Document management is a big part of modern business, as collections of internal and external data allow businesses to monitor their performance, maximise their marketing and meet compliance requirements. Once documents have served their initial use, it can be tricky knowing how long to store documents, especially given the costs of storing data in a secure manner.
However, the most important consideration is ensuring that you meet the range of legal requirements for document retention that apply to your business. Broadly speaking, these come in three forms:
- Legislative obligations to retain documents for prescribed periods.
- Legislative obligations to destroy, de-identify, or limit the retention of data within prescribed periods.
- The duty to preserve evidence in a litigation context.
Proper document management is crucial for companies to avoid legal penalties. This article will outline what your retention obligations are and how to incorporate them into your document management system.
Requirements to Retain Documents
There is a range of legislation that requires businesses to retain documents for various purposes. Each piece of legislation pertains to particular kinds of documents and stipulates a different time period. Breach of any of the following requirements will incur penalties, for the company and potentially also for individuals involved.
In any event, lawyers generally recommend following a rule of thumb that all documents should be kept for at least seven years, as this meets all of the requirements outlined below.
Corporations Act 2001: This Act requires companies to maintain a range of documents for varying periods of time. Companies must retain:
- Any documents related to company meetings (including director and shareholder meetings) for a minimum of five years.
- Accurate financial records of transactions for a minimum of seven years. It is recommended that these records are audited.
- Other records, including registers of members, charges and option holders, for a minimum of five years.
Fair Work Act 2009: The Act requires employers to maintain accurate and complete records for all employees for seven years. The employee information required to be taken and provided to the FWC and ATO is quite broad in that it includes not only pay, hours and leave but also superannuation and flex arrangements; employers should assume that all information gathered in relation to the employee’s employment should be kept for seven years.
Income Tax Assessment Act 1936: This Act mandates that a person carrying on a business must keep records that record and explain all transactions and other acts engaged in by the person relating to taxable income for five years. This is measured from the date when the documents were prepared or gathered, or the completion of the transactions or acts, whichever is later.
Where should documents be stored?
It is recommended that the documents outlined above be kept in the company’s registered office, and backed up to the cloud. Every storage system used should be secure against external parties, and employee access should also be controlled to ensure that documents are not wrongly tampered with. Any storage system should, however, be flexible enough to allow for the destruction or de-identification of some documents and the preservation of others for extended periods. There are other sources of legal obligations regarding document retention and destruction, as will be outlined below.
Good Business Practice
Some documents should be kept for extended periods, or permanently, as a matter of good business practice. This includes company set-up documents, trust documents, and documents relating to the possession of property.
Requirements to Destroy Documents
Australian Privacy Principles (APPs) (Privacy Act 1988): The APPs contain a range of requirements for what kind of data must be collected and how it must be stored. They state that personal data collected must be relevant and limited to the purpose for which they will be used. Correspondingly, when the company no longer needs that information for that use or another use that may be disclosed according to the APPs, it should delete or de-identify that information (APP 11).
De-identification is where “the information is no longer about an identifiable individual or an individual who is reasonably identifiable”. Companies should also be careful that the information is not “re-identifiable”, which means that the identity of the individual may be inferred from the information that still exists. This is an increasing risk in the age of big data.
Privacy (Tax File Number) Rule 2015: This rule operates to the same effect as APP 11. Information regarding a tax file number must be deleted or de-identified when the company no longer needs it for the original purpose or for another use related to taxation law, personal assistance law or superannuation law.
Litigation Context
When litigation (civil or criminal) is underway, pending or reasonably anticipated, companies have a positive duty to preserve documents relevant to the dispute. The legal requirements associated with this are complex, and take on the following forms:
- Destroying evidence that is the subject of current litigation, or is reasonably likely to be used as evidence in a future proceeding, is a criminal offence. The laws around this vary slightly from state to state, but the offence remains broad and applies even where an individual or company did not know that a document could be used as evidence (but this possibility was reasonably likely).
- The destruction of documents in a context where it is otherwise legal, if those documents later become the subject of litigation, may be considered by a court to justify an assumption that the evidence would be to the detriment of that party.
Although the legal process or concept of a “litigation hold” does not apply in Australia in the same way as it does in the US, it is important for companies to have procedures in place to ensure that destroying documents does not violate these duties and become a legal liability.
Importantly, both the National Privacy Principles and the Privacy Act allow for documents to be kept for longer than otherwise permitted where it might be required by the duties outlined above. So it is important for a document retention policy to specify such an exception to document destruction procedures, and to take a cautionary approach whenever there is the possibility of litigation arising for a company. Where there is any doubt about this question, we recommend speaking to a lawyer.
The possibility of litigation is another important reason why all documents should be kept for at least seven years.
Conclusion
In summary, record retention and destruction in Australia are regulated by a complex network of federal laws. Businesses must balance the obligation to retain records for specified durations while also ensuring appropriate destruction of certain documents in line with privacy and data protection laws. It’s also important to note that good document retention and storage practices benefit businesses in other ways, by allowing them to develop from a strong base of institutional knowledge and memory.
A good first step to setting up sound and compliant practices for your business is putting in place a document retention policy that provides a set of processes and guidelines for your employees to follow. You can access Lawpath’s Document Retention Policy here. If in doubt, it is recommended to consult with a legal expert to understand these requirements thoroughly in the context of your specific business needs.