Every time Claude drafts a client email, summarises a contract, or produces a compliance memo, it creates a record. Most Australian businesses treat those outputs as disposable chat history. The law does not. If an AI output informs a decision, forms part of a customer file, or supports a financial statement, it can fall under the same retention obligations as any other business record.
Getting this wrong is costly in two directions. Keep too little, and you cannot defend a decision when a regulator or a customer asks how it was reached. Keep too much, in the wrong place, and you widen your exposure under the Privacy Act every year the data sits there. A Sydney firm that has to reconstruct six months of AI-assisted advice from scattered logs can spend $45,000 in staff time and legal review before it answers a single question. The point of a retention policy is to make that question cheap to answer.
What counts as a record when Claude is involved
A useful way to think about it: the record is not just the answer on screen. When an AI output does real work in your business, five things travel together, and any of them may need to be kept.
The prompt and context supplied to Claude, which often contains personal or commercial information
The output Claude produced, in the form it was actually used
Any human edits, sign-off, or approval applied before the output was relied on
The model version and the date, so the output can be interpreted correctly months later
Basic metadata: who ran it, when, and for which client or matter
If you only save the final answer, you lose the ability to show a reviewer that a person checked it. That human-in-the-loop trail is frequently the difference between a defensible process and an indefensible one. It also matters for accuracy disputes: when a customer challenges an outcome, being able to show the exact input and the version that produced it turns a vague argument into a factual one.
What Australian law actually requires
There is no single AI-records statute. Instead, existing rules apply to the output based on what it is used for, and several run in parallel.
Australian Privacy Principle 11 under the Privacy Act 1988 asks you to take reasonable steps to protect personal information and to destroy or de-identify it once it is no longer needed. An AI transcript full of customer detail that lingers for years is a live risk, not a harmless archive. Penalties for serious or repeated breaches now reach into the tens of millions of dollars for a body corporate, so redundant retention is a real liability rather than a filing quirk.
The Corporations Act and ASIC require financial records to be kept for seven years. If Claude helped prepare a reconciliation, a board paper, or an audit response, the working output that fed that record inherits the same clock. The ATO expects most tax records to be held for five years, and Fair Work requires employee records for seven. APRA-regulated entities carry the extra weight of CPS 234, which treats information security as a board-level duty.
There is also the Notifiable Data Breaches scheme to consider. If an AI log holding personal information is exposed, you may have to notify the affected people and the regulator within a tight window. Every extra copy of that data you have kept beyond its useful life is one more place a breach can originate, and one more thing to search when you are counting who was affected.
Public sector and government-adjacent work adds another layer: state records legislation in New South Wales, Victoria, and Queensland sets its own minimum retention schedules that override any casual delete-after-30-days habit.
A retention model that fits AI outputs
The practical answer is not to keep everything forever, and not to wipe chat logs each week. It is to classify AI outputs the same way you already classify documents, then apply the matching schedule.
Transient: brainstorming, drafts that were never used, throwaway questions. Keep for days, then delete. This shrinks your Privacy Act footprint.
Operational: outputs that shaped a customer interaction or an internal decision. Keep alongside the matter or account file, usually for the life of the relationship plus a buffer.
Regulated: anything touching financial statements, tax, employment, or advice given to a client. Keep for the statutory period of five to seven years, with the prompt, edits, and approval attached.
The classification only works if the storage location is decided in advance. An output that lives in an individual employee's chat history is effectively lost the day they leave. Regulated outputs belong in the same system as the record they support, so the retention clock and the access controls are inherited automatically rather than managed by hand.
A governance rule this simple can be enforced without a large platform. Many firms spend $120,000 a year on document management tools and still cannot say where their AI outputs live. The fix is usually a clear policy and a consistent filing habit, not more software.
Where to start
Pick one workflow where Claude already does meaningful work, such as client advice or contract review, and decide which of the three tiers its outputs belong to. Write down the retention period, where the output is stored, and what human check sits in front of it. That single documented decision does more for your defensibility than a company-wide policy nobody follows.
If you would like a hand mapping your AI outputs to the right Australian retention rules, we can walk through it together.



