Data Retention Policy Guide for Small Businesses

Category: Compliance

How long should your business keep different types of data? This guide helps small businesses understand data retention requirements and create practical retention policies.

## Why Data Retention Matters

Every business accumulates data. Customer records, financial documents, emails, contracts, employee files — the list grows constantly. Keeping everything forever creates storage costs, security risks, and compliance problems: every record you still hold is a record that can be breached or demanded in discovery, while a record you have properly destroyed cannot be. Deleting too quickly can violate legal requirements or lose valuable information. A data retention policy helps you keep what you need, for as long as you need it, and dispose of the rest appropriately.

## Legal Retention Requirements

### Tax Records

The Australian Taxation Office requires:

- **Five years minimum:** Most tax records, including income statements, evidence for deductions, and financial records.
- **Longer for specific situations:** Capital gains records (until five years after the asset is disposed of), superannuation records, and records related to disputes or audits.
- **From when:** The five-year period typically starts from when you lodge your tax return (or when the related transaction is completed, whichever is later), not from when the record was created.

### Employment Records

Fair Work and related requirements:

- **Seven years:** General employment records, pay records, leave records, superannuation contributions.
- **Longer for specific categories:** Records related to injuries or workers compensation claims.
- **Terminated employees:** Retention periods continue to run after employment ends.

### Business Records

Various requirements depending on business type:

- **Financial records:** Generally seven years for companies.
- **Contracts:** Duration of the contract plus six years (the usual limitation period for a claim under a simple contract; deeds carry a longer limitation period).
- **Corporate records:** Permanently for some company records.
- **Industry-specific:** Healthcare, financial services, and other industries have additional requirements.

### Privacy Considerations

The Privacy Act affects retention:

- **Only keep what you need:** Do not retain personal information beyond the purpose it was collected for. The longer you hold it, the longer it is exposed to a breach.
- **Secure destruction:** When retention periods expire, destroy or de-identify the information securely.
- **Individual rights:** Individuals can ask to access and correct their information. The Privacy Act does not currently give a general right to have information deleted, but you must still destroy or de-identify personal information once you no longer need it for a permitted purpose (with exceptions, such as records you are legally required to keep).
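The periods above are easier to apply correctly when they are encoded rather than remembered, because the period on its own is not enough: the trigger event decides when the clock starts (a tax record created in March 2018 and lodged in October 2019 is due in October 2024, not March 2023), and a legal hold must override every period. The following script is an added example, not part of the original guide or any Netluma tool. The category names, the `Record` fields, the 90-day backup cycle and the review date are assumptions chosen for illustration, and the sample inventory is constructed, not real data. It also reports when a disposed record will have rotated out of backups, since backup retention quietly extends effective retention.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention rules as stated in the guide: years to keep, and which event on the
# record starts the clock (the "trigger event"). Category names are assumed.
@dataclass(frozen=True)
class Rule:
    years: int
    trigger: str            # name of the Record field holding the trigger date
    permanent: bool = False

RULES = {
    "tax":        Rule(5, "lodged"),    # ATO: five years from lodgement, not creation
    "employment": Rule(7, "ended"),     # Fair Work: seven years after employment ends
    "financial":  Rule(7, "created"),   # company financial records: seven years
    "contract":   Rule(6, "ended"),     # end of contract plus six-year limitation period
    "corporate":  Rule(0, "created", permanent=True),
}

# Assumed backup cycle: days a deleted record lingers in backups after disposal.
BACKUP_RETENTION_DAYS = 90
# Assumed date of the periodic review.
TODAY = date(2024, 6, 1)

@dataclass
class Record:
    record_id: str
    category: str
    created: date
    lodged: Optional[date] = None   # tax: date the return was lodged
    ended: Optional[date] = None    # employment/contract: end date, None while ongoing
    on_hold: bool = False           # legal hold set: never dispose while True

def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February rolls to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def disposal_date(rec: Record) -> Optional[date]:
    """Earliest date the record may be destroyed, or None if it must be kept
    (permanent category, or the trigger event has not happened yet)."""
    rule = RULES[rec.category]
    if rule.permanent:
        return None
    start = getattr(rec, rule.trigger)
    if start is None:               # current employee, open contract, unlodged return
        return None
    return add_years(start, rule.years)

def disposition(rec: Record, today: date) -> str:
    """HOLD, KEEP or DISPOSE for one record as of `today`."""
    if rec.on_hold:
        return "HOLD"               # a hold overrides every retention period
    due = disposal_date(rec)
    if due is None or today < due:
        return "KEEP"
    return "DISPOSE"

def review(records, today: date) -> dict:
    """Periodic review: record_id -> (action, date it is also gone from backups)."""
    result = {}
    for rec in records:
        action = disposition(rec, today)
        gone_from_backups = None
        if action == "DISPOSE":
            # Deleting from the live system is not the end: the record stays in
            # backups until the backup cycle has turned over after the deletion.
            gone_from_backups = today + timedelta(days=BACKUP_RETENTION_DAYS)
        result[rec.record_id] = (action, gone_from_backups)
    return result

# Constructed sample inventory, not real data.
SAMPLE = [
    Record("TAX-2018", "tax", date(2018, 3, 1), lodged=date(2019, 10, 31)),
    Record("EMP-ALICE", "employment", date(2010, 2, 1)),                    # still employed
    Record("EMP-BOB", "employment", date(2012, 5, 1), ended=date(2016, 6, 30)),
    Record("CON-ACME", "contract", date(2015, 1, 1), ended=date(2017, 6, 30)),
    Record("FIN-2016", "financial", date(2016, 7, 1), on_hold=True),        # litigation hold
    Record("CORP-REG", "corporate", date(2005, 1, 1)),
]

if __name__ == "__main__":
    for rid, (action, backups) in review(SAMPLE, TODAY).items():
        note = f"  (still in backups until {backups})" if backups else ""
        print(f"{rid:10} {action}{note}")
```

Run as of 1 June 2024, the tax record is kept because its clock runs from lodgement, the current employee and the permanent corporate record are kept, the ex-employee and the finished contract are due for disposal (and reported as still present in backups until 30 August 2024), and the financial record on litigation hold is held regardless of its age. Swapping `"lodged"` for `"created"` in the tax rule is the mistake the guide's "From when" point warns about, and it shows up immediately as an early disposal.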
## Types of Data to Consider

### Customer Data

- **Contact information:** As long as the customer relationship exists, plus the duration of any marketing consent.
- **Transaction records:** At least seven years for tax purposes.
- **Communication records:** Based on business need, typically two to five years.
- **Contracts and agreements:** Duration plus six years.

### Financial Data

- **Accounting records:** Seven years.
- **Bank statements:** Seven years.
- **Invoices (sent and received):** Seven years.
- **Expense receipts:** Five to seven years.
- **Payroll records:** Seven years.

### Employee Data

- **Current employees:** Keep records current throughout employment.
- **Terminated employees:** Seven years after termination.
- **Recruitment records:** Generally six to twelve months for unsuccessful candidates.
- **Training records:** Duration of employment plus the period for which any certification remains relevant.

### Operational Data

- **Emails:** Consider business value: routine emails might be two years, significant communications longer.
- **Projects:** Depends on ongoing relevance, typically project completion plus two to five years.
- **System logs:** Based on security and troubleshooting needs, typically one to three years. Security logs are the one place where shorter is not cheaper: an intrusion is often discovered months after it began, so keep authentication, access and audit logs long enough that an investigation can reconstruct what happened.
- **Backups:** Aligned with the retention policies for the underlying data. A backup that outlives the data it contains silently extends your retention period.

## Creating Your Retention Policy

### Step 1: Inventory Your Data

Understand what you have:

- What types of data does your business hold?
- Where is it stored (systems, locations, formats)?
- Who is responsible for each data category?
- How sensitive is each category?

### Step 2: Determine Requirements

For each category:

- What legal retention requirements apply?
- What business needs exist for the data?
- What is the longest applicable requirement? That sets the minimum you must keep; once it has passed, privacy obligations favour disposal.

When in doubt, consult legal or compliance advisors.

### Step 3: Document Your Policy

Create clear documentation:

- **Data categories:** List each type of data.
- **Retention periods:** How long each category is kept.
- **Trigger events:** When the retention period starts (creation, transaction, end of the relationship, and so on). This matters: a tax record created in March but lodged in October has its clock start in October.
- **Disposal method:** How data will be destroyed when retention expires.
- **Responsibilities:** Who manages retention for each category.

### Step 4: Implement and Maintain

Make the policy operational:

- Configure systems to enforce retention periods where possible
- Establish regular review and disposal processes
- Train staff on retention requirements
- Audit compliance periodically
- Update the policy as requirements change

## Practical Implementation

### Email Retention

Managing email retention:

- **Archive solutions:** Move older email to archive systems that support retention.
- **Automated policies:** Configure systems to move or delete messages based on age.
- **Litigation holds:** The ability to preserve specific content when legal matters arise. A hold must override any automated deletion, so test that it actually does before you rely on it.
- **Realistic expectations:** Very granular email retention is difficult; category-level policies are more practical.

### File Storage Retention

Managing files and documents:

- **Organised structure:** Folder organisation that aligns with retention categories.
- **Metadata:** Use file properties to track creation dates and categories. Do not rely on filesystem modification times alone; they can change whenever a file is copied or touched, which resets the clock.
- **Periodic review:** Regular audits of old content for disposal or archiving.
- **Automation where possible:** Systems that flag or move content based on age.

### System Data Retention

Application and database data:

- **Built-in features:** Many systems have retention configuration options.
- **Archive strategies:** Move old data to cheaper, less accessible storage.
- **Database cleanup:** Regular removal of data beyond retention periods.
- **Backup alignment:** Ensure backup retention matches data retention.

## Secure Disposal

### Digital Data

When retention expires:

- **Secure deletion:** Use tools that overwrite data rather than just removing the file reference. Overwriting is only reliable on storage that writes in place; on SSDs and on copy-on-write or snapshotting filesystems, rely on full-disk encryption and destroy the key, or destroy the device.
- **Storage device disposal:** Proper destruction of drives containing sensitive data.
- **Cloud data:** Understand how providers handle deletion requests, including how long deleted objects remain recoverable and whether versioning keeps older copies.
- **Backup consideration:** Data in backups may persist beyond primary deletion; it is only truly gone once every backup containing it has rotated out.

### Physical Records

For paper and physical media:

- **Shredding:** Cross-cut shredding for confidential documents.
- **Secure destruction services:** For large volumes or highly sensitive material.
- **Certificates of destruction:** Documentation that destruction occurred.

## Common Challenges

### Legacy Data

Dealing with historical data:

- Conduct an inventory to understand what exists
- Apply the current policy going forward
- Address the backlog systematically
- Accept that perfect cleanup may not be practical

### System Limitations

When technology does not support the policy:

- Document gaps between policy and capability
- Implement manual processes where needed
- Factor retention into system replacement decisions
- Accept pragmatic compromises while working toward compliance

### Staff Compliance

Getting everyone to follow the policy:

- Make policies clear and accessible
- Provide practical guidance, not just rules
- Make compliance as easy as possible
- Address the most important data first

### Exceptions and Holds

When normal retention does not apply:

- Legal holds when litigation is anticipated or active
- Regulatory investigations or audits
- Business needs for specific historical data
- Clear processes for creating and lifting holds, and a record of which items are on hold, so that automated disposal cannot destroy them

## Getting Started

### Minimum Viable Policy

If you have nothing now, start with:

1. Keep all financial records for seven years
2. Keep all employment records for seven years after termination
3. Keep contracts for their duration plus six years
4. Review and clean up email and files older than seven years
5. Improve from there

### Incremental Improvement

Over time:

- Refine categories based on your actual data
- Implement automation where practical
- Address higher-risk areas first
- Review and update regularly

## Working with Advisors

When to seek help:

- **Legal advice:** For retention requirements in your specific situation.
- **IT support:** For implementing retention in your systems.
- **Industry guidance:** For sector-specific requirements.
- **Privacy specialists:** For personal information handling.

Data retention is not glamorous, but good retention practices reduce costs, lower risks, and demonstrate mature information management.
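For the secure deletion and certificate-of-destruction points in the Secure Disposal section above, here is an added Python example; it is not the guide's own code or a Netluma tool. It overwrites a file with random bytes, flushes to disk, truncates it, renames it and unlinks it, then appends a destruction record to an audit log. The file names, the log format and the sample content are assumptions, and the sample file is constructed. The caveat in the docstring matters more than the code: on SSDs, copy-on-write filesystems, snapshots and cloud object stores an in-place overwrite does not reach every copy, so key destruction under full-disk encryption or physical destruction is the only reliable option for sensitive media.

```python
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files are not read into memory


def secure_delete(path: str, passes: int = 1) -> int:
    """Overwrite a file in place with random bytes, flush to disk, truncate,
    rename and unlink it. Returns the number of bytes overwritten per pass.

    Caveat: this is only reliable on storage that writes in place. SSD wear
    levelling, copy-on-write and snapshotting filesystems, cloud object
    versioning and backups all keep copies this function never touches. For
    sensitive media, destroy the encryption key (full-disk encryption) or the
    device itself, as the guide's "storage device disposal" point recommends.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                fh.write(secrets.token_bytes(n))   # random data, not a fixed pattern
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # push the overwrite past the page cache
        fh.truncate(0)              # the original length is sensitive too
        fh.flush()
        os.fsync(fh.fileno())
    # Give the file a random name before unlinking so the original name does
    # not linger in the directory entry.
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.remove(anon)
    return size


def destruction_record(path: str, reason: str, size: int) -> dict:
    """Written evidence that destruction occurred (the digital equivalent of a
    certificate of destruction): what, when, why and by which method. The
    content itself is not retained, only its size."""
    return {
        "path": path,
        "bytes": size,
        "method": "overwrite+unlink",
        "reason": reason,
        "destroyed_at": datetime.now(timezone.utc).isoformat(),
    }


def dispose(path: str, reason: str, log_path: str) -> dict:
    """Destroy one file and append its destruction record to an audit log.
    The log is itself a record: keep it for as long as you may need to show
    that disposal happened, and keep personal data out of it."""
    size = secure_delete(path)
    rec = destruction_record(path, reason, size)
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(rec) + "\n")
    return rec


def demo() -> dict:
    """Stand-alone run on a constructed sample file in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "customer-notes-2016.txt")
        content = b"Constructed sample: Jane Citizen, DOB 01/01/1970, account notes\n"
        with open(sample, "wb") as fh:
            fh.write(content)
        log = os.path.join(d, "destruction.log")
        rec = dispose(sample, "retention expired: customer communications, 7 years", log)
        with open(log, encoding="utf-8") as fh:
            entries = [json.loads(line) for line in fh]
        return {
            "bytes": rec["bytes"],
            "content_len": len(content),
            "exists_after": os.path.exists(sample),
            "log_entries": len(entries),
            "method": entries[0]["method"],
        }


if __name__ == "__main__":
    print(demo())
```

The `fsync` calls are what make the overwrite reach the disk rather than stopping in the operating system's write cache; without them the file can be unlinked while its original blocks are still untouched. The destruction log deliberately stores the path and size but never the content, because the log is retained long after the data it describes is gone.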

Written by Netluma IT
