HR Glossary 8 min read Updated 2026

What Is a Data Retention Policy?

A data retention policy is a formal, documented set of rules that defines how long an organization stores each category of data, where and in what format that data is held, who is responsible for managing it, and how it is securely destroyed once the retention period ends. In HR, it governs the entire lifecycle of employee and applicant data — from the moment a resume is submitted to years after an employee leaves.

It answers: What data do we keep? For how long? And what happens when that period expires? Rather than a single uniform rule, an effective policy assigns specific retention windows to different record types — payroll data, I-9 forms, performance reviews, benefits enrollment, and OSHA exposure records all carry distinct legal obligations. Without a formal policy, organizations risk keeping data too long (breach exposure, regulatory liability) or deleting it too early (audit failures, discrimination-claim vulnerability, fines).

Why it matters in the U.S. workplace: U.S. employers operate within a patchwork of federal and state recordkeeping mandates. FLSA, EEOC, IRS, OSHA, HIPAA, and state privacy laws like California's CPRA each impose their own retention timelines, often on overlapping categories. A good policy helps demonstrate legal compliance during audits, protect against discrimination and wage-and-hour claims via defensible records, reduce breach exposure by limiting sensitive data in active storage, support employee privacy rights (access and deletion), enable consistent responses to e-discovery and legal holds, and build trust with employees and applicants. Bottom line: a retention policy is a risk-management tool, not just a compliance document.

U.S. Legal Requirements: Federal Mandates

U.S. employers must satisfy a layered set of federal recordkeeping mandates, each with its own retention timeline:

  1. FLSA (DOL)

     Retain payroll records (names, addresses, SSNs, pay rates, hours) for a minimum of 3 years and wage-computation records (timecards, schedules, commission) for a minimum of 2 years. Applies to every private-sector employer covered by FLSA.

  2. EEOC

     Retain all personnel and employment records 1 year from creation or action (whichever is later), including applications, interview notes, promotion decisions, compensation changes, and termination documents. Keep 2 years for employers with 100+ employees filing EEO-1. If a discrimination charge is filed, preserve all relevant records until resolved.

  3. I-9 (USCIS)

     Retain 3 years from hire OR 1 year from termination (whichever is later). Store separately from personnel files and keep available to ICE, DHS, and DOJ.

  4. IRS

     Retain employment tax records a minimum of 4 years after tax is due or paid (W-2, W-4, 1099s, federal income tax deposits, and payroll tax documents).

  5. OSHA

     Retain medical and exposure records for the duration of employment plus 30 years (hazardous material exposure), and injury/illness logs (Form 300 series) for 5 years from the end of the calendar year.

  6. HIPAA

     For self-insured employers and health plan administrators, retain compliance documentation (policies, BAAs, training records, audit logs) for 6 years from creation or last effective date. Applies to compliance docs, not patient medical records.

  7. ERISA (DOL/IRS)

     Retain plan descriptions, funding reports, and participant benefits communications generally for 6 years. 401(k) and pension documents may carry additional IRS requirements.

  8. FMLA

     Retain leave requests, medical certifications, notices, and approvals for 3 years. Store in a confidential file separate from the general personnel file.

Key Components of a Data Retention Policy

These components should be reviewed and updated annually, or immediately after any regulatory change.

  • Data Classification: Categorizes data by type: HR, payroll, legal, financial, and operational.
  • Retention Schedule: Assigns a minimum and maximum holding period to each data category.
  • Storage Location: Specifies where data lives: HRIS, cloud, on-premise, or third-party vendor.
  • Access Controls: Defines who can view, modify, or delete specific data sets.
  • Deletion / Disposal Method: Details secure deletion protocols such as shredding, encryption-based erasure, and anonymization.
  • Legal Hold Exceptions: Suspends scheduled deletion when litigation, audit, or investigation is pending.
  • Policy Owner & Review Cycle: Assigns accountability and a timeline for regular policy updates.

The Role of HRIS / HR Technology

Automated Deletion Flags

Modern HRIS platforms automatically flag records for deletion or archival review at expiry.

Retention Metadata Capture

Capture retention metadata (hire date, termination date, last action date) at record creation.

Sensitive Category Segregation

Segregate sensitive categories (medical, I-9, FMLA) into access-controlled modules.

Audit Logging

Generate audit logs of access, modification, retention, and deletion. Without HRIS-level enforcement, organizations rely on manual processes that create inconsistencies.

Legal Hold Overrides

Enable legal-hold overrides that suspend automated deletion when litigation or investigation is anticipated.

U.S. HR Data Retention Schedule

Always consult legal counsel before finalizing retention schedules, particularly for multi-state employers.

| Record Type | Governing Law/Agency | Minimum Retention Period | Notes |
|---|---|---|---|
| Payroll records | FLSA / DOL | 3 years | Includes pay rates, hours worked, overtime. |
| Wage computation records | FLSA / DOL | 2 years | Timecards, schedules, rate calculations. |
| I-9 Employment Eligibility | IRCA / USCIS | 3 yrs from hire OR 1 yr post-termination (whichever later) | Must be kept separate from personnel files. |
| Personnel & hiring records | EEOC | 1 year (2 yrs for 100+ employee firms) | Applications, interview notes, performance reviews. |
| Involuntary termination records | EEOC | 1 year from termination date | Extended if a charge is filed — retain until final resolution. |
| Payroll & employment tax records | IRS | 4 years | W-2s, 1099s, withholding records. |
| OSHA medical & exposure records | OSHA | Employment duration + 30 years | Hazardous material exposure records. |
| HIPAA compliance documentation | HHS / HIPAA | 6 years from creation or last effective date | Policies, BAAs, training records, audit logs. |
| FMLA records | DOL / WHD | 3 years | Leave requests, approvals, medical certifications. |
| ERISA / Benefits plan records | DOL / IRS | 6 years | Pension, 401(k), benefits administration records. |
| California employee data (CCPA) | CPRA / CA DOJ | No longer than reasonably necessary; privacy risk assessment required as of Jan 1, 2026 | Applies to CA-based employees and job applicants. |

Data Retention Policy vs Data Deletion Policy

Both are necessary. Retention without deletion means holding data indefinitely; deletion without retention guardrails means premature destruction of legally required records. Together they form the backbone of data governance.

| Aspect | Data Retention Policy | Data Deletion Policy |
|---|---|---|
| Defines | What to keep and for how long | How to dispose of data once retention ends |
| Orientation | Forward-looking; governs active and archived data during the holding period | Secure wipe, cryptographic erasure, physical shredding; documents disposal for audit |

How to Build a Data Retention Policy

Building a defensible policy follows seven structured steps, with a parallel awareness of state-law variations and legal holds.

1. Conduct a Data Inventory

Map all data categories collected, stored, and processed (applicant data, employee records, payroll, benefits, offboarding) and identify where each lives: HRIS, payroll software, email archives, cloud, and third-party vendors.

2. Identify Applicable Legal Requirements

Cross-reference each category against federal mandates (FLSA, EEOC, IRS, OSHA, HIPAA, ERISA) and applicable state laws. Apply the most protective requirement org-wide for multi-state employers.

3. Define Retention Periods by Category

Assign minimum and maximum windows with documented legal or operational justification. Avoid arbitrary periods.

4. Establish Storage and Access Controls

Specify storage, encryption standards, and role access. Store FMLA medical, I-9, and HIPAA docs in segregated, access-controlled locations.

5. Automate Deletion Triggers

Use HRIS or records management to flag for review or automated deletion at expiry. Manual enforcement doesn't scale.

6. Define Legal Hold Procedures

Document the suspension process, assign authority, and maintain a hold log. A legal hold (litigation hold or preservation notice) is an exception to the standard schedule: when litigation, an agency investigation, or an audit is reasonably anticipated, automated deletion of potentially relevant data must be suspended immediately, even if the retention period has ended. Failure can constitute spoliation of evidence, leading to court sanctions, adverse-inference instructions, and financial penalties.

7. Assign Policy Ownership and Review Cycles

Name an owner (HR leadership plus legal counsel) and schedule an annual review. Revise promptly for regulatory changes like the CPRA update effective January 2026.
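The HRIS features described earlier (retention metadata capture, automated deletion flags, legal-hold overrides) and steps 3, 5 and 6 above come down to one piece of logic: for each record, compute when its minimum retention period ends from the dates captured at creation, and never flag it for deletion while a legal hold is active. The following is an added example of that evaluator and is not code from this page or from any HRIS product. The rule set encodes a few of the federal periods listed above (FLSA payroll and wage-computation, I-9, OSHA exposure, EEOC personnel); the record fields, status names and sample records are assumptions constructed for illustration, and a real schedule would be reviewed by counsel.

```python
# Added example: a minimal retention-schedule evaluator for HR records.
# Not code from the page or any HRIS vendor; the rule set, record fields and
# sample data below are assumptions built from the federal periods the page lists.
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Optional, Tuple


def add_years(d: date, years: int) -> date:
    """Anniversary date; Feb 29 falls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Record:
    record_id: str
    record_type: str                        # key into the schedule, e.g. "payroll", "i9"
    created: date                           # retention metadata captured at creation
    hire_date: Optional[date] = None
    termination_date: Optional[date] = None
    last_action_date: Optional[date] = None
    legal_hold: bool = False                # set by the hold process; suspends deletion


# A rule returns the date the minimum retention period ends, or None when the
# clock has not finished (e.g. the I-9 of a worker who is still employed).
Rule = Callable[[Record], Optional[date]]


def payroll_rule(r: Record) -> Optional[date]:
    return add_years(r.created, 3)          # FLSA: 3 years


def wage_computation_rule(r: Record) -> Optional[date]:
    return add_years(r.created, 2)          # FLSA: 2 years


def i9_rule(r: Record) -> Optional[date]:
    # 3 years from hire OR 1 year from termination, whichever is later;
    # without a termination date the later of the two is not yet known.
    if r.hire_date is None or r.termination_date is None:
        return None
    return max(add_years(r.hire_date, 3), add_years(r.termination_date, 1))


def osha_exposure_rule(r: Record) -> Optional[date]:
    # Duration of employment + 30 years: the 30-year clock starts at termination.
    if r.termination_date is None:
        return None
    return add_years(r.termination_date, 30)


def eeoc_rule(large_employer: bool) -> Rule:
    # 1 year from creation or last action, whichever is later
    # (2 years for 100+ employee EEO-1 filers).
    years = 2 if large_employer else 1

    def rule(r: Record) -> Optional[date]:
        anchor = max(d for d in (r.created, r.last_action_date) if d is not None)
        return add_years(anchor, years)
    return rule


def build_schedule(large_employer: bool) -> Dict[str, Rule]:
    return {
        "payroll": payroll_rule,
        "wage_computation": wage_computation_rule,
        "i9": i9_rule,
        "osha_exposure": osha_exposure_rule,
        "personnel": eeoc_rule(large_employer),
    }


def evaluate(r: Record, today: date, schedule: Dict[str, Rule]) -> Tuple[str, Optional[date]]:
    """Return (status, expiry).
    hold        - a legal hold suspends scheduled deletion regardless of expiry
    unscheduled - no rule for this category; never auto-delete, route to policy owner
    retain      - minimum period not yet over (or not yet computable)
    review      - minimum period over and no hold: flag for deletion/archival review"""
    rule = schedule.get(r.record_type)
    expiry = rule(r) if rule else None
    if r.legal_hold:
        return "hold", expiry
    if rule is None:
        return "unscheduled", None
    if expiry is None or today < expiry:
        return "retain", expiry
    return "review", expiry


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("P-1", "payroll", date(2022, 1, 15)),
    Record("P-2", "payroll", date(2019, 1, 1), legal_hold=True),
    Record("I9-1", "i9", date(2020, 6, 1), hire_date=date(2020, 6, 1),
           termination_date=date(2025, 9, 30)),
    Record("I9-2", "i9", date(2015, 2, 2), hire_date=date(2015, 2, 2)),
    Record("OSHA-1", "osha_exposure", date(2005, 5, 5), termination_date=date(2010, 3, 1)),
    Record("HR-1", "personnel", date(2023, 3, 3), last_action_date=date(2024, 12, 1)),
    Record("X-1", "benefits_enrollment", date(2016, 1, 1)),   # no rule defined yet
]


def run_schedule(today: date, large_employer: bool, records=SAMPLE_RECORDS) -> Dict[str, str]:
    """Evaluate every record and return {record_id: status}."""
    schedule = build_schedule(large_employer)
    return {r.record_id: evaluate(r, today, schedule)[0] for r in records}


if __name__ == "__main__":
    for rid, status in run_schedule(date(2026, 3, 1), large_employer=True).items():
        print(f"{rid:8} {status}")
```

Two design points carry the weight here. First, a rule that cannot yet compute an end date returns None and the record is retained, so an active employee's I-9 or exposure record is never flagged by mistake; second, the legal-hold check runs before any expiry comparison, which is the override the hold process needs. Categories without a rule are reported rather than deleted, which is how schedule gaps surface for the policy owner.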

State law: California (CCPA/CPRA)

From January 1, 2026, employer-related info is covered. Businesses must perform a privacy risk assessment before using HR data, retain no personal info beyond what is reasonably required, and document the legal rationale.

State law: New York

Retain payroll records 6 years (twice the FLSA minimum), including wages paid, hours, and deductions. Failure to maintain shifts the burden of proof to the employer in wage disputes.

State law: Illinois

Retain personnel records 5 years after an employment action or separation. Under the Personnel Record Review Act, current and former employees can inspect and copy their records.

State law: Multi-State Employers

Build a schedule that satisfies the most protective requirement across all jurisdictions. Apply the longest mandatory retention per category org-wide.

Mistake: Treating it as a one-time document

A retention policy is a living framework, not a static file. Schedule regular reviews and update for regulatory change.

Mistake: Applying a single blanket retention period

A uniform rule ignores category-specific legal requirements. Assign distinct windows per record type.

Mistake: Failing to sync schedules across systems

Records deleted in the HRIS may persist in email, payroll, or vendor systems. Enforce retention consistently across all integrated systems.

Mistake: Ignoring state-law variations

Multi-state workforces require accounting for each jurisdiction. Apply the most protective rule across the org.

Mistake: Overlooking applicant data

Rejection letters, interview notes, and reference checks carry EEOC obligations even when no hire is made. Include applicant data in the schedule.

Mistake: Lacking documented legal-hold procedures

Without a defined hold process, scheduled deletion can destroy evidence. Document who issues and lifts holds and maintain a log.

Mistake: Storing I-9 forms in the personnel file

I-9s in the general personnel file are subject to unauthorized access or commingled retention rules. Store them separately in an access-controlled location.

Frequently Asked Questions

What is the difference between a data retention policy and a records retention policy?

They are often interchangeable in HR. A records retention policy generally relates to physical or formal documents (legal matters, financial reports), while a data retention policy is broader, covering all data — formal records in the HRIS plus informal data from emails.

How long should employee records be kept after termination?

It depends on the record type. Most employment lawyers advise keeping complete personnel files at least 7 years post-termination for the broadest protection. Some documents have their own rules: 3 years for payroll (FLSA), 1 year for EEOC docs, 3 years from hire or 1 year after termination for I-9s, and 30 years for OSHA exposure reports.

Does a data retention policy need to cover job applicants who were not hired?

Yes. Per the EEOC, all applicant files (even those not hired) must be kept 1 year from creation or the personnel decision, and 2 years for employers with 100+ employees filing EEO-1.

What happens if an employee requests deletion of their data under CCPA?

California staff and candidates can request deletion, but the right has exceptions — you may retain information necessary for legal obligations, contracts, or to protect legal interests.

How often should a data retention policy be reviewed?

At least annually, and also when laws change (such as the CPRA amendments effective January 2026), after substantial data-ecosystem changes (new HRIS, acquisitions), and after audits or litigation that expose deficiencies.

Sarad Kumar

Senior Executive – Content Writer at Zimyo

I am Sarad Kumar, working as a Senior Executive – Content Writer at Zimyo, where I create engaging and insightful content around HRTech, payroll, workforce management, employee experience, and workplace trends. I focus on turning complex topics into clear, impactful narratives through blogs, website content, social media, and thought leadership pieces. Passionate about content strategy and storytelling, I aim to create meaningful content that educates audiences, strengthens brand presence, and drives business growth.
