Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you probably collect more information than you realise.
Customer orders, invoices, email enquiries, CCTV footage, staff files, payroll records, website analytics, support tickets - it all counts as “data” in one way or another. And once you have it, you need to know how long you’re allowed (or required) to keep it, how to store it safely, and when you should delete it.
That’s where New Zealand data retention requirements come in. There isn’t one single “data retention law” that sets the same time period for all information. Instead, your retention obligations depend on what type of data you’re holding, why you collected it, and which laws apply to your business.
In this guide, we’ll break down what data retention requirements in New Zealand typically look like for small businesses, the key legal principles you need to follow, and practical steps you can take to stay compliant (without drowning in paperwork).
Note: This article is general information only and isn’t tax or accounting advice. Record-keeping rules can vary depending on your circumstances - it’s worth confirming your position with your accountant or adviser.
What Do “Data Retention Requirements” Actually Mean?
In plain terms, data retention requirements are the rules (and best-practice expectations) around:
- What data you should keep (and what you shouldn’t collect at all);
- How long you should keep it (minimum retention periods and sensible limits);
- How you must protect it while you have it (security and access controls); and
- How you should dispose of it when you no longer need it (secure deletion and destruction).
From a business perspective, getting retention right is a balancing act.
Keep records for too short a time, and you may struggle with tax audits, employment disputes, chargebacks, warranty claims, or regulatory requests.
Keep them for too long, and you increase privacy risk (and often security risk too), because you’re holding personal information you no longer need.
So your goal is usually:
- Meet your “must keep” legal obligations (e.g. certain financial or employment records); and
- Follow privacy principles by not retaining personal information longer than necessary.
Which NZ Laws Affect Data Retention For Businesses?
When people search for New Zealand data retention requirements, they’re often expecting a single time period. In reality, your obligations typically come from a few different legal buckets.
The Privacy Act 2020 (Personal Information Retention Principles)
The Privacy Act 2020 is the key law for most small businesses that collect personal information (for example, customer contact details, employee records, IP addresses linked to individuals, or CCTV footage identifying people).
One of the most important retention concepts in New Zealand privacy law is that you shouldn’t keep personal information for longer than you need it for the purpose it was collected for (this is Information Privacy Principle 9 of the Privacy Act 2020).
In other words, retention should be:
- purpose-based (connected to why you collected it); and
- time-limited (reviewed and deleted when it’s no longer required).
This is also why having a clear Privacy Policy matters. It’s often where you explain (at a high level) what information you collect, why, and how you handle it - including retention and deletion practices.
Tax And Financial Record-Keeping Rules
Even if you want to delete everything quickly (for privacy reasons), you can’t - because you’ll usually have separate obligations to keep tax and business records.
In practice, New Zealand businesses commonly need to keep certain business and tax records for at least 7 years (for example, records that support income tax and GST positions). This commonly includes source documents and other information that explains your returns and transactions.
Financial records are often kept to support:
- income tax positions and GST reporting;
- expense claims and deductions;
- invoicing and payment history; and
- audit and dispute resolution.
The key point is that financial records aren’t just “nice to have” - they’re part of running a compliant business. If you’re not sure what applies to your particular business model (or what needs to be kept for the full 7-year period), it’s worth getting accounting and legal advice aligned.
Employment Record Obligations (If You Have Staff)
If you employ staff, you’ll also be creating and storing employment-related records, such as:
- employment agreements;
- time and wage records;
- leave and holiday records;
- performance management documentation; and
- health and safety-related incident records (where relevant).
As a practical baseline, employers are generally expected to keep wage/time and holiday/leave records for at least 6 years (commonly aligned with Holidays Act record-keeping expectations). Depending on the type of record and the risk profile (for example, where there’s an ongoing dispute or investigation), it may be reasonable to keep some employment records longer.
Beyond retention, you should also think about privacy and transparency with staff - for example, what you collect, why, and who can access it. That’s where an Employee Privacy Handbook can be a practical way to set expectations and reduce risk as your team grows.
And of course, it’s much easier to keep clean records when you have properly drafted contracts in place from day one - like an Employment Contract that matches how you actually run your business.
Industry-Specific Rules (Health, Finance, Education, And More)
Some industries have extra retention rules or regulator expectations. For example:
- health providers may have additional obligations around clinical records;
- financial service providers may have retention and audit trail obligations (often tied to licensing and AML processes);
- businesses handling children’s data may face higher expectations on safeguards and governance; and
- businesses operating internationally may need to consider overseas privacy regimes and cross-border contracting.
If your business sits in a regulated space, it’s worth treating your retention plan as part of your compliance system - not a “set and forget” admin task.
How Long Should You Keep Different Types Of Business Data?
There’s no one-size-fits-all answer, but you can usually build a workable retention approach by separating data into categories and setting a clear business reason (and timeframe) for each.
Below are common examples for small businesses. These are general guidance only - exact retention periods can depend on your industry, the nature of the record, and your risk profile.
1) Tax, Accounting, And Transaction Records
These are often the records businesses need to keep the longest, because they support your tax and financial reporting positions. In many cases, you should plan around a minimum 7-year retention period for core tax records.
Examples include:
- invoices, receipts, purchase orders;
- bank statements and reconciliations;
- GST returns and working papers;
- asset purchase and depreciation records; and
- sales reports and payment gateway records.
Tip: if you’re using software platforms, check what gets stored where (and who controls deletion). Data retention isn’t just about what’s in your filing cabinet - it’s also what’s sitting in cloud tools and inboxes.
2) Customer Records And Support History
Customer data often includes personal information, so the Privacy Act principles matter here. You should ask:
- Why do we need this data?
- How long will we realistically use it?
- Is there a legal reason to keep it (e.g. warranties, disputes, chargebacks)?
Examples:
- customer profiles (name, email, phone, address);
- order history;
- support tickets and complaints; and
- refund and return documentation.
A practical approach many small businesses use is to keep identifiable customer records for a set period after the last interaction (or last transaction), then either delete them or anonymise them.
3) Marketing Lists And Email Data
Marketing data is easy to collect and surprisingly easy to mishandle.
If you’re running email marketing campaigns, you should be thinking not only about retention but also consent, unsubscribe functionality, and what your emails say and link to. If this is part of your growth strategy, it’s worth reviewing your practices against email marketing laws so your list-building doesn’t create compliance headaches later.
As a retention point: if someone unsubscribes, you may still need to keep a minimal record (for example, an “unsubscribe suppression list”) so you don’t accidentally re-add them and contact them again.
4) Employee Files And HR Documents
Employee records are often some of the most sensitive information a small business holds (think: bank details, addresses, emergency contacts, performance records, and sometimes health-related info).
Examples include:
- employment agreements and variations;
- payroll records and KiwiSaver information;
- leave and timesheets; and
- disciplinary and performance documentation.
A key risk area here is access. Even if you retain the right records for the right amount of time, you can still run into issues if too many people can see them, or if they’re stored in messy inbox threads.
5) CCTV Footage And Security Logs
CCTV is common for retail, hospitality, warehouses, and shared workspaces - but it creates personal information.
Good practice is usually to:
- retain CCTV footage only for as long as you genuinely need it (often a short window, unless it’s required for an incident investigation);
- lock down access (not everyone on the team should be able to scroll through footage); and
- have a clear process for responding to requests for footage and privacy complaints.
If you do experience a security incident affecting any personal information, having a plan in place makes a huge difference. A data breach response plan can help you act quickly and consistently when it matters most.
How Do You Create A Simple, Compliant Data Retention Policy?
Most small businesses don’t need a 40-page manual - but you do need a clear system that your team can actually follow.
Here’s a straightforward way to build a retention process that supports both compliance and day-to-day operations.
Step 1: Map The Data You Collect (And Where It Lives)
Start with a simple list of:
- what data you collect (customers, staff, suppliers, website users);
- how you collect it (online forms, POS systems, email, phone calls, CCTV);
- where it’s stored (CRM, accounting software, email inboxes, shared drives, paper files); and
- who has access (owners, managers, contractors, third-party providers).
This step is where a lot of businesses find “hidden” retention problems - for example, a team inbox that stores years of ID documents, or a shared Google Drive folder that’s accessible to ex-contractors.
Step 2: Set Retention Periods By Category (And Write Down The Reason)
Next, decide how long you’ll keep each category and why. Your “why” will usually fall into one of these:
- legal requirement (tax, employment, regulated industries);
- contractual requirement (e.g. to manage a warranty, dispute, or service delivery);
- legitimate business need (e.g. customer service history for a reasonable timeframe); and
- security and fraud prevention (e.g. access logs for a set period).
Try to avoid the default setting of “keep it forever”. Under privacy principles, indefinite retention is often hard to justify - and it increases risk.
Step 3: Build Deletion And Archiving Into Your Workflow
A retention policy only works if it turns into real action.
Common approaches include:
- setting calendar reminders for periodic deletion reviews;
- configuring software auto-deletion where possible (for example, mailbox, ticketing and log retention settings), and checking that the rule actually ran rather than assuming it did;
- moving older data into restricted-access archives, with their own deletion date; and
- securely shredding paper files instead of throwing them in the bin.
Step 4: Lock Down Access And Security Controls
Retention and security go hand-in-hand. If you’re keeping data for several years, you need to protect it for several years.
Practical safeguards include:
- role-based access controls (only the right people can access sensitive folders);
- multi-factor authentication (especially for email and cloud storage);
- strong password practices and password managers;
- encrypting devices and using secure backups; and
- documenting your internal standards.
If you want something your team can follow consistently, an Information Security Policy can turn “we should be careful” into actual rules and processes.
Step 5: Manage Third Parties (Cloud Software, Contractors, IT Providers)
Many small businesses outsource key functions - payroll, marketing automation, cloud hosting, analytics, customer support platforms.
Even if you don’t “physically” store the data, you may still be responsible for how it’s handled.
If a third party is processing personal information on your behalf, it’s worth considering a Data Processing Agreement so responsibilities are clear (especially around security, breach reporting, and deletion/return of data when your relationship ends).
Common Data Retention Mistakes (And How To Avoid Them)
Most data retention issues don’t happen because a business is trying to do the wrong thing. They happen because everyone’s busy, systems grow quickly, and nobody wants to be the person who deletes something “just in case”.
Here are some common traps we see.
Keeping Personal Information “Just In Case”
It’s understandable to want a full history of every customer interaction. But if you keep personal information longer than necessary, you’re holding extra risk with no real benefit.
A better approach is to decide:
- what you need to keep in identifiable form; and
- what you can anonymise or delete after a set period.
Storing Sensitive Data In Email Threads
Small businesses often run on email, but email is rarely a good long-term storage system for sensitive information like IDs, bank details, or medical information.
Where possible:
- move documents to a secure storage tool with access controls; and
- delete attachments from inboxes once they’ve been securely stored (and you no longer need them).
Not Having A Clear “Who Does What” When There’s A Breach
If your data is compromised and the breach is likely to cause serious harm to anyone, the Privacy Act 2020 generally requires you to notify the Privacy Commissioner and the affected individuals as soon as practicable.
Trying to build your response plan mid-incident is stressful and risky. Having a data breach notification process mapped out in advance can save you serious time (and reduce the chance of making a mistake under pressure).
Forgetting That “Deleting” Doesn’t Always Delete
Some platforms keep backups, archives, or logs. Some files get copied into multiple systems (CRM + email + accounting software + shared drive).
When you set retention periods, think about:
- where duplicates exist;
- what is backed up automatically;
- how to delete or de-identify data across systems; and
- whether your contracts with providers support deletion/return of information.
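One way to turn Steps 1 to 3 above (the data map, the per-category periods with their reasons, and the deletion workflow) and the duplicate-location point just made into something a script can enforce, as an added example that is not part of the original article or of Sprintlaw’s own material: a small Python retention-schedule evaluator. The schedule, category names, sample records and system names are constructed for illustration; the 7-year and 6-year figures follow the general baselines quoted above, and the remaining periods are assumptions, not legal advice. It implements three points the text makes: the longest applicable obligation wins when one record falls under several, a legal hold (an ongoing dispute or investigation) suspends expiry, and the deletion plan lists every system holding a copy, backups included.

```python
"""Retention-schedule evaluator (illustrative example, not legal advice)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Step 2: one entry per category, each with a period, the event the period
# runs from, what happens at expiry, and the written-down reason.
# Constructed for this example; periods other than the 7/6-year baselines
# are assumptions.
SCHEDULE = {
    "tax_record":        dict(years=7, anchor="created",          action="delete",    reason="legal: income tax / GST records"),
    "wage_time_record":  dict(years=6, anchor="created",          action="delete",    reason="legal: wage, time and holiday records"),
    "customer_profile":  dict(years=2, anchor="last_interaction", action="anonymise", reason="business: support history"),
    "marketing_contact": dict(years=1, anchor="last_interaction", action="suppress",  reason="business: marketing; keep suppression entry only"),
    "cctv_footage":      dict(days=30, anchor="created",          action="delete",    reason="security: incident review window"),
}


def expiry_date(anchor: date, rule: dict) -> date:
    """Anchor date plus the rule's period; whole years are added calendar-wise."""
    if "days" in rule:
        return anchor + timedelta(days=rule["days"])
    try:
        return anchor.replace(year=anchor.year + rule["years"])
    except ValueError:  # anchor was 29 Feb and the target year is not a leap year
        return anchor.replace(year=anchor.year + rule["years"], day=28)


@dataclass
class Record:
    """One row of the Step 1 data map."""
    record_id: str
    categories: list          # one record can carry several obligations
    created: date
    last_interaction: date
    locations: list           # every system that holds a copy (CRM, inbox, backup ...)
    legal_hold: bool = False  # ongoing dispute or investigation


@dataclass
class Decision:
    record_id: str
    verdict: str              # "retain", or the schedule action once expired
    governing: str            # category (or "legal_hold") that decided it
    expires: Optional[date]   # None while a legal hold applies
    actions: list = field(default_factory=list)  # (location, action) pairs


def evaluate(record: Record, today: date) -> Decision:
    if record.legal_hold:
        return Decision(record.record_id, "retain", "legal_hold", None)
    unknown = [c for c in record.categories if c not in SCHEDULE]
    if unknown:  # never delete on a guess: an unmapped category is a policy gap
        raise ValueError(f"{record.record_id}: no schedule entry for {unknown}")
    # The longest obligation wins: an invoice that is also a customer record
    # stays for the tax period even after the customer-service reason lapses.
    expiries = []
    for cat in record.categories:
        rule = SCHEDULE[cat]
        anchor = record.created if rule["anchor"] == "created" else record.last_interaction
        expiries.append((expiry_date(anchor, rule), cat))
    expires, governing = max(expiries)
    if today < expires:
        return Decision(record.record_id, "retain", governing, expires)
    action = SCHEDULE[governing]["action"]
    # Step 3: act in every location, backups included, or it is not really gone.
    return Decision(record.record_id, action, governing, expires,
                    [(loc, action) for loc in record.locations])


def retention_plan(records: list, today: date) -> dict:
    return {r.record_id: evaluate(r, today) for r in records}


def sample_records() -> list:
    """Constructed sample inventory; identifiers and systems are made up."""
    return [
        Record("INV-2017-0042", ["tax_record", "customer_profile"],
               date(2017, 3, 1), date(2017, 3, 1),
               ["accounting", "crm", "email-archive", "backup"]),
        Record("CUST-8891", ["customer_profile"],
               date(2021, 5, 10), date(2022, 1, 15), ["crm", "support-desk"]),
        Record("CUST-7720", ["customer_profile", "marketing_contact"],
               date(2020, 8, 1), date(2024, 11, 30), ["crm", "mailing-list"]),
        Record("EMP-0007-wages", ["wage_time_record"],
               date(2019, 7, 1), date(2019, 7, 1), ["payroll", "shared-drive"],
               legal_hold=True),
        Record("CAM-3-2025-05-01", ["cctv_footage"],
               date(2025, 5, 1), date(2025, 5, 1), ["nvr"]),
    ]


if __name__ == "__main__":
    for d in retention_plan(sample_records(), date(2025, 6, 15)).values():
        print(d.record_id, d.verdict, d.governing, d.expires, d.actions)
```

Run it and the 2017 invoice is marked for deletion in all four systems (the tax period governed, not the shorter customer-service one), the 2022 customer is anonymised, the still-active customer and the wage record under hold are retained, and the month-old CCTV clip is deleted. Adding a category to a record that is missing from the schedule raises an error rather than silently keeping or deleting it, which is the "write down the reason" rule from Step 2 enforced in code.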
Key Takeaways
- There isn’t one single rule for data retention requirements in New Zealand - your obligations depend on the type of data you hold and which laws apply to your business.
- The Privacy Act 2020 generally expects you to avoid keeping personal information for longer than you need it, so “keep everything forever” is rarely a good idea.
- Many businesses still need to keep key records for longer periods for tax, accounting, and employment reasons (for example, core tax records are commonly kept for at least 7 years, and wage/holiday records are commonly kept for at least 6 years).
- A practical retention policy starts with mapping what you collect, where it’s stored, who can access it, and then setting timeframes by category with a clear reason.
- Retention and security go together - if you keep data for years, you need good access controls, clear internal processes, and a plan for dealing with breaches.
- Third-party providers can create retention and privacy risk, so it’s worth documenting responsibilities and deletion expectations in your contracts.
If you’d like help putting the right data retention and privacy protections in place - including your Privacy Policy, internal security documents, or supplier agreements - you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.