Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you probably collect more personal information than you realise. Customer enquiries, online orders, staff records, CCTV footage, email marketing lists, support tickets - it all adds up quickly.
At some point, you’ll need to ask: how long should we keep this personal data? Keeping information “just in case” can feel sensible, but under privacy law, it can actually create risk.
This is where personal data retention under the New Zealand Privacy Act 2020 becomes important. The Privacy Act doesn’t usually give you one simple timeframe (like “delete everything after X years”). Instead, it gives you a clear principle: don’t keep personal information longer than you need it.
Below, we’ll break down what the law expects, practical retention timeframes (including other NZ laws that affect how long you must keep certain records), and how to set up a retention process that’s realistic for a busy business.
What Does The Privacy Act 2020 Say About Personal Data Retention?
Under the Privacy Act 2020, the key rule for personal data retention is found in Information Privacy Principle 9 (IPP 9) (often referred to as the “retention principle”). In plain English, it means:
- Don’t keep personal information for longer than you need it for the purpose you collected it.
- Once you no longer need it, you should securely delete it or de-identify it (if you still need the information in a non-identifiable form).
This is important because “personal information” is broad. It’s basically information about an identifiable individual. For a small business, that could include:
- names, emails, phone numbers, addresses
- customer order history
- IP addresses and device identifiers (often personal information in context)
- CCTV footage where individuals are identifiable
- recorded customer calls
- employee HR files
Why The Privacy Act Cares About Keeping Data Too Long
Holding onto personal data creates ongoing responsibility. The longer you keep it, the more likely you’ll face issues like:
- data breaches (old databases still get hacked)
- unnecessary access requests (you may have to search and produce records you didn’t need to keep)
- privacy complaints if someone finds out their data is still sitting in your systems without a good reason
From a business perspective, good retention practices aren’t just about compliance - they’re also about reducing risk, cutting storage clutter, and making your systems easier to manage.
“How Long” Isn’t A Single Number
The tricky part is that IPP 9 doesn’t say “keep personal information for 2 years” or “keep it for 7 years”. Instead, you need to work out what is necessary based on:
- why you collected the information in the first place
- how long you genuinely need it to deliver services or administer the relationship
- what other laws require you to keep (or destroy) certain records
- your ability to justify the timeframe if questioned later
In practice, the best approach is to create a documented “retention schedule” that covers your main data types.
How Long Should You Keep Different Types Of Personal Data?
Most small businesses have a mix of legal obligations. The Privacy Act pushes you to delete data when it’s no longer needed, but other laws may require minimum retention periods. So you’ll often land on a rule like “keep at least X years (because we must), but not longer than needed”.
Below are common retention categories and typical NZ timeframes. These are general guidelines only - the right answer depends on your business, contracts, industry rules, and risk profile. Where another law sets a specific minimum retention period, you should check the legislation (or get advice) to confirm what applies to you.
Customer Order And Invoice Records
If you sell goods or services, you usually need to keep sales records for accounting and tax purposes. While the Privacy Act focuses on “no longer than necessary”, tax and accounting obligations often mean you must retain records for a minimum period.
- Typical timeframe: commonly around 7 years for many business tax and accounting records, but the exact requirement depends on what records you’re keeping and which rules apply to your business.
- Privacy tip: if you only need parts of the record (e.g. invoice totals but not delivery instructions), consider redacting or de-identifying after a period.
Customer Enquiries And Leads (Including Website Forms)
If someone fills in a contact form but never becomes a customer, you generally don’t have a strong reason to keep their details forever.
- Typical timeframe: 3–12 months (often enough to manage follow-ups and avoid re-contacting people who already said no).
- Privacy tip: if you add leads to a marketing list, make sure your messaging and opt-outs align with your marketing compliance settings (your email marketing laws obligations often overlap with privacy expectations).
Email Marketing Lists
Marketing lists can be high-risk because they’re easy to keep forever and easy to misuse. Your retention approach should be linked to engagement and consent management.
- Typical timeframe: keep while the person remains subscribed/engaged, plus a short buffer period (e.g. 6–24 months of inactivity) depending on your business and campaign cycle.
- Privacy tip: document how you obtained the email address and when the person last interacted, and prune inactive contacts regularly.
Employee Records (HR Files, Payroll, Leave)
Employment records usually need longer retention because disputes can arise after someone leaves, and other employment laws require certain records to be kept.
- Typical timeframe: some key employment records (like wages, time and leave) are commonly kept for around 6 years, but what you must keep (and for how long) depends on the specific record type and the legal obligations that apply.
- Privacy tip: keep sensitive documents (disciplinary notes, medical certificates) on a strict need-to-know basis and review them before simply carrying them forward year after year.
If you’re onboarding staff, it’s also smart to align what you collect with your Employment Contract and internal policies - collecting “extra” information can make retention harder to justify later.
CCTV Footage And Workplace Monitoring
CCTV is one of the most common “silent” personal data sources in small businesses (retail, hospitality, warehouses, gyms, offices).
- Typical timeframe: often 14–30 days unless you’ve identified an incident that requires longer retention (e.g. theft investigation, accident, complaint).
- Privacy tip: if you’re using cameras, make sure you’re thinking about both the purpose and the retention timeframe upfront - it’s much easier to defend if it’s written into your internal approach (and consistent with guidance on cameras in the workplace).
Call Recordings (Sales And Customer Support)
If you record calls for quality assurance, training, or compliance, the retention period should match that purpose. Keeping recordings forever “just in case” can become hard to justify under IPP 9.
- Typical timeframe: 30–180 days for general quality/training, potentially longer where disputes are common and you genuinely rely on recordings.
- Privacy tip: call recording also raises collection and notice issues, so make sure you’re compliant at the point of collection too (including what’s covered under call recording laws).
Health Information Or “Sensitive” Personal Information
If your business collects health information (even occasionally - for example, medical notes to support a leave request, allergy information for catering, or injury reports), you should be extra cautious. Under the Privacy Act, health information is generally treated as highly sensitive, meaning the risk of harm from keeping it too long can be higher.
- Typical timeframe: depends heavily on why you collected it and any industry rules; if it’s only needed for a short-term purpose, delete it once that purpose is complete.
- Privacy tip: minimise what you collect, store it securely, restrict access, and don’t reuse it for unrelated purposes.
How Do You Decide What “No Longer Than Necessary” Means For Your Business?
For most businesses, the safest way to manage personal data retention under the New Zealand Privacy Act 2020 is to decide retention periods by working backwards from your actual business needs.
A practical decision-making framework looks like this:
Step 1: Map What Personal Data You Collect (And Where It Lives)
You can’t retain or delete properly if you don’t know what you have. Start with a basic list of:
- customer database / CRM
- email inboxes (sales@, support@)
- accounting software
- HR files (cloud drives, HR platforms)
- CCTV systems
- website analytics and logs
- paper files (yes, these still matter)
Step 2: Link Each Data Type To A Clear Purpose
Ask: why did we collect this? If the purpose is vague (“might be useful”), that’s a red flag. Strong purposes are things like:
- to deliver the product or service
- to manage warranties/returns and customer support
- to meet tax and accounting obligations
- to meet employment record obligations
- to investigate incidents or resolve disputes
Step 3: Check Other Legal Retention Rules
The Privacy Act isn’t the only rulebook. Depending on your industry, you might have retention obligations under (for example):
- tax and financial record rules
- employment and leave record rules
- anti-money laundering (AML/CFT) retention rules (if applicable)
- sector-specific professional standards
This is one of the main reasons “how long should we keep data?” is often a legal question, not just an IT question.
Step 4: Choose A Retention Period You Can Explain (And Actually Follow)
Your timeframe should be:
- defensible (you can explain why you need it)
- consistent (applied across the business)
- practical (you can automate it or assign ownership)
Then write it down in a short internal retention schedule and make sure your team knows what happens at the end of each period.
What Should A Data Retention Policy Include?
A retention policy doesn’t need to be long or scary. For many small businesses, a 2–4 page internal document plus a simple retention table is enough to start.
At a minimum, your retention policy should cover:
- what categories of personal data you collect
- the purpose for each category
- where it’s stored (systems, drives, paper files)
- the retention period you’ll apply
- who is responsible for review and deletion
- how you delete or de-identify the data securely
- what happens if there’s a dispute, incident, or legal hold (i.e. a pause on deletion)
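As an added example (not part of this article, and not Sprintlaw’s own tooling), here is how the four-step framework and the policy contents above can be written down as a small script rather than a document that nobody re-reads: each row of the schedule records the category, its purpose, the date the period runs from, the maximum period, any legal minimum another law imposes, what happens at the end (delete or de-identify) and who owns the review, and a legal hold pauses deletion. The category names, the periods (taken from the article’s “typical timeframe” ranges) and the sample records are constructed for illustration only; the periods that apply to your business are the ones you confirm under Step 3.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    """One row of the internal retention schedule (Steps 2 to 4)."""
    category: str
    purpose: str                 # Step 2: why the data was collected
    clock: str                   # "created" or "last_interaction": date the period runs from
    max_days: int                # Step 4: no longer than needed, absent a hold
    min_days: int = 0            # Step 3: minimum another law imposes (0 = none)
    end_action: str = "delete"   # "delete" or "deidentify" at end of period (IPP 9)
    owner: str = "unassigned"    # who reviews and actions deletion

    def __post_init__(self):
        if self.clock not in ("created", "last_interaction"):
            raise ValueError(f"unknown clock {self.clock!r}")
        if self.end_action not in ("delete", "deidentify"):
            raise ValueError(f"unknown end action {self.end_action!r}")
        if self.min_days > self.max_days:
            raise ValueError("a legal minimum cannot exceed the stated maximum")


# Illustrative schedule: periods are placeholders drawn from the article's typical ranges.
SCHEDULE = {r.category: r for r in (
    RetentionRule("invoice", "tax and accounting records", "created",
                  max_days=7 * 365, min_days=7 * 365, end_action="deidentify", owner="finance"),
    RetentionRule("enquiry", "follow up a lead and avoid re-contacting", "last_interaction",
                  max_days=365, owner="sales"),
    RetentionRule("employee_wages", "employment record obligations", "created",
                  max_days=6 * 365, min_days=6 * 365, owner="hr"),
    RetentionRule("cctv", "premises security and incident investigation", "created",
                  max_days=30, owner="operations"),
    RetentionRule("call_recording", "quality assurance and training", "created",
                  max_days=180, owner="support"),
)}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    last_interaction: Optional[date] = None
    legal_hold: bool = False     # dispute, incident or complaint pauses deletion


@dataclass(frozen=True)
class Disposition:
    action: str    # "keep", "hold", "delete", "deidentify" or "unmapped"
    owner: str
    reason: str    # the explanation you would give if questioned (Step 4: defensible)


def disposition(record: Record, today: date) -> Disposition:
    rule = SCHEDULE.get(record.category)
    if rule is None:
        # Step 1: every data type must be mapped before it is retained further.
        return Disposition("unmapped", "unassigned", "no schedule row for this category")
    start = record.created
    if rule.clock == "last_interaction" and record.last_interaction is not None:
        start = record.last_interaction
    age = (today - start).days
    if record.legal_hold:
        return Disposition("hold", rule.owner, "legal hold in place; deletion paused")
    if age < rule.min_days:
        return Disposition("keep", rule.owner, f"within legal minimum of {rule.min_days} days")
    if age < rule.max_days:
        return Disposition("keep", rule.owner, f"still needed for: {rule.purpose}")
    return Disposition(rule.end_action, rule.owner,
                       f"{age} days old, past the {rule.max_days}-day limit for: {rule.purpose}")


def review(records, today: date) -> dict:
    """Run the schedule over every record; returns {record_id: Disposition}."""
    return {r.record_id: disposition(r, today) for r in records}


# Constructed sample records (not real data) and a fixed review date for the run below.
REVIEW_DATE = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("inv-1", "invoice", date(2017, 1, 15)),
    Record("inv-2", "invoice", date(2020, 3, 1)),
    Record("enq-1", "enquiry", date(2024, 1, 10), last_interaction=date(2024, 3, 5)),
    Record("enq-2", "enquiry", date(2025, 1, 10)),
    Record("cctv-1", "cctv", date(2025, 4, 1), legal_hold=True),
    Record("cctv-2", "cctv", date(2025, 5, 20)),
    Record("call-1", "call_recording", date(2024, 10, 1)),
    Record("misc-1", "shared_spreadsheet", date(2019, 6, 1)),
]

if __name__ == "__main__":
    for rid, d in review(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(f"{rid:8} {d.action:11} owner={d.owner:11} {d.reason}")
```

Run it as a scheduled review: the owner column tells you who actions each “delete” or “deidentify”, the reason column is the written justification, and anything marked “unmapped” is a data source you found in Step 1 but never gave a purpose or a period.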
Make Sure Your External Privacy Statements Match Reality
Your public-facing statements (like your website privacy policy) should be consistent with what you actually do behind the scenes. If your policy says you delete enquiry data after 12 months, but you keep it indefinitely in your inbox, that’s a problem.
For many businesses, this is where a properly drafted Privacy Policy is helpful, because it forces you to be clear about your collection, use, storage and disclosure practices in a way customers can understand.
Cookies And Analytics Still Count
Retention doesn’t just apply to “obvious” data like names and phone numbers. If you use cookies and analytics tools, you should think about:
- what data is collected via cookies
- how long it remains identifiable
- what settings you can shorten (or anonymise)
It often makes sense to align this with your Cookie Policy approach so your compliance story is consistent.
How Do You Securely Delete Or Dispose Of Personal Information?
Deleting data isn’t just dragging a file to the recycle bin. Under the Privacy Act, you’re expected to take reasonable steps to protect information from misuse, loss, and unauthorised access - and that includes during disposal.
Practical disposal steps include:
- Digital records: use secure deletion processes, remove user access, and check backups/archives where feasible.
- Cloud tools: confirm whether “deleted” data is retained in an archive and for how long, and adjust settings where possible.
- Paper records: shred or use secure document destruction services (especially for HR and financial records).
- Devices: wipe or destroy storage media before disposal or resale.
Have A Plan For Data Breaches
Even with strong retention habits, data incidents can happen. A retention policy reduces what’s at risk, but you still need a clear response process if something goes wrong.
For many small businesses, it’s worth having a data breach response plan in place so you can act quickly and meet any notification obligations.
What If Someone Asks You To Delete Or Access Their Data?
Retention isn’t only about what you want to keep - it’s also about how you respond to individuals’ rights under the Privacy Act.
Access Requests And Corrections
People can request access to their personal information and ask for corrections. That means the longer you keep personal data, the more you might have to search through (including archived emails and legacy systems).
Having a consistent process (and someone internally assigned to manage it) makes a big difference. Some businesses use an Access request form to help capture requests clearly and manage timeframes.
“Can They Force Us To Delete Everything?”
In many cases, if you still need the information for a lawful purpose (for example, tax record requirements, defending a legal claim, or completing a contract), you may be able to retain it - but you should be careful and get advice if you’re unsure.
This is where tailored privacy advice can save you a lot of headaches, especially if the request is tied to a complaint, a dispute, or a sensitive situation.
Key Takeaways
- Under the Privacy Act 2020 (IPP 9), you should not keep personal information longer than necessary for the purpose you collected it.
- There’s usually no single “magic number” for retention - you need a retention schedule that reflects your actual business needs and any other legal retention obligations.
- Common categories like invoices, customer records, employee records, CCTV, and call recordings all tend to have different retention timeframes, and you should document what you’ve chosen and why.
- A workable retention policy should cover what you collect, why you collect it, how long you keep it, where it’s stored, and how you securely delete it.
- Secure disposal matters - retention and deletion are both part of good privacy compliance, and they help reduce breach risk.
- Strong retention practices also make it easier to respond to privacy access/correction requests without scrambling through old systems.
If you’d like help setting up a data retention approach that fits your business (and aligns with the Privacy Act 2020), we’re happy to help. You can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.
Business legal next step
When should you formalise this?
If you collect customer data, sell online or run marketing campaigns, your public terms and privacy documents should match the real customer journey.