As record retention is regulated by many different state and federal statutes, the protection of private information for state- and federally mandated record retention is not specified by any single statute. Various state and federal statutes govern the administrative, technical and physical safeguards for records retention and records destruction.
As an example of a federal requirement for the protection of private information in federally mandated record retention, the Fair and Accurate Credit Transactions Act requires shredding of any information derived from a credit report after the retention period of one year.
The Health Information Portability and Protection Act privacy rule does not apply to medical records retained as part of federal or state retention requirements, but HIPAA-covered entities, including health plans, health care clearinghouses and health care providers who transmit any health information electronically, are required to keep applicable information for six years and are subject to the HIPAA privacy rule.
Record retention is federally required by the following legislation: Age Discrimination in Employment Act, Americans with Disabilities Act, Civil Rights Act of 1964, Consolidated Omnibus Budget Reconciliation Act and the Davis-Bacon Act. There are many other pieces of legislation addressing record retention, including the Fair and Accurate Credit Transactions Act, Vietnam Era Veterans Readjustment Assistance Act, Equal Pay Act, Fair Labor Standards Act and Immigration Reform and Control Act.
State legislation also specifies record retention requirements. Each of the above pieces of legislation specifies the entities to which it applies, those entities' obligations to retain records and, where applicable, how private information is protected.