Data hoarding is a risk you can’t afford

Regulators ask accountants to keep records for years, but privacy laws demand deletion of old data. Navigating this conflict is key to avoiding massive fines and reputational damage.

Dec 16, 2025


At a glance

  • Holding excess client data increases your firm’s cybersecurity risk and potential legal liability.
  • Regulations require destroying personal information when it is no longer needed for compliance.
  • Develop a simple data retention and destruction policy to manage data throughout its lifecycle.

Accountants have always been custodians of vast volumes of highly sensitive client data, from tax details to financial histories. In the digital age, the amount of data they manage and hold has grown exponentially.

Record-keeping is both a core compliance function and a significant business risk. Hoarding this data indefinitely raises your exposure in case of a cyber-attack and potentially violates privacy laws.

But just when to throw your data (very carefully) away is a tricky balancing act.

More data, more risk

Cyber theft is a growing problem. The Australian Signals Directorate (ASD) notes in its Cyber Threat Report for 2024-25 that it responded to more than 1,200 cyber security incidents in the 12 months – 11% more than in 2023-24. Meanwhile, the average cost of cybercrime per report for small business rose by 14%, to $56,600. Not only are these breaches expensive, but they can also have a major impact on a business’s reputation.

Advancetrack provides expert offshoring and outsourcing solutions to accounting firms. Managing director Vipul Sheth argues that holding sensitive tax and financial data sharply increases firms’ exposure to issues like cyber breaches, internal misuse, and non-compliance with evolving data protection laws.

Vipul Sheth, Managing director, Advancetrack

And Aaron Bugal, a chief information security officer at Sophos, points out that Australia is still tightening its cybersecurity rules. Firms now incur penalties for breaches of all stored data, rather than just for the data that organisations actively use. The Office of the Australian Information Commissioner (OAIC) is suing Optus, for example, for failure to protect the data of around 9.5 million Australians before its 2022 cyber breach. Optus’s penalty could reach up to $2.22 million – and new laws provide for much bigger penalties still.

“Bigger breach? Bigger fine. It’s that simple,” says Bugal.

Navigating the regulations

No single statutory rule covers all accounting records, but several regulatory and legal frameworks apply. The Australian Securities and Investments Commission (ASIC), for example, mandates that companies retain financial records for seven years. After this time, deletion is allowed only if no audit, investigation, or litigation risk exists.

Under Australian Privacy Principle (APP) 11, all firms must take reasonable steps to destroy personal information when it’s no longer needed. The ACSC (Australian Cyber Security Centre) also advises that personal data be protected with strict access controls and archival separation, and that secure deletion processes are used.

Aaron Bugal, Chief information security officer, Sophos

Bugal says that storing data for longer than it’s required only leaves more time for cybercriminals to get their hands on this sensitive information: “Treat data like inventory. If it’s not active, not valuable, and not protected, it’s a liability, not an asset.”

The hidden costs of hoarding

Beyond compliance, accountants face the risk of technical debt – taking shortcuts with technology now that create problems later. Keeping old data often means maintaining costly legacy systems longer than necessary, says George Tziahanas, vice-president of compliance at archiving specialist Archive360.

Advancetrack’s Sheth says that he has supported firms that came to Advancetrack after discovering they had been holding personal data going back 15 or even 20 years, long past any legal or business need. The backlog of unreviewed files not only created a data protection headache, but also made their data systems sluggish and inefficient.

“It’s possible that cleaning up archives could save a firm thousands in unnecessary cloud storage costs – and make workflows far more agile,” he notes.


Crafting a retention policy

Developing a data retention and destruction policy that outlines how a firm manages data throughout its lifecycle can reduce client risk and ensure compliance.

For Sheth, holding legacy files “just in case” is an outdated concept. “The risk-to-reward ratio quickly skews negative if you don’t have policies around retention and destruction in place,” he says.

When it comes to the risk they hold, not all records are equal. Some contain sensitive information or have higher privacy and security implications, which need to be treated accordingly when planning a policy.

For Tziahanas, the key is to keep it simple: “The more complicated your data retention rules are, the harder they are to follow and enforce.”

George Tziahanas, Vice president, Archive360

Secure deletion in practice

If large-scale deletion is new for an organisation, it’s worth starting small with discrete data sets to confirm everything works as intended.

Businesses can choose between an affirmative deletion process, where someone actively pushes a button, or automated deletion once retention expires. “Here, there’s no right or wrong answer,” Tziahanas says. “The approach depends on the data type, risk profile, and governance practices.”

From there, someone needs to be clearly responsible for managing how data is deleted, while legal safeguards must be in place to keep any information that’s needed for lawsuits or regulatory checks.

Tziahanas recommends keeping records of the criteria and policies used, along with what was deleted and why. “Some organisations use a manifest or certificate of destruction to capture this metadata,” he notes.

Finally, Bugal notes that it’s important to consider whether all versions of the data have actually been destroyed. Complete destruction must include wiping every location that holds a copy, such as practice management systems, tax lodgement systems, cloud storage, email archives, and more.
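The deletion process described above (automated deletion once a retention period expires, a legal-hold safeguard for audits and litigation, a manifest recording what was deleted and why, and a check that every location holding a copy was actually wiped), as an added example in Python that is not part of the original article. Only the seven-year financial retention rule and the APP 11 "no longer needed" trigger come from the page; the record categories, location names and sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str               # "financial" or "personal" (constructed categories)
    created: date
    locations: frozenset        # every system holding a copy of this record
    still_needed: bool = False  # APP 11: personal information kept only while needed

def retention_expired(rec: Record, today: date) -> bool:
    """Automated trigger: financial records once ASIC's seven years have elapsed,
    personal information as soon as it is no longer needed (tuple compare sidesteps 29 Feb)."""
    if rec.category == "financial":
        c = rec.created
        return (c.year, c.month, c.day) <= (today.year - 7, today.month, today.day)
    return not rec.still_needed

def eligible_for_destruction(records, today: date, legal_holds: set) -> list:
    """(record, reason) pairs cleared for deletion; a legal hold (audit, investigation
    or litigation) always overrides an expired retention period."""
    return [(rec, "financial retention period elapsed" if rec.category == "financial"
             else "personal information no longer needed (APP 11)")
            for rec in records if rec.record_id not in legal_holds and retention_expired(rec, today)]

def destruction_manifest(eligible, wiped: dict, today: date) -> list:
    """One manifest entry per record: what was deleted, why, and whether every copy is gone.
    `wiped` maps record_id to the set of locations actually wiped."""
    return [{"record_id": rec.record_id, "date": today.isoformat(), "reason": reason,
             "complete": not (rem := sorted(rec.locations - wiped.get(rec.record_id, set()))),
             "remaining_locations": rem} for rec, reason in eligible]

def run_example() -> list:
    today = date(2025, 12, 16)  # the article's date; the records below are constructed samples
    everywhere = frozenset({"practice_mgmt", "tax_lodgement", "cloud", "email_archive"})
    records = [
        Record("FIN-001", "financial", date(2017, 6, 30), everywhere),  # eight years old
        Record("FIN-002", "financial", date(2020, 1, 15), everywhere),  # five years old
        Record("FIN-003", "financial", date(2016, 3, 1), everywhere),   # on legal hold
        Record("PII-001", "personal", date(2019, 9, 9), everywhere),    # no longer needed
        Record("PII-002", "personal", date(2024, 2, 29), everywhere, still_needed=True),
    ]
    eligible = eligible_for_destruction(records, today, legal_holds={"FIN-003"})
    wiped = {"FIN-001": {"practice_mgmt", "tax_lodgement", "cloud"},  # email archive missed
             "PII-001": set(everywhere)}
    return destruction_manifest(eligible, wiped, today)
```

An entry with `complete` false is the signal Bugal describes: the record is off the books in most systems but a copy still lives on in one location.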

