Sensitive Documents: How to Know What to Destroy

Posted on December 13, 2017

When it comes to your sensitive documents, you want to be sure that you are protecting yourself adequately. Whether you are concerned about your personal files and potential identity theft, or your business records, you will want to ensure that you are staying safe. Part of that might mean destroying certain records, but how do you know what to destroy?


The 7 Year Rule

For your safety, documents with sensitive information should be destroyed as soon as they are no longer needed. There is a commonly held belief that all business records have a minimum legal retention period of 7 years. While this is not true as a blanket statement concerning all companies and all records, there are numerous documents that should be held for this amount of time. These include employee agreements, business loan documentation, litigation records, as well as general expense reports and records, including overhead expenses and professional consultation fees. Other enterprises, however, may have specific guidelines on how long documents and files should be kept.

In the medical profession, for example, patient records are to be kept for a minimum amount of time before they can be destroyed. For adult patients, records must be kept for at least 10 years following the date of the final entry in the record. In the case of children, the records are to be kept until 10 years following the date on which the child turns, or would have turned, 18 years of age.

Other files that should be kept for a specific amount of time include your tax records. The Canadian Income Tax Act, for example, requires specific tax records to be kept for a minimum of 6 years following the end of the year to which they relate. You should retain supporting documentation such as receipts, T4s showing your employment income and source deductions, and receipts for donations made to charity. This applies only to income records for Canada.


Other Requirements

The CRA requires businesses to permanently maintain certain records, including share registries, property acquisition and disposal documents, and historical information concerning business share or liquidation.

Records that do not fall under the Income Tax Act include payroll records, business licenses, contracts, client records, memoranda, minutes, articles of incorporation, sales and marketing records, and workers' compensation records.

Once documents are no longer required to be maintained, they should be disposed of as soon as possible. Keeping old documents containing sensitive data can increase the risk of identity theft, fraud, and financial loss. Documents that are a high priority for destruction include the following:

  • Statements from financial institutions. These should be destroyed once the necessary information has been obtained.
  • Outdated tax information
  • Outdated medical information
  • Old employee and client files
  • Documents containing proprietary data
  • Contracts and proposals

In order to adequately protect yourself from loss of sensitive data and the associated risks of identity theft, fraud, and possible reputational damage, it is important to create a policy for the destruction of records. Determine which documents must be kept and for how long they must be maintained, clearly indicating the date of destruction. Once that date has been reached, ensure that the records are destroyed in a timely manner. By doing so, you will be helping to protect yourself, your employees, and your clients.