Privacy Update – Importance of Records Retention & Destruction Policies for Charities & NFPs
By Esther Shainblum and Martin U. Wissmath, Feb 2025 Charity & NFP Law Update
Published on February 27, 2025
A well-structured Records Retention and Destruction Policy helps charities and not-for-profits manage personal and organizational data responsibly. A clear policy supports compliance with best practices, facilitates operational efficiency, and mitigates risks. In the digital age, with electronic records and cloud computing, the prospect and problem of “forever” records brings the issue of retention and destruction to the forefront of privacy law. The following offers a brief outline of key aspects to consider for Records Retention and Destruction policies.

In Canada there is a patchwork of federal and provincial legislation concerning privacy, all of which is based on the 10 fair information principles. Which law applies is determined by reference to a number of factors, including the nature of the organization that holds the personal information, what kinds of activities it is engaged in, whether it is federally or provincially regulated, where it is based, and whether the personal information will cross national or provincial borders.

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private-sector organizations that collect, use, or disclose personal information in the course of “commercial activities”, and is therefore not normally directly applicable to charities and not-for-profits operating in Ontario. However, its Schedule 1, entitled “Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information” (“Schedule 1”), offers a best-practice standard for handling personal information and privacy protection.

Other statutes that may be applicable include Ontario’s Personal Health Information Protection Act (PHIPA) for handling personal health information by organizations that fit the statutory definition of a Health Information Custodian; Ontario’s Freedom of Information and Protection of Privacy Act, R.S.O. 1990 (FIPPA) and Ontario’s Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990 (MFIPPA) for entities that fall within the scope of those statutes; the Income Tax Act (Canada) for financial record-keeping; corporate statutes such as the Ontario Not-for-Profit Corporations Act (ONCA) or the Canada Not-for-Profit Corporations Act (CNCA); as well as the employment standards in the Employment Standards Act, 2000.

Some of the principles set out in Schedule 1 that are most relevant to record management include identifying the purposes for which information is being collected at or before the time of collection, limiting the collection of personal information to that which is necessary for the purposes identified, retaining the personal information only as long as necessary for the fulfillment of those purposes, and developing guidelines and procedures for the retention of personal information and its secure destruction.

A Records Retention and Destruction Policy serves multiple functions: compliance with privacy laws and regulatory requirements; mitigation of the risks associated with privacy breaches by limiting the amount of personal information retained and the length of time for which it is retained, and by ensuring that it is securely destroyed at the appropriate time; providing for secure retention and handling of personal information; facilitating operational efficiency; preparedness for audits and disputes; and maintaining stakeholder trust.

Key elements of a Records Retention and Destruction Policy include:
Best practices include regularly reviewing retention schedules, limiting access to sensitive information, using secure cloud storage, and conducting annual data audits.

A Records Retention and Destruction Policy is a key governance component for charities and not-for-profits. Implementing a clear policy supports responsible data management, protects personal information from unauthorized access or disclosure, aligns with best practices for security and compliance, and protects the reputation of a charity or not-for-profit.