Have You: Drafted a Records Management Policy?
After writing about the IRS not having a statute of limitations for auditing non-profit’s, I got to thinking about what organizations can do to protect themselves. One thing brought to my attention, and something that I’ve seen myself, is the propensity of non-profit’s to hang on to documents far longer than they need to. Though this usually stems from a good faith attempt to comply with the law, holding on to documents for longer than their legal or financial purpose can actually put organization’s at the same, if not a larger, risk than destroying them too early. For example, the time in which the IRS must audit an organization on a given tax return is usually within 3 years from filing (read that post for the specifics). Should the IRS decide to open an investigation based on a return filed 8 years before, and that organization just so happens to keep each and every document for as long as they can, all the IRS’ work has essentially been done for them. Everything needed to prosecute could potentially be somewhere in those stacks, and alot of the trouble could have been avoided had documents been destroyed when appropriate. Holding on to those documents past the time necessary did absolutely no good other than serving as evidence against them (provided no other laws or statutes required that they be held on to).
Seeing as how the number of audits on exempt organizations is expected to increase this year, I think now is a great time to implement a records management policy. This way, if an employee should decide to sue, or agency investigate, your fate isn’t sealed from the start. If you don’t currently have anything in place, here are a few things to keep in mind when drafting one.
- Clearly articulate the purpose of the policy. What is the policy supposed to achieve? Who does it apply to? In the end, what are your goals in implementing the policy?
- To ensure uniform and easy application, make sure to define any broad or ambiguous terms. What will encompass a “record”? If you say that records must be kept for X amount of time, rather than stating it throughout can you just provide a definition of a “record retention period”? Any time you make a directive that is used several times throughout the policy, try to provide a definition.
- Explain how records will be kept and how they will be disposed. What are the exceptions? As with anything in the policy don’t leave anything up to guessing. Make it explicitly clear what you want to happen.
- Provide a section covering the exceptions. Make sure you address what happens in case litigation or a governmental investigation ensues. How are these to be handled from start to finish?
- Who will oversee the policy? Who should people report to if there are any questions? Who will provide continuing education on the policy?
- Make sure to think outside the box. Don’t just think about paper documents. Make sure you cover emails, documents used in cloud computing, documents produced by those you contract with. How will these be covered?
- Always ensure that your policy is in compliance with any applicable federal, state and local laws. Also, if you accept money from the government, or involved in a specific industry such as health, make sure there aren’t any additional retention rules you must adhere to.
If you’d like to look at examples or other guidelines take a look at the links I provided when I wrote about a case concerning retention policies here.
- Court Holds That The Ignorance of Retention Laws Is No Excuse
- Non-Profits May Soon Face A Privacy Bill Like No Other
Other Posts You Might Like
- Court Rules that CAN-SPAM Means You can’t Spam On Facebook
- Privacy Policies for the Non-profit Organization Podcast