Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in New Zealand, you probably collect more information than you realise. Customer details, invoices, CCTV footage, staff records, website analytics, email lists, support tickets, delivery addresses - it adds up fast.
That's where data retention comes in. Keeping information for the right amount of time can protect your business, help you meet legal obligations, and make day-to-day operations smoother. But keeping data for too long (or in the wrong way) can create privacy risk, increase the impact of a data breach, and lead to avoidable compliance issues.
Below, we'll break down what data retention means in practice, what the Privacy Act 2020 expects, and the common record-keeping obligations that apply to NZ businesses - plus a practical way to set up a retention approach that fits your business.
What Is "Data Retention" (And Why Should Small Businesses Care)?
Data retention is the practice of keeping business information (including personal information) for a defined period of time, then securely deleting or de-identifying it when you no longer need it.
When we say "data", we don't just mean files sitting on a laptop. It might include:
- Customer data: names, contact details, purchase history, delivery addresses, support messages.
- Employee data: payroll, bank details, performance notes, medical certificates, immigration/visa checks (where applicable).
- Marketing data: email subscribers, lead forms, consent records, advertising audiences.
- Operational data: invoices, bank statements, contracts, supplier information.
- Digital data: website logs, IP addresses, user accounts, app analytics.
- Security data: CCTV footage, access logs, incident reports.
There are two big reasons retention matters for small businesses:
- Legal compliance: some records must be kept for minimum time periods (for example, tax and employment records).
- Risk management: the more personal information you keep, the more you have to protect - and the bigger the fallout if something goes wrong.
A simple way to think about it is: keep what you need, for as long as you need it, and no longer.
How The Privacy Act 2020 Affects Data Retention
Even if you're not a "tech company", the Privacy Act 2020 will likely apply to your business if you collect or hold personal information (information about an identifiable individual).
From a retention perspective, one principle is especially important: you should not keep personal information for longer than you need it.
Not Keeping Information Longer Than Necessary
The Privacy Act expectations are practical: if you no longer need personal information for the purpose you collected it for, you should take reasonable steps to delete it or anonymise it (so it can't be linked back to a person).
For example:
- If a customer asks for a quote but never becomes a customer, you may not need to retain their full enquiry history indefinitely.
- If you collected copies of ID for a specific verification purpose, you should have a clear plan for how long you'll keep it and when it will be securely destroyed.
- If CCTV footage exists for security purposes, you might only need it for a short rolling window unless an incident occurs.
This is one reason having a clear retention schedule is so useful - it helps you show you're being intentional rather than just accumulating data "just in case".
Data Retention And Privacy Policies
Most small businesses don't need a 20-page compliance manual - but you do need to communicate clearly with customers and users about what you collect and why. A properly drafted Privacy Policy is often the place where you explain, at a high level, how you handle and store personal information (including how long you generally keep it and how it's disposed of).
If your business model involves collecting more sensitive information (for example, health information, detailed location data, or identity documents), it's worth getting advice on how specific your retention disclosures should be.
Storage, Security, And Minimising Retention Risk
Data retention is closely tied to security. If you keep information you don't need, you're increasing your "attack surface" - meaning there's simply more that could be exposed in a breach.
Good retention practices tend to go hand-in-hand with:
- limiting staff access (only people who genuinely need the data should access it)
- locking down devices and accounts
- controlling who can download/export customer lists
- securely wiping devices before disposal
- having a plan if something goes wrong
For many businesses, it's also sensible to formalise your internal security expectations in an Information Security Policy and staff rules for systems and devices in an Acceptable Use Policy.
Access Requests: You Need To Find What You Hold
Under the Privacy Act, individuals can request access to personal information you hold about them (and in some cases request correction). That's much easier to handle when you know exactly where your data lives and how long it's kept.
Many businesses use a process document or template to manage these requests consistently, such as an Access Request Form.
Practical tip: if you can't locate information efficiently (because it's scattered across inboxes, personal devices, and old spreadsheets), that can quickly become a compliance headache.
What Other NZ Laws Create Record-Keeping Obligations?
The Privacy Act is only one piece of the puzzle. Your data retention obligations also come from other laws and regulators, depending on how your business operates.
Because record-keeping rules can differ by industry and situation, it's smart to treat the points below as a starting point - and then get tailored advice for your business.
Tax And Inland Revenue (IRD) Record-Keeping
Most businesses need to keep tax-related records (for example, invoices, receipts, bank statements, GST and PAYE records) for a minimum period. This often includes records that contain personal information (customer names, employee details, contractor invoices).
As a general rule, Inland Revenue can require businesses to keep tax records for at least 7 years (for example, under record-keeping requirements in tax legislation). The exact period and what counts as a "tax record" can vary depending on your circumstances and the type of record.
From a retention perspective, the key takeaway is:
- Some records must be retained even if you'd prefer to delete them, because they're legally required for tax purposes.
This is why a one-size-fits-all rule like "delete everything after 12 months" can backfire. Data retention needs categories.
Note: this section is general information only and isn't tax or accounting advice. If you're unsure what you must keep (and for how long), speak to your accountant/bookkeeper or check Inland Revenue guidance.
Employment Record-Keeping
If you have staff, you'll usually hold significant personal information - and you may have legal obligations to keep certain employment records.
Common examples include:
- wage and time records (often required to be kept for at least 6 years)
- leave records (often required to be kept for at least 6 years)
- KiwiSaver and payroll deductions
- signed employment terms
- health and safety incident records (where relevant)
It's also worth thinking about where you store employment records. If managers are keeping performance notes in personal email folders or on private devices, that can create privacy and process risk.
Getting the basics right early (including a clear Employment Contract and consistent HR processes) makes employment record-keeping much easier to manage as your team grows.
Health And Safety Records
If you're managing a workplace (especially one with physical risk), you might retain records such as incident reports, hazard registers, training logs, and contractor documents. These can include personal information - for example, details about injuries or health conditions.
From a privacy perspective, the more sensitive the information, the more careful you should be about:
- limiting access
- secure storage
- clear retention timeframes
- secure destruction
Industry-Specific Rules (If You're In A Regulated Space)
Some businesses have extra retention obligations due to sector regulation (for example, financial services, health services, education providers, or businesses handling controlled products).
If you're in a regulated industry, the best approach is usually to:
- identify your regulators and key obligations early
- map what records you create in your customer journey
- build retention rules into your systems rather than relying on memory
How Do You Set Up A Practical Data Retention Policy For Your Business?
A good data retention setup doesn't need to be complicated - it just needs to be consistent, realistic, and aligned with how you actually run your business.
Here's a straightforward, small-business friendly way to do it.
Step 1: List The Types Of Data You Collect
Start with a simple inventory. For most businesses, you can group data into buckets like:
- customer and sales records
- marketing leads and subscriber lists
- support tickets and communications
- supplier and contractor records
- employee records
- security/CCTV
- website/app data
This step is important because retention rules are rarely "one timeframe fits all".
Step 2: Match Each Data Type To A Purpose (And A Legal Need)
For each bucket, ask:
- Why do we collect it? (the business purpose)
- Do we have to keep it under another law? (record-keeping obligations)
- How long do we realistically need it? (customer service, disputes, warranties, chargebacks, etc.)
Example: you may keep invoices to meet tax requirements, but you might not need to keep full customer support chat logs forever.
Step 3: Create A Simple Retention Schedule
A retention schedule is basically a table that says:
- Data type
- Where it's stored (Xero, email inbox, CRM, shared drive, hard copy filing cabinet)
- Retention period (the timeframe you'll keep it)
- Action at end (delete / anonymise / archive securely)
- Owner (who is responsible)
Don't stress if you can't perfect it on day one. A workable schedule you actually follow is better than an "ideal" schedule nobody uses.
Step 4: Build The Retention Steps Into Your Tools
Policies are great - but systems are what make retention happen in real life.
Depending on what you use, you might implement:
- automatic deletion rules for CCTV after a rolling period
- archiving rules for old email inboxes
- CRM automation to delete stale leads after a defined time
- permissions so only certain staff can export customer lists
- scheduled cleanup of shared drives
This is also where internal training matters. If your team doesn't know what to keep (and what not to keep), your retention plan won't stick.
Step 5: Plan For Secure Disposal (Not Just "Delete")
"Deletion" can mean different things depending on the system. If you're dealing with sensitive personal information, you should think about secure disposal, including:
- secure deletion rather than just moving files to a recycle bin
- shredding hard copy documents
- wiping devices before disposal or resale
- checking what happens to data in backups
Backups are a common blind spot. You may delete a record from your main system, but it might still exist in a backup for months. That's not automatically "wrong", but you should understand it and take reasonable steps to manage it.
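Steps 1 to 5 above describe one procedure: inventory the data, tie each type to a purpose and any legal minimum, write the schedule, and then let a system (not memory) apply it. The script below is an added example, not code from Sprintlaw or any tool named above; it models the five-column schedule from Step 3 and decides what happens to each record. All data types, retention periods, locations, owners and sample records are constructed for illustration, and the periods are placeholders rather than statements of what the law requires. It also shows two things the text singles out: a legal hold (an open incident or dispute) that stops deletion regardless of the schedule, and the split between legally required and optional records from "Mistake 2".

```python
"""Retention schedule enforcement (added example; not Sprintlaw's code).

Models the schedule described in Step 3 (data type, where stored, retention
period, action at end, owner) and applies it to records. Every category,
period, location and record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Action(Enum):
    DELETE = "delete"
    ANONYMISE = "anonymise"
    ARCHIVE = "archive securely"


@dataclass(frozen=True)
class RetentionRule:
    data_type: str
    location: str           # e.g. accounting system, CRM, CCTV recorder
    keep_days: int          # retention period, counted from the record's creation date
    action: Action          # what happens when the period ends
    owner: str              # who is responsible for carrying out the action
    legally_required: bool  # True = a minimum period is set by another law


# Constructed schedule: the periods are illustrative placeholders, not legal advice.
SCHEDULE = {
    "invoice":        RetentionRule("invoice", "accounting system", 7 * 365, Action.ARCHIVE, "Finance", True),
    "wage_record":    RetentionRule("wage_record", "payroll", 6 * 365, Action.ARCHIVE, "HR", True),
    "marketing_lead": RetentionRule("marketing_lead", "CRM", 365, Action.DELETE, "Marketing", False),
    "support_chat":   RetentionRule("support_chat", "helpdesk", 2 * 365, Action.ANONYMISE, "Support", False),
    "cctv_clip":      RetentionRule("cctv_clip", "CCTV recorder", 30, Action.DELETE, "Ops", False),
}


@dataclass
class Record:
    record_id: str
    data_type: str
    created: date
    legal_hold: bool = False  # e.g. a CCTV clip tied to an incident, or a live dispute


def decide(record, today):
    """Return (action_name, reason) for one record against the schedule.

    Records on legal hold are never actioned. Records with no matching rule are
    flagged for review so the schedule gets extended instead of the data being
    silently kept forever (the "just in case" problem).
    """
    rule = SCHEDULE.get(record.data_type)
    if rule is None:
        return ("review", f"no retention rule for '{record.data_type}'")
    if record.legal_hold:
        return ("hold", "legal hold / open incident: do not delete")
    expiry = record.created + timedelta(days=rule.keep_days)
    if today < expiry:
        return ("keep", f"retain until {expiry.isoformat()} (owner: {rule.owner})")
    return (rule.action.value, f"period ended {expiry.isoformat()} (owner: {rule.owner})")


def run_schedule(records, today):
    """Apply decide() to every record; returns {record_id: (action, reason)}."""
    return {r.record_id: decide(r, today) for r in records}


def rules_by_category():
    """Split the schedule into legally required vs optional data types."""
    required = sorted(r.data_type for r in SCHEDULE.values() if r.legally_required)
    optional = sorted(r.data_type for r in SCHEDULE.values() if not r.legally_required)
    return required, optional


# Constructed sample records and a fixed "today" so the run is reproducible.
AS_OF = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("inv-001", "invoice", date(2020, 3, 1)),
    Record("lead-042", "marketing_lead", date(2024, 1, 15)),
    Record("chat-9", "support_chat", date(2023, 6, 1)),
    Record("cam-7", "cctv_clip", date(2025, 1, 1), legal_hold=True),
    Record("cam-8", "cctv_clip", date(2025, 1, 1)),
    Record("misc-1", "old_spreadsheet", date(2019, 1, 1)),
]

if __name__ == "__main__":
    required, optional = rules_by_category()
    print("legally required:", required)
    print("optional:", optional)
    for rid, (action, why) in run_schedule(SAMPLE_RECORDS, AS_OF).items():
        print(f"{rid:10} {action:18} {why}")
```

Running it lists the two categories, then one line per record: the 2020 invoice is kept (its seven-year period has not ended), the stale lead is deleted, the old support chat is anonymised, the CCTV clip on hold is left alone while its sibling clip is deleted, and the record with no rule is flagged for review. In practice the "delete" and "anonymise" outcomes would be wired to the tool that holds the data, and the backup copies mentioned above need their own entry in the schedule, since this run only sees the primary system.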
Common Data Retention Mistakes (And How To Avoid Them)
Most data retention problems aren't caused by bad intentions - they happen because a business grows quickly and the admin doesn't keep up.
Here are some common issues we see, and what to do instead.
Mistake 1: Keeping Everything "Just In Case"
This is one of the biggest drivers of privacy risk. If you keep personal information forever, you're increasing what could be exposed in a data breach, and you may be retaining information longer than necessary under the Privacy Act.
Better approach: decide what you truly need for operations, legal compliance, and dispute management - and delete the rest on a schedule.
Mistake 2: Not Separating "Personal Information" From Business Records
Some records are legally required (like tax records), but other personal information is optional (like old marketing leads).
Better approach: use categories. Your retention schedule should clearly separate:
- legally required records
- commercially useful records
- nice-to-have records (often the first to delete)
Mistake 3: Storing Customer Data Across Random Places
If customer information lives in staff inboxes, personal phones, spreadsheets, DMs, and shared drives, it becomes very hard to manage access, retention, and privacy requests.
Better approach: pick a "source of truth" system (even a basic CRM) and train staff to keep key records there.
Mistake 4: No Plan For Data Breaches
Even with strong security, incidents can happen (phishing emails, lost devices, hacked passwords). If you hold personal information, you should think ahead about your response steps.
A documented Data Breach Response Plan can help you act quickly, reduce harm, and meet any notification obligations (where required).
Mistake 5: DIY Policies That Don't Match What You Actually Do
Copy-paste policies are risky because they often promise practices you don't follow (for example, claiming you delete all customer data after 30 days when you retain it for years in accounting software).
Better approach: use plain-English policies tailored to your operations, your tools, and your legal obligations.
Key Takeaways
- Data retention means keeping information for a defined period, then securely deleting or anonymising it when it's no longer needed.
- The Privacy Act 2020 expects you to avoid keeping personal information longer than necessary, and to take reasonable steps to protect what you hold.
- Other laws (especially tax and employment obligations) may require you to keep certain business records for minimum periods, even if they include personal information.
- A practical retention setup usually includes a data inventory, a retention schedule, and system-based processes (not just a document sitting in a folder).
- Common risks include keeping everything "just in case", storing data across random systems, and not having a clear deletion/disposal process (including for backups).
- Clear documentation like a Privacy Policy, an Information Security Policy, and a Data Breach Response Plan can help you stay consistent and reduce compliance risk as you grow.
If you'd like help setting up a data retention approach that fits your business (including privacy documentation and practical compliance processes), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.