Record-keeping obligations for Australian law firms
Australian law firms must keep accurate and complete records of every client matter, trust transaction and professional decision. The Legal Profession Uniform Law, trust accounting rules and Solicitors' Conduct Rules all impose record-keeping duties, and the Privacy Act governs how those records must be stored and disposed of.
Coverage
Every Australian law practice — from sole practitioners to incorporated legal practices and large firms — together with in-house legal teams that hold client matter records.
Legal basis
Legal Profession Uniform Law and Legal Profession Uniform General Rules 2015; Australian Solicitors' Conduct Rules; Privacy Act 1988 (Cth); state-based evidentiary and limitation legislation; AML/CTF Act 2006 (Cth) where applicable.
The obligations
Maintain a client matter file for every retainer
Open and keep a dedicated matter file recording instructions, advice, correspondence and key decisions for every client engagement.
Record costs disclosure and bills
Keep copies of every costs disclosure, updated disclosure, costs agreement and bill on the relevant matter file.
Keep trust accounting records for seven years
Retain trust receipts, cash books, ledgers, reconciliations and supporting bank records for at least seven years from the last entry.
Retain file notes of advice and key conversations
Make contemporaneous file notes of substantive advice, instructions and conversations with clients, opponents, courts and regulators.
Store records securely
Protect paper and electronic records against unauthorised access, loss and tampering using reasonable physical, technical and organisational controls.
Respect client ownership of the file
Recognise that the client is generally entitled to their file at the end of the retainer, subject to any lien for unpaid costs and exceptions at common law.
Apply minimum retention periods
Keep closed client files for a period consistent with limitation periods and regulatory requirements — typically seven years, longer for estates and children's matters.
Dispose of records responsibly
When records reach the end of their retention period, dispose of them in a way that protects confidentiality — for example, secure shredding or certified digital destruction.
Support electronic records with audit trails
Where files are kept electronically, ensure metadata, version history and access logs show when and by whom records were created and changed.
Keep records needed to defend a claim
Retain material likely to be relevant to a professional indemnity claim, tax review or regulatory investigation for the full limitation period.
What happens if you do not comply
Inadequate records can lead to disciplinary action, adverse inferences in court, loss of costs on assessment, professional indemnity claims and regulator findings of systemic failure.
Reporting requirements
Records must be produced on request to the state Legal Services Commissioner, external trust examiners, courts under subpoena, and the OAIC in the event of a data breach investigation.
What firms should do today
- Adopt a written records management policy with minimum retention periods by matter type
- Standardise file opening and closing checklists so every matter captures the same core records
- Use an electronic document management system with version control and access logs
- Schedule annual destruction runs for files past their retention period and record what was destroyed
- Back up records to Australian-hosted infrastructure and test restores at least annually
Compliance with Quillio
Quillio supports record-keeping by preserving file notes, drafts and AI-assisted summaries on Australian-hosted infrastructure, with full audit trails of who generated what and when. See /resources/security.
This guide is general information about record-keeping obligations only — not legal or compliance advice. Retention periods depend on matter type, client instructions and limitation periods and should be confirmed for individual files.