How long must federal agencies keep Privacy Act records and what happens if they over-retain?
There is no single retention period for “Privacy Act records.” Instead, how long an agency keeps records about individuals is governed by records schedules, while the Privacy Act of 1974 sets rules for how those records are maintained, used, and protected.
What sets the retention period
Federal records — including systems of records covered by the Privacy Act — are kept according to approved disposition schedules. These come from two main sources:
- General Records Schedules (GRS) issued by the National Archives, which cover common administrative records found across agencies.
- Agency-specific schedules approved by the National Archives for mission records unique to that agency.
A schedule states whether a record series is temporary (destroyed after a set period or triggering event) or permanent (eventually transferred to the National Archives). The retention period reflects legal, fiscal, operational, and historical needs — not a flat Privacy Act timeline.
The Privacy Act overlay
The Privacy Act layers principles on top of scheduling. Agencies are expected to:
- Maintain only personally identifiable information that is relevant and necessary to a lawful purpose.
- Publish a System of Records Notice describing the records and their retention.
- Keep records accurate, timely, and complete for the purposes for which they are used.
These principles point toward data minimization: collecting and holding only what is needed, for only as long as it is needed.
What happens if an agency over-retains
Over-retention — keeping records past their approved disposition date — creates real risk:
- Larger breach exposure. Every extra record of personal information is additional data that can be lost, stolen, or improperly disclosed.
- Discovery and FOIA burden. Records still in custody generally remain subject to search, review, and potential release.
- Tension with Privacy Act principles. Holding unnecessary information undercuts the relevance, necessity, and accuracy expectations.
- Accountability findings. Inspectors General and oversight bodies frequently flag failure to dispose of records on schedule.
Importantly, agencies generally cannot destroy records simply because they seem outdated; destruction must follow the approved schedule. The compliant path is to apply disposition on time — neither early nor late.
For broader guidance on handling personal information in records programs, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Privacy Act of 1974 — U.S. Department of Justice
- General Records Schedules — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). How long must federal agencies keep Privacy Act records and what happens if they over-retain?. Records Management University. https://www.recordsmgmt.org/questions/how-long-federal-agencies-keep-privacy-act-records-over-retention/
MLA
RM University Editorial. "How long must federal agencies keep Privacy Act records and what happens if they over-retain?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-long-federal-agencies-keep-privacy-act-records-over-retention/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?