Sustainable Agriculture Institute
Record Retention Policy
Policy brief & purpose
SAI’s Record Retention Policy describes our guidelines to create, preserve and access our company’s records. To ensure that our records are accurate and secure, we ask our employees to adhere to this policy.
In this policy, a “record” is any type of electronic or paper file (document, spreadsheet, database entries) that we store in our systems. This includes files both employees and external sources create. All legal and business documents, as well as formal internal and external communications, fall under this policy’s purview.
This policy applies to employees who may create, access, and manage records. The HR and finance departments, which manage sensitive and critical information, are primarily responsible for keeping accurate and secure records. g. Every other employee who creates and stores important records should follow this policy too.
We place a high value on our company’s records.
By storing information, we are able to:
- Make better decisions
- Support our day-to-day operations
- Forecast and prepare for the future
- Learn from past mistakes
- Preserve and defend our company’s legality
- Evaluate our operations and employee productivity over time
- Develop plans to improve and grow the company
What records do employees need to create?
Creating and storing certain types of records are mandatory.
Employees should keep records that:
- Are mandated by law (e.g. record-keeping requirements of the Equal Employment Opportunity Commission (EEOC))
- Are necessary for them or other employees to perform their jobs
- Indicate internal or external changes that affect our operations, employees, partners, or customers
- Include decisions, reports, data, and activities that are important to our business
- Describe business ventures, deals, and communication with regulatory bodies or the public
Employees, teams, and departments may keep other records if they decide they’re useful to their jobs.
We have a few general guidelines for creating records.
- Ensure that information is accurate and complete
- Store records in appropriate mediums
- Name, categorize and share records properly
- Mark appropriate records as confidential
- Clarify who’s authorized to access records
Employees should also check records electronic systems automatically generate to ensure their accuracy and proper storage.
Records may have different levels of authorization that limit their accessibility. The authorization level is usually determined by those who create the records, our company’s official policy, or the law (the law always takes precedence.) The following records are strictly confidential and require a high-level authorization:
- Employment records
- Unpublished financial data
- Customer/ vendor/ partner/ job applicant information and contracts
Access to those records is restricted to employees who directly manage that information. Other types of records, like company performance metrics and internal policies, may be accessible by all permanent employees. Employees must not disclose records to people outside of our company unless authorized.
Our confidentiality and data protection policies always apply to all relevant records.
Our employees must protect our records, whether marked as confidential or not.
Printed records must be stored safely in filing cabinets or closed offices. Important, confidential files mustn’t be left in open office areas.
When employees need to carry physical records out of our offices, they must prevent them from being damaged, lost, or stolen. We advise our employees to avoid relocating records as much as possible.
Electronic records will be protected by passwords, firewalls, and other security settings (both locally and in the cloud.)
Employees are responsible for keeping these records intact. For example, if an employee shares a Google spreadsheet, they must decide whether to give colleagues permission to edit, view or comment. Employees should not grant editing privileges unless necessary.
Also, when employees access electronic, confidential records outside of our offices, they should ensure that both their devices and networks are secure. They should not leave their screens and devices unattended while logged in to our company’s accounts.
Data retention period
As a general rule, we will keep all records for a minimum of two years. The law may oblige us to retain certain records for a longer period. In this case, we’ll abide by the law. Also, the following records must be preserved indefinitely:
- Tax returns
- Internal policies
- Employment contracts
- Partnership and vendor contracts
- Financial statements and annual reports
- Results of audits and legal investigations
After the data retention period has passed, authorized employees may choose to discard records for a specific reason. They will usually do this either by shredding physical documents or deleting data from a database or computer. Printed copies of electronic files should be shredded, too.
Records may also be discarded upon request from a stakeholder. For example, a customer or partner may ask us to delete their information from our databases. In this case, managers should authorize employees to discard relevant records.
We expect our employees to always respect our confidentiality policy. When files need to be discarded, employees must not create copies or store information on their devices. This may constitute a security breach and warrant disciplinary action.