If you’re running a business in Australia, handling data responsibly isn’t just good practice - it’s the law. Data retention rules shape how you collect, store, use, disclose and ultimately dispose of information about customers, team members and other stakeholders.
While telecommunications providers have very specific retention obligations, every Australian business that touches personal information needs to understand how retention intersects with privacy, cyber security and record-keeping. Getting this right protects your customers, reduces risk and builds trust.
In this guide, we’ll break down what data retention laws are, who they apply to, how long you should keep different types of records, and the practical steps to stay compliant. We’ll also clarify common pain points - like the two‑year metadata rule for telcos, how the Privacy Act applies (including the small business threshold) and what documents help you stay on track.
What Are Data Retention Laws In Australia?
Data retention laws are rules that require certain entities to keep specific kinds of data for a minimum period so information is available for law enforcement, regulatory oversight and legal compliance.
In Australia, the key regime is the Telecommunications (Interception and Access) Act 1979 (Cth), as amended by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. This framework applies to carriers and carriage service providers (for example, telcos and internet service providers) and requires them to retain defined categories of communications metadata. Under the scheme, metadata means:
- Information about communications, not the content itself - for example, the source and destination of a communication, the date, time and duration, the type of communication and the service used, and the subscriber or account identifiers involved.
- It can relate to phone calls, SMS, email routing and internet sessions, but it does not include the actual content of calls, texts or emails, or the web pages a person visited.
Who Does This Apply To?
- Primarily telecommunications service providers have mandatory retention obligations for prescribed metadata.
- Other Australian businesses aren’t usually subject to the telco retention scheme, but they still have obligations under privacy, employment, tax and sector‑specific laws that influence how long they must keep certain records and when they must destroy or de‑identify data.
If your product or platform provides a communications service (for example, messaging or VoIP as part of your app), you may fall within scope of parts of the telco regime. It’s wise to get tailored advice if you’re unsure.
How Long Do Businesses Need To Keep Data In Australia?
The right retention period depends on what the information is, which law applies and your industry. Here’s a practical overview.
Telecommunications Providers: The Two‑Year Metadata Rule
- Telecommunications providers must retain specified communications metadata for a minimum of two years from when it was created.
- This obligation covers metadata only (who, when, how and for how long a communication occurred) - not the content of messages, emails or web pages. A common misconception is that ISPs keep your browsing history; the scheme expressly excludes both the content of communications and the web addresses a person visits, although session details such as start and end times, data volume and the IP address allocated to the subscriber are retained.
- Access is limited to law enforcement and security agencies acting under the Telecommunications (Interception and Access) Act 1979 and its authorisation process; the content of a communication can only be obtained under a separate warrant.
All Other Businesses: Key Record Types And Typical Periods
- Personal Information (Privacy Act 1988): If you are covered by the Privacy Act, you should not keep personal information longer than necessary for the purpose it was collected, unless a law requires you to retain it. When it’s no longer needed, take reasonable steps to destroy or de‑identify it.
- Tax And Accounting Records: Many tax records must be kept for at least five years. Requirements can vary by record type and circumstance, so confirm specifics with the ATO or your tax adviser. This article provides general legal information - it’s not tax advice.
- Employment Records: Keep certain employee records (for example, pay, hours, leave, superannuation contributions) for at least seven years to meet Fair Work and super obligations.
- Contracts And Corporate Records: Retain company records (for example, board and member resolutions, registers, key contracts) for the statutory periods under corporations law - financial records, for instance, must be kept for seven years under the Corporations Act 2001 (Cth) - and for any longer period your internal governance requirements set.
- Sector‑Specific Rules: Some industries (for example, financial services or health) have additional retention requirements under regulator standards and state or Commonwealth legislation.
Your retention schedule should map each record type to a lawful basis and a clear timeframe. When in doubt, seek tailored guidance to strike the right balance between “keep long enough” and “don’t keep longer than necessary.”
Does The Privacy Act Apply To My Business?
This is a key question. The Privacy Act 1988 (Cth) applies to “APP entities,” which generally include:
- Most Australian businesses and not‑for‑profits with an annual turnover of more than $3 million; and
- Some small businesses under $3 million if they meet certain criteria (for example, health service providers, businesses trading in personal information, credit reporting bodies, or organisations that have opted in to the Privacy Act).
If you are an APP entity, you must comply with the Australian Privacy Principles (APPs). That means collecting information lawfully, taking reasonable steps to keep it secure and up to date, allowing access and correction, and destroying or de‑identifying personal information that’s no longer needed unless another law requires retention.
Even if you fall under the small business exemption today, many growing businesses choose to adopt privacy best practice early - especially if you plan to scale, deal with sensitive information or work with enterprise customers who require strong privacy controls.
Having a clear Privacy Policy and aligning your internal retention practices to what you say externally helps build trust and demonstrate compliance.
How Do Data Retention, Privacy And Security Fit Together?
Think of these as three parts of the same compliance picture.
Data Retention
Decide what information you collect, why you need it, the legal basis for holding it, where it lives, who can access it and when you’ll securely dispose of it. Document this in your retention schedule and policy.
Privacy Compliance
Ensure your collection, use and disclosure of personal information follow the APPs (where applicable). Be transparent in your Privacy Policy, use concise and targeted Privacy Collection Notices at the point of capture and only keep information while it serves a legitimate purpose or a legal requirement.
Security Controls
Retention is only safe if your security is robust: every record you keep is one more record you must protect and one more that can be exposed in a breach, so not holding data you no longer need is often the cheapest control available. For what you do keep, put administrative, technical and physical safeguards in place and capture them in an Information Security Policy. Limit access on a need‑to‑know basis, encrypt sensitive data at rest and in transit, and log access to critical systems so you can reconstruct who touched what if something goes wrong.
Data Breach Readiness
Under the Notifiable Data Breaches scheme, if you suspect a breach you must assess it promptly (the OAIC expects the assessment to be completed within 30 days) and, if it is an eligible data breach - one likely to result in serious harm to any individual - notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable. Having a practical Data Breach Response Plan and a clear data breach notification process makes a stressful day far easier.
Cloud And Overseas Providers
If you use cloud services or share information overseas, you remain responsible for privacy compliance. Put appropriate contract terms in place - including processing, security and sub‑processor controls - with a fit‑for‑purpose Data Processing Agreement.
What Should A Data Retention Policy Include?
A clear policy turns legal obligations into day‑to‑day processes your team can follow. Your policy should cover:
- Scope and Purpose: What information your business holds and why retention is necessary.
- Retention Schedule: Specific retention periods by record type (e.g. customer accounts, support tickets, device logs, employee records, financial records).
- Destruction And De‑Identification: How and when you securely destroy or de‑identify data that’s no longer required.
- Security Measures: Storage locations, encryption, access controls, back‑ups and logging.
- Role‑Based Responsibilities: Who owns the policy, who approves changes and who performs disposal activities.
- Requests And Legal Holds: How you respond to law enforcement, regulatory requests and litigation holds that pause routine deletion.
- Review Cycle: How often you review and update the policy (at least annually, and when laws or your systems change).
Keep it practical. Map where each record lives (systems, vendors, paper), identify the system owners and build deletion steps into business processes so retention isn’t an afterthought.
Step‑By‑Step: How To Get Your Business Compliant
- Audit What You Collect: Catalogue personal, employee and operational data by category, system and location. Note why you collect each category and who has access.
- Identify The Laws That Apply: Consider privacy (including whether you’re an APP entity), employment laws, tax record‑keeping, sector rules and, if relevant, the telco regime.
- Design Your Retention Schedule: For each record type, confirm the legal basis and minimum/maximum timeframes. Balance your operational needs against “don’t keep longer than necessary.”
- Document Your Policies: Finalise and roll out your retention policy, Information Security Policy, Privacy Policy and Data Breach Response Plan. Align internal procedures with what your public‑facing documents say.
- Build In Deletion: Configure automated deletion and archival in your core systems. Where automation isn’t possible, schedule manual tasks and assign owners.
- Train Your Team: Educate staff on why retention matters, how to spot privacy risks and what to do if a breach is suspected.
- Review Vendors: Ensure your providers can support your retention and deletion requirements. Put a robust Data Processing Agreement in place and confirm how they handle backups and restores.
- Monitor And Improve: Review at least annually, test your breach response, and update schedules when your products, systems or laws change.
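The "Retention Schedule", "Requests And Legal Holds" and "Build In Deletion" items above describe one mechanism: a schedule that maps each record type to a legal basis and a timeframe, a deletion job that applies it, and legal holds that pause routine disposal. The following Python script is an added example of that mechanism; it is not the article's own code or any law firm's toolkit. The record types, the legal-basis labels, the periods attached to the two business-purpose record types, the legal hold and the sample records are all constructed for illustration (the tax and employee periods mirror the baselines the article quotes). It fails safe in two ways a practitioner will want: a record whose type is missing from the schedule is never disposed of, and a hold is checked before any timer.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Action(Enum):
    RETAIN = "retain"            # inside its retention period
    HOLD = "hold"                # a legal hold pauses routine disposal
    DESTROY = "destroy"          # securely delete
    DEIDENTIFY = "de-identify"   # strip identifiers, keep the non-personal residue


@dataclass(frozen=True)
class Rule:
    """One row of the retention schedule: legal basis, timeframe, and what happens after it."""
    legal_basis: str
    retention_years: int
    disposal: Action  # DESTROY or DEIDENTIFY once the period has run


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    created: date
    subject_id: str  # the person the record is about (customer, employee)


@dataclass(frozen=True)
class LegalHold:
    """Freezes disposal for matching records. Empty filters match everything,
    so a hold with no subjects and no record types freezes the whole estate."""
    hold_id: str
    subject_ids: frozenset[str] = frozenset()
    record_types: frozenset[str] = frozenset()

    def covers(self, rec: Record) -> bool:
        subject_ok = not self.subject_ids or rec.subject_id in self.subject_ids
        type_ok = not self.record_types or rec.record_type in self.record_types
        return subject_ok and type_ok


def add_years(d: date, years: int) -> date:
    """Anniversary of d, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(rec: Record, schedule: dict[str, Rule], holds: list[LegalHold],
           today: date) -> tuple[Action, str]:
    """Return the action due for one record plus the reason an auditor would want logged."""
    for hold in holds:                       # holds are checked first, before any timer
        if hold.covers(rec):
            return Action.HOLD, f"legal hold {hold.hold_id} pauses routine disposal"
    rule = schedule.get(rec.record_type)
    if rule is None:                         # fail safe: never dispose of an unmapped type
        return Action.RETAIN, "no schedule entry; retain and refer for review"
    expiry = add_years(rec.created, rule.retention_years)
    if today < expiry:
        return Action.RETAIN, f"{rule.legal_basis}: retain until {expiry.isoformat()}"
    return rule.disposal, f"{rule.legal_basis}: {rule.retention_years}-year period ended {expiry.isoformat()}"


def plan(records: list[Record], schedule: dict[str, Rule], holds: list[LegalHold],
         today: date) -> dict[Action, list[str]]:
    """Group record ids by the action due today; DESTROY and DEIDENTIFY feed the deletion job."""
    out: dict[Action, list[str]] = {a: [] for a in Action}
    for rec in records:
        out[decide(rec, schedule, holds, today)[0]].append(rec.record_id)
    return out


# Constructed schedule. Tax and employee periods follow the article's baselines; the two
# business-purpose periods are assumptions for this example. Confirm real periods with your adviser.
SCHEDULE: dict[str, Rule] = {
    "tax_invoice":    Rule("ATO record-keeping (5 years)", 5, Action.DESTROY),
    "employee_pay":   Rule("Fair Work Regulations (7 years)", 7, Action.DESTROY),
    "support_ticket": Rule("APP 11.2: support purpose ended", 2, Action.DEIDENTIFY),
    "marketing_lead": Rule("APP 11.2: marketing purpose ended", 1, Action.DESTROY),
}
TODAY = date(2025, 7, 1)
HOLDS = [LegalHold("LH-2025-03", subject_ids=frozenset({"emp-42"}))]   # constructed hold
SAMPLE_RECORDS = [                                                     # constructed records
    Record("inv-2019-001", "tax_invoice", date(2019, 6, 30), "cust-1"),    # 5y passed: destroy
    Record("inv-2021-007", "tax_invoice", date(2021, 1, 1), "cust-2"),     # still inside 5y
    Record("pay-2017-042", "employee_pay", date(2017, 5, 1), "emp-42"),    # expired, but on hold
    Record("tkt-2022-318", "support_ticket", date(2022, 3, 15), "cust-1"), # 2y passed: de-identify
    Record("log-2024-001", "device_log", date(2024, 1, 1), "dev-9"),       # no rule: retain, review
]


def evaluate(record_type: str, created_iso: str, today_iso: str) -> Action:
    """Ad-hoc check against SCHEDULE with no holds, e.g. evaluate('tax_invoice', '2020-02-29', '2025-02-28')."""
    rec = Record("adhoc", record_type, date.fromisoformat(created_iso), "adhoc")
    return decide(rec, SCHEDULE, [], date.fromisoformat(today_iso))[0]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        action, reason = decide(rec, SCHEDULE, HOLDS, TODAY)
        print(f"{rec.record_id:14} {action.value:12} {reason}")
```

Two design points are worth carrying into a real deletion job. First, the reason string is part of the output on purpose: when a regulator or litigant asks why a record was destroyed, the answer should be the schedule row and the expiry date, not a guess. Second, disposal runs against the expiry anniversary rather than a rolling "older than N days" window, so a record created on 29 February is disposed of on 28 February of the target year rather than slipping a day, and a record whose period ends exactly today is disposed of today rather than tomorrow.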
Frequently Asked Questions
Do ISPs Keep Browsing History In Australia?
Telecommunications providers must retain specified communications metadata for two years, but not the content of communications. That means connection details (such as time, date, source and destination identifiers) - not the content of calls, emails or the specific pages a person viewed.
Do All Businesses Need A Data Retention Policy?
There’s no one-size-fits-all law that forces every business to have a formal retention policy, but if you handle personal information or operate in a regulated industry, a clear policy is essential to meet your privacy and record‑keeping obligations and to manage risk as you grow.
Are Small Businesses Under $3 Million Exempt From Privacy Laws?
Some small businesses are exempt from the Privacy Act, but there are important exceptions (for example, health service providers, organisations trading in personal information or those that opt in). Even if exempt, many small businesses adopt privacy best practice to meet customer expectations and prepare for growth.
Can I Delete Customer Data Whenever I Want?
No. If a law requires retention (for example, tax or employment records), you must keep those records for the minimum period. Outside those requirements, personal information should be destroyed or de‑identified when it’s no longer needed for your lawful business purposes.
What About Cloud Backups And Overseas Storage?
You remain responsible for personal information you hold, wherever it is stored. Make sure your cloud vendors can action deletion requests, support your schedules and meet privacy and security requirements through appropriate contract terms, such as a Data Processing Agreement.
Is This Tax Advice?
No. Tax record‑keeping requirements can be nuanced. Use the five‑year rule as a baseline only and check the Australian Taxation Office’s current guidance or speak with your tax adviser for your situation.
What Legal Documents Help With Data Retention Compliance?
- Privacy Policy: Explains how you collect, use, disclose and store personal information, how long you keep it and how individuals can access or correct it. Align it with your internal practices, so the retention periods you state publicly are the ones your systems actually apply.
- Privacy Collection Notice: A concise notice at the point of collection that tells people what you’re collecting and why. Use a consistent Privacy Collection Notice across forms and channels.
- Information Security Policy: Sets the technical and organisational measures you use to protect data, including access controls, encryption, logging and incident response.
- Data Breach Response Plan: A step‑by‑step playbook for assessing incidents and, if required, notifying under the Notifiable Data Breaches scheme. Keep your Data Breach Response Plan tested and up to date.
- Data Processing Agreement (with vendors): Contract clauses that require processors to follow your instructions, secure data, assist with deletion and support breach notifications. A robust Data Processing Agreement is essential when you use third‑party platforms.
- Internal Procedures And Training: Practical “how to” steps for your team to apply the policy - for example, how to tag records for legal hold, action deletion tickets and verify identity before disclosing information.
- External Notices And Terms: Ensure customer‑facing terms and help centre articles consistently reflect your retention and account closure practices.
If you need tailored help across these documents and processes, our data privacy lawyer team can work with you to design a retention approach that fits your systems and risk profile.
Key Takeaways
- Telecommunications providers must keep defined metadata for two years, but not the content of communications.
- All businesses need a clear retention approach that aligns with privacy, security, employment and tax record‑keeping obligations.
- The Privacy Act applies to APP entities (generally over $3 million turnover) and certain small businesses; if it applies, don’t keep personal information longer than necessary.
- Map each record type to a legal basis and timeframe, then build secure deletion into your systems and processes.
- Core documents - a Privacy Policy, Privacy Collection Notice, Information Security Policy, Data Breach Response Plan and Data Processing Agreement - help you operationalise compliance.
- Cloud and overseas storage doesn’t remove your obligations; ensure your contracts and vendors support your retention and deletion requirements.
- Review and refine your schedule regularly as your products, vendors and the legal landscape evolve.
If you’d like a consultation about your business’s obligations under data retention laws in Australia, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.