
Records Retention Basics for Ontario Businesses

Brian Clayton

Records retention is the unglamorous side of compliance. Most Ontario businesses keep records far longer than the law requires, which creates exposure (more data to lose in a breach), cost (storage and management), and PIPEDA compliance risk (PIPEDA requires limiting retention to what is necessary). This guide covers the actual retention requirements for the common record categories and how to build a defensible schedule.

Why Retention Matters Both Ways

Retention is a two-sided problem. Keep records too short and you violate statutory requirements (tax law, employment standards, industry regulations). Keep them too long and you violate privacy law that requires limiting retention, plus you carry unnecessary risk if you suffer a breach.

The Office of the Privacy Commissioner of Canada has been increasingly explicit that "we kept it because storage is cheap" is not a defensible answer under PIPEDA. Personal information must be retained only as long as necessary to fulfill the purpose for which it was collected, then destroyed, erased, or anonymized.

Tax and Corporate Records

The Canada Revenue Agency requires businesses to keep records for at least six years from the end of the last tax year they relate to. This covers accounting records, general ledger, supporting source documents, payroll records, and the documents needed to verify tax positions.

Permanent record categories under the federal and Ontario corporate statutes include articles of incorporation and amendments, by-laws, minutes of shareholder and director meetings, share registers, and registers of directors and officers. Permanent means permanent: these survive the life of the corporation.

Practical retention schedule:

  • Tax returns and supporting documents: 6 years after the relevant tax year
  • Sales tax records: 6 years
  • Payroll records: 6 years (CRA), but employment standards reach further (see below)
  • Corporate records (minute book, share register): permanent
  • Major contracts: contract term plus 6 years for tax purposes, plus limitations period (2 years in Ontario) for disputes

Employment Records

Ontario's Employment Standards Act requires employers to retain specific records for three years after they were made. This includes hours worked, wages paid, vacation accrual, public holiday pay, and overtime calculations. Workplace Safety and Insurance Board (WSIB) records have longer retention requirements.

Hiring records (applications, resumes, interview notes, offer letters) are typically retained for one to three years for unsuccessful candidates, longer for hires (often keeping the offer letter and signed employment agreement for the duration of employment plus the limitations period after termination).

Discipline and performance records are usually kept for the duration of employment plus the limitations period for wrongful dismissal claims (two years in Ontario). Sensitive records (medical accommodations, drug and alcohol assessments) have specific privacy protections and shorter retention.

Customer Records and PIPEDA

PIPEDA does not specify retention periods. It requires that personal information be retained only as long as necessary to fulfill the purposes for which it was collected, then destroyed, erased, or anonymized in a manner that prevents reconstruction.

For customer records, the practical question is "what is the necessary purpose and when does it end." The relevant durations:

  • Active customer relationship: necessary for as long as the relationship is active
  • Post-relationship: necessary for the limitations period for any disputes (2 years in Ontario for most contract disputes, longer for some claims)
  • Tax purposes: 6 years after the relevant tax year if the records support tax positions
  • Marketing consent: until the consent is withdrawn

A defensible default for customer records is the relationship duration plus seven years. After seven years post-relationship-end, the records should be destroyed, anonymized, or transferred to a long-term archive with documented retention justification. For the underlying PIPEDA requirements, see our PIPEDA compliance checklist.

Industry-Specific Retention

Some industries have specific record retention rules that override the defaults.

Healthcare in Ontario operates under PHIPA. Patient records are generally retained for 10 years after the last entry or until the patient turns 28, whichever is later. Specific subsets (consent, advance directives) have permanent retention. We cover this in our piece on PHIPA IT requirements.

Legal firms retain client files for at least 15 years after the last billing or representation activity per Law Society of Ontario expectations, with permanent retention for certain document types like wills and corporate records.

Financial services firms (investment advisors, dealers) have specific retention requirements from CIRO (formerly IIROC) typically running 7 years post account closure, plus client onboarding records.

Construction firms retain project records for the duration of the Construction Act limitation period (which can extend years past project completion) plus the tax retention period.

Building a Retention Schedule

A defensible retention schedule covers four columns:

  1. Record category: What the records contain (customer master, payroll, project files, etc.)
  2. Retention period: How long they are kept, in years or by event trigger
  3. Justification: Statute, regulation, contract, or business need that drives the retention
  4. Disposition: What happens when retention ends (destroy, anonymize, archive)

Schedules typically end up with twenty to forty categories for a mid-size business. Once approved by leadership, the schedule needs to be reflected in actual systems: labels on file shares, retention policies in Microsoft 365 or Google Workspace, purge cadence in line-of-business apps, and physical destruction procedures for paper.

Storage and Disposal

Storage matters because over-retention is a real risk under PIPEDA. The cleanest approach is automated lifecycle policies that move active records to short-term storage, archived records to long-term storage, and trigger destruction at the retention horizon. Microsoft 365 retention labels handle this well for the documents that live in M365. For SharePoint storage specifically, see SharePoint archiving.

Disposal must be effective. Deleting a file from a file share does not destroy it for privacy purposes if it remains recoverable in backups indefinitely. The schedule should include backup expiry that aligns with the retention horizon rather than exceeding it by years. Physical disposal of paper records and old media should use a documented destruction service with certificates.
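As an added illustration (not ClayGen tooling), the sketch below encodes the four schedule columns from "Building a Retention Schedule" and audits a record set for overdue disposal and for backups that keep it recoverable past the horizon. The category names, the backup_days input and the 365-day tolerance are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_OVERHANG_DAYS = 365  # assumed tolerance for backups outliving the horizon

@dataclass(frozen=True)
class Rule:                   # the four schedule columns
    category: str
    years: Optional[int]      # None means permanent
    justification: str
    disposition: str          # destroy | anonymize | archive

# Constructed sample schedule; periods are the ones quoted in this article.
SCHEDULE = {r.category: r for r in (
    Rule("payroll_esa", 3, "Employment Standards Act", "destroy"),
    Rule("tax_support", 6, "CRA six-year rule", "destroy"),
    Rule("minute_book", None, "corporate statutes", "archive"),
)}

def add_years(d: date, years: int) -> date:
    """Add whole years; Feb 29 falls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def horizon(rule: Rule, trigger: date) -> Optional[date]:
    """Retention horizon for the primary copy; None means never dispose."""
    return None if rule.years is None else add_years(trigger, rule.years)

def audit(category, trigger, backup_days, today, still_present):
    """Findings for one record set. backup_days (hypothetical input) is how
    long the oldest backup containing the records is kept after deletion."""
    rule = SCHEDULE.get(category)
    if rule is None:
        return ["UNSCHEDULED: no rule, so no justification for keeping it"]
    end = horizon(rule, trigger)
    if end is None:
        return []             # permanent category, nothing to dispose
    findings = []
    if still_present and today > end:
        findings.append(f"OVERDUE: {rule.disposition} was due {end}")
    if backup_days > MAX_OVERHANG_DAYS:
        gone = end + timedelta(days=backup_days)
        findings.append(f"BACKUP_OVERHANG: recoverable until {gone}")
    return findings
```

The trigger date is the event that starts the clock for the category, for example the end of the relevant tax year for tax records or the date an employment record was made.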

For the broader compliance picture covering PIPEDA, PHIPA, SOC 2, breach notification, and how retention fits with each, see our compliance guide for Ontario businesses.
