Storing Employee Records for 7 Years: Where Fair Work Meets Cyber Security
Australian employers must keep employee records for 7 years — but the Fair Work rule is only half the job. Here's the secure-storage, access-control and backup side most businesses miss, and why it's a legal risk if you get it wrong.
Senior Workplace Relations Writer · GradDip Employment Relations, Griffith University
How long must Australian employers keep employee records?
Under the Fair Work Act 2009 (sections 535 and 536), employers must keep employee and pay records for seven years. The records must be in a legible form, in English, and readily accessible to a Fair Work Inspector on request. This applies to current and former employees — the seven-year clock keeps running after someone leaves.
The records that must be kept include: employee and employer details, pay rate and gross/net amounts, hours worked (for casuals and part-timers on penalty/loading rates), leave balances and leave taken, superannuation contributions and the fund, and how employment ended. Pay slips must also be issued within one working day of payment.
The bit most employers miss: where those records actually live
The Fair Work rule tells you how long and what — it doesn't tell you the part that trips businesses up: where and how those records are stored. Seven years of payroll and HR data — tax file numbers, bank details, superannuation, sometimes health and disciplinary information — is some of the most sensitive personal information an employer holds. Yet in a lot of small businesses it sits in an unencrypted shared drive, on a former bookkeeper's laptop, or in an email inbox, with no access controls and no tested backup.
Doing the storage half properly means: records held in encrypted, access-controlled storage (so only the right people can open them); role-based permissions rather than a folder everyone can see; and tested, offsite backups so a ransomware hit, a hardware failure or a departing staffer doesn't wipe seven years of evidence.
Why poor storage is a legal risk, not just an IT one
This matters beyond neatness. In an underpayment dispute, if you can't produce the records, the burden of proof effectively flips onto you — the Fair Work Act lets a court accept the employee's version of hours and pay where the employer failed to keep or produce compliant records. Lost or inaccessible records turn a defensible position into an indefensible one.
And the same files are a data-breach liability: a leak of payroll data (TFNs, bank accounts) can trigger obligations under the Notifiable Data Breaches scheme and real reputational damage. So the storage decision is simultaneously a Fair Work compliance decision and a cyber-security decision.
Getting the storage half right
A practical baseline: move HR and payroll records into a properly permissioned system (for most Australian businesses that's Microsoft 365 / SharePoint or an equivalent), lock down who can access each folder, turn on encryption and audit logging, and set up backups you've actually tested a restore from. Keep the retention clock in mind — you need to be able to produce any record from the last seven years, quickly and legibly.
The Fair Work half is straightforward to get right (that's what this site is for). The IT half — encrypted, access-controlled, backed-up storage that a regulator or a court would accept — is where a lot of employers need a hand. If that's you, our IT partner Frontrow Tech sets up secure Microsoft 365 storage and tested backups for Australian businesses. General information only — not legal advice; confirm anything specific with the Fair Work Ombudsman or a qualified professional.
Try these free tools
Official resources
Have a workplace question?
Got a specific situation this article didn't cover? Ask our workplace advisor.
General information and estimates only — not legal, financial or tax advice. Always check your specific award, agreement or contract, or a qualified professional, before you rely on the result.
Related articles
Step-by-step guide if your employer isn't paying super. How to check via myGov, report to the ATO, and what enforcement powers exist for unpaid super.
Can My Employer Change My Roster Without Notice? (Know Your Rights)Your employer must give 7 days' notice for roster changes under most awards. Here's when you can say NO — plus what to do if they change your hours without asking.
Payslip Requirements Australia — What Your Employer MUST Include (Checklist)Australian payslips must include 12 mandatory items or your employer faces fines up to $19,800 per violation. Full checklist: ABN, gross/net pay, super, tax withheld, leave balances, and more. Free 30-second compliance checker.
Being Bullied at Work? Here's What to Do (Step-by-Step Guide)If you're experiencing workplace bullying in Australia, you have legal protections. Step-by-step: how to document it, report it, apply for a stop bullying order, and get help.
Nine years in Australian workplace relations — Queensland hospitality HR, then retail ER in Brisbane and Northern NSW. Graduate Diploma in Employment Relations (Griffith University, 2018). Writes about award interpretation, underpayment recovery, and casual conversion. Member of the AHRI since 2019. Based in Paddington, Brisbane.
Recommended partners
Free tools surface the issue. Our partners help you solve it.
Authorised Employment Hero Partner
Employment Hero
Australian HR, payroll, rostering and award interpretation in one platform. Used by 300,000+ businesses. Fixes the underlying payroll/compliance issues our calculators surface.
Best for: SMEs that have outgrown spreadsheet payroll or want automated award interpretation.
See Employment HeroHR support partner
Liquid HR
Senior, hands-on HR support for your toughest workforce challenges — performance and conduct, grievances and mediation, redundancy and change. Liquid HR picks up where the technology ends.
Best for: employers and individuals who need a human HR professional to guide a workplace situation, not just a calculator.
Talk to Liquid HRIT, Microsoft & cyber partner
Frontrow Tech
Microsoft 365, Copilot rollouts, Essential Eight, Privacy Act 2026 and board-level cyber compliance for Australian SMBs. Where pay and HR end, your data and IT obligations begin.
Best for: SMBs running on Microsoft 365, anyone hitting cyber/privacy compliance, boards wanting an outside read on IT risk.
See FrontrowRecommended partners — we only recommend partners we've vetted as a good fit for Australian workplaces. Some partnerships help fund the free tools on this site.