Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Running a business in Australia means handling a lot of information - from invoices and tax records to employee files and customer details. Knowing how long to keep those records, and when to securely delete them, isn’t just good housekeeping. It’s a legal requirement in many cases and a key part of protecting your business.
You might have heard the phrase “Data Retention Act Australia.” While that’s not the official name of a single law, it’s a handy shorthand people use to talk about a mix of Australian rules that require businesses to keep (and eventually destroy) certain records. The details can feel complex, but with a clear plan, staying compliant is totally manageable.
In this guide, we’ll break down what “data retention” actually means in Australia, which laws may apply to you, how long to keep different types of records, and practical steps to build a sensible, compliant retention program for your business.
What Is Meant By “Data Retention” In Australia?
When people refer to “data retention” in Australia, they’re usually talking about two different buckets of obligations:
- Business record-keeping rules that require you to keep financial, company and employment records for set periods (for example, keeping company financial records for seven years under the Corporations Act 2001).
- Privacy and data protection rules that require you to keep personal information only as long as you need it, then destroy or de‑identify it once it’s no longer required (primarily under the Privacy Act 1988 and the Australian Privacy Principles).
There’s also a highly specific regime for telecommunications providers. Amendments to the Telecommunications (Interception and Access) Act 1979 (often discussed in “data retention” conversations) require certain telcos and ISPs to retain metadata for two years. If you’re not operating as a carrier or carriage service provider, those particular rules won’t apply to you.
For most businesses, the practical questions are: what do we have to keep, for how long, and how do we securely get rid of it when the time comes? If you want a deeper dive into the concepts, see our primer on data retention laws in Australia.
Who Must Keep Records, And For How Long?
Nearly every Australian business must keep some form of records for specific periods. The exact timeframe depends on the type of record and the law governing it. Below are the common categories you’re likely to deal with.
Tax and Accounting Records (Generally 5 Years)
As a general rule, the Australian Taxation Office (ATO) requires businesses to keep tax records for at least five years from when you lodge your return or from when a transaction is completed (depending on the record). The exact period can vary based on what’s being substantiated, so it’s wise to confirm your specific obligations with your accountant or tax adviser.
Tip: Align your bookkeeping system so tax records are quickly retrievable for at least five years, and avoid deleting anything that still relates to an open review period.
Company Financial Records (7 Years)
If you operate through a company, the Corporations Act requires you to keep financial records for at least seven years. These records must correctly record and explain your company’s transactions and financial position. This often includes bank statements, invoices, receipts, ledgers and working papers.
Employment Records (7 Years)
If you employ staff, workplace laws require you to keep certain employment records - such as pay records, hours worked, leave, and superannuation contributions - for at least seven years. Keeping these securely and in an easily accessible format is critical if the Fair Work Ombudsman requests them.
Contracts And Commercial Documents (Good Practice: 7 Years After Expiry)
While not always dictated by a specific statute, it’s common risk management to retain key commercial contracts (for example, supplier agreements and major customer contracts) for at least seven years after the contract ends, given limitation periods for potential disputes. If you’re engaging third parties who process data for you, build retention and deletion duties into your Service Agreements.
Industry-Specific Records (Varies)
Some sectors have longer or more prescriptive retention timelines. Health service providers, education providers, financial services and government contractors often face specific minimum periods or content requirements for records. Always check the rules that apply to your industry and location and document them in your retention schedule.
A Quick Word On “7 Years” And ATO Rules
It’s common to hear “keep everything for seven years” because that timeframe captures several requirements (company and employment records in particular). That approach is often practical. However, for tax records specifically, the ATO’s default position is five years for many records. Because tax rules can be nuanced and situation‑dependent, it’s best practice to confirm your exact retention periods with your accountant.
How Does Privacy Law Interact With Data Retention?
This is where many businesses get confused: some laws tell you to keep records for minimum periods, while privacy law says don’t keep personal information longer than necessary. Here’s how to reconcile those ideas.
Who Must Comply With The Privacy Act?
The Privacy Act 1988 (and the Australian Privacy Principles, or APPs) applies to “APP entities.” In broad terms, that includes most Australian businesses with an annual turnover of more than $3 million, plus some smaller businesses in specific categories (for example, health service providers). If your business is an APP entity, you must manage personal information in line with the APPs.
Many smaller businesses that aren’t APP entities still choose to adopt privacy best practice to build trust and meet customer expectations. If you are an APP entity, you should publish a clear, accessible Privacy Policy that explains how you handle personal information. The detail about how long you keep personal information forms part of being open and transparent (APP 1).
Keep Only What You Need, Then Destroy Or De‑Identify (APP 11.2)
Under APP 11.2, APP entities must take reasonable steps to destroy or de‑identify personal information when they no longer need it for any purpose (including legal or regulatory obligations). In other words, if another law requires you to keep a record for a set period (for example, employment records for seven years), you can retain it for that purpose. Once it’s no longer required, you should securely destroy or de‑identify it.
Cross-Border Storage And Third-Party Processors
If you store data in the cloud or use overseas tools, make sure you understand where the data resides and who can access it. For vendors that process personal information on your behalf, it’s best practice to have a Data Processing Agreement that covers security standards, retention and deletion obligations, and cooperation in the event of a breach.
Be Ready For Data Breaches
Under the Notifiable Data Breaches scheme, APP entities must assess suspected eligible data breaches and, if required, notify affected individuals and the OAIC. A practical way to prepare is to maintain a written Data Breach Response Plan so your team knows what to do - and who’s responsible - if something goes wrong.
Security Measures Matter
Whether or not you are an APP entity, strong security protects your business and your customers. Many teams formalise this in an Information Security Policy that sets minimum standards for access control, encryption, backups, incident response and vendor management.
Practical Steps To Build A Compliant Retention Program
You don’t need a huge budget to get retention right. A clear, written approach and consistent habits will take you a long way. Here’s a sensible roadmap you can follow.
1) Map What You Hold And Why
- List key categories of information (e.g. financial records, employment records, customer personal information, contracts). Note the systems or locations (email, accounting software, cloud storage, hard copy).
- Record the business purpose and any legal obligation attached (e.g. ATO substantiation, company obligations, Fair Work requirements).
2) Set Retention Periods You Can Actually Follow
- For each category, set a clear minimum retention period aligned with law or business need (for example, five years for tax, seven years for employment, seven years for company financials).
- When the same record serves multiple purposes, keep the longest applicable period. If in doubt for tax records, confirm with your accountant.
3) Document Your Rules
- Create a short retention and destruction schedule that’s easy for your team to understand and use. If you’re an APP entity, make sure the high-level approach is reflected in your Privacy Policy (APP 1).
- Include how you destroy or de‑identify data once the period ends (for example, certified shredding for hard copy, secure wiping for digital).
4) Build Controls Into Contracts And Tools
- With service providers who access your information, include retention, deletion and confidentiality terms in your Service Agreement or a Data Processing Agreement.
- When sharing sensitive business information with third parties, use a Non‑Disclosure Agreement and specify how long information can be kept and how it must be returned or destroyed.
5) Train Your Team And Schedule Clean‑Ups
- Tell staff what to keep, where to store it, who is responsible, and how to dispose of it safely. Keep training short and practical.
- Run periodic “data spring‑cleans” to securely delete or de‑identify records that have reached the end of their retention period (unless there’s a legal hold or ongoing dispute).
6) Keep An Audit Trail
- Maintain a simple log of destruction actions (what was destroyed, when, and by whom). This helps demonstrate compliance if regulators or auditors ask questions.
7) Review Annually
- Revisit your schedule when laws change, you enter a new industry, or you adopt new systems. A quick annual review keeps things current.
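The seven steps above amount to a small decision procedure: map each record to its categories, take the longest applicable minimum period, suspend disposal while a legal hold applies, and log every destruction. The following Python is an added example of that procedure, not Sprintlaw's own tooling or advice. The `SCHEDULE` entries use the periods quoted in this article as illustrative placeholders (the "basis" labels are descriptive only), the sample records are constructed, and records in a category the schedule does not cover are flagged for review rather than silently kept or deleted.

```python
"""Retention-schedule evaluator (added example, not part of the original page).

Models the steps above: a schedule of minimum periods, the "longest
applicable period" rule for records that serve several purposes, legal
holds that suspend disposal, and an audit trail of destruction actions.
Periods are illustrative placeholders; confirm your own with your adviser.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Step 2: minimum retention period (years) per category. Illustrative only.
SCHEDULE = {
    "tax": (5, "ATO substantiation"),
    "company_financial": (7, "Corporations Act financial records"),
    "employment": (7, "Fair Work record-keeping"),
    "contract": (7, "Good practice: seven years after expiry"),
}


@dataclass
class Record:
    record_id: str
    categories: List[str]      # one record may serve several purposes
    trigger_date: date         # lodgement, transaction or contract-end date
    personal_info: bool = False
    legal_hold: bool = False   # ongoing dispute or regulator request


@dataclass
class AuditEntry:
    record_id: str
    action: str      # "destroy" or "de-identify"
    when: date
    actor: str
    reason: str


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record: Record) -> Optional[date]:
    """Longest applicable period wins (step 2). None means no scheduled rule."""
    ends = [add_years(record.trigger_date, SCHEDULE[c][0])
            for c in record.categories if c in SCHEDULE]
    return max(ends) if ends else None


def disposal_status(record: Record, today: date) -> str:
    """'hold' while a legal hold applies, 'review' when no rule is mapped,
    'retain' until the minimum period ends, otherwise 'dispose'."""
    if record.legal_hold:
        return "hold"
    end = retention_end(record)
    if end is None:
        return "review"
    return "dispose" if today > end else "retain"


def run_spring_clean(records: List[Record], today: date, actor: str,
                     log: List[AuditEntry]) -> List[str]:
    """Steps 5 and 6: return ids of records disposed of and append one audit
    entry per action (what, when, by whom). Personal information is
    de-identified; other records are destroyed."""
    disposed = []
    for r in records:
        if disposal_status(r, today) != "dispose":
            continue
        action = "de-identify" if r.personal_info else "destroy"
        reason = f"retention period ended {retention_end(r).isoformat()}"
        log.append(AuditEntry(r.record_id, action, today, actor, reason))
        disposed.append(r.record_id)
    return disposed


# Constructed sample records and review date (not real data).
TODAY = date(2025, 6, 30)
SAMPLE_RECORDS = [
    Record("INV-001", ["tax"], date(2019, 7, 15)),
    Record("INV-002", ["tax", "company_financial"], date(2019, 7, 15)),
    Record("EMP-007", ["employment"], date(2017, 3, 1), personal_info=True),
    Record("CON-042", ["contract"], date(2016, 1, 1), legal_hold=True),
    Record("MKT-001", ["marketing"], date(2016, 1, 1), personal_info=True),
]

if __name__ == "__main__":
    audit_log: List[AuditEntry] = []
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, disposal_status(rec, TODAY))
    gone = run_spring_clean(SAMPLE_RECORDS, TODAY, "records-officer", audit_log)
    print("disposed:", gone)
    for entry in audit_log:
        print(entry)
```

Note that `INV-002` is still retained in 2025 even though its tax period has ended, because the same invoice also counts as a company financial record and the longer seven-year period controls; `CON-042` is past its period but stays put under legal hold, and `MKT-001` surfaces for a human decision because no rule is mapped.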
Risks Of Non‑Compliance (And Common Mistakes To Avoid)
Failing to manage data retention properly can cause legal headaches and real commercial harm. Here are the big risks and pitfalls to watch:
- ATO or corporate penalties: Inadequate records can trigger penalties or assessments during audits. Companies that fail to keep required financial records for seven years breach the Corporations Act.
- Fair Work action: Not keeping employment records for seven years can lead to infringement notices and other enforcement outcomes from the Fair Work Ombudsman.
- Losing disputes you should have won: If you can’t produce a contract, approval, or email trail, you may struggle to prove your side of a dispute.
- Privacy and security incidents: Over‑retaining personal information increases your exposure if there’s a data breach. Under the Notifiable Data Breaches scheme, you may have to notify affected individuals and the OAIC.
- Reputational damage: Poor handling of customer or employee information erodes trust quickly, and rebuilding that trust can be costly.
And a few common mistakes we see:
- Keeping everything “just in case”: This creates unnecessary risk and cost. Set a rule, stick to it, and securely delete when the time comes.
- Assuming one number fits all: The “seven years” rule is a useful shorthand, but some records (notably tax) can have different periods. Confirm tax retention periods with your accountant.
- Forgetting backups and archives: If you keep backups, ensure your deletion process addresses archived copies too.
- Ignoring vendor risks: If a supplier stores your data, ensure contract terms clearly require secure storage, timely deletion, and help with breach response. A combination of a solid Service Agreement and a Data Processing Agreement is often the best approach.
Key Takeaways
- “Data retention” in Australia covers record‑keeping rules (keep certain records for minimum periods) and privacy rules (don’t keep personal information longer than necessary).
- Expect to keep company financial records and employment records for at least seven years, while many ATO tax records are generally kept for five years - confirm specifics with your accountant.
- If you’re an APP entity under the Privacy Act, publish a clear Privacy Policy (APP 1) and destroy or de‑identify personal information once you no longer need it (APP 11.2).
- Telecommunications metadata retention rules apply to carriers and ISPs, not most regular businesses.
- Put your approach in writing, build requirements into contracts with suppliers, train your team, and keep an audit trail of secure deletion.
- Strong security and breach readiness - supported by an Information Security Policy and a Data Breach Response Plan - reduce risk and help you respond quickly if something goes wrong.
If you would like a consultation on data retention compliance for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.