Document retention requirements in Australia
Australian document retention requirements by industry. Statutory periods under the Corporations Act 2001, Taxation Administration Act 1953

Australian businesses must retain most financial and corporate records for at least 5 to 7 years, driven primarily by the Corporations Act 2001, the Taxation Administration Act 1953, and ATO requirements. However, specific industries face longer retention periods: health records must be kept for 7 years minimum (or until a minor patient reaches 25 years of age), and construction records linked to building safety may need to be preserved for up to 10 years or longer depending on the state or territory. Failing to meet these requirements can result in criminal penalties, regulatory fines and the inability to defend against legal claims. This guide covers the statutory retention periods applicable to Australian businesses, organised by document type and industry sector.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for guidance specific to your situation.
Statutory framework for document retention in Australia
Australia has no single piece of legislation that governs document retention across all sectors. Instead, retention obligations arise from multiple statutes, each covering a specific domain of business activity.
Core legislation
The Limitation Act 1969 (NSW) and equivalent state and territory legislation set the general limitation period for contractual and tortious claims at 6 years from the date of the cause of action. This creates a practical minimum retention period for most commercial documents, since destroying records before the limitation period expires removes the ability to defend against claims.
The Corporations Act 2001, section 286 requires every company to keep adequate financial records for 7 years after the transactions covered by the records are completed. This is a strict requirement enforced by ASIC.
The ATO requires businesses to keep records that support their tax returns for at least 5 years from the date of lodgement. Records include invoices, receipts, bank statements, payroll records and GST documentation.
Retention periods by document type
| Document type | Minimum retention period | Legal basis |
|---|---|---|
| Financial records (all companies) | 7 years | Corporations Act 2001, s.286 |
| Tax records (income tax) | 5 years after lodgement | Taxation Administration Act 1953 |
| GST records | 5 years | A New Tax System (Goods and Services Tax) Act 1999 |
| Payroll records | 7 years after employment ends | Fair Work Act 2009, s.535 |
| Contracts and agreements | 7 years after expiry | Limitation Acts (state/territory) |
| Board minutes and resolutions | Permanently | Corporations Act 2001, s.251A |
| Share registers | Permanently | Corporations Act 2001, s.169 |
| Insurance policies | 7 years after expiry (or longer for latent claims) | Limitation Acts |
| Personnel records | 7 years after employment ends | Fair Work Act 2009 |
| WHS records (exposure/monitoring) | 30 years | Work Health and Safety Act 2011 |
| Superannuation records | 5 years | Superannuation Industry (Supervision) Act 1993 |
Industry-specific retention requirements
Beyond the general statutory framework, individual sectors face additional obligations imposed by their regulators or sector-specific legislation.
Financial services
APRA requires regulated entities to maintain records sufficient to demonstrate compliance with prudential standards. Under CPS 234, APRA-regulated entities must maintain information security-related records. ASIC requires Australian Financial Services Licence (AFSL) holders to maintain financial records and compliance records for at least 7 years.
Anti-money laundering records under the AML/CTF Act 2006 must be kept for 7 years after the end of the business relationship or after the date of a one-off transaction. Customer identification records, transaction records and suspicious matter reports all fall within this scope. For more on business verification obligations, see our complete KYB guide.
Healthcare
State and territory health records legislation sets detailed retention periods. In most jurisdictions, adult patient health records must be kept for at least 7 years after the last entry. For children, records are typically retained until the patient reaches 25 years of age. The My Health Records Act 2012 governs the retention of digital health records in the national My Health Record system.
Construction and building safety
Building legislation varies by state and territory. In NSW, the Design and Building Practitioners Act 2020 requires retention of design compliance declarations and building compliance declarations for 10 years. The National Construction Code and various state building Acts impose requirements for retaining structural calculations, fire safety assessments, material specifications and maintenance logs.
Legal profession
State and territory legal profession legislation and the Law Council of Australia guidance require law firms to keep files for at least 7 years after the matter is concluded. However, longer periods are recommended for property transactions (15 years), matters involving minors (until the minor reaches 25 years of age) and wills and trust deeds (indefinitely).
Education
Schools and educational institutions must retain student records in accordance with state and territory requirements. In general, student records are retained for the life of the institution or until the student reaches 25, whichever is later. Examination results are kept for 7 years.
Data protection and retention: the Privacy Act balance
The Privacy Act 1988 and the Australian Privacy Principles (APPs) require organisations to keep personal information only for as long as necessary for the purpose it was collected. This principle of storage limitation (APP 11.2) must be balanced against the statutory retention obligations described above.
Lawful basis for retention
When a statutory obligation requires the retention of documents containing personal information, the lawful basis under the Privacy Act applies. This means the organisation can retain the data for the legally required period.
However, once the statutory retention period expires, the organisation must take reasonable steps to destroy or de-identify the personal information. Retaining personal data beyond the required period without lawful justification breaches APP 11.2.
Practical implementation
The OAIC recommends that organisations implement a retention schedule that maps each category of personal information to its retention period and lawful basis. Automated deletion or de-identification processes should trigger at the end of each retention period. Manual processes are acceptable for smaller organisations but increase the risk of non-compliance.
Access controls should ensure that archived records are accessible only to authorised personnel for the specific purposes permitted by law. A payroll record retained for ATO purposes should not be accessible to a marketing team.
Digital retention and electronic records
Australian law treats electronic records as equivalent to paper records in most circumstances, provided certain conditions are met.
Admissibility of electronic records
The Evidence Act 1995 (Cth) and equivalent state and territory legislation provide for the admissibility of electronic records as evidence. The key requirement is reliability: the party relying on the record must be able to demonstrate that it was produced from a properly functioning system and accurately represents the information recorded.
Metadata, audit trails and digital signatures all strengthen the evidential weight of electronic records. Organisations should ensure their document management systems maintain comprehensive audit logs showing when documents were created, modified, accessed and by whom.
ATO requirements for digital records
The ATO accepts electronic records provided they are in a form that is readily accessible and convertible into English. Digital records must be maintained in a form that allows the ATO to access them during a review or audit. The ATO's guidance on keeping records provides detailed requirements.
Building a document retention policy
A retention policy document transforms scattered legal obligations into a structured, operational framework that every department can follow.
Key components
Document inventory. Catalogue every type of document produced or received across the organisation. Include physical files, digital records, emails, instant messages and cloud-stored documents.
Retention schedule. Map each document type to its applicable retention period, citing the specific legal basis. Where multiple obligations apply (e.g., a contract that is both a commercial record and contains personal information), apply the longest required period.
Storage and security. Define where documents are stored, who has access and what security measures protect them. Encryption, access controls and backup procedures should be documented.
Disposal procedures. Specify how documents are destroyed at the end of their retention period. Physical documents should be cross-cut shredded. Digital records should be securely wiped using methods that prevent recovery.
For guidance on automating these processes, see our article on automated document verification workflows.
Common retention mistakes and how to avoid them
Keeping everything indefinitely. This is not a safe default. Retaining personal information beyond the required period breaches the Privacy Act and exposes the organisation to OAIC enforcement action.
Applying a single retention period to all documents. Different document types have different legal requirements. A one-size-fits-all approach will inevitably result in some records being destroyed too early and others being kept too long.
Ignoring litigation holds. When litigation is anticipated or underway, normal disposal procedures must be suspended for all documents relevant to the dispute. Destroying documents subject to a litigation hold can constitute contempt of court.
Failing to account for limitation periods. The 6-year general limitation period extends to 12 years for deeds in most states. Latent damage claims can be brought up to 15 years in some jurisdictions. Retention periods should account for these extended limitation periods where relevant.
How CheckFile helps manage document retention
CheckFile automates document collection, verification and lifecycle management. Our platform processes over 180,000 documents per month with 98.7% OCR accuracy and a 67% cost reduction compared to manual document management. The platform automatically classifies incoming documents, applies the correct retention period based on document type and industry and triggers alerts before retention deadlines.
Integration with existing document management systems via API means no manual re-entry of data. Visit our pricing page to find the plan that matches your document volume, or request a personalised demo.
For a comprehensive view of document verification processes, see our document verification guide.
Frequently asked questions
How long must Australian businesses keep tax records?
The ATO requires businesses to retain records supporting their tax returns for at least 5 years from the date of lodgement for the relevant income year. GST records must also be kept for 5 years. The Corporations Act 2001 requires financial records to be kept for 7 years, which in practice means most financial records should be retained for at least 7 years.
Are electronic records legally equivalent to paper records in Australia?
Yes. The Electronic Transactions Act 1999 and the Evidence Act 1995 establish that electronic records are admissible as evidence and have equivalent legal standing to paper records. The key requirement is that the organisation can demonstrate the reliability and integrity of the electronic record through audit trails, access controls and appropriate storage.
What happens if a company destroys documents too early?
Destroying documents before the statutory retention period expires can have several consequences. If the ATO conducts a review and records are unavailable, the company may face estimated assessments, penalties and potential prosecution. In civil litigation, the court may draw adverse inferences from the destruction of relevant documents. Under the Privacy Act 1988, the OAIC can investigate whether destruction procedures were applied correctly.
Do retention periods apply to emails?
Yes. Emails are business records and are subject to the same retention requirements as any other document. An email containing a contractual agreement must be retained for the same period as a paper contract. Organisations should implement email archiving solutions that apply retention rules automatically based on content classification, sender/recipient and metadata.
The information presented in this article is provided for informational purposes only and does not constitute legal advice. Regulatory obligations vary by state and territory and by organisation size. Consult a legal professional for analysis specific to your situation.