What the NSW Digital Records Guideline means for you.

Written By Geoff Mann

What the new NSW digital records guidelines mean for your firm

In October 2025, the Law Society of NSW published updated guidelines for the management and storage of digital documents. They are worth reading in full. They set out clear, practical expectations for any firm holding client files in digital form.

They also point to something larger. How a firm holds a closed file is becoming a question of systems, not just storage. That direction applies well beyond NSW.

What the guidelines actually say

The guidelines are practical rather than abstract. The main points:

  • A client document can be electronic or paper. The client is entitled to the original format. If a firm digitises and the client later wants the original back, the firm keeps a copy at its own cost.

  • The conduct rules require client documents to be kept for at least seven years after a matter ends, unless the client or legislation requires otherwise.

  • To store original documents electronically, the firm needs the client's consent. A clause in the retainer is the clean way to record it.

  • Scanned files must be searchable. A flat image of a page is not enough where text access is needed.

  • Wills, deeds and other safe custody documents are the exception. They must not be digitised or destroyed. They stay in their original form, with a separate safe custody register.

The guidelines then go further than the individual file. They ask firms to maintain a Record Retention Policy, a Disaster Recovery Plan and a Data Breach Response Plan. They expect access controls, audit logs, encryption, staff training, and a review at least every twelve months.

Retention is a lifecycle, not a folder

Read those requirements together and a pattern appears. The guidelines do not treat retention as a single task. They treat it as a connected lifecycle.

A file is captured, stored so it can be found, access controlled, tracked through its life, then destroyed on time and only when allowed. Alongside that sits the firm's wider obligation to be ready when something goes wrong.

This is the useful shift in how to think about the topic. Storage is where a file sits. Governance is whether the firm can account for it. Most firms can store well. Fewer can account well, and the difference only shows up when a file is tested.

That test rarely arrives on a quiet day. It tends to arrive as a client asking to see the personal information held about them, as a regulator asking what happened to a file from several years ago, or as a security incident where the first question is what was in the archive and who could reach it.

Storage is where a file sits. Governance is whether the firm can account for it.

Where firms tend to get caught

The same gaps appear across firms of every size:

  • Scanned files saved as images rather than searchable text. When a request lands, the page that matters cannot be found.

  • Closed matters spread across shared drives, old devices and personal cloud folders. No single source, and no reliable audit trail.

  • No record of destruction. A file is gone, but nothing shows it was destroyed correctly, or that destruction was permitted at that point.

  • Safe custody documents pulled into a bulk digitisation project by mistake. A will should never be in that batch.

  • A retention policy that exists as a document but not as a working practice.

None of these are failures of effort. They are gaps in the system around the files.

Practical steps a firm can take

The guidelines themselves are a good checklist. A few priorities stand out for most firms:

  • Review the retainer and costs agreement so client consent to digital storage, and the return position on original documents, is recorded clearly.

  • Make sure scanning produces searchable text, with metadata preserved and files saved in stable formats such as PDF/A for finalised documents.

  • Separate safe custody documents from any digitisation or destruction process, and keep the safe custody register current.

  • Hold closed matters in one controlled archive with role based access and audit logging, rather than across multiple ad hoc locations.

  • Set a retention period at the point a matter closes, and keep a record when a file is destroyed at the end of it.

  • Treat the Record Retention Policy, Disaster Recovery Plan and Data Breach Response Plan as live documents, reviewed at least once a year.

A firm that has these in place can usually do the things the guidelines care about without drama. Find any file quickly. Show who accessed what and when. Apply and run a retention period. Destroy on time with a record that it was done properly. Respond to a privacy request or an audit with evidence rather than guesswork.

Some of this can be managed in house. Some firms use a dedicated system for closed matter governance. File Republic's Compliance Studio is one example, built to hold closed matters in a searchable, access controlled archive with configurable retention and certified destruction. It sits alongside the practice management system rather than replacing it. Whichever route a firm takes, the underlying point is the same.

The takeaway

The NSW guidelines are not really about scanning. They describe what good practice now looks like for the full life of a closed file, from capture to destruction.

The honest test for any firm is simple. If a closed matter were questioned tomorrow, by a client, a regulator or an auditor, could the firm account for it cleanly. That is worth checking on a quiet day, before the question arrives.

This article is general information, not legal advice. Firms should consider their own circumstances and the current Law Society of NSW guidance.

 

Geoff Mann
Next

File Republic achieves Cybercert SMB1001 Gold