Email archiving is one of the most commonly neglected aspects of Australian business compliance. Most businesses either keep everything indefinitely — creating ever-growing liability with each retained email beyond its justified retention period — or delete emails too early, creating legal risk when records are needed for audits, litigation, or regulatory investigations. A well-designed email retention and archiving strategy satisfies APP 11.2 (destruction and de-identification of personal information no longer needed), meets industry-specific minimum retention requirements, and ensures emails can be produced quickly and completely in response to a legal hold or regulatory request.
Retention Periods by Industry and Record Type
- Tax and financial records — minimum 5 years from the end of the financial year in which the transaction occurred (Tax Administration Act 1953). ATO audits can reach back 5 years, and a company's financial records must in any case be kept for 7 years under s 286 of the Corporations Act 2001, so 7 years is the safe working minimum for company financial email.
- Health records — 7 years from the date of last contact with the patient (most state health records legislation). For patients who were minors at the time of treatment, records must be retained until the patient turns 25, or 7 years from last contact, whichever is later.
- Employment records — 7 years from the end of employment (Fair Work Act 2009). This includes email correspondence relating to performance management, disciplinary actions, and workplace investigations.
- Legal correspondence — 7 years from file closure is the standard best practice recommended by law societies. The limitation period for most contract and tort claims is 6 years, but actions on a deed have longer limitation periods and limitation periods can be extended in some circumstances, so treat 7 years as a floor rather than a ceiling.
- Corporate governance records — 7 years from the last relevant resolution (Corporations Act 2001). Board and management email relating to significant decisions should be retained to this standard.
- APRA-regulated entities — 7 years minimum for all prudentially significant records, with some categories (loan origination, credit decisions) extending to the life of the product plus 7 years.
- Government contractors — Commonwealth records created under a contract are governed by the Archives Act 1983 and the National Archives records authority that applies to the contracting agency. Retention periods are set by that records authority, not by the record's security classification, and range from a few years to permanent retention for records of archival value; confirm the required period with the agency before the contract starts.
- AML/CTF — 7 years from the end of the customer relationship (Anti-Money Laundering and Counter-Terrorism Financing Act 2006).
Legal Hold: What It Is and How Email Archiving Supports It
A legal hold (also called a litigation hold or preservation order) is an internal process triggered when litigation, regulatory investigation, or a formal request makes it reasonably foreseeable that email records may be relevant as evidence. When a legal hold is imposed, the normal email deletion schedule must be suspended for the affected accounts — even if the email would ordinarily be deleted under the retention policy. Failure to preserve relevant emails once a legal hold is imposed can result in spoliation findings by courts, adverse inferences against your business, and costs awards. In serious cases, it can constitute contempt of court.
Legal hold practicality: A credible legal hold capability requires tamper-proof archiving (where emails cannot be deleted even by administrators during a hold period), per-user or per-matter hold functionality, and audit logging that can demonstrate to a court that emails were preserved, including who imposed or released each hold, when, and which mailboxes and date ranges it covered. ShieldBox's enterprise archiving includes legal hold with WORM (write once, read many) storage.
eDiscovery: Responding to Subpoenas and Regulatory Requests
eDiscovery refers to the process of identifying, collecting, and producing electronically stored information (ESI) — including email — in response to litigation, regulatory investigations, or formal information requests. In Australia, ASIC, APRA, the OAIC, the ACCC, and various state regulators have powers to compel production of email records. The ATO routinely requests email records in tax investigations. Courts can issue subpoenas for email records. A business without a well-organised email archive may face significant costs and reputational damage attempting to respond to these requests, particularly if the relevant emails are distributed across personal Gmail accounts, are stored on retired staff members' devices, or have been deleted beyond the retention period.
Implementing a Compliant Archiving Strategy
- Centralised archiving: All email (inbound and outbound) automatically archived as it is processed — not relying on users to manually file important emails.
- Tamper-proof retention: Archived emails should not be modifiable or deletable by users or even administrators (WORM storage) during the retention period.
- Indexed and searchable: The archive must be searchable by date, sender, recipient, subject, and keywords to support rapid eDiscovery responses.
- Retention policy automation: Automatic deletion of emails at the end of their retention period, satisfying APP 11.2 without relying on manual processes. The deletion job must check active legal holds before every deletion, so that an expired email under hold is preserved rather than destroyed on schedule.
- Legal hold capability: Ability to suspend deletion for specified accounts or date ranges during litigation or investigation.
- Australian hosting: Hosting the archive in Australia keeps it outside the APP 8 cross-border disclosure regime and beyond the reach of foreign government access powers. A US-hosted archive creates the same offshore disclosure problem as US-hosted email.
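The retention-automation and legal-hold items above come down to one decision per archived message: has its retention period expired, and if so, does an active hold still block deletion? The following Python is an added example written for this article, not code from the page or from any archiving product it names. The record classes, the years attached to them, the mailboxes, matter numbers and messages are constructed placeholders (the durations simply mirror the article's list; a real schedule comes from legal advice). It also handles the "whichever is later" rule for minors' health records and scopes a hold by custodian and sent-date range.

```python
"""Retention schedule with a legal-hold override for an email archive.

Added illustration for this article; not code from the page or from any
product it mentions. Record classes, years, mailboxes and matter numbers
are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    years: int  # minimum retention counted from the trigger date


# Constructed schedule. The trigger date (end of financial year, end of
# employment, last patient contact, ...) is attached to each message when it
# is classified, so a rule only needs the duration.
SCHEDULE = {
    "tax": RetentionRule(years=5),
    "employment": RetentionRule(years=7),
    "health": RetentionRule(years=7),
}


@dataclass(frozen=True)
class LegalHold:
    matter_id: str
    mailboxes: frozenset  # custodians whose mail is preserved
    date_from: Optional[date] = None  # optional scope by sent date
    date_to: Optional[date] = None
    released: bool = False  # once released, scheduled deletion resumes

    def covers(self, mailbox: str, sent: date) -> bool:
        if self.released or mailbox not in self.mailboxes:
            return False
        if self.date_from is not None and sent < self.date_from:
            return False
        if self.date_to is not None and sent > self.date_to:
            return False
        return True


@dataclass(frozen=True)
class ArchivedEmail:
    message_id: str
    mailbox: str
    sent: date
    record_class: str
    trigger: date  # date the retention clock starts for this record
    retain_until_at_least: Optional[date] = None  # e.g. patient's 25th birthday


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_date(msg: ArchivedEmail) -> date:
    """Earliest date the message may be destroyed under the schedule."""
    exp = add_years(msg.trigger, SCHEDULE[msg.record_class].years)
    if msg.retain_until_at_least is not None and msg.retain_until_at_least > exp:
        exp = msg.retain_until_at_least  # "whichever is later" rule
    return exp


def evaluate(msg: ArchivedEmail, holds, today: date, audit: list) -> str:
    """Decide retain / hold / dispose for one message and record why."""
    exp = expiry_date(msg)
    if today < exp:
        decision, reason = "retain", "expires " + exp.isoformat()
    else:
        # Expired: only an active hold covering this custodian and date stops deletion.
        matters = sorted(h.matter_id for h in holds if h.covers(msg.mailbox, msg.sent))
        if matters:
            decision, reason = "hold", "deletion suspended by " + ", ".join(matters)
        else:
            decision, reason = "dispose", "expired " + exp.isoformat() + ", no active hold"
    audit.append({"as_of": today.isoformat(), "message_id": msg.message_id,
                  "mailbox": msg.mailbox, "decision": decision, "reason": reason})
    return decision


def run_disposition(messages, holds, today: date):
    """Evaluate every message; return ({message_id: decision}, audit trail)."""
    audit = []
    decisions = {m.message_id: evaluate(m, holds, today, audit) for m in messages}
    return decisions, audit


# Constructed sample data (hypothetical mailboxes and matter numbers).
AS_OF = date(2025, 9, 1)
SAMPLE_HOLDS = [
    LegalHold("MATTER-2025-01", frozenset({"cfo@example.com.au"}),
              date_from=date(2019, 1, 1), date_to=date(2019, 4, 30)),
    LegalHold("MATTER-2023-07", frozenset({"accounts@example.com.au"}), released=True),
]
SAMPLE_MESSAGES = [
    # FY2018-19 tax record: 5 years from 30 June 2019 have passed; old hold released
    ArchivedEmail("m1", "accounts@example.com.au", date(2019, 3, 10), "tax", date(2019, 6, 30)),
    # Performance-management email: 7 years from end of employment not yet reached
    ArchivedEmail("m2", "hr@example.com.au", date(2019, 11, 2), "employment", date(2020, 1, 15)),
    # Expired tax record, but sent inside the date range of an active hold
    ArchivedEmail("m3", "cfo@example.com.au", date(2019, 3, 15), "tax", date(2019, 6, 30)),
    # Minor's health record: 7 years passed, but kept until the 25th birthday
    ArchivedEmail("m4", "clinic@example.com.au", date(2015, 3, 1), "health", date(2015, 3, 1),
                  retain_until_at_least=date(2030, 8, 14)),
    # Same custodian as m3 but sent outside the hold's date range
    ArchivedEmail("m5", "cfo@example.com.au", date(2019, 5, 20), "tax", date(2019, 6, 30)),
]


def demo_decisions():
    return run_disposition(SAMPLE_MESSAGES, SAMPLE_HOLDS, AS_OF)[0]


if __name__ == "__main__":
    for entry in run_disposition(SAMPLE_MESSAGES, SAMPLE_HOLDS, AS_OF)[1]:
        print(entry)
```

Running the script yields dispose for m1 and m5, retain for m2 and m4, and hold for m3. The audit entry is written for every message, not just deletions, because the record a court wants is proof that a held message was evaluated and kept, and the hold check runs inside the same function as the disposal decision so there is no code path that can delete without consulting it. In a real archive the "dispose" outcome would be the only thing allowed to issue a delete against the WORM store, and the audit trail itself should live in the same tamper-proof storage.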