In the last post in our series on document management, we went over the regulations and requirements surrounding the digitization of your records, and the reasons why digitization is generally a good idea. In this post, we’ll dive deep into records retention policies, or how long you need to hold onto your records, including specific retention requirements and general guidelines.
As a reminder: this series is not intended to serve as official legal counsel, but to complement it by providing more accessible explanations of official regulations. Ultimately, your organization and its leadership are responsible for understanding and adhering to relevant legislation. We hope that you find this series of posts helpful as a preview or complement to the Government of Canada’s official regulation guides, and/or legal counsel.
Why should I keep my records once they’re no longer current?
Canadian federal legislation requires that most organizations hold onto some types of records for several years after they’re no longer relevant. Keeping your records well organized when they pertain to recent and developing events or projects has obvious benefits, but why should you keep them after these events have become old news?
One answer has to do with tax records, as keeping good business records and maintaining them means you have the information you need to submit your tax returns without the risk of being audited or penalized by the CRA. Good records will also help you determine which expenses you are legally allowed to deduct from your taxes, and the income tax credits you are eligible to claim.
However, you would only need your records for this purpose until you had submitted your tax returns. If your organization is on top of its tax situation, then you’ll only need records for this purpose for less than a year. So why is the usual minimum closer to seven years?
If the CRA decides to conduct an audit of your organization, you are going to wish you had complete records for whatever tax year they decide to investigate. Even if you have complete records, audits can be time-consuming and costly. However, where there are gaps in your records, the CRA will need to use related records and other evidence to approximate your income and expenses. If the gaps are significant enough, or if your records seem inconsistent, you or your organization could be prosecuted for tax evasion. There’s no way to guarantee you will never be audited, so it’s better to be prepared to defend the legitimacy of your transactions should they ever come into question.
Keeping complete financial records for a long time can actually be a valuable asset when it comes to showing investors the value of your organization. Audits and prosecution are not only financially costly, but they also hurt your organization’s reputation with potential investors. Even if the cause of the audit or prosecution isn’t financial mismanagement (which is intrinsically damaging to your reputation), incurring government investigation or penalties even once can lead investors to believe that it will be more common in the future. Finally, keeping complete, reliable records gives you the raw materials you need to prove your success and reliability to potential investors.
What counts as a record worth retaining?
In general, any digital file, physical document, sheet of paper, or other means of storing and organizing information that is important enough to be used or kept for any amount of time should be considered for retention. There are different rules about retention depending on the type of document.
The category of “Business Records” is used to refer to any financial or legal records pertaining to your organization and its transactions or operations, including its agreements with other organizations. Some examples are property deeds, lease contracts, invoices, and purchase receipts.
“Financial records” includes any formal ledgers in which transactions were recorded, as well as any supporting records for those transactions. In general, your organization needs to be able to provide an official record of all income and expenses, including the original records from that transaction (e.g. receipts provided or received, invoices, etc.). Original records for expenses may not always be possible; when this is the case, you are expected to record a description of the purpose and contents of an expense as soon after it was made as possible.
Your organization may need to collect personal information from clients and partners as part of its regular course of business. This is any information that is about a particular individual and could be used to identify them, either on its own or in combination with other information.
Legal definitions generally include any demographic information, official personal history (e.g. career, medical, or educational history), any financial information, identifying numbers, other people’s views or opinions about you, and even your DNA. If a piece of information is in some sense related to you but is so tangentially or tenuously related that it could not reasonably be used to identify you, then it is not considered personal information. This includes things like information about the company you work at (so long as it does not identify you as an employee) or any anonymized information.
Any records or information that are not of value to the organization in any evidentiary, financial, legal, or other capacity can be defined as “Transitory Records,” and do not require any retention policies. These can be disposed of as soon as the organization desires. This definition needs to be concrete and unambiguous and recorded in the records management manual.
However, it is a good idea to be especially careful with this label and to make sure that it is only applied to records which truly have no larger importance for the organization, its partners, or its clients. Misusing this provision in the regulations by inappropriately labelling unflattering or compromising records as Transitory Records so that you can dispose of them will not protect you from allegations of fraud. Furthermore, banal or uninteresting records may actually have more value to you than is immediately apparent, as they serve as evidence of the absence of wrong-doing. If you dispose of a record too quickly, the gap created by its absence leaves an opening for doubt and allegations.
In general, this category is not likely to include many of the records your organization deals with. If something is important enough to be in your possession for any length of time, it’s probably worth retaining for posterity.
How long do I need to keep my business records?
In general, the minimum retention period for business records is six years. However, when that period begins depends on whether you are an individual, a corporation, or a trust. For individuals and most trusts, this period begins at the end of the calendar year to which the records pertain. So for example, tax records from 14 March 2022 need to be retained until 31 December 2028; the retention period begins on 31 December 2022.
For corporations, this tax period begins at the end of the fiscal period for the year they pertain to. So if a corporation’s fiscal period ends on 31 January, tax records from 14 March 2022 will need to be retained until 1 February 2029, as the retention period began on 1 February 2023.
The gap between the record’s relevance date (i.e. creation or import, or the event it records) and the start of its retention period will always be less than a year. In order to avoid any confusion or mistakes in disposing of records too soon, and to save you the trouble of determining the exact day when your records can be disposed of, it may be better to use the standard of seven years instead.
Here are some exceptions to the general rule of 6 years (source).
|Exception|Retention period|
|---|---|
|Business-Historical Records: Any records which would have an effect on the sale, liquidation, or ending of the business, including property records.|Forever|
|CRA Mandate: The CRA may instruct you to keep your records for a longer time than the standard retention period for a number of reasons.|Dependent on the CRA’s decision|
|Late Tax or GST/HST return: The retention period begins whenever the return is filed.|6 years from time of filing|
|GST/HST Adjustment Note|6 years from the date issued|
|Objection or Appeal: If you file an objection or appeal with the CRA, you must keep the necessary records until the latest of these three options.|Date the objection is resolved, OR date for filing further appeals has passed, OR 6-year record-keeping period passes|
|End of an Organization or Non-Incorporated Business: Former leaders must retain all records.|6 years from the end of the tax year that the organization ended|
|End of a Corporation: Former leaders must retain all records and supporting records to verify its tax obligations and entitlements, and all other records organizations are required to keep.|2 years after the date of dissolution|
|Mergers and Amalgamations: When two or more organizations come together to form a new organization, the new organization must retain the business records of each of the amalgamated organizations.|6 years from the end of the relevant tax year|
|Representing the Deceased: When acting as the representative for a deceased taxpayer or trust.|None; can destroy records after receiving a clearance certificate to distribute the property|
|Registered Qualified Donee: Must keep donation receipt duplicates.|2 years from the end of the calendar year when the donation was received|
|Registration Revoked: A registered charity or registered amateur athletics association whose registration has been revoked by the CRA must retain all records and supporting records, including the other records that they are legally obligated to retain.|2 years after the date registration was revoked|
|Registered Charity Incorporated: When a registered charity is incorporated, it is required to keep its records after it is dissolved.|2 years after dissolution|
|De-registered charities must keep general ledgers containing summaries of year-to-year transactions of the business of a person other than the corporation, and related contracts|6 years after the end of the relevant tax year|
This is not an exhaustive list, and there are additional exceptions for certain kinds of trusts or political party agents.
There may be other reasons for your organization to retain certain records besides what is required by legislation. It is generally a good idea to retain all records important to the legality and finances of your organization for as long as possible, just in case you might need them.
The Canadian General Standards Board document Electronic Records as Documentary Evidence provides some useful guidelines for deciding how long to retain business records. In fact, your organization is responsible for demonstrating that proper consideration has been given to each of these questions (section 6.4.5).
- How is the record used by your organization, internally and externally?
- In the event of a disaster, what would users’ needs for access to it look like?
- What is the record’s financial, legal, social, political, and/or historical value?
- What costs and benefits are incurred by retaining this record?
- What impact would the record’s destruction have on the organization?
- What capacity does the record have to serve as evidence in the event of litigation, audit, or investigation?
How long can I keep personal information from clients or users?
If your organization collects personal information from individuals outside of its membership, there are specific rules about how long you should retain it. Unlike the rules around business records, which indicate minimum retention periods, regulations about personal information indicate maximum retention periods.
Organizations with personal-data-driven business models typically have an incentive to aggregate as much of it as they can, which presents risks for the individuals whose data has been collected. First of all, there is an uncomfortable power imbalance between individual citizens and large corporate entities, making it easy for less scrupulous organizations to abuse the information for profit, or collect it without the individuals’ consent. Regulation exists to prevent both of these and is getting more comprehensive in many countries, but large corporations are usually only prosecuted for violations when caught by a government or a well-organized class-action lawsuit.
Even if a corporation’s collection and use of personal data are always completely legal and ethical, the mere accumulation of that much personal information in one place can be a risk in itself. One average person’s personal information, depending on the content and context, is usually not valuable enough to be a target for cybercriminals. But put thousands or even millions of individuals’ information all in one place, and you’re more likely to be targeted.
It also depends on what that personal information includes; if you put that many people’s banking or legal identification information in one place, having anything less than industry-leading cybersecurity protecting it is a violation of your data subjects’ trust.
These concerns are why government regulations require organizations to securely dispose of personal information once it is no longer of use to them. Like with many other aspects of records management regulations, there are no hard and fast rules about personal information retention, except that you must have your own rules, as well as rules about what those rules must be like.
There are a few guiding principles invoked by the regulations for determining how long to retain a piece of personal information; in order of importance, they are:
1. If other regulations are applicable, they take precedence
2. If the personal information was used to make a decision about the relevant individual, it should be retained for a reasonable amount of time to allow the individual to access that information in order to understand, and possibly challenge, the basis for the decision
3. If retaining personal information any longer would present any sort of risk to the relevant individual, secure disposition should be considered
4. If no other legislation or guidelines apply, then the information’s original purpose should be reviewed; the information should only be retained as long as is necessary to serve that purpose
In order to demonstrate unambiguous compliance with principle 4, it may be a good idea to record your organization’s purpose in collecting a particular type or piece of personal information before it has even been collected. The specific language of the Personal Information Protection and Electronic Documents Act (PIPEDA) is: “personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.”
How do records retention rules integrate into a comprehensive RM program?
Other posts in this series have centred around the development of a comprehensive records management program, or “RM”, as required by federal legislation (see the CGSB document Electronic Records as Documentary Evidence, section 6.4.5). So how do the rules discussed in this post fit into that larger project?
Your organization’s Records Officer (RO) is responsible for determining the retention policies and recording them in the RM program and manual. Where the input of other authorities within the organization would be necessary or helpful, it is required. For example, the Chief Financial Officer should be involved in the decision on retention periods for financial records.
The retention policies decided on by these authorities need to be recorded in the Records Retention Schedule (RRS), part of the larger RM program, and they should be consistent with the way in which the records are classified. So, for example, records classified as highly important probably shouldn’t be given the shortest retention period that is legally allowable. The RRS must include, for each type of record, the planned disposal method (e.g. destruction, transfer to an archive, etc.), any other custodian it will be transferred to, and how it will be transferred to them.
Finally, you have to make sure that your technological environment is suitable for whatever retention policies are deemed necessary. If your organization’s regular course of business involves a high volume of records, you must have the digital or physical storage capacity to accommodate that volume. If you are in control of a large digital database, you must have the appropriate software for organizing and managing that database.