Your Business Data — How to Store It, Protect It and Stay on the Right Side of the Law
A plain-English guide for Perth business owners and office managers on what to keep, where to keep it, who should have access, and what the law requires
Most Businesses Are Sitting on a Data Problem They Do Not Know About
Every Perth business — regardless of size or industry — holds data. Client information, staff records, financial documents, contracts, emails. Most businesses collect it without thinking too carefully about where it lives, how long they need to keep it, who can access it, or what happens when something goes wrong.
That gap between what most businesses do and what good data management looks like is where DM1 spends a lot of time when taking on new clients. This page explains the basics in plain English so you can see where your business currently stands.
Please note: The information on this page is general in nature and is intended to help business owners understand their data obligations at a high level. It is not legal advice. Every business is different and the rules that apply to your situation may vary depending on your industry, the type of data you hold and how your business is structured. If you have specific concerns about your compliance obligations, DM1 recommends speaking with a qualified lawyer.
What Data Does Your Business Actually Hold?
Before you can manage your data properly, it helps to understand what you actually have. Most businesses hold more personal information than they realise — spread across email, shared drives, accounting software, practice management systems and paper files.
Information about your clients
Names, contact details, addresses, purchase history, financial information, health records, correspondence. This is the category most heavily regulated by Australian law, and the one whose volume most businesses underestimate.
Information about your staff
Employment contracts, payroll records, tax file numbers, bank details, performance reviews, leave records, superannuation details. Staff data carries the same legal protections as client data and must be handled with the same care.
Your business records
Financial records, invoices, contracts, quotes, emails, accounting data, supplier agreements. Many of these have minimum retention periods set by law — in most cases at least five years, and in some industries significantly longer.
How Long Do You Need to Keep It?
Different types of business records have different minimum retention periods set by Australian law. Keeping records for too short a time exposes you to legal and tax risk. Keeping everything forever creates its own storage and compliance problems. The table below covers the most common categories for Perth small businesses.
| Type of record | How long to keep it | Why |
|---|---|---|
| Financial and accounting records | Minimum 5 years | Required by the Corporations Act and ATO record-keeping rules |
| Tax records | Minimum 5 years from date of lodgement | ATO may request records for audit purposes within this window |
| Employee records (payroll, contracts, leave) | Minimum 7 years | Fair Work Act requirements for payroll records |
| Client contracts and agreements | Minimum 6 years after expiry | Limitation period for contract disputes under Australian law |
| Health records (healthcare providers) | Minimum 7 years (adult); until age 25 (minor) | State health records legislation and professional standards |
| Legal files and correspondence | Minimum 7 years (varies by matter type) | Law Society of WA practice standards |
| General business correspondence and emails | At least 5–7 years recommended | No single law but best practice given dispute and audit risk |
Retention periods shown are minimum general guides only and may vary by industry or specific circumstance. Confirm requirements with your accountant or lawyer for your specific situation.
Where Should You Actually Store Your Business Data?
Where your data lives determines how safe it is, how easily it can be recovered if something goes wrong, and whether you can meet your compliance obligations. Here are the three most common approaches and what DM1 recommends.
Not recommended
Local storage only — on computers or an office server
Files stored only on a local computer or in-office server are at risk of permanent loss from hardware failure, theft, fire, flood or ransomware. There is no off-site copy. If the device is gone, the data is gone. Many businesses operate this way without realising they are one incident away from losing everything.
Acceptable with caveats
Consumer cloud storage — personal Dropbox, Google Drive, iCloud
Better than local-only storage, but consumer cloud accounts are not designed for business use. They lack the access controls, audit logs, retention policies and compliance tools that business data requires. Using a personal account to store client information may also breach your Privacy Act obligations.
Recommended
Microsoft 365 — SharePoint and OneDrive for Business
Business-grade file storage with access controls, full version history, automatic backup, audit logging and compliance tooling built in. Files are accessible from any device, permissions are managed centrally, and deleted files are recoverable for up to 93 days. Included in every Microsoft 365 Business plan.
Who Should Be Able to See Your Business Data?
Controlling who has access to your business data is one of the most overlooked aspects of data management — and one of the most important. Two situations come up repeatedly when DM1 takes on new clients.
Why access control matters
Most small businesses give all staff access to everything because it is easier. The problem with this approach is that if any account is compromised — by a stolen password, a phishing email or a disgruntled employee — the person who gains access can see and take everything.
Proper access control means staff can only see and edit the files relevant to their role. A receptionist does not need access to financial records. A salesperson does not need access to HR files. Limiting access limits damage.
What happens when staff leave
When a staff member leaves, their access to company systems, email and files should be removed the same day. DM1 regularly finds during new client onboarding that former staff still have full access to email accounts, shared drives and business systems months or sometimes years after their departure.
A proper offboarding process — disabling the account, preserving the mailbox, reassigning files — takes less than an hour and removes a significant ongoing risk.
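The three offboarding steps above, written out as an added PowerShell example for a Microsoft 365 tenant (this is not DM1's own process or script). The tenant name, the departing user's sign-in address and the manager's address are placeholders, and it assumes the Microsoft Graph, Exchange Online and SharePoint Online PowerShell modules are installed and the person running it is a Microsoft 365 administrator.

```powershell
# Added example, not DM1's script: same-day offboarding in the three steps named above,
# plus session revocation and a written record. All three addresses below are placeholders.
param(
    [Parameter(Mandatory)] [string] $UserUpn,     # departing staff member, e.g. jane.doe@example.com
    [Parameter(Mandatory)] [string] $ManagerUpn,  # person who takes over the mailbox and files
    [Parameter(Mandatory)] [string] $TenantName   # "contoso" for contoso.onmicrosoft.com
)
$ErrorActionPreference = 'Stop'

# 1. Disable the account and revoke every active session. Disabling alone leaves
#    already-issued tokens valid until they expire, so revoke them as well.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome
Update-MgUser -UserId $UserUpn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $UserUpn | Out-Null

# 2. Preserve the mailbox. Converting it to a shared mailbox before the licence is
#    removed keeps the mail without a licence; an unlicensed user mailbox is otherwise
#    deleted after the retention window. Forward new mail so client replies are not lost.
Connect-ExchangeOnline -ShowBanner:$false
Set-Mailbox -Identity $UserUpn -Type Shared
Set-Mailbox -Identity $UserUpn -ForwardingAddress $ManagerUpn -DeliverToMailboxAndForward $true

# 3. Reassign files. The user's OneDrive URL is derived from the sign-in address
#    ("@" and "." become "_"); the manager is made an admin of that site so the
#    files can be reviewed and moved into SharePoint before the account is deleted.
$oneDriveUrl = "https://$TenantName-my.sharepoint.com/personal/" + ($UserUpn -replace '[@.]', '_')
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Set-SPOUser -Site $oneDriveUrl -LoginName $ManagerUpn -IsSiteCollectionAdmin $true

# Record what was done, when and by whom, so the offboarding itself is auditable.
$record = [pscustomobject]@{
    Timestamp = (Get-Date).ToString('o')
    User      = $UserUpn
    DoneBy    = (Get-MgContext).Account
    Actions   = 'account-disabled;sessions-revoked;mailbox-shared;mail-forwarded;onedrive-delegated'
}
$record | Export-Csv -Path '.\offboarding-log.csv' -Append -NoTypeInformation
$record
```

Licence removal can follow once the mailbox has been converted to shared; doing it in the other order risks losing the mailbox.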
What Does a Proper Backup Actually Mean?
Backup is one of those things most businesses assume is sorted until the day they actually need it. By then it is too late to fix. Here is what proper backup looks like in plain English.
What a backup actually is
A backup is a separate copy of your data stored in a different location. If your primary storage is lost, corrupted or encrypted by ransomware, the backup is what you restore from. A backup that lives on the same device or network as the original data is not a real backup — ransomware will encrypt both at the same time.
The 3-2-1 rule in plain English
The standard recommendation for business data backup is: keep 3 copies of your data, on 2 different types of storage, with 1 copy stored somewhere physically separate from your office. Cloud storage plus an offsite backup achieves this. Local-only storage achieves none of it.
Testing your backup matters as much as having one
A backup that has never been tested is not a backup you can rely on. DM1 has seen businesses discover on the day they needed to restore data that their backup had been silently failing for months. A backup should be tested periodically to confirm that files can actually be recovered from it.
For more detail on backup and disaster recovery, see our Backup & Disaster Recovery page.
What Are You Required to Do if Something Goes Wrong?
Data management is not just about preventing problems — it is also about being able to respond correctly if something does go wrong. Australian law has specific requirements about what you must do if client data is exposed or stolen.
If client data is exposed, you must report it
Under the Notifiable Data Breaches Scheme, if your business suffers an incident that exposes personal information and is likely to cause serious harm to the people affected, you are legally required to notify both the affected individuals and the Australian Information Commissioner within 30 days of becoming aware of it.
You cannot notify affected individuals if you do not know whose data was exposed. You cannot demonstrate reasonable steps if you have no security tooling. Both of these things require proper data management to be in place before an incident occurs.
The penalties are significant and went up in 2024
The Privacy and Other Legislation Amendment Act 2024 increased civil penalties for specific Privacy Act breaches to up to $62,600 per incident. From June 2025, individuals have the right to take direct legal action against a business for serious invasions of privacy.
For regulated industries — healthcare, legal, financial services, real estate — additional sector-specific obligations may also apply. See our Privacy Act & Compliance page for the full detail.
How DM1 Manages This for Perth Businesses
Data management is not a project with a start and end date — it is an ongoing part of running a business properly. DM1 handles it as part of the managed IT relationship, so business owners and office managers do not need to track it themselves.
What DM1 sets up for new clients
- SharePoint and OneDrive for Business configured with appropriate folder structure and access permissions
- Staff access set by role — people can only see what they need
- Offboarding process established so departing staff access is removed immediately
- Retention policies configured so data is kept for the required period and cannot be accidentally deleted
- Backup verified and tested — not just assumed to be working
- Audit logging enabled so there is a record of who accessed what and when
What DM1 manages ongoing
- New staff onboarded with the right access from day one
- Departing staff removed promptly with mailbox and files handled correctly
- Backup status monitored — failures flagged before they become a crisis
- Access permissions reviewed periodically as the business changes
- Microsoft 365 retention and compliance settings kept current
- Advice on any changes to data obligations that may affect your business
Why DM1?
DM1 has been supporting Perth small businesses since the 1970s. We are an authorised Microsoft CSP partner and we manage Microsoft 365 environments — including SharePoint, OneDrive, retention policies and access controls — across clients in healthcare, legal, financial services, retail and other industries. When data management questions come up, we give straightforward answers based on practical experience, not theoretical frameworks.
Not Sure How Well Your Business Data Is Being Managed?
Call DM1 on (08) 6202 6012 or send a message. We will tell you where your gaps are and what it would take to sort them out — no obligation, no jargon.
