KRA requires five years. PPADA requires six. SASRA has its own rules for SACCOs, and the Data Protection Act adds a further layer for anything containing personal data. Faced with that complexity, most Kenyan organisations do one of two things: keep absolutely everything forever, or dispose of things ad hoc whenever storage runs out. Neither is compliance. Here is how to build a retention policy that actually holds up.

What is a Records Retention Policy, and Why Does It Matter?

A records retention policy is a written document that specifies, for every category of record your organisation holds, how long it must be kept and what happens to it afterwards. It is not a suggestion — it is the operational rulebook that determines whether a document sits in storage, gets archived, or gets destroyed on a given date.

Without one, two failure modes are almost guaranteed. Either your organisation keeps everything indefinitely, which is expensive, creates unnecessary data protection exposure, and makes genuinely important documents harder to find in the clutter — or records get disposed of informally, sometimes destroying evidence you were legally required to keep. A written policy, properly followed, protects you from both.

Retention periods in Kenya are not one-size-fits-all. Different regulators set different minimums depending on your sector and the type of document involved.

KRA — 5 Years

Under the Tax Procedures Act, taxpayers must retain records supporting their tax filings for a minimum of five years from the end of the relevant reporting period. This covers invoices, receipts, payroll records, VAT schedules, and bank reconciliations.

PPADA — 6 Years

The Public Procurement and Asset Disposal Act requires procurement records — tender documents, evaluation reports, contracts, and disposal records — to be retained for six years. This applies to NG-CDF offices, county departments, and any organisation subject to public procurement rules.

SASRA Requirements for SACCOs

SACCOs regulated by SASRA must maintain member records, loan files, and statutory returns for periods tied to membership duration and loan terms, with particular attention to records that support ongoing prudential supervision and audit.

Kenya Data Protection Act 2019

The DPA 2019 adds a different kind of requirement: personal data must not be kept for longer than necessary for the purpose it was collected. This applies on top of any sector-specific minimum — you may be required to keep a document for tax purposes, but you must still handle any personal data within it in line with DPA principles, including eventual secure disposal.

How to Build a Retention Schedule, Document by Document

A retention schedule is the practical heart of your policy — a document-by-document list of what to keep, for how long, and what happens next. Building one properly involves five steps:

  • Inventory every document type your organisation actually creates or receives — not a generic template, your real list
  • Classify each type against the relevant legal minimum (KRA, PPADA, SASRA, or none, if no statutory rule applies)
  • Add any business-need period beyond the legal minimum — for example, a donor may require you to keep grant records for the life of a multi-year relationship
  • Assign a final action to each document type: secure destruction, permanent archive, or further review at the retention date
  • Document the rationale for each decision, so the schedule can be defended if ever questioned by an auditor or regulator

💡 Practical Tip

When retention requirements differ for the same document — for example, a donor requirement of 7 years against a KRA minimum of 5 — always apply the longer period. Retention schedules should reflect the most conservative applicable rule, not the shortest one.

What a Proper Disposal Procedure Looks Like

Reaching a document's retention date does not mean throwing it in a bin. A defensible disposal procedure includes a review step, a formal sign-off, and a secure destruction method — typically shredding for paper and secure deletion for digital files — followed by a logged record of what was destroyed, when, and by whose authority.

"Disposal without authorisation is not compliance, even if the retention period has technically expired — it is simply a different kind of records failure."

— Digi Records Consulting Ltd

Destruction Certificates: Why You Need Them

Every disposal event should generate a destruction certificate — a short, formally worded record stating what was destroyed, the retention rule that applied, who approved the disposal, and the date and method of destruction. If an auditor later asks why a particular document no longer exists, the certificate is your answer. Without one, a missing document simply looks like a records failure, regardless of whether disposal was actually lawful.

Common Mistakes Organisations Make With Retention

  • Keeping everything forever and calling it caution — in reality this increases storage cost, data protection exposure, and the time it takes to find anything that matters
  • Having no written policy at all, relying instead on informal habits that vary by staff member and are impossible to defend under audit
  • Disposing of records without documented authorisation, leaving no evidence that disposal was lawful and deliberate
  • Applying a single blanket retention period to every document type, ignoring the different legal minimums that actually apply
  • Treating physical and digital retention as separate problems, resulting in a scanned copy being kept after the original was authorised for destruction, or vice versa

Retention Policy Readiness Checklist

  • Full inventory of every document type your organisation holds
  • Legal minimum retention period identified for each document type
  • Written retention schedule, approved by management or the board
  • A defined, documented disposal procedure with sign-off requirements
  • A destruction certificate template ready for every disposal event

Building this properly, document type by document type, typically takes two to four days of focused work with a records specialist — a far smaller investment than the cost of getting it wrong during an audit.

Written by the Digi Records Consulting team — records management professionals serving SMEs, NGOs, and government offices across Nairobi, Kenya.