Principle 5

A charitable organization should establish and implement policies and procedures to protect and preserve the organization’s important data, documents, and business records.

Charitable organizations are required to maintain their organizational documents, board minutes and policies, and materials related to their state and federal tax-exempt status permanently. Other documents related to the governance, administration, fundraising, and programs of the organization, including employment and volunteer records, must be kept in paper or electronic form for specific periods, depending on applicable laws and reporting requirements. When those documents and key financial and program data are maintained electronically, the organization must take appropriate action to protect that information from unauthorized access or manipulation.

A written data and document-retention policy, consistently monitored over time, is essential for protecting key organizational documents and records, as well as protecting the privacy of individual clients, consumers, employees and volunteers. The policy should address the length of time specific types of documents and data must be retained, as well as when it is permissible or required to destroy specific types of documents. It should include guidelines for backing up and archiving paper and electronic data and documents (including e-mail messages), as well as procedures for verifying their security from theft, manipulation, or destruction.

Board members, staff, and volunteers should be thoroughly familiar with the policy and informed of their responsibilities in carrying it out. Board members and senior staff managers should ensure that there is an ongoing process for ensuring compliance with the policy and for updating procedures as necessary. The Form 990 requires organizations to report whether they have a written document retention and destruction policy.

Federal and some state laws prohibit the destruction, alteration, mutilation, or concealment of records related to an official legal proceeding. Policies should outline specific procedures to ensure that any destruction of documents or data is immediately halted if an official investigation of the organization is underway or anticipated.