Running a small business means you’re constantly creating (and receiving) paperwork: invoices, employee records, contracts, customer messages, bank statements, screenshots, CCTV footage, and more.
At some point, the question becomes practical as well as legal: what’s the right retention period for each type of document? In other words, how long do you need to keep it before you can securely delete or dispose of it?
Getting your document retention period right is one of those “unsexy” compliance tasks that can save you serious stress later. If the ATO audits you, if a customer complains, or if an employee dispute pops up, your records are often your best protection.
Below, we’ll walk you through how document retention laws work in Australia, the common retention period rules that apply to many businesses, and a simple way to build a retention system that fits your business.
Important: This guide is general information only and isn’t legal advice or tax advice. Retention rules can vary depending on your business, industry, and the exact record. For tax record-keeping (including CGT and asset records), it’s a good idea to confirm your requirements with your accountant or a registered tax agent.
Why Retention Periods Matter For Small Businesses
A clear retention period isn’t just about “keeping everything forever” (which is expensive, messy, and risky). It’s about keeping the right records for the right amount of time so you can:
- Meet legal obligations under tax, corporate, employment, privacy, and industry rules
- Respond quickly to audits or information requests (ATO, Fair Work, regulators, insurers, accountants)
- Defend your business if you face a dispute, chargeback, warranty claim, or complaint
- Protect confidential information by not holding personal data longer than you need to
- Improve operations (it’s easier to find what you need when you’re not drowning in old files)
Most compliance headaches happen because businesses either:
- don’t keep key documents long enough (so they can’t prove what happened), or
- keep everything forever (creating privacy and security risks, and making it harder to find the important records).
A sensible retention period is the balance.
What Australian Laws Set Document Retention Period Rules?
In Australia, there isn’t one single “document retention law” that covers every business record. Instead, your required retention period depends on what the document is and which laws apply to you.
Here are the most common legal sources that drive document retention laws in Australia for small businesses.
Tax And GST Records (ATO Rules)
Most businesses need to keep records that explain all transactions related to their tax affairs. This usually includes:
- sales and expense invoices
- receipts
- bank statements
- PAYG withholding records
- GST and BAS working papers
- asset purchase and depreciation records
As a general rule, ATO-related business records are commonly kept for at least 5 years. However, some records may need to be kept for longer than 5 years (for example, records relating to capital gains tax (CGT) or assets), depending on the circumstances.
If your invoicing is part of your compliance system, it also helps to understand what must be included on a valid tax invoice (and what should be retained with it), including adjustments and credits; see ATO tax invoice requirements.
Company Records (Corporations Act Requirements)
If you operate through a company, there are additional requirements to keep certain financial records (and keep them in a way that correctly records and explains transactions).
In many cases, a 7-year retention period applies to company financial records. The exact rules depend on what documents you’re talking about and your corporate structure.
Employment Records (Fair Work Requirements)
If you have employees (including part-time and full-time employees, and often casual employees depending on the record), you generally need to keep key employment records for a set retention period.
This commonly includes:
- pay records and payslips
- leave records
- superannuation contribution records
- time and attendance records (where applicable)
- contracts and role classification information
A lot of employment-related records are typically kept for 7 years. It also helps to get your starting documents right, because what you create at the beginning becomes part of the record trail later (for example, your Employment Contract and any written changes to role, pay, or hours).
Privacy And Data Rules (Keep It Only As Long As You Need It)
Privacy law doesn’t usually say “keep customer data for X years” in the same way tax and employment laws do. Instead, the focus is typically on:
- collecting only what you need
- storing it securely
- not keeping personal information longer than necessary for the purpose you collected it for
This means your retention period can’t just be “forever” by default, especially for sensitive data.
If you collect personal information (for example, through online enquiries, email marketing lists, accounts, or customer bookings), it’s wise to set expectations clearly in your Privacy Policy and align your actual retention practices with it.
There are also specific issues around “data retention” in Australia that can affect certain industries or telecommunications providers; see the data retention act discussion for context (even if it doesn’t apply directly to your business, it’s a good reminder that retention obligations can be industry-specific).
Surveillance, Call Recording, And CCTV
If your business uses CCTV or records calls for training, security, or quality purposes, your retention period needs to consider both:
- why you are recording in the first place, and
- what privacy and surveillance rules apply where you operate.
These rules can differ by state/territory and depending on the circumstances of the recording. It’s also not just about whether you can record, but how you inform people, store footage, and who can access it.
If you use video surveillance, the overview in CCTV laws is a useful starting point, and if you’re handling broader audio/video recordings in your business (including meetings or calls), recording laws in Australia is worth keeping in mind as you design your retention and deletion process.
Common Retention Periods By Document Type (A Practical Checklist)
Because different rules can overlap, many businesses choose a “minimum retention period” that satisfies the strictest obligation that applies to that record type.
Below is a practical guide to common business records and typical retention period approaches Australian small businesses use. Treat this as a starting point, not a one-size-fits-all rule: your business, industry, structure, and risks will affect the right retention period for you.

| Document Type | Typical Retention Period (Common Practice) | Why It Matters |
| --- | --- | --- |
| Tax invoices, receipts, expense records, BAS/GST working papers | At least 5 years (often longer if linked to assets/CGT or disputes) | ATO compliance, audit defence, cashflow tracking |
| Company financial records (if you operate via a company) | Often 7 years | Corporate compliance and financial reporting |
| Employee pay records, leave records, time records, super records | Often 7 years | Fair Work compliance and dispute management |
| Signed contracts with customers/suppliers, SOWs, variations | Risk-based (commonly at least 6 years after the contract ends; sometimes longer, including for deeds) | Proof of terms, liability allocation, enforcing rights |
| Customer complaints, warranty claims, refund discussions | Often 2-7 years depending on what was sold and risk profile | Consumer law compliance and dispute history |
| Insurance policies, claims, incident reports | Often 7 years (or longer if claim may arise later) | Claims evidence, regulatory reporting |
| CCTV footage and access logs | Often short (e.g. 14-90 days) unless needed for an incident | Privacy risk if retained too long; evidence if incident occurs |
| Marketing consent records (email/SMS opt-ins) | Keep while marketing + a buffer after opt-out (risk-based) | Proof you had consent if a complaint is made |
| Credit card/payment info (if stored) | Avoid storing unless necessary; if stored, keep minimal and secure | Major security and compliance risk if mishandled |

A helpful rule of thumb: if a record supports a number in your financials, supports someone’s employment entitlements, or could become evidence in a dispute, you want a clear retention period and a reliable storage method.
What About “Indefinite” Retention?
Some documents are worth keeping indefinitely (or at least for as long as your business exists) because they form part of your business’s legal identity or ownership history.
Depending on your structure, this might include:
- founding documents and governance records
- key intellectual property registrations or assignments
- share registers and historic ownership documents
- long-term leases and property documents
If you’re not sure what should be “permanent”, it’s usually better to get advice rather than guess, especially if you’re a company or you’re planning to sell the business later.
How To Set Up A Document Retention Policy That Actually Works
It’s one thing to know the “right” retention period in theory. It’s another thing to implement a system your team will follow on busy Mondays.
Here’s a practical approach that works for many small businesses.
1. Map Your Documents Into Categories
Start by listing the buckets of documents your business creates and receives. For example:
- Tax & finance: invoices, receipts, BAS files, bank statements
- People: employment contracts, payslips, leave approvals, performance records
- Sales & customers: quotes, signed agreements, refunds, warranty claims
- Operations: supplier terms, purchase orders, delivery records
- Compliance & risk: incident reports, insurance, safety checklists
- Data & security: CCTV footage, access logs, call recordings (if any)
This step matters because different categories often have different retention period rules.
2. Assign A Minimum Retention Period To Each Category
Once your categories are clear, assign a baseline retention period. Many businesses use something like:
- 5 years for most tax records (noting some tax-related records may need longer, such as CGT/asset records)
- 7 years for employment and many company financial records (particularly if you operate through a company)
- short periods for CCTV and recordings (unless required for an incident)
Then apply a simple override rule: if a record is connected to a dispute, complaint, audit, incident, or insurance claim, pause deletion until the matter is fully resolved (and then keep it for a sensible buffer period).
It’s also worth remembering that retention for contracts is often driven by limitation periods. Many contractual claims are commonly subject to a 6-year limitation period, but deeds can be longer (often 12 years). That’s why contract retention is usually best handled on a risk-based approach rather than a blanket “7 years for everything”.
3. Decide Where Records Will Live (And Who Owns Them)
Retention periods only work if people can find records. Decide:
- what systems will store each record type (accounting software, HR platform, shared drive, CRM)
- who has access (limit access on a need-to-know basis)
- who is responsible for keeping the “source of truth” file
If you take card payments or store any payment-related details, be especially careful. Many businesses choose not to store card details at all unless absolutely necessary, and if they do, they set strict access controls and deletion rules; see storing credit card details for the key compliance issues to keep in mind.
4. Create A Simple Deletion And Archiving Workflow
You don’t need an enterprise system to do this well. You just need consistency.
For example:
- Monthly: archive completed contracts and close out monthly finance folders
- Quarterly: review HR records created that quarter and confirm they’re stored correctly
- Annually: archive the year’s records, set “delete after” dates, and dispose of anything past its retention period
For CCTV or call recordings, it’s common to set up an automated retention period (for example, auto-delete after a set number of days) and then manually “lock” footage if an incident occurs.
5. Train Your Team (And Build It Into Onboarding)
A retention policy is only as strong as the habits around it. When you onboard new staff, make sure they understand:
- where to save documents
- how to name files consistently
- what should never be stored in an insecure way (like personal devices or personal email)
- what to do if they think a dispute might be brewing (so records aren’t deleted)
This is also where your written workplace rules and templates make a difference, because they create a repeatable system rather than ad hoc decisions.
Common Mistakes With Retention Period Compliance (And How To Avoid Them)
In our experience, most document retention issues come down to a few patterns. If you can avoid these, you’ll be in a much stronger position.
Keeping Records, But Not Being Able To Find Them
Saving documents across inboxes, texts, multiple cloud drives, and paper folders usually means you’ll struggle when you actually need the record.
Try to centralise key records and decide what the “final” signed version is (especially for contracts and HR documentation).
Mixing Personal Data With General Business Files
If you store customer identity documents, employee medical information, or other sensitive personal data in the same place as general admin files, you increase privacy and security risk.
Segment storage by sensitivity, limit access, and set shorter retention periods for sensitive data where possible. Your Privacy Policy should reflect what you actually do in practice.
Not Keeping Evidence Of Agreements And Changes
Disputes often turn on “what was agreed” and “when was it changed”. If you negotiate by email or messaging apps, make sure key terms are captured properly and filed with the relevant contract or customer record.
Deleting Records During A Dispute Or Investigation
Once a dispute is on the horizon, deletion can create serious legal and reputational risks. A good policy includes a clear “legal hold” process: pause deletion until the issue is resolved.
Forgetting That “Short Retention” Can Still Require Compliance
CCTV and recordings often have shorter retention periods, but that doesn’t mean you can be casual about them. You still need to think through notice, access, storage, and lawful use, which is why it’s worth reviewing CCTV laws and broader recording laws in Australia if your business uses surveillance or call monitoring.
Key Takeaways
- A clear retention period helps you comply with Australian record‑keeping laws and makes it much easier to deal with audits, disputes, and complaints.
- Different documents have different retention period rules: tax records are commonly kept for at least 5 years (but some tax records, including CGT/asset records, may need to be kept for longer), while many employment and company financial records are commonly kept for 7 years.
- Contract retention is often influenced by limitation periods (commonly 6 years for many contracts, and often 12 years for deeds), so it’s best handled on a risk-based approach.
- Privacy compliance isn’t just about collecting data lawfully; it also means not keeping personal information longer than you need it, and protecting it with secure storage and access controls.
- Surveillance and recordings (like CCTV and call recordings) often need shorter retention periods, but still require careful compliance with privacy and state-based recording rules.
- The easiest way to stay compliant is to categorise your records, assign retention periods, centralise storage, and build a simple archiving/deletion workflow your team can actually follow.
If you’d like help setting up a document retention policy, reviewing your record‑keeping obligations, or putting the right legal documents in place for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.