NZ Privacy Act: When Can Businesses Delete Personal Information?

By Alex Solo

If you run a small business, you’re probably collecting personal information all the time - customer orders, enquiries, invoices, delivery addresses, CCTV footage, mailing lists, job applications, staff files, and more.

At some point, you’ll hit the practical question: when can (or should) we delete this information? And just as importantly, when must we keep it?

This is where data deletion rules under the NZ Privacy Act matter. In New Zealand, deletion isn’t just an IT tidy-up - it’s part of your legal compliance under the Privacy Act 2020.

Below, we’ll break down how deletion works under New Zealand privacy law, what to do when someone asks you to delete their information, and how to set up a simple, defensible approach as your business grows.

What Does The Privacy Act 2020 Say About Data Deletion?

The Privacy Act 2020 doesn’t use the same language as the GDPR “right to be forgotten”, but it does set clear expectations about how long you can keep personal information.

The key concept for data deletion under the NZ Privacy Act is found in the Information Privacy Principles (IPPs) - especially Information Privacy Principle 9 (IPP 9), the principle that covers retention.

The “Don’t Keep It Longer Than You Need” Rule

In plain terms, the Privacy Act says your business should not keep personal information for longer than it’s required for the lawful purpose you collected it for.

So if you collected personal information to:

  • deliver a product,
  • provide a service,
  • respond to an enquiry,
  • process a job application, or
  • manage an employment relationship,

…then once that purpose is finished (and you no longer have a good reason to keep it), you should be thinking about deleting it or de-identifying it.

Deletion Is Part Of “Security” Too

Data deletion isn’t just about retention - it’s also closely tied to your duty to keep personal information safe. The longer you store personal information, the more time there is for something to go wrong (like unauthorised access, staff error, or a cyber incident).

That’s why good deletion practices often sit alongside your overall privacy compliance documents, like a Privacy Policy and internal processes that explain how your team handles personal information day-to-day.

When Can Your Business Delete Personal Information?

Most small businesses want a simple rule like: “We can delete customer data after X months.”

In reality, the answer depends on why you collected the information and what obligations you have to keep it. That said, there are some common situations where deletion is usually appropriate.

1. When You No Longer Need It For The Purpose You Collected It

This is the core Privacy Act idea: once the purpose is done, you shouldn’t keep information “just in case”.

Examples might include:

  • Enquiries: a potential customer emails you for a quote but never proceeds - you may not need that email chain forever.
  • Bookings: if your booking is completed and there’s no dispute, some supporting documents may be deletable after a sensible period.
  • Unsuccessful job applicants: if you don’t hire someone, you usually don’t need to keep their CV indefinitely.

2. When You Can Use De-Identified Data Instead

Sometimes you want to keep information for internal business reasons (like reporting, forecasting, or improving your service), but you don’t actually need it to be tied to an identifiable person.

In those cases, you might be able to de-identify or anonymise the data - for example, keeping sales totals but removing names, emails, phone numbers, and addresses.

Be careful here: “de-identified” only helps if you’ve genuinely removed the ability to reasonably identify the person. If the data can still be linked back (even indirectly), it may still be personal information.

3. When Someone Withdraws Consent

Many businesses collect and use information based on consent - for example, adding people to a marketing mailing list.

If someone withdraws consent, you should stop using their information for that purpose. Whether you should delete it will depend on whether you still have a lawful reason to keep it (for example, you may need to keep some records for account management, legal compliance, or to show you’ve actioned the opt-out). In many cases, it makes sense to delete the marketing record or, alternatively, keep only what you need on a suppression list so you don’t accidentally market to them again.

This is also where your marketing compliance and privacy compliance overlap (for example, email marketing rules and unsubscribe obligations).

4. When Keeping It Creates More Risk Than Value

Small businesses often build up “data clutter” across tools: spreadsheets, inboxes, CRMs, booking platforms, cloud drives, and staff laptops.

If you’re holding personal information you don’t actively need, you’re taking on avoidable risk - including a higher chance you’ll face a privacy complaint or a notifiable privacy breach.

Having a written plan (and training your team on it) helps, and if you want something practical to build from, a Data Breach Response Plan is often a helpful companion document to your retention/deletion policy.

When Shouldn’t You Delete Personal Information (Even If You Want To)?

Deletion isn’t always the safest legal choice. In some cases, deleting personal information too early can create real problems - especially if you later need records to prove what happened.

Here are some common situations where you may need to keep information for longer.

1. When Another Law Requires You To Keep It

The Privacy Act doesn’t override every other law. Your business may have retention requirements under other regimes, such as:

  • Tax and accounting record-keeping (often a multi-year retention period, depending on the record type)
  • Employment-related record expectations (for example, wage and time records)
  • Industry-specific rules (for example, regulated financial services, health services, or other compliance-heavy industries)

Tax and record-keeping requirements can be technical and fact-specific - so it’s a good idea to check relevant IRD guidance and/or speak to your accountant. If you’re unsure what privacy law requires (and how to align it with your other obligations), it’s worth getting tailored Privacy Advice so your deletion policy doesn’t accidentally conflict with other rules.

2. When You Need It To Manage A Complaint, Dispute, Or Debt

Imagine this: a customer disputes a charge, claims a product wasn’t delivered, or says your advertising was misleading.

If you’ve deleted key records (like emails, invoices, delivery confirmations, or call logs), you may struggle to respond properly - and you may be exposing yourself to unnecessary legal risk.

A practical approach is to build “hold” rules into your system, such as:

  • do not delete data linked to an open complaint or dispute
  • extend retention if a refund request is escalated
  • keep records while debt recovery action is ongoing

3. When The Information Is Still Needed For Ongoing Customer Service Or Warranty Purposes

If you sell products or provide ongoing services, you may need some information to:

  • process returns or warranty claims,
  • provide support, or
  • manage subscription renewals.

The key is being clear about what you actually need and for how long - rather than keeping everything forever.

4. When It’s High-Risk Or Highly Sensitive Information (Extra Caution Required)

Not all personal information carries the same risk. Some types of information are more likely to cause serious harm if misused (for example, health information, biometrics, or identity documents).

If your business handles higher-risk data, your deletion and security standards need to be tighter - and you should be especially careful about access controls, disposal methods, and staff training.

If you want to sanity-check whether the information you collect is likely to be treated as higher risk, the concept of sensitive personal information is a useful place to start.

What If Someone Asks You To Delete Their Information?

This is where many small businesses feel stuck. A customer says “please delete everything you have about me” - and you’re not sure whether you have to comply.

Under New Zealand law, individuals have strong rights to:

  • access their personal information, and
  • request correction of their personal information.

They don’t have an absolute, standalone “right to deletion” in the same way as some overseas regimes. But in practice, a deletion request is often a signal that you should review:

  • whether you still need the information for a lawful purpose, and
  • whether keeping it creates unnecessary risk.

A Practical Way To Respond (Without Panicking)

When you receive a deletion request, a sensible process usually looks like this:

  1. Confirm what the person is asking for (all data? marketing only? account history?).
  2. Identify what personal information you hold across systems (email, CRM, accounting, booking tools, cloud storage).
  3. Check whether you must keep any of it (tax, disputes, employment obligations, etc.).
  4. Delete what you can and keep what you must - but limit access and document why you retained it.
  5. Reply clearly to the requester explaining what you deleted and what you retained (and why).

If you want your team to handle these requests consistently (especially if you receive them more than once in a blue moon), an Access Request Form can be a simple way to standardise the intake process and reduce back-and-forth.

Do You Need To Delete Information From Backups Too?

This is a common and tricky issue. In many systems, backups are created automatically, and “deleting” something from the live system doesn’t always erase it instantly everywhere.

A practical approach is usually to:

  • delete from active systems as a priority,
  • make sure backups are protected and only accessed/restored when genuinely necessary, and
  • set backup retention limits so older backups are overwritten or expire within a reasonable timeframe.

In other words, you’re generally aiming for reasonable, practical steps that reduce the likelihood of unnecessary retention, rather than guaranteeing immediate removal from every historical backup copy.

How Do You Set Up A Simple Data Retention And Deletion Process For Your Business?

Most privacy issues we see don’t come from bad intentions - they come from unclear systems. People save everything because it feels safer, but it can quietly increase your risk.

Here’s a practical, small-business-friendly way to build a deletion process that aligns with NZ Privacy Act expectations.

Step 1: Map The Personal Information You Collect

You can’t delete what you can’t find. Start by listing the categories of personal information your business collects, such as:

  • customer contact details
  • delivery addresses
  • payment-related records (note: you should be careful about storing card details)
  • support tickets and emails
  • marketing list details
  • CCTV footage (if applicable)
  • employee records

Also note where it lives (Google Drive, Xero exports, Shopify, email inboxes, HR software, paper files, etc.).

Step 2: Assign A Retention Period To Each Category

This doesn’t have to be perfect on day one. The goal is to be able to explain your approach and show it’s connected to your real business needs and legal obligations.

For each category, ask:

  • Why did we collect it?
  • How long do we actually need it?
  • Is there another law that requires retention?
  • Do we need it to respond to disputes or warranty claims?

Step 3: Decide Whether To Delete, De-Identify, Or Archive

Not every record needs the same treatment. Common options include:

  • Delete (securely remove from systems and storage)
  • De-identify (keep business insights, remove identifiers)
  • Archive (restrict access, keep only for legal/defensive purposes)

If you do archive information, access control matters. Archived personal information should not be accessible to the whole team “because it’s easier”.
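To show how Steps 1 to 3 fit together with the "hold" rules from the disputes section and the five-step response to a deletion request, here is an added Python example. It is not code from Sprintlaw or from the original article: the retention periods, record categories, system names and sample records are all constructed placeholders (the periods are not legal advice for any record type), and the function names are hypothetical. Each decision carries a written reason, which is the "document why you retained it" part of the process.

```python
"""Retention-schedule evaluator (added example, not from the original article).

Decides delete / de-identify / archive / retain for each record, honours legal
holds, and records a reason for every decision. Retention periods below are
constructed placeholders, not legal advice for any record type."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Direct identifiers removed when a record is de-identified (constructed list).
IDENTIFIERS = {"name", "email", "phone", "address"}


@dataclass
class Rule:
    keep_days: int           # how long after the purpose ends the record is needed
    on_expiry: str           # "delete", "deidentify" or "archive"
    basis: str               # why this period was chosen (for the written schedule)
    mandatory: bool = False  # True when another law or a dispute requires retention


# Step 2: one rule per category. Placeholder periods; set yours from your own obligations.
SCHEDULE = {
    "enquiry": Rule(90, "delete", "quote not taken up; no ongoing purpose"),
    "order": Rule(365, "deidentify", "returns/support window, then sales statistics only"),
    "invoice": Rule(2555, "archive", "tax record-keeping; confirm period with IRD guidance", mandatory=True),
    "job_application": Rule(180, "delete", "unsuccessful applicants not retained"),
}


@dataclass
class Record:
    id: str
    category: str
    system: str                       # Step 1: where the record lives
    purpose_ended: date               # when the collection purpose was completed
    data: dict
    holds: set = field(default_factory=set)   # e.g. {"open dispute", "debt recovery"}


@dataclass
class Decision:
    record_id: str
    action: str
    reason: str
    data: dict                        # what remains after the action


def deidentify(data: dict) -> dict:
    """Keep business fields, drop direct identifiers. This alone does not prove the
    person is no longer reasonably identifiable (a rare value plus a small town can
    still link back), so treat the result as a candidate, not a guarantee."""
    return {k: v for k, v in data.items() if k not in IDENTIFIERS}


def decide(rec: Record, today: date, requested: bool = False) -> Decision:
    """Apply holds first, then the schedule. A deletion request lets non-mandatory
    records be actioned early; mandatory records are kept, with the reason written down."""
    if rec.holds:
        return Decision(rec.id, "retain", "hold active: " + ", ".join(sorted(rec.holds)), rec.data)
    rule = SCHEDULE[rec.category]
    expiry = rec.purpose_ended + timedelta(days=rule.keep_days)
    if today < expiry and not (requested and not rule.mandatory):
        return Decision(rec.id, "retain", f"within retention period until {expiry}: {rule.basis}", rec.data)
    if rule.on_expiry == "delete":
        return Decision(rec.id, "delete", rule.basis, {})
    if rule.on_expiry == "deidentify":
        return Decision(rec.id, "deidentify", rule.basis, deidentify(rec.data))
    return Decision(rec.id, "archive", rule.basis + " (restricted access)", rec.data)


def run_schedule(records, today: date):
    """Routine sweep: evaluate every record against the schedule."""
    return [decide(r, today) for r in records]


def handle_deletion_request(email: str, records, today: date):
    """Deletion request: locate the person's records across all systems, delete what
    you can, keep what you must, and return the documented outcome for the reply."""
    mine = [r for r in records if r.data.get("email") == email]
    return [decide(r, today, requested=True) for r in mine]


# Constructed sample records spread across hypothetical systems.
SAMPLE = [
    Record("r1", "enquiry", "inbox", date(2025, 1, 10),
           {"name": "A. Example", "email": "a@example.test", "subject": "quote"}),
    Record("r2", "order", "shop", date(2025, 6, 1),
           {"name": "A. Example", "email": "a@example.test", "total": 120.0, "region": "Wellington"}),
    Record("r3", "invoice", "accounting", date(2025, 6, 1),
           {"name": "A. Example", "email": "a@example.test", "total": 120.0}),
    Record("r4", "order", "shop", date(2025, 9, 1),
           {"name": "B. Example", "email": "b@example.test", "total": 80.0}, holds={"open dispute"}),
]
TODAY = date(2025, 10, 1)

if __name__ == "__main__":
    for d in run_schedule(SAMPLE, TODAY) + handle_deletion_request("a@example.test", SAMPLE, TODAY):
        print(f"{d.record_id}: {d.action:10} {d.reason}")
```

In the routine sweep the old enquiry is deleted, the recent order and the invoice stay within their periods, and the disputed order is held regardless of its age. When the same person asks for deletion, the order is de-identified early (no legal reason to keep the identifiers), while the invoice is retained because its rule is marked mandatory, and the reason string is what goes into the reply.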

Step 4: Train Your Team (Especially If Multiple People Handle Customer Data)

Even the best policy won’t help if your team doesn’t know how to follow it.

If you have staff handling customer and employee information, it can help to document internal privacy expectations (including what can be stored, where, and for how long). Many businesses cover this in an internal handbook-style document like an Employee Privacy Handbook.

Step 5: Have A Plan For “Accidental Retention” And Incidents

Sometimes personal information sticks around because it’s duplicated across systems, forwarded in emails, exported into spreadsheets, or stored on personal devices.

Build in controls where you can, and make sure your business has a clear internal process for handling privacy incidents and near-misses. A Privacy Incident Response Plan can be a practical tool here, even if you’re not a large organisation.

Key Takeaways

  • Under the Privacy Act 2020 (IPP 9), you generally shouldn’t keep personal information for longer than you need it for the lawful purpose you collected it for.
  • You can often delete personal information once a transaction, service, enquiry, or recruitment process is complete - as long as you don’t need the information for a real business purpose or legal obligation.
  • Be careful about deleting information too early if you may need it for record-keeping, disputes, warranty issues, or other compliance requirements (and for tax retention, check IRD guidance and/or your accountant).
  • Individuals in NZ don’t have an absolute “right to deletion” like some overseas regimes, but deletion requests should prompt you to reassess whether you still need the data and how you can minimise risk.
  • A simple retention schedule (what you collect, why you collect it, where it’s stored, and when you delete it) makes privacy compliance much easier to manage as your business grows.
  • Strong privacy compliance usually involves more than deletion - it includes clear documentation, staff training, and incident response planning.

If you’d like help setting up privacy processes, responding to an access/deletion request, or reviewing what your business should keep versus delete, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
