Navigating Data Retention Laws for Background Screening Records
For HR and talent professionals, ensuring compliance with data retention laws for background screening records is a critical and often complex responsibility. The stakes are high: regulatory violations can lead to legal consequences, financial penalties, and reputational risk. But just as importantly, improper record retention, whether by holding onto data too long or discarding it too early, can compromise privacy, security, and operational efficiency.
This guide walks you through what must be retained, for how long, and under which state and federal laws you’re governed when handling background screening documentation.
With the proper framework, you can confidently manage records while staying aligned with compliance expectations across your industry and geography.
Understanding What Must Be Retained
When conducting background checks, companies gather various documents and data points.
These typically include:
- The applicant’s signed disclosure and authorization forms, as required by the Fair Credit Reporting Act (FCRA)
- Completed background screening reports
- Adverse action documentation, if applicable (including pre-adverse and final adverse action notices)
- I-9 forms and E-Verify confirmations (for employment eligibility verification)
- Any related correspondence or documentation that supports hiring decisions based on the results
The retention of each of these items is subject to different federal and state requirements. The key is to map each document to the governing regulation.
Federal Retention Requirements
Several federal regulations dictate retention timelines, primarily:
- FCRA (Fair Credit Reporting Act)
The FCRA requires that businesses retain background check documentation for at least five years if any adverse action was taken based on the report. This includes the report itself and any adverse action notices. The law also mandates secure disposal once the retention period expires.
- Title VII of the Civil Rights Act / EEOC Guidelines
Employers must retain all personnel or employment records, including background checks, for at least one year from the date the record was made or the employment action was taken (whichever is later). If a discrimination charge is filed, records must be kept until the case is resolved.
- I-9 Employment Eligibility Verification
Under the Immigration Reform and Control Act (IRCA), employers must retain I-9 forms for three years after the date of hire or one year after the date of termination, whichever is later.
- Americans with Disabilities Act (ADA) and Genetic Information Nondiscrimination Act (GINA)
Health-related information collected during the hiring process (e.g., medical exams, drug screening data) must be stored separately from general personnel files and retained for at least one year.
State-Level Variations
While federal laws set a baseline, many states impose longer or more specific retention rules:
- California requires that background check reports be kept for two years and that employers provide access to those reports upon request.
- New York mandates a six-year retention period for personnel records that could be relevant to a human rights complaint.
- Illinois employers must preserve application forms and records of hiring decisions for at least one year.
- Massachusetts requires that criminal offender record information (CORI) be retained for no more than seven years after employment, unless there’s a business necessity or legal justification.
Because state laws often shift in response to privacy and employment litigation trends, employers operating in multiple states must develop a centralized policy informed by the most stringent applicable law.
Best Practices for Record Retention
To make compliance easier and more consistent, it’s essential to implement a few key record retention practices.
- Start by creating a clear records map that outlines the length of time each type of document must be kept, based on federal and state regulations.
- Use a document management system that can automatically purge outdated files to reduce manual oversight and minimize risk.
- Be sure your disposal methods are secure, whether that means shredding paper files or digitally wiping electronic records.
- Sensitive data, such as medical or financial information, should be stored separately in systems with restricted access.
- Make retention training a regular part of your HR process by updating your team annually on policies, timelines, and compliance responsibilities.
Digital Considerations and Vendor Responsibilities
With most background checks handled electronically, proper digital retention and deletion protocols are essential.
It’s also critical to ensure that vendor agreements clearly state data segregation measures (to prevent co-mingling of client information), audit support readiness, and adherence to frameworks such as SOC 2 or ISO 27001 for security assurance.
When to Purge and When Not To
Knowing when to delete data is just as important as knowing when to retain it. Holding onto personal data longer than necessary creates risk. Under regulations like the FCRA and California Consumer Privacy Act (CCPA), individuals have the right to request deletion of their data, which businesses must honor unless retention is legally required.
That said, prematurely deleting information that might be relevant to future litigation (e.g., wrongful termination claims, EEOC investigations) can be equally dangerous. A defensible retention policy should balance legal, operational, and risk management needs and be reviewed regularly with your legal team.
Treating Retention as a Strategic Asset
It’s important to recognize that retention is part of the broader framework of employment risk management. Inconsistent or poorly defined retention practices can create downstream consequences that affect your ability to defend hiring decisions, respond to audits, or comply with subpoenas.
By designing a retention policy that accounts for both federal and state laws and leveraging compliant vendors like S2Verify, which prioritize data security and transparency, you’re building a hiring process your organization can stand behind. When done right, data retention becomes one of the silent strengths of a well-run HR operation.