A practical guide to how long Canadian small businesses must keep physical documents. Translated from the legalese of CRA, ESA, PHIPA, and PIPEDA into plain language you can actually use.

Your First Line of Compliance Defence

Most small business owners think about document retention the wrong way — as a filing problem. Boxes pile up, filing cabinets overflow, and eventually someone makes a judgment call to purge. That judgment call, made without a retention schedule, is where compliance risk quietly takes root.

A retention schedule is simply a written policy that answers one question for every document type your business generates: how long do we keep it? It sounds administrative. It is, in fact, strategic.

The CRA doesn’t care that the flood destroyed your records. PHIPA doesn’t accept “we ran out of storage space” as a defence. A retention schedule forces the decision before the crisis.

Here’s what a retention schedule actually protects you from:

  • CRA audits reaching back 6–7 years: If you can’t produce records, CRA can reassess based on estimates — always to your disadvantage.
  • Employment disputes and wrongful dismissal claims: HR records without a clear retention trail leave you exposed long after the employee has moved on.
  • PHIPA complaints involving patient or client health data: Ontario’s health privacy legislation requires you to keep records — and to destroy them correctly once the period expires.
  • PIPEDA obligations around unnecessary data retention: Holding personal information longer than needed is, itself, a violation. Less isn’t just tidier — it’s legally required.

💡 Pro Tip

A retention schedule also cuts costs. Businesses that document their destruction timelines pay significantly less for offsite records storage because volumes stay controlled.

Quick-Reference Retention Table

The table below consolidates the major retention requirements under federal and provincial law. Where ranges appear, the longer end is recommended unless you have counsel advising otherwise. When multiple laws apply to the same document, always defer to the longest retention period.

| Document Category | Retain For | Governing Rule | Notes |
|---|---|---|---|
| Tax returns & supporting records | 6 years | CRA / Income Tax Act s.230 | From the end of the tax year they relate to. Extend to 7 years if loss carryforward applies. |
| GST/HST records & invoices | 6 years | Excise Tax Act s.286 | From the end of the fiscal year of the last transaction in the record. |
| Payroll records & T4 slips | 6 years | CRA / ESA | CRA mandates 6 years; many provincial ESAs require 3–5 years from termination date — keep the longer. |
| Employee personnel files | 3–7 years | Provincial ESA (varies) | Most provinces: 3 years post-termination. Ontario ESA: minimum 3 years. BC and AB: similar. Recommended practice is 7 years given litigation timelines. |
| Employment contracts & offer letters | 7 years | Limitation Acts + ESA | Retain for the full duration of employment plus 7 years. Wrongful dismissal claims can surface years after departure. |
| Health records (PHIPA-regulated entities) | 10 years | PHIPA (Ontario) | 10 years from the last entry, or until the patient turns 18 — whichever is later. Mental health records: indefinite in some circumstances. |
| Personal information (PIPEDA) | As needed only | PIPEDA Principle 5 | Retain only as long as necessary for the identified purpose. Longer retention without purpose is a violation. |
| Commercial contracts & agreements | 7 years | Provincial Limitation Acts | From contract expiry or last activity. Limitation periods for breach of contract claims are typically 2–6 years, but discovery rules can extend exposure. |
| Insurance policies & claims | 7–10 years | Insurer requirements + Limitation Acts | Retain current policy plus prior 7 years minimum. Retain any claim file for 10 years from final resolution. |
| Corporate records (minute books, share registry) | Permanent | CBCA / Provincial corporations Acts | Incorporated entities must retain these indefinitely. They follow the company, not the fiscal year. |
| Accounts payable / receivable records | 6 years | CRA | Supporting documentation for amounts claimed or received. Invoices, receipts, statements of account. |
| WCB / WSIB records | 5–10 years | Provincial Workers’ Comp legislation | Injury and incident records: 10 years minimum. Premium calculation records: 5 years. Retain whichever is longer. |

⚠️ Important

This table reflects general federal and common provincial standards. Quebec businesses are subject to additional requirements under the Act Respecting the Protection of Personal Information in the Private Sector (Law 25). If you operate in multiple provinces, your retention schedule should reflect the strictest applicable standard for each document type.

The “When in Doubt, Don’t Keep It” Rule

There’s a persistent instinct in small businesses to hold onto everything, forever, just in case. It feels safe. It isn’t.

PIPEDA is built on the principle of data minimisation — the idea that retaining personal information beyond its useful life is not neutral, it’s a liability. Every document you hold past its required retention period is a document that could be subject to a breach, a complaint, or a regulatory inquiry. The Office of the Privacy Commissioner has been clear: keeping data longer than necessary is itself non-compliance.

What this means in practice

The rule has two parts. First, when a document reaches the end of its retention period and there is no active legal matter, audit, or known litigation on the horizon, destroy it. Document the destruction — date, method, and category of records — in a destruction log. That log, paradoxically, should be kept permanently.

Second, when you’re uncertain whether a document has value beyond its standard retention period, ask these questions before defaulting to keeping it:

  1. Is there an active or anticipated legal matter involving this document?
    If litigation is underway or reasonably foreseeable, trigger a “legal hold” — suspend the normal retention clock until the matter resolves.
  2. Is there a regulatory audit or review in progress?
    CRA audits, ESA investigations, and PHIPA reviews all create obligations to preserve related records regardless of their normal schedule.
  3. Does the document contain personal information governed by PIPEDA or PHIPA?
    If yes and the purpose for which it was collected has expired, destruction isn’t optional — it’s required.
  4. Could this document prove business value that doesn’t exist elsewhere?
    If a copy exists in another form, or the information is redundant, the physical record has no incremental compliance or business value. Destroy it.

If you answer “no” to all four — destroy. Schedule it. Do it consistently.

The businesses that get caught by auditors aren’t usually the ones who destroyed records on schedule. They’re the ones who kept everything haphazardly, couldn’t find what was needed, and couldn’t demonstrate a coherent system.

Onsite vs. Offsite Storage: The Real Trade-offs

Once you know what to keep and for how long, the next question is where. This is less about preference and more about matching the storage method to the document’s access frequency, sensitivity, and retention length.

Onsite Document Storage

Pros:
  • Immediate access — no retrieval request required
  • No ongoing storage fees beyond your own space costs
  • Better for documents needed frequently (current year tax records, active contracts)

Cons:
  • Vulnerable to fire, flood, theft, or water damage without proper controls
  • Consumes valuable office or warehouse space
  • Security and access control falls entirely on you
  • Hard to scale — one bad retention decision fills a room

Offsite Document Storage

Pros:
  • Climate and humidity controlled — better document preservation
  • Chain of custody documentation — supports audit readiness
  • Scales easily as record volumes grow
  • Reputable providers carry liability for loss or damage

Cons:
  • Retrieval takes time — usually 24–48 hours for physical files
  • Monthly per-box fees add up over long retention periods
  • Destruction requires formal instruction — can’t just shred yourself

A third option: professional scanning

Scanning services sit between onsite and offsite storage — and for the right document types, they’re worth considering seriously. A professional scanning provider will digitise your physical records, index them for search, and return or securely destroy the originals. The result is instant digital retrieval without the ongoing box fees.

One important compliance note: digitising a document does not automatically replace the original for CRA purposes. The CRA will accept electronic records if they are an accurate reproduction and your imaging system meets their requirements — but it’s worth confirming this with your accountant before shredding the originals. For PHIPA-regulated health records, the same caution applies. Where scanning is done correctly and compliantly, it can dramatically reduce your physical storage footprint while keeping you fully audit-ready.

A practical split for most SMBs

The most cost-effective approach for a small or medium business is a tiered system based on how old the records are:

  • Current year + 1: Keep onsite. You’ll need these regularly for GST remittances, payroll queries, and general operations.
  • Years 2–4: This is the judgment zone. If your office space is limited or your record volume is high, this is where offsite storage starts to make economic sense.
  • Years 5+: Move offsite or to a dedicated storage area with a clear destruction date labelled on every box. These should be rarely accessed but securely held.
  • Permanent records: Minute books, share certificates, and CBCA-required corporate documents should be stored with your lawyer, in a fireproof safe, or with a professional records management provider — not in a cardboard box in the back of a cabinet.

One Thing Worth Doing This Week

Label every box or folder in your physical filing system with three things: the document category, the date range it covers, and the destruction date. Nothing about document management returns more value per hour of effort than this single habit. When destruction day arrives, it’s mechanical — no decisions required.

Putting It Together

A retention schedule doesn’t need to be a complex legal document. For most SMBs, a one-page reference — built from the table above, adapted to your industry, and reviewed annually with your accountant or lawyer — is enough. The goal is a system that takes the decision out of the moment and makes compliance the path of least resistance.

Regulators aren’t primarily looking to punish businesses that tried. They’re looking for businesses that never thought about it. A written, consistently applied retention schedule — even an imperfect one — demonstrates intent. That intent matters more than you’d expect when something goes sideways.

If you’re ready to act on your schedule but unsure where to start with the physical side, Blue-pencil offers the full range of services Canadian SMBs typically need: secure offsite document storage, professional scanning, certified shredding, and hard drive and product destruction (including ITAD). Having one provider handle storage, scanning, and end-of-life destruction simplifies your chain of custody documentation considerably — which matters when an auditor asks how a record was handled from creation to destruction.

This article is provided for general informational purposes and does not constitute legal advice. Retention obligations vary by province, industry, and specific business circumstances. Consult a lawyer or accountant to confirm the requirements applicable to your business.