AgentSkillsCN

Retention Compliance

留存合规

SKILL.md

Retention Compliance Skill

Purpose

Teach Claude about document retention requirements across industries and help users choose appropriate retention policies.

Key Concepts

Legal Retention Requirements

Healthcare (HIPAA):

  • Medical records: 6-10 years (varies by state)
  • Medicare/Medicaid: 10 years
  • Minor patients: Until age 21 + 6 years
  • SendSign preset: 7 years (conservative)

Financial Services:

  • SEC Rule 17a-4: 6 years for broker-dealer records
  • FINRA: 6 years for customer records
  • Bank records: 5-7 years
  • SendSign preset: 7 years

Tax Records (IRS):

  • General: 3-7 years
  • Employment tax: 4 years
  • Property records: 7 years
  • Fraud cases: Indefinite
  • SendSign preset: 7 years (covers most cases)

Employment:

  • EEOC: 1 year (job applications)
  • FLSA: 3 years (payroll records)
  • OSHA: 5 years (injury logs)
  • Personnel files: 5-7 years after termination
  • SendSign preset: 5 years

GDPR (Europe):

  • Data minimization principle: no longer than necessary
  • Right to erasure: delete upon request (with exceptions)
  • Typical: 1-2 years unless legal basis for longer
  • SendSign preset: 1 year with auto-delete

Retention vs. Destruction

Retention means:

  • Keep documents accessible for the required period
  • Maintain integrity and authenticity
  • Provide upon request (legal discovery, audit)

Destruction means:

  • Securely delete after retention period expires
  • Irreversible deletion (not just soft delete)
  • Log deletion for audit trail

Auto-Delete vs. Flagged Review

Auto-delete (true):

  • Document is automatically deleted when retention expires
  • Use for: GDPR compliance, routine documents
  • Risk: No human review before deletion

Flagged review (false):

  • Document is flagged for manual review when expired
  • Admin decides whether to delete or extend
  • Use for: High-value documents, regulated industries
  • SendSign default: Flagged review for safety

Industry-Specific Guidance

Healthcare:

  • Use the Healthcare (HIPAA) preset
  • Never auto-delete medical records
  • Consider state-specific requirements (some require 10 years)
  • Patient consent forms: Lifetime retention recommended

Financial:

  • Use Financial Services preset
  • SEC-regulated firms: 6 years minimum
  • Tax-related: 7 years to align with IRS
  • Contracts with ongoing obligations: Retain until terminated + 7 years

Tech/SaaS:

  • Use General Business preset (3 years)
  • GDPR applies if EU customers: Use GDPR Minimal for personal data
  • Customer contracts: Retain until terminated + statute of limitations

HR/Employment:

  • Use Employment Records preset
  • I-9 forms: 3 years after hire or 1 year after termination (whichever is longer)
  • Discrimination complaints: Keep until resolved + 1 year

When to Suggest Retention Policies

During envelope creation: If the user is sending a document, proactively suggest a retention policy based on:

  • Document type (NDA, employment contract, medical form, etc.)
  • User's industry (if known)
  • Regulations mentioned (HIPAA, GDPR, SEC, etc.)

Example:

"I notice this is an employment contract. I recommend the Employment Records retention policy (5 years). This aligns with FLSA and EEOC requirements. Would you like me to assign this policy?"

When reviewing documents: If a document lacks a retention policy, suggest one:

"This NDA doesn't have a retention policy assigned. For general business NDAs, I recommend a 3-year retention. If this is a healthcare or financial NDA, you may need 7 years. Which applies?"

When documents are expiring: If documents are approaching expiration, remind the user:

"You have 3 documents expiring in the next 30 days. Would you like to review them before they're flagged for deletion?"

Balancing Competing Requirements

GDPR vs. Legal Retention:

  • GDPR requires data minimization
  • Industry regulations require retention
  • Solution: Use the minimum retention required by law, no longer

Example: A healthcare company with EU patients:

  • HIPAA: 7 years
  • GDPR: Minimize
  • Recommendation: 7 years for medical records (legal requirement), 1 year for non-medical documents (GDPR)

Storage Costs vs. Legal Risk:

  • Longer retention = higher storage costs
  • Premature deletion = legal risk
  • Recommendation: Follow industry standards, use auto-delete for routine documents only

Common Mistakes to Avoid

Deleting too early: Violates retention laws, destroys evidence ❌ Keeping forever: GDPR violations, unnecessary storage costs ❌ One size fits all: Different document types need different policies ❌ Auto-delete everything: High risk, no human oversight ❌ Ignoring state laws: Some states have longer requirements than federal

Red Flags

User wants to delete immediately:

  • Explain retention requirements
  • Suggest shortest compliant policy
  • Warn about legal discovery obligations

User wants to keep forever:

  • Explain GDPR right to erasure
  • Suggest maximum reasonable retention
  • Offer flagged review instead of indefinite retention

User is unsure of industry:

  • Ask clarifying questions about their business
  • Default to General Business (3 years)
  • Recommend consulting legal counsel for certainty

Proactive Assistance

Claude should:

  • Suggest retention policies during envelope creation
  • Remind users of expiring documents
  • Explain the "why" behind retention periods
  • Help users create custom policies for unique needs
  • Flag inconsistencies (e.g., 1-year retention for SEC-regulated docs)