
Can CA firms keep old ITR files, PAN copies and bank statements forever under DPDPA?


Most CA firms are sitting on years of old client data.

ITR files, PAN copies, Aadhaar copies, bank statements, Form 16, GST records, TDS workings, payroll files, KYC documents, audit papers and financial statements are often stored across Gmail, Google Drive, WhatsApp, desktops, laptops, pen drives, hard disks and physical files.

This has been normal practice for years.

The reason is understandable.

A CA firm may need old records for tax notices, reassessment, audit reference, client queries, professional defence, continuity of service and future assignments.

So the instinct is simple:

Keep everything. Delete nothing. We may need it someday.

But DPDPA creates a conflict.

If personal data was collected for a specific purpose, can it be kept forever after that purpose is over?

If a client has moved to another consultant, should all old PAN, Aadhaar, bank statements and WhatsApp attachments still remain with the previous CA firm?

If an article assistant or employee had access to old client folders and later leaves the firm, who is responsible for that data?

If old client documents are lying in personal phones, shared drives, email attachments and backup disks, is a privacy policy enough protection?

This is the real struggle for CA firms.

On one side, we have statutory, audit, and professional retention requirements.

On the other side, we have DPDPA expectations around purpose, consent, reasonable safeguards, data principal rights and responsible handling of personal data.

So the practical question is not whether CA firms should delete everything.

That would be unrealistic.

What should be retained, for how long, where, by whom, and under what control?

The resolution may be a basic retention and deletion framework for CA firms.

At a minimum, every firm may need to define:

1. Which client documents must be retained due to tax, audit, or professional requirements
2. Which personal data is no longer required after the assignment is completed
3. How long PAN, Aadhaar, bank statements, salary slips, and KYC documents should be kept
4. Whether old WhatsApp and email copies should be deleted after moving documents to a controlled folder
5. Who in the firm can access old client records
6. What happens when staff, interns, or article assistants leave
7. How ex-client records should be reviewed
8. How physical files, hard disks, and backups should be destroyed or archived
9. Whether retention terms should be included in engagement letters
10. How client correction, deletion, or access requests should be handled

This is not only a legal compliance issue.

It is also an internal control, client trust, and professional risk management issue.

A CA firm may have a privacy policy, but if old client data is lying indefinitely across Gmail, WhatsApp, Google Drive, laptops, and physical files without retention logic, the real risk remains.

So I wanted to ask fellow professionals:

How are CA firms practically handling old client data under DPDPA?

Are firms:

- Keeping all records permanently?
- Defining retention periods?
- Cleaning old client folders?
- Reviewing ex-client data?
- Deleting WhatsApp copies after use?
- Restricting access to old records?
- Adding retention clauses in engagement letters?
- Waiting for more clarity?

Would appreciate practical views from CAs, tax consultants, audit firms and compliance professionals.

Replies (2)
Quick Summary
CA firms often retain client records for tax, audit, and legal purposes, but DPDPA requires data to be kept only for valid purposes and with safeguards. Firms should implement retention policies, restrict access, securely archive records, and delete unnecessary data after retention periods expire.

DPDPA does not require CA firms to delete everything — it requires them to retain data with a legal basis, for a defined period, with proper safeguards, and delete it after the purpose/statutory period ends. The firms most at risk are those with no retention policy at all — not those with defined, legally backed retention schedules.

Absolutely, client data should not be stored "just in case" for all eternity in CA firms. The principles of the Digital Personal Data Protection (DPDP) indicate that the storage of personal data should be limited to the duration necessary to fulfill the purpose for which it has been collected or to meet legal and/or professional obligations. If there is no specific purpose in retaining the data, this indefinite retention can present compliance challenges.

Simultaneously, companies are not expected to delete everything right after the end of an assignment. Records are required to be held for tax assessment, audit, litigation, defence, regulation and for servicing clients. It's important that there is a retention policy, a set of rules that defines what, how long, who, and when, and it is documented.

One method for achieving this would be:

  • Have a retention schedule in place for ITRs, audit files, KYC papers and working papers.
  • Limit access to previous client information.
  • Delete unnecessary copies from WhatsApp, personal devices or email attachments after appropriate archival.
  • Add a data retention and privacy statement to engagement letters.
  • Review and safely dispose of records that no longer need to be stored on a regular basis.

It's not really about holding on to data, it's about holding on to data forever with no legitimate legal or professional reason, and no proper safeguards.

