not properly kept the records. Without full access to certain records, it is often very challenging to understand what occurred and why a corporation took a certain action, reported in a particular manner, or was legally structured in a specific way. Significant legal and accounting fees are then incurred to determine what transpired, why, and if the actions need to be corrected.
A document retention policy is also simply a wise best business practice. Nonprofits hold assets in trust for specific purposes, most often for a charitable class of beneficiaries. The directors have fiduciary duties to these beneficiaries to demonstrate that the assets are being properly used to further the organization’s purposes. Maintaining the records that demonstrate these duties have been fulfilled is essential to show good stewardship.
The IRS and state regulators understand the best practices aspect too. Several years ago when the Form 990 was redesigned, the IRS added a question in its governance section asking whether the reporting nonprofit has adopted a written document retention policy. While the policy is not legally required for tax exemption, the IRS views it as an important question of good governance, the answer to which potential donors and the general public should be entitled to know.
For many nonprofits, the Form 990 question has been a healthy wake-up call and a reason to adopt a policy. We do not generally recommend that a form policy be adopted solely for purposes of the Form 990; rather, an organization should assess the need for such a policy and tailor one to their specific circumstances. Further, the lack of this “written policy” question on shorter versions of the annual information return available to small organizations, such as the 990-EZ or 990-N, does not mean that such a policy is not also essential for a small nonprofit. There are numerous circumstances under which even the smallest of nonprofits should maintain a document retention policy.
What Should Be Included, and How Should Electronic Data Storage Be Addressed?
The following list outlines some of the provisions necessary for a useful document retention policy that meets legal standards and best practices for nonprofit organizations.
1. Administrator. The policy should, first and foremost, identify a responsible party (an individual or group) who will be responsible for overseeing compliance with the policy. (Typically, this may be one of the officers or a high-level employee.) Responsibilities include training employees and volunteers on their document retention responsibilities. This person or group should be familiar with the policy and should be able to answer questions from employees or volunteers. While the Board should exercise oversight, periodically review whether updates to the policy are necessary, and get involved if needed to address failures of compliance, the Administrator(s) should be handling any day-to-day considerations, such as helping a volunteer to determine whether a particular document must be retained.
2. Retention Schedule. The policy should include a schedule showing the time periods for which various records should be retained. The organization should consult with legal counsel to ensure that its retention schedule not only complies with applicable laws but also adequately addresses the right records. We have seen many policies that include documents that would never apply to a particular nonprofit and at the same time miss major areas of records that do. The schedule may also indicate who is in charge of keeping specific records. For example, corporate records such as the organization’s Articles of Incorporation, Bylaws, and board meeting minutes are typically maintained by the corporate Secretary, whereas financial records may be retained by the Treasurer or CFO.
3. Electronic Records. The policy should address the use of electronic record-keeping. Other than a few documents that may need to be kept as originals in physical form, it is generally acceptable to maintain records in electronic form, as long as the records are appropriately secure and are easily accessible by those who need to have access. Organizations should evaluate the level of security needed, such as programs providing data encryption and password-only access, particularly if the organization keeps personal information of employees, donors, program participants, or other individuals. For accessibility, organizations will need to consider how to name and index electronic files so they can be easily found for future review.
4. Legal Holds. Organizations have a legal duty to preserve relevant records once litigation, an audit, or a government investigation is reasonably anticipated. Section 1102 of the Sarbanes-Oxley Act, enacted in 2002, even imposes criminal liability on anyone who alters, covers up, falsifies, or destroys documents to prevent their use in an official proceeding. The document retention policy thus should reflect the legal hold requirement and should explain how legal holds will be communicated to employees and volunteers. The policy should also clarify that employees and volunteers who learn of the need for a legal hold (such as through receipt of a subpoena or audit notice) must report this information to the Administrator.
5. Transitions. The policy should cover how records are transitioned from one individual to another, such as how corporate records are transitioned from one secretary to the next. This could include requirements such as leaving physical documents in a certain location, providing passwords to electronic records (and changing them after the transition), and/or working with the Administrator to properly transfer records.
6. Destruction. Before the use of electronic document retention, organizations generally destroyed records after certain periods of time in order to cut down on the need for storage space. With the advent of cloud storage, organizations now have options for virtually unlimited storage. Despite no longer having a space limitation, organizations still need to consider whether they have sufficient need for a policy requiring “destruction” of documents once they have been held for the required period of time. For example, regularly destroying documents containing individuals’ personal information could help limit exposure if the organization were to be a victim of hacking.
If destruction is necessary, the policy should specify how an employee or volunteer needs to go about such destruction, such as shredding physical documents and using “secure deletion” of electronic documents (or such procedures could be listed separately and referenced in the policy). Additionally, electronic documents may be stored in many locations, such that back-up copies may also need to be destroyed. It may be helpful to have the organization’s Information Technology Department or an IT consultant review the destruction procedures for adequacy.
7. Emails and Personal Devices. The organization should specifically consider how to address retention and/or destruction of emails and organization documents maintained on individuals’ personal devices. These considerations may overlap with provisions in a “communications” or “technology” policy covering such matters as the use of personal devices for organization matters and lack of privacy when using the organization’s technology.