Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, it’s easy to treat record keeping as “something we’ll tidy up later”. But when a dispute pops up, the ATO asks questions, or you’re getting ready to sell your business, the way you’ve kept (or not kept) your records suddenly matters a lot.
That’s where a record retention policy comes in. It’s a practical, written set of rules for what your business keeps, where it’s stored, who can access it, and when it can be safely destroyed.
In this guide, we’ll walk you through key document retention requirements in Australia, common retention timeframes, and how to build a simple policy that actually works for day-to-day operations. This article is general information only (not legal or tax advice). For tax-specific guidance, it’s a good idea to speak with your accountant or a registered tax agent about what you should keep and for how long.
What Is A Record Retention Policy (And Why Do Small Businesses Need One)?
A record retention policy is an internal business policy that sets out:
- what records your business creates and receives (and which ones are “official” records)
- how long each type of record must be kept
- where and how those records are stored (paper, cloud, software platforms)
- who is authorised to access or change records
- how records are securely disposed of when the retention period ends
Even if you’re a solo operator, having a written policy can save you time and reduce risk. It also helps you:
- stay compliant with ATO, employment, corporate, privacy and industry requirements
- respond faster to audits, disputes, chargebacks, and customer complaints
- protect confidential information (including client data and pricing)
- avoid “over-retention” (keeping sensitive data longer than needed, which can create privacy and cyber risk)
- standardise your processes so record keeping doesn’t depend on one person’s memory
In other words: it’s not just admin. A solid record retention policy is part of running a well-managed business.
Record Retention Requirements In Australia: The Key Rules To Know
There isn’t one single law called “the record retention law”. Instead, your record retention requirements in Australia usually come from a mix of:
- tax laws (especially ATO record keeping requirements)
- corporate law (for companies, under the Corporations Act)
- employment law (Fair Work record keeping rules)
- privacy and data protection expectations (how long you should hold personal information)
- industry-specific obligations (for example, health services, finance, NDIS providers, builders, and others)
The right question is often not just “how long do companies need to keep records?” - it’s “which records, under which rules, for which purpose?”
ATO Record Keeping (Most Businesses: 5 Years As A Baseline)
For most small businesses, the most common retention period you’ll hear is 5 years. This is because Australian tax record keeping rules generally require you to keep records that explain your transactions for at least five years (for example: sales and purchase invoices, receipts, bank statements, and accounting records).
However, what you need to keep (and for how long) can vary depending on the type of transaction, your tax position, and the specific record. If you’re unsure about the right approach for your business, your accountant or registered tax agent can help you set a retention schedule that matches your situation.
Practically, this means your record retention policy should cover:
- income and sales records
- expense records
- asset purchase and sale records
- GST records and tax invoices
- PAYG withholding records
Tip: some tax-related records may need to be kept longer depending on what they relate to (for example, asset and capital gains tax events). Your policy should be flexible enough to extend retention where needed.
Company Record Keeping Requirements (Companies Often Need Longer)
If you operate through a company, your company record keeping requirements are usually broader than tax alone.
Companies generally need to keep financial records that correctly record and explain transactions and financial position. In many cases, those financial records need to be kept for 7 years.
On top of financial records, companies also have governance records to maintain (for example, registers and resolutions). If you’re maintaining a Company Constitution or other governance documents, your policy should treat these as “permanent” or “long-term” records.
Employment Records (Often 7 Years)
If you have employees (even one casual), you also have record keeping obligations as an employer. Employment records typically need to be kept for 7 years under workplace laws.
These records often include:
- employee details and commencement information
- hours worked (including overtime, penalties and loadings)
- pay records (gross and net amounts, deductions, allowances)
- leave records
- superannuation contributions
Having the right documents in place at the start also makes record keeping easier. For example, if you use a properly drafted Employment Contract, the terms you need to administer (pay, duties, notice, confidentiality) are much clearer.
Privacy And Data Retention (Don’t Keep Personal Information “Just In Case”)
Many businesses focus on minimum retention, but forget the other side of the equation: privacy risk. If you collect customer personal information (for example, names, emails, delivery addresses, ID documents, health information, or even CCTV footage), holding onto it indefinitely can create unnecessary exposure.
A good record retention policy should align with your privacy practices, including what your Privacy Policy says you do with personal information. As a general principle, you should only keep personal information for as long as you need it for a legitimate business purpose or to meet legal requirements, and then securely delete or de-identify it.
It’s also worth thinking about what happens if something goes wrong. Your internal processes (including record keeping) should support a quick response, particularly if there’s a cyber incident: you need to know quickly which records you hold, where they live, and who was affected. Many businesses build record handling into a Data Breach Response Plan, so your team isn’t scrambling when time matters most.
What Business Records Should You Keep? (A Practical Checklist)
A record retention policy is easier to build when you categorise records. Below is a practical, small-business-friendly way to think about your documents.
1. Financial And Tax Records
These are the core records most businesses must keep for at least 5 years (and sometimes longer):
- sales invoices and receipts
- purchase invoices and supplier bills
- bank statements and reconciliations
- BAS and GST records
- payroll summaries and PAYG withholding records
- asset purchase documents (vehicles, equipment, IP, goodwill)
- loan agreements and finance documents
2. Corporate And Ownership Records (If You Have A Company Or Partners)
These documents help prove who owns what, who can make decisions, and what rules the business follows.
- company registration documents and registers
- director/shareholder resolutions and minutes
- share issue/transfer documents
- trust deeds (if applicable)
- key governance documents (often long-term/permanent)
If you have co-owners, your Shareholders Agreement (or partnership agreement) is a document you’ll want to store securely and retain long-term, because it can be critical in disputes and exit events.
3. Contracts And Legal Documents
Contracts often need to be kept well beyond the date they were signed. A practical approach is to keep contracts for at least the life of the relationship, plus a buffer period after it ends (to cover warranty issues, disputes, and limitation periods). The right buffer can vary depending on the contract, where you operate, and the type of claim that could arise, so it’s worth getting advice if you’re unsure.
- customer contracts and terms and conditions
- supplier and vendor agreements
- service agreements
- leases, licences, and property agreements
- NDAs and confidentiality deeds
- variations, amendments, and renewal documents
If your business uses a General Security Agreement (for example, as part of a finance arrangement), your policy should clearly specify where it’s stored and who can access it, because it may affect your assets and enforcement rights.
4. Employment And Contractor Records
- employment contracts, position descriptions, and onboarding documents
- contractor agreements and invoices
- timesheets and rostering records
- leave requests and approvals
- performance management records (kept carefully and consistently)
- termination and redundancy records
5. Customer Communications And Complaints
For many small businesses, disputes are less about what happened and more about what you can prove happened. Good record keeping helps you deal with complaints quickly and fairly.
- customer complaint records and outcomes
- warranty claims and returns records
- refund requests and correspondence
- quotes and accepted proposals
If you record phone calls (for example, customer service or sales), make sure you understand business call recording laws, because retention is only one part of compliance - lawful collection is just as important.
6. Privacy, Security, And Operational Records
- privacy consents and marketing consents
- identity verification records (where relevant)
- incident logs (including cyber and security incidents)
- IT admin access logs (where possible)
- internal policies and procedures
If you’re formalising your approach to cyber and data handling, an Information Security Policy can sit alongside your record retention policy, so your team has clear guidance on storage, access, and protective measures.
How Long Should You Keep Records? (A Simple Retention Guide)
One of the most common questions we hear is: how long do companies need to keep records?
There isn’t a single answer, but you can build a practical baseline schedule and then adjust for your industry, your risk profile, and specific legal requirements.
Here’s a general guide many Australian small businesses use as a starting point (but keep in mind that retention periods can vary depending on the document type, how the record is used, and any industry-specific rules that apply to your business).
| Record Type | Common Retention Period (General Guide) | Why It Matters |
|---|---|---|
| Tax and transaction records | At least 5 years | ATO compliance and audit support |
| Company financial records (companies) | Often 7 years | Corporate compliance and reporting |
| Employee records (pay, hours, leave) | Often 7 years | Fair Work compliance and dispute protection |
| Contracts (customer/supplier/lease) | Life of contract + additional years | Disputes, warranties, enforcement, limitation periods |
| Corporate governance documents | Long-term / permanent | Proves ownership and decision-making history |
| Customer personal information | Only as long as needed | Privacy risk reduction and good governance |
Two practical rules to include in your record retention policy:
- Minimum periods are minimums. If a record is relevant to an ongoing dispute, investigation, or audit, you may need to keep it longer.
- Don’t keep records forever by default. Over-retention can increase cyber and privacy risk (particularly for sensitive customer information).
How To Create A Record Retention Policy That Works Day-To-Day
Most policies fail for a simple reason: they’re written like a legal textbook, then forgotten. Your record retention policy should be easy for your team to follow in real life.
Here’s a practical structure that works well for small businesses.
Step 1: Define What “Records” Mean In Your Business
Start by clarifying what counts as a business record, such as:
- documents you create (contracts, invoices, reports)
- documents you receive (supplier invoices, customer complaints)
- records stored in software (accounting entries, payroll reports)
- communications that form part of a transaction (accepted quotes, key emails)
You can also specify what is not an official record (for example, duplicates, drafts, internal chat messages that don’t record decisions).
Step 2: Build A Retention Schedule (By Category)
Create a simple table inside the policy that lists:
- record category (tax, HR, contracts, privacy, etc.)
- storage location (cloud folder, HR platform, accounting system)
- owner (who is responsible internally)
- retention period
- destruction method (delete, shred, de-identify)
This schedule is the “engine room” of your document retention policy: if a record type isn’t in it, nobody knows who owns it or when it can go.
Step 3: Set Rules For Storage, Access And Version Control
Your policy should answer:
- Where are records stored (and are there approved tools only)?
- Who can access sensitive records (HR files, customer data, financials)?
- How do you name files and manage versions?
- How often are backups taken, where are they stored, and how long are backup copies kept (a record deleted from the live system can survive in backups well past its retention period)?
This is also where privacy and cyber security overlap. The more personal and sensitive the record, the tighter your access controls should be.
Step 4: Include A “Legal Hold” Process
A “legal hold” (sometimes called a litigation hold) is a rule that says:
If you reasonably expect a dispute, claim, investigation, or audit, you pause deletion/destruction for relevant records.
This is crucial. Even if a retention period has technically ended, destroying records while a dispute is brewing can seriously undermine your position. Practically, the hold has to reach whoever (or whatever) does the deleting: notify the record owners and switch off any scheduled or automated purge for the affected records until the hold is lifted.
Step 5: Plan Secure Disposal (Not Just Deletion)
When records reach end-of-life, your policy should set out how they’re disposed of safely:
- Paper records: cross-cut shredding or secure document destruction
- Digital records: secure deletion processes (not just moving to the bin), covering copies in email, shared drives, exports and backups so the record doesn’t survive somewhere you’ve forgotten
- Devices: wiping storage before disposal (for encrypted devices, destroying the encryption key; for SSDs and phones, using the manufacturer’s secure erase, since a simple overwrite may not reach every block)
- Customer data: deletion or de-identification where appropriate
This is where many businesses accidentally create risk - especially if old customer data sits in shared folders or old inboxes for years.
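As an added worked example (not part of the original article, and not legal advice), here is the logic of Steps 2, 4 and 5 as a small Python script: a retention schedule table, a legal hold that overrides an expired period, the disposal method a record gets at end-of-life, and a report of over-retained records. The categories, storage locations and retention years in SCHEDULE are assumptions (the 5-year tax and 7-year company/employee baselines above; the contract buffer and customer-data window are placeholders), and the sample register is constructed.

```python
"""Retention-schedule evaluator for a small-business record retention policy.
Illustrative code, not a legal tool: the categories, locations and years in
SCHEDULE are assumptions (5-year tax and 7-year company/employee baselines;
the contract buffer and customer-data window are placeholders)."""
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import date
from typing import Callable, Iterable, Optional
PERMANENT = None  # sentinel: the record is never disposed of

@dataclass(frozen=True)
class Rule:
    """One row of the retention schedule (Step 2)."""
    years: Optional[int]  # None means permanent
    disposal: str         # "secure_delete", "shred", "de_identify" or "none"
    owner: str            # internal role responsible for the category
    location: str         # approved storage location

SCHEDULE: dict[str, Rule] = {
    "tax": Rule(5, "secure_delete", "Finance", "accounting-system"),
    "company_financial": Rule(7, "secure_delete", "Finance", "accounting-system"),
    "employee": Rule(7, "secure_delete", "HR", "hr-platform"),
    "contract": Rule(6, "shred", "Operations", "contracts-drive"),  # assumed buffer after end date
    "governance": Rule(PERMANENT, "none", "Director", "company-register"),
    "customer_pii": Rule(1, "de_identify", "Operations", "crm"),  # assumed window after last use
}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date     # when the clock starts: financial year end, contract end, last use
    subject: str = ""      # customer / counterparty, used to scope a legal hold
    legal_hold: bool = False
    hold_reason: str = ""

@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str  # "permanent" | "hold" | "retain" | "dispose"
    method: str  # disposal method when action == "dispose", else "none"
    reason: str

def _add_years(d: date, years: int) -> date:
    """Calendar-year addition that tolerates a 29 February trigger date."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_end(record: Record, schedule: dict[str, Rule] = SCHEDULE) -> Optional[date]:
    """Earliest date the record may be destroyed, or None if permanent."""
    rule = schedule[record.category]  # KeyError on purpose: never auto-dispose an unclassified record
    if rule.years is PERMANENT:
        return None
    return _add_years(record.trigger_date, rule.years)

def evaluate(record: Record, today: date, schedule: dict[str, Rule] = SCHEDULE) -> Decision:
    """Apply the schedule, then the legal hold (Step 4), then the disposal method (Step 5)."""
    end = retention_end(record, schedule)
    if end is None:
        return Decision(record.record_id, "permanent", "none", "governance record, keep indefinitely")
    if record.legal_hold:  # a hold overrides an expired period: minimums are minimums
        return Decision(record.record_id, "hold", "none", f"legal hold: {record.hold_reason}")
    if today < end:
        return Decision(record.record_id, "retain", "none", f"retain until {end.isoformat()}")
    return Decision(record.record_id, "dispose", schedule[record.category].disposal,
                    f"retention period ended {end.isoformat()}")

def apply_legal_hold(records: Iterable[Record], matches: Callable[[Record], bool],
                     reason: str) -> list[Record]:
    """Place every matching record on hold, e.g. everything about one counterparty."""
    return [replace(r, legal_hold=True, hold_reason=reason) if matches(r) else r for r in records]

def review(records: Iterable[Record], today_iso: str,
           schedule: dict[str, Rule] = SCHEDULE) -> dict[str, Decision]:
    """Run the schedule over a register of records as at a given date."""
    today = date.fromisoformat(today_iso)
    return {r.record_id: evaluate(r, today, schedule) for r in records}

def over_retained(records: Iterable[Record], today_iso: str) -> list[str]:
    """IDs of records past their period and not on hold: 'just in case' data that adds risk."""
    return [d.record_id for d in review(records, today_iso).values() if d.action == "dispose"]

# Constructed sample register (not real data).
SAMPLE_RECORDS = [
    Record("INV-2018-001", "tax", date(2019, 6, 30)),  # FY2019 sales invoice
    Record("PAY-2017-Q1", "employee", date(2017, 3, 31)),
    Record("CON-ACME-2015", "contract", date(2017, 12, 31), subject="acme"),
    Record("CONST-2010", "governance", date(2010, 1, 1)),
    Record("CRM-CUST-42", "customer_pii", date(2023, 5, 1), subject="acme"),
]

if __name__ == "__main__":
    # A dispute with Acme is expected: hold everything about them before the next purge.
    held = apply_legal_hold(SAMPLE_RECORDS, lambda r: r.subject == "acme", "Acme dispute")
    for d in review(held, "2025-07-01").values():
        print(f"{d.record_id:14} {d.action:9} {d.method:13} {d.reason}")
```

Two design choices matter here: an unclassified record raises an error rather than defaulting to deletion, and the hold check runs before the expiry check, so a scheduled purge cannot destroy relevant records once a dispute is expected. Running the script as-is shows the two Acme records held while the expired invoice and payroll records are flagged for disposal.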
Key Takeaways
- A well-written record retention policy helps you stay compliant, reduce risk, and respond faster to audits, disputes, and customer complaints.
- Australian document retention requirements come from multiple areas (tax, corporate, employment, privacy, and industry-specific rules), so your policy should cover more than just receipts and invoices.
- Many businesses use 5 years (tax) and 7 years (company and employment records) as common baselines, but some records should be kept longer - and personal information should not be kept longer than needed.
- Good policies are practical: they clearly categorise records, assign responsibility, specify storage locations, and explain secure disposal methods.
- Make sure your policy includes a “legal hold” rule so you don’t destroy records that may be needed for a dispute, claim, or investigation.
If you’d like help putting a record retention policy in place (or aligning it with your contracts, privacy practices, and internal policies), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.