How Long Should Your Business Keep Customer Data?
Holding onto customer data longer than you need to is a liability. Learn what Australian law says about data retention and deletion for small businesses.
Many business owners operate on a "keep it just in case" principle when it comes to data. Old customer lists, past transaction records, years-old contact forms — it's all sitting in a folder somewhere on the server, or in a dusty spreadsheet nobody's opened since 2019. The problem? Data you hold is data you're responsible for. The more unnecessary data you keep, the bigger your exposure if something goes wrong.
The Legal Principle: Don't Keep Data Longer Than You Need It
Under Australian Privacy Principle 11.2 (APP 11.2) in the Privacy Act 1988, if your business holds personal information that it no longer needs for any purpose for which it may be used or disclosed under the APPs, and no Australian law or court order requires you to keep it, you must take reasonable steps to destroy the information or ensure it is de-identified. One scoping point: the APPs bind organisations with annual turnover above $3 million, plus certain smaller businesses regardless of turnover (health service providers, businesses that trade in personal information and contractors on Commonwealth contracts, among others). Even where they don't strictly apply, the retention discipline they describe is the sensible baseline, because the breach exposure is exactly the same.
In plain English: if you don't need the data anymore, and no law says you have to keep it, you should get rid of it — properly.
This principle exists because every piece of personal information you hold creates risk. If your systems are breached, or if an employee makes an error, older unnecessary data can harm people whose relationship with your business ended years ago. Holding data indefinitely — without a reason — is both a legal issue and an ethical one.
What About Legal Record-Keeping Requirements?
Now, "destroy data you don't need" needs to be balanced against the many laws that require you to keep certain records for specific periods. These aren't optional. Common Australian record-keeping obligations include:
Tax and Financial Records
The Australian Taxation Office (ATO) requires most businesses to keep financial and tax records for five years, counted from when you prepared or obtained the record or completed the transaction it relates to, whichever is later. This covers income, deductions, invoices, receipts and business activity statements. For capital gains tax purposes the clock starts later still: records must be kept for five years after the CGT event (typically the sale of the asset), so for a long-held asset that means keeping purchase and improvement records well beyond five years from the original purchase.
Employment Records
Under the Fair Work Act 2009 and Fair Work Regulations 2009, employers must keep employee records for seven years. This includes pay records, leave records, hours worked and other employment terms. The ATO separately requires superannuation records (contributions, choice-of-fund forms) to be kept for five years; where two rules cover the same document, the longer period wins.
Company Records
Under the Corporations Act 2001, companies must keep financial records (the records that correctly record and explain their transactions and financial position, such as financial statements and the ledgers behind them) for seven years after the transactions they cover are completed. Registers of members and minute books are separate obligations under the same Act and must be kept for the life of the company, not just seven years.
GST Records
GST-related records must be kept for five years from when you prepared or obtained them, or from when the transaction they relate to was completed, whichever is later.
Contracts
There's no single rule for contracts, but as a general guide, keep signed contracts for at least six to seven years after the contract ends, to cover the limitation periods for legal claims. Claims on simple contracts are subject to a six-year limitation period in most Australian jurisdictions; deeds carry longer periods (12 to 15 years depending on the state), so treat deeds as a longer-retention class. Seek legal advice for high-value or complex contracts.
Building a Data Retention Schedule
The practical way to manage all of this is with a data retention schedule — a simple document that lists the types of data you hold, how long you're required to keep them, and what happens to them at the end of that period.
Here's a simplified example for a small services business:
- Customer enquiries and contact forms: Keep for 12 months after last contact, then delete
- Customer invoices and payment records: Keep for 5 years (ATO requirement), then securely delete
- Signed service contracts: Keep for 7 years after contract end, then securely delete
- Employee pay records: Keep for 7 years after employment ends, then securely delete
- Marketing email lists: Keep while consent is current; delete promptly when individuals unsubscribe or withdraw consent
- CCTV footage: Typically 30 days unless relevant to an incident, then delete
- Website analytics data: Retain as long as useful for business purposes, but only if it is genuinely de-identified. Full IP addresses, persistent client or user IDs, or page URLs that embed names or account numbers make the data personal information again, and then the schedule applies to it like anything else
Your schedule will look different depending on your industry. A health practice, for example, must under state health records laws (NSW and Victoria set the common pattern) keep records for adult patients for at least seven years after the last service, and records for children until the patient turns 25, whichever is later. Legal and financial services have their own specific requirements.
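A schedule is easier to apply (and to audit) when the rules are written down as code rather than left in a document that someone is supposed to remember to read. The following is an added example, not part of the original article: a small Python evaluator that encodes the simplified schedule above, including the "later of two dates" health rule and an incident/legal-hold override, and reports for each record whether to keep it, delete it, securely delete it, put it on hold, or flag it for review because no rule covers it. The record categories, field names and sample records are constructed for illustration and are not real data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb maps to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date                    # event the retention clock runs from
    consent_active: bool = False          # marketing contacts only
    legal_hold: bool = False              # incident/litigation hold: never destroy
    date_of_birth: Optional[date] = None  # health records only

# A rule returns the first date on which the record may be destroyed, or None
# when it must be kept while some condition (e.g. live consent) still holds.
Rule = Callable[[Record], Optional[date]]

def after_years(years: int) -> Rule:
    return lambda r: add_years(r.trigger_date, years)

def after_days(days: int) -> Rule:
    return lambda r: r.trigger_date + timedelta(days=days)

def until_consent_withdrawn(r: Record) -> Optional[date]:
    # Keep while consent is live; once withdrawn, trigger_date is the
    # withdrawal date and the contact is deletable from that day.
    return None if r.consent_active else r.trigger_date

def health_record_rule(r: Record) -> date:
    # Later of: seven years after last contact, or the patient's 25th birthday.
    seven_years = add_years(r.trigger_date, 7)
    if r.date_of_birth is None:
        return seven_years
    return max(seven_years, add_years(r.date_of_birth, 25))

# category -> (rule, action once the period has run). Constructed to mirror
# the simplified schedule in the article; the category names are assumptions.
SCHEDULE: dict[str, tuple[Rule, str]] = {
    "enquiry":       (after_years(1), "delete"),
    "invoice":       (after_years(5), "securely delete"),
    "contract":      (after_years(7), "securely delete"),
    "employee_pay":  (after_years(7), "securely delete"),
    "marketing":     (until_consent_withdrawn, "delete"),
    "cctv":          (after_days(30), "delete"),
    "health_record": (health_record_rule, "securely delete"),
}

def disposition(record: Record, today: date) -> str:
    """Return 'keep', 'on hold', 'review', or the schedule's expiry action."""
    if record.legal_hold:
        return "on hold"            # a hold overrides every schedule entry
    entry = SCHEDULE.get(record.category)
    if entry is None:
        return "review"             # unscheduled data type: never silently keep
    rule, action = entry
    destroy_on = rule(record)
    if destroy_on is None or destroy_on > today:
        return "keep"
    return action

def evaluate(records: list[Record], today: date) -> dict[str, str]:
    return {r.record_id: disposition(r, today) for r in records}

# Constructed sample records (not real data), evaluated as at 1 July 2025.
SAMPLE = [
    Record("ENQ-001", "enquiry", date(2024, 3, 15)),
    Record("ENQ-002", "enquiry", date(2024, 12, 1)),
    Record("INV-017", "invoice", date(2019, 6, 30)),
    Record("INV-018", "invoice", date(2021, 2, 28)),
    Record("CON-003", "contract", date(2018, 5, 1)),
    Record("PAY-099", "employee_pay", date(2015, 1, 10), legal_hold=True),
    Record("MKT-400", "marketing", date(2023, 8, 20), consent_active=True),
    Record("MKT-401", "marketing", date(2025, 6, 28), consent_active=False),
    Record("CCTV-0601", "cctv", date(2025, 6, 1)),
    Record("HR-777", "health_record", date(2017, 9, 9), date_of_birth=date(2002, 3, 3)),
    Record("HR-778", "health_record", date(2017, 9, 9), date_of_birth=date(1980, 1, 1)),
    Record("LOG-001", "server_logs", date(2025, 1, 1)),   # no rule: flagged for review
]

def sample_dispositions() -> dict[str, str]:
    return evaluate(SAMPLE, date(2025, 7, 1))

if __name__ == "__main__":
    for record_id, action in sample_dispositions().items():
        print(f"{record_id:<10} {action}")
```

Two design choices matter here. A legal or incident hold is checked before any rule, because the one thing worse than keeping data too long is destroying evidence you were obliged to preserve. And a record whose category has no schedule entry comes back as "review" rather than "keep": silently retaining anything that falls through the gaps is how the "dusty spreadsheet from 2019" problem starts.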
How to Securely Delete Data
"Delete" doesn't always mean gone. When you delete a file on a computer, the data often remains on the disk until overwritten. For sensitive information, proper deletion requires more care:
- Digital files: Overwrite-before-delete tools (Eraser on Windows, `shred` on Linux) do what they promise on spinning disks, but are unreliable on SSDs and flash storage, where wear levelling means the overwrite may land on different physical cells than the original data; Apple no longer offers Disk Utility's secure-erase options for SSDs for exactly this reason. The dependable approach is encryption from the start: full-disk encryption (BitLocker, FileVault) or per-record keys, so that data you can't perfectly overwrite is unreadable anyway and destroying the key becomes the deletion step
- Cloud storage and backups: Follow the service provider's process for permanent deletion, and be aware that some services keep their own retention window after you "delete" something. The same applies to your backups: a deleted record lives on in every backup copy until those copies expire, so your retention schedule should state how long backups are kept too
- Email: Don't forget emails often sit in both sent folders and server archives — ensure these are purged as part of your retention process
- Physical documents: Use a cross-cut shredder (not a strip shredder) for sensitive documents, or use a professional secure document destruction service
- Devices being disposed of: A factory reset is only adequate when the device was encrypted for its whole life and the reset discards the encryption key (modern iPhones and Android phones, and Macs and PCs that had FileVault or BitLocker enabled before any sensitive data landed on them). For anything else, or where you can't prove that, use certified data destruction or physical destruction of the storage media
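The "encrypt from the start" advice above is worth seeing in action, because it changes what deletion means. The following is an added example, not from the original article: a Python sketch of crypto-shredding, where each customer's records are encrypted under a per-customer key and deleting the customer means destroying that key, so copies of the ciphertext lingering in backups, mailbox archives or unallocated disk space are no longer readable by anyone. The cipher is a toy built from the standard library (HMAC-SHA256 used as a counter-mode keystream, with a separate HMAC tag checked before decryption) so the example runs without dependencies; a production system would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library, and would hold the key table in a KMS or HSM rather than a Python dict. Customer IDs and record contents are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent sub-keys for encryption and authentication."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream (illustration only, not a production cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag                       # encrypt-then-MAC layout


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class CustomerVault:
    """One data-encryption key per customer. `storage` stands in for a database
    that is backed up and can never be reliably wiped; `keys` stands in for the
    key store (a KMS in real life). Destroying a customer's key is the deletion."""

    def __init__(self) -> None:
        self.keys: dict[str, bytearray] = {}
        self.storage: dict[str, bytes] = {}

    def put(self, customer_id: str, record: bytes) -> None:
        key = self.keys.setdefault(customer_id, bytearray(os.urandom(32)))
        self.storage[customer_id] = encrypt(bytes(key), record)

    def get(self, customer_id: str) -> Optional[bytes]:
        key = self.keys.get(customer_id)
        if key is None:
            return None                           # key shredded: unrecoverable
        return decrypt(bytes(key), self.storage[customer_id])

    def shred(self, customer_id: str) -> None:
        """Crypto-shred: zero and discard the key. The ciphertext may remain."""
        key = self.keys.pop(customer_id)
        for i in range(len(key)):
            key[i] = 0                            # best-effort wipe of the in-memory copy


def demo() -> dict:
    """Store two customers, shred one, and report what is still recoverable."""
    vault = CustomerVault()
    jane = b"Jane Citizen, 12 Example St, card ending 4242"     # constructed
    bob = b"Bob Example, PO Box 7, unsubscribed 2024-11-02"     # constructed
    vault.put("cust-1001", jane)
    vault.put("cust-1002", bob)
    before = vault.get("cust-1001")
    vault.shred("cust-1001")
    try:                                          # another customer's key must not help
        decrypt(bytes(vault.keys["cust-1002"]), vault.storage["cust-1001"])
        cross_key_decrypts = True
    except ValueError:
        cross_key_decrypts = False
    return {
        "before": before,
        "after": vault.get("cust-1001"),
        "ciphertext_still_stored": "cust-1001" in vault.storage,
        "other_customer": vault.get("cust-1002"),
        "cross_key_decrypts": cross_key_decrypts,
    }
```

The point the demo makes is that `storage` still holds Jane's ciphertext after `shred()`, exactly as a backup tape or a journaled filesystem would, yet nothing can turn it back into a record. The part that has to be done properly is the key destruction itself, which is why real deployments keep the key table in a KMS or HSM that can destroy a key on request and log that it did.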
Marketing Data and Consent
A special note on marketing lists: under the Spam Act 2003, you must stop sending commercial electronic messages to individuals who have unsubscribed, and unsubscribe requests must be honoured within five business days. The practical implication is that you should remove unsubscribed contacts from your active sending lists promptly. The one legitimate reason to retain an unsubscribed address is a suppression list whose sole job is to stop that address being re-added by a later import; keeping the full contact record "just in case" serves no purpose and creates risk. Your email marketing platform (Mailchimp, Campaign Monitor, etc.) should handle automated unsubscribe processing and suppression, but make sure you're not separately maintaining spreadsheets of contacts that bypass this process.
Key Takeaways
- Under APP 11.2 of the Privacy Act, you must destroy or de-identify personal information you no longer need and have no legal obligation to keep.
- Key retention minimums: tax records (5 years), employment records (7 years), company/financial records (7 years), contracts (6–7 years after expiry as a guide).
- A data retention schedule — listing data types, retention periods, and deletion processes — is the practical tool for managing this.
- Deleting data means securely deleting it, not just moving a file to the recycle bin.
- Marketing and contact lists must be kept current; unsubscribed contacts should be removed from active sending lists promptly, with at most a suppression entry retained to prevent re-adding them.
- Industry-specific rules (especially in health) may impose longer retention requirements — check the rules relevant to your sector.
Data retention is one of the areas the free assessment at flagged.com.au examines. Find out whether your current data handling practices are creating unnecessary risk — and get a clear action plan to address any gaps.