For sure, many businesses are required to keep a variety of records and documents for a minimum amount of time, usually seven years. But the answer really depends on the industry you are in and the legal requirements and privacy laws that pertain to the information. Also, laws and requirements can differ by state and country.
For organizations in the healthcare field, the Health Insurance Portability and Accountability Act (HIPAA) requires appropriate safeguards to protect the privacy of information for as long as you maintain records. HIPAA also requires that all patient information be properly destroyed when it is no longer needed.
Of course, the legal requirements are not only about keeping documents but also about securely disposing of them when they’re no longer needed.
Other privacy legislation, including the Fair and Accurate Credit Transactions Act (FACTA) and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, stipulates that businesses have a procedure to destroy sensitive information.
At the end of the day, what’s most important is that every business creates an appropriate records retention program that includes both retention guidelines and secure document destruction.
A shred-all policy and regularly scheduled shredding will protect information and eliminate the potential for identity theft and fraud.