Most Australian businesses know they need to keep records. What fewer realise is that keeping them too long is now just as much of a legal problem as not keeping them long enough.

The rules around record retention in Australia have always been clear on the minimum: five years for most tax records, seven for employment records and company financials. But the Privacy Act also sets an upper limit, and since the mid-2025 reforms that limit has real enforcement behind it: personal information held past its useful life is a liability, not a safety net.

Australian law now pulls in two directions at once. And if your records management approach only accounts for one of them, you’re carrying more risk than you probably realise.


Australia’s Record Retention Laws: What Changed in 2025

In June 2025, major reforms to the Privacy Act 1988 (Cth) came into effect. Now a year on, their implications are still working their way through how Australian businesses actually operate. These weren’t tweaks. They represent the most substantial change to Australian privacy law since the Act was introduced, bringing Australia considerably closer to GDPR territory.

Here’s where it gets complicated.

The ATO, ASIC, and Fair Work all require you to hold records for specified minimum periods. The Privacy Act now requires that you do not hold personal information any longer than necessary. A genuine balance has to be struck between keeping what the law says you must keep, and destroying what the law says you shouldn’t still have.

Two obligations. Running in opposite directions. Both with real consequences.

That’s the compliance trap, and it’s catching more Australian organisations off guard than almost any other records management issue right now.


How Long Do You Need to Keep Business Records in Australia?

Retention obligations in Australia don’t come from a single place. They come from dozens of different pieces of legislation, and the baselines that most people quote (five years, seven years) are starting points, not complete answers.

  • Tax records: The ATO requires records relating to tax returns (income, expenses, GST, PAYG, superannuation) for at least five years from when you lodge your return, or from when the relevant transaction finished, whichever is later.
  • Employee and payroll records: Pay slips, leave records, overtime, superannuation contributions: seven years minimum under Fair Work (s.535, Fair Work Act 2009).
  • Company records: ASIC requires financial records to be kept for seven years (s.286, Corporations Act 2001). Board minutes, meeting records, and company constitution documents must also be retained.

There are around 80 Acts at both State and Federal level that regulate how long you hold records and when you can destroy them. Healthcare carries different obligations to financial services. Some jurisdictions add their own layer on top. “Five to seven years” is the shorthand that gets passed around, but it’s not a universal answer, and treating it like one is how gaps appear.

What happens if I don’t keep records for long enough?

Failing to hold records you were legally required to keep isn’t primarily a paperwork problem. If a dispute arises or an audit is triggered and you can’t produce what you should have had, courts can draw adverse inferences. The burden of proof can shift. Insurance claims can be invalidated. And for directors and officers of companies, the consequences can become personal.

It goes beyond fines and warnings. The absence of a record that should exist is itself evidence of something. Rarely anything good.


Can You Destroy Business Records After Scanning Them?

Yes, generally. But with conditions that most guides gloss over.

Most records can be destroyed after digitisation, provided the quality assurance process is properly completed and the digital copies are retained for the required periods. In New South Wales, the General Retention and Disposal Authority GA45 covers this formally.

But there are exceptions, and they matter. Certain records cannot be destroyed after digitisation regardless of scan quality: State archives created prior to 1980, and categories where the original physical document retains legal primacy. Digitising them is fine. Shredding them afterward is not.

Before destroying paper originals post-scan, you need to know:

  • Whether the scan meets the required quality standard
  • Whether a proper disposal instrument actually covers that record type
  • Whether any specific legal requirement demands the original be kept
  • Whether the quality assurance process is documented and traceable

A certificate of destruction still matters here too. The act of destruction, even of paper records you’ve already scanned, needs to be defensible. Learn more about how ZircoDATA manages secure destruction with certified chain of custody.

Is it legal to keep records forever just to be safe?

No, and this is exactly where the 2025 Privacy Act reforms change the picture. Under Australian Privacy Principle 11, once personal information is no longer needed for the purpose it was collected for, organisations are required to take reasonable steps to destroy or de-identify it, unless a law says otherwise.

Once you’ve satisfied the legal minimum retention period and there’s no legitimate business reason left to hold the data, keeping it isn’t playing it safe. It’s creating risk.


The Privacy Act Penalty Risk of Keeping Records Too Long

This is the side of compliance that most Australian businesses haven’t caught up with yet.

The Office of the Australian Information Commissioner has received significant additional funding. More enforcement is coming. The penalties under the current framework are substantial: up to $50 million, or three times the benefit obtained through misuse, or 30 per cent of adjusted domestic turnover during the breach period, whichever is greatest.

In October 2025, Australian Clinical Labs became the first organisation to receive a civil penalty under the Privacy Act: $5.8 million, for a 2022 data breach affecting 223,000 individuals. The OAIC has also commenced civil penalty proceedings against one of Australia’s largest telecommunications providers and one of its largest health insurers, in separate cases that remain before the Federal Court.

The lesson isn’t just about breach response. It’s about what data you’re still holding when a breach occurs. The data that can’t be exploited is the data that was already properly destroyed.


What Does Secure Document Destruction Actually Require?

It means more than most people assume.

For paper records, cross-cut shredding to industry standard is the baseline. But not all shredding services meet the same standard, and for records containing sensitive personal information, health data, or financial information, the process needs to produce a certified chain of custody. A certificate of destruction is what you show a regulator or a court if ever challenged. Without it, the destruction didn’t happen in any way that matters legally.

For digital records, moving a file to the recycle bin is not destruction: it removes the name, and the data stays on disk until something else happens to overwrite it. Secure deletion means the data itself is made unrecoverable. Overwriting in place is the traditional answer, but on SSDs, copy-on-write filesystems, snapshots, and anything already copied into a backup or mail archive, an overwrite may never reach the original bytes. For those, the reliable options are device-level sanitisation or encrypting the data and destroying the key (crypto-erase).
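As an added illustration of the difference (example code, not ZircoDATA’s tooling or a description of its process), here is a recycle-bin style delete beside an overwrite-then-unlink in Python. The helper names and the constructed sample file are assumptions for the demo, and the caveat in the docstring applies to the technique itself:

```python
import os
import tempfile

# Added example, not from the original article or from ZircoDATA. Assumes a
# conventional filesystem that writes in place; see the caveat in secure_delete().
CHUNK = 64 * 1024


def naive_delete(path: str) -> None:
    """What most 'delete' actions do: remove the directory entry only.
    The data blocks are untouched and stay recoverable until reused."""
    os.remove(path)


def secure_delete(path: str, passes: int = 1) -> int:
    """Overwrite every byte in place, force it to stable storage, truncate, then unlink.
    Returns the number of bytes overwritten (size x passes).

    Caveat: on SSDs with wear-levelling, copy-on-write filesystems, snapshots, and
    anything already copied to a backup or mail archive, the overwrite may never reach
    the bytes you care about. Use device-level sanitisation or crypto-erase there."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))   # random bytes rather than zeros
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())         # do not trust the page cache to have done it
        f.truncate(0)                    # the file length is metadata worth removing too
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return written


def demo() -> tuple:
    """Constructed sample: a fake payroll export destroyed both ways.
    Returns (payload size, bytes overwritten, naive file exists, secure file exists)."""
    d = tempfile.mkdtemp()
    payload = b"EMP001,J. Citizen,PAYG summary,sample row only\n" * 2000  # constructed data
    naive_path = os.path.join(d, "payroll_naive.csv")
    secure_path = os.path.join(d, "payroll_secure.csv")
    for p in (naive_path, secure_path):
        with open(p, "wb") as f:
            f.write(payload)
    naive_delete(naive_path)
    overwritten = secure_delete(secure_path, passes=2)
    os.rmdir(d)
    return len(payload), overwritten, os.path.exists(naive_path), os.path.exists(secure_path)


if __name__ == "__main__":
    print(demo())
```

Both calls leave no file behind, which is exactly the problem: from the directory listing they are indistinguishable, and only the second has touched the bytes. Neither is a substitute for knowing where copies of the record already exist.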

This is harder to manage than it sounds, because records now exist across more places than most organisations have fully mapped: cloud platforms, email archives, legacy document management systems, shared drives, old backups, and personal devices. The risk isn’t usually in the records someone is actively managing. It’s in the ones nobody is paying attention to.

What is a litigation hold and when does it apply?

If you reasonably expect a dispute, claim, investigation, or audit, your normal destruction schedule stops for relevant records, even if their retention period has technically ended. Even if you would otherwise have destroyed them last month.

The obligation to implement a litigation hold can arise before any formal legal proceedings start. A complaint that looks like it’s escalating, a regulator making enquiries, a commercial dispute that hasn’t resolved cleanly. These are all potential triggers. Once you have reasonable grounds to anticipate litigation, you cannot continue destroying potentially relevant records.

Getting this wrong doesn’t just create a compliance issue. Destroying documents you had reason to preserve can be treated as a deliberate act. Criminal liability follows in some circumstances.


How to Manage Document Retention Compliance in Australia

The answer isn’t to keep everything forever. That’s a liability. It also isn’t to destroy everything as quickly as the minimum periods allow. That creates a different kind of exposure.

What actually works is a retention schedule that’s treated as a living document, not something drafted once and filed.

A well-run retention schedule:

  • Maps every record type to the applicable legal minimum across all relevant legislation, defaulting to the longer period where there’s ambiguity
  • Sets an upper limit: personal information with no remaining legal or legitimate business justification is scheduled for destruction, not left to accumulate
  • Documents every destruction decision: the what, the when, the how, and the authority behind it
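The three rules above can be made mechanical. The following Python is an added example, not ZircoDATA’s retention management product or any code from the original article. The schedule it carries is constructed from the periods quoted earlier on this page (five years for tax records from the later of lodgement and the end of the transaction, seven years under s.535 Fair Work and for ASIC financial records), and the class and function names are assumptions for the demo. It takes the longest applicable minimum, suspends the schedule for anything on a litigation hold, flags personal information that has outlived its justification, and refuses to log a destruction the schedule does not permit, chaining each logged entry to the previous one so an altered or removed entry is detectable:

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added example, not ZircoDATA's code. The periods below are the ones the article
# quotes; a real schedule maps every record type across all ~80 applicable Acts.


@dataclass(frozen=True)
class RetentionRule:
    authority: str              # statute or disposal authority the period comes from
    years: int                  # minimum retention period in years
    triggers: Tuple[str, ...]   # record date names; the LATEST present one starts the clock


@dataclass
class Record:
    record_id: str
    record_type: str
    dates: Dict[str, date]                        # e.g. {"lodged": ..., "transaction_end": ...}
    personal_info: bool                           # holds personal information (APP 11 applies)
    business_justification: Optional[str] = None  # documented reason to keep past the minimum


SCHEDULE: Dict[str, List[RetentionRule]] = {   # constructed sample schedule
    "tax_return": [RetentionRule("ATO: tax records", 5, ("lodged", "transaction_end"))],
    "payroll": [
        RetentionRule("Fair Work Act 2009 s.535", 7, ("created",)),
        RetentionRule("ATO: PAYG/superannuation", 5, ("created",)),
    ],
    "financial_statements": [RetentionRule("ASIC: company financial records", 7, ("created",))],
}


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic that survives a 29 February start date."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def minimum_retention(record: Record, schedule=SCHEDULE) -> Tuple[date, str]:
    """(retain_until, authority) for the LONGEST applicable minimum.
    An unmapped record type is an error, not a default: unmapped records are the gap."""
    rules = schedule.get(record.record_type)
    if not rules:
        raise KeyError(f"no retention rule mapped for record type {record.record_type!r}")
    best: Optional[Tuple[date, str]] = None
    for rule in rules:
        starts = [record.dates[t] for t in rule.triggers if t in record.dates]
        if not starts:
            raise ValueError(f"{record.record_id}: none of {rule.triggers} recorded")
        until = add_years(max(starts), rule.years)   # clock starts at the later trigger
        if best is None or until > best[0]:
            best = (until, rule.authority)
    return best


def disposition(record: Record, today: date, holds=frozenset(), schedule=SCHEDULE) -> Tuple[str, date, str]:
    """What should happen to this record today. A hold on the record or its type overrides everything."""
    until, authority = minimum_retention(record, schedule)
    if record.record_id in holds or record.record_type in holds:
        return "HOLD", until, authority               # litigation hold: schedule suspended
    if today < until:
        return "RETAIN", until, authority             # still inside the legal minimum
    if record.business_justification:
        return "RETAIN_JUSTIFIED", until, authority   # past minimum, documented reason to keep
    if record.personal_info:
        return "DESTROY_OVERDUE", until, authority    # APP 11: should already be gone
    return "DESTROY_ELIGIBLE", until, authority


def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def log_destruction(log: List[dict], record: Record, today: date, method: str, actor: str,
                    holds=frozenset(), schedule=SCHEDULE) -> dict:
    """Append a hash-chained entry (what, when, how, who, under what authority).
    Refuses to record a destruction the schedule does not permit."""
    status, until, authority = disposition(record, today, holds, schedule)
    if not status.startswith("DESTROY"):
        raise ValueError(f"{record.record_id}: destruction not permitted ({status})")
    entry = {
        "record_id": record.record_id, "record_type": record.record_type,
        "destroyed_on": today.isoformat(), "method": method, "actor": actor,
        "minimum_expired": until.isoformat(), "authority": authority,
        "prev_hash": log[-1]["hash"] if log else "0" * 64,
    }
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> bool:
    """True only if no entry has been altered or removed since it was written."""
    prev = "0" * 64
    for entry in log:
        if entry["prev_hash"] != prev or entry["hash"] != _entry_hash(entry):
            return False
        prev = entry["hash"]
    return True
```

Two design choices matter more than the rest. An unmapped record type raises rather than falling back to “five to seven years”, because silent defaults are how the gaps described above appear. And the log entry is written by the same function that checks the schedule, so a destruction that was never permitted cannot acquire a tidy paper trail after the fact.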

The organisations that manage this well aren’t necessarily the ones with the most sophisticated technology. They’re the ones where records management is treated as a governance function. Retention schedules get reviewed annually. Destruction is certified and logged. Nobody’s clearing out a filing room without a paper trail.

ZircoDATA’s information governance and retention management solution helps organisations build and maintain defensible retention schedules that stay current with regulatory changes.


Common Records Management Compliance Failures in Australian Businesses

After working with organisations across most sectors of the Australian market, certain patterns come up again and again.

  • Records held beyond their legal minimums because no active review process exists. Storage accumulates. Then a breach happens, or a storage provider bills for cubic metres nobody knew they had, and suddenly there’s a conversation about what’s actually in there. Often it turns out a lot of it should have gone years ago.
  • Destruction happening informally. Someone clears out a storeroom, or deletes an old shared drive, with no record of what was destroyed or when. That gap can’t be reconstructed after the fact.
  • Physical and digital records governed differently, or one of them not governed at all. Paper documents get clear retention policies while years of personal data sits in email archives and legacy systems with no equivalent oversight.
  • Policies not updated for recent reforms. Many businesses updated their records policies after the 2022 penalty increases but haven’t revisited them since. The changes that came into effect in 2024 and 2025 are still not reflected in how most organisations actually operate.

Next Steps: Review Your Record Retention Policy

If you don’t have a current, documented retention schedule (one that maps record types to legal minimums, sets destruction timelines, and assigns accountability for reviewing both), that’s the gap worth addressing first.

Not as a compliance exercise. Because data you no longer need is data you’re still responsible for securing, managing, and defending if something goes wrong. Civil penalties under the Privacy Act can now run to tens of millions of dollars. A breach doesn’t just expose the data you knew you had. It exposes everything sitting in systems you’d stopped thinking about.

The goal isn’t to keep as much as possible for as long as possible. It’s to know exactly what you hold, exactly why you still need it, and exactly what happens to it when you don’t.


ZircoDATA provides secure records storage, document destruction, and information governance services to organisations across Australia. To understand how your current records management approach maps to your obligations under Australian law, speak with our team.