Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business, paperwork (and digital “paperwork”) has a habit of piling up fast. Invoices, contracts, employee files, customer details, supplier emails, board minutes - it adds up.
That’s where a clear records retention policy comes in. A good retention policy tells your team what records to keep, where to store them, how long to keep them for, and how to dispose of them safely when the time comes.
Done properly, a records retention policy helps you stay compliant with New Zealand laws, respond to disputes or audits, protect customer privacy, and avoid the risk of holding onto documents longer than you should.
What Is A Records Retention Policy (And Why Does Your Business Need One)?
A records retention policy is a written set of rules that explains:
- what business records you collect and store (paper and digital);
- how you store them (including security controls);
- how long you keep each type of record (your “retention periods”);
- who is responsible for maintaining, archiving, and deleting records; and
- how you destroy records once the retention period ends.
Even if you’re a small operation, having a retention policy is one of those “legal foundations” that protects you from day one. It can help you:
- meet your tax and company record-keeping obligations;
- respond quickly if the IRD asks questions or audits you;
- prove what was agreed if there’s a customer or supplier dispute;
- handle employee issues properly (for example, performance management or termination);
- reduce privacy risk by not storing personal information longer than necessary; and
- keep your systems tidy and efficient, rather than drowning in old documents.
In practice, a retention policy is also a “business hygiene” document. It stops documents being kept inconsistently across inboxes, shared drives, laptops, phones, accounting systems, and physical folders.
What New Zealand Laws Affect Record Keeping And Retention?
New Zealand doesn’t have one single “records retention law” for all private businesses. Instead, your retention obligations depend on what records you’re keeping and why you have them.
Some of the common legal areas that affect a small business retention policy include:
Tax And Accounting Records (IRD Expectations)
If you’re in business, you’ll generally need to keep business and financial records that support your tax position. That includes things like invoices, receipts, expense claims, and GST records (if you’re GST-registered).
These records are important if the IRD reviews your returns, asks for evidence, or audits you.
Note: This article is general legal information and isn’t tax advice. Record-keeping requirements can depend on your circumstances, so it’s a good idea to confirm what you need to keep (and for how long) with your accountant or tax adviser, or by checking IRD guidance.
Company Records (Companies Act Requirements)
If you operate through a company, there are also corporate record-keeping obligations. For example, companies typically need to keep core governance records like:
- directors’ resolutions and shareholder resolutions;
- minutes of meetings;
- share registers and share transfer records; and
- financial statements and accounting records.
This is part of running your company properly and being able to show what decisions were made and when. If you’re still deciding on structure, setting this up cleanly from the start (including where records will live) is often easiest during Company Set Up.
Employment Records
If you have employees, you’ll likely hold sensitive records such as:
- signed employment agreements;
- payroll information, time and wage records;
- leave records (annual leave, sick leave, parental leave);
- performance notes, warnings, and investigation materials; and
- health and safety incidents involving staff.
From a practical standpoint, this is one reason it’s worth having properly drafted Employment Contract templates and consistent HR processes - because your retention policy will need to explain how you store and protect those documents too.
Privacy Act 2020 (Personal Information)
If you collect personal information about customers, clients, employees, or contractors (which most businesses do), the Privacy Act 2020 matters. A retention policy should align with good privacy practice, including:
- only collecting what you need;
- keeping it secure;
- keeping it accurate; and
- not keeping it longer than you need.
For many businesses, your retention policy will work alongside your external-facing Privacy Policy and your internal privacy processes.
Industry-Specific Rules
Depending on what you do, there may be extra rules or expectations around record keeping (for example, health services, financial services, licensed industries, or businesses dealing with regulated products). If you’re unsure, it’s worth getting advice early, because the “standard” retention periods may not be enough for your industry.
Tip: A retention policy isn’t only about keeping documents long enough - it’s also about deleting them when you should. Holding personal information “just in case” can increase privacy and security risk over time.
How Long Should You Keep Business Records In New Zealand?
The right answer depends on the document type and the legal reason you have it. Below is a practical retention schedule many small businesses use as a starting point.
Important: This is general information, not a substitute for advice on your specific situation. If you operate in a regulated industry, have complex shareholding arrangements, or are involved in a dispute, you may need to retain documents for longer.
Common Retention Periods (Practical Starting Point)
- Tax and accounting records: commonly kept for at least 7 years (e.g. invoices, receipts, bank statements, expense claims, GST records, and supporting documents). You should confirm your specific IRD retention obligations with your accountant/tax adviser or IRD guidance.
- Company governance records: often kept for 7+ years, and some core records are effectively kept for the life of the company (e.g. constitutional documents, share records, key resolutions).
- Contracts and commercial agreements: commonly kept for at least 7 years after the contract ends (and sometimes longer if there are warranties, ongoing obligations, or long-tail risk).
- Employee records (pay, time, leave): retention depends on the record type and your risk profile. As a practical baseline, many businesses keep key payroll, time, and leave records for at least 6–7 years after employment ends (particularly where pay and leave calculations may be queried), but you should consider any specific legal requirements that apply to your business.
- Health and safety incident records: there isn’t a single “one size fits all” period. Many businesses keep incident and investigation records for several years as a risk-management measure, and may keep them longer for serious incidents, notifiable events, or where ongoing risk controls need to be tracked. Consider what’s required for your industry and circumstances.
- Customer personal information: keep only as long as you need it for the purpose you collected it (then securely delete or de-identify it).
In plain terms: for many small businesses, 7 years is a common “default” for financial and contractual records, but personal information should be treated more carefully (and often kept for shorter periods).
What About Emails, Messages, And Digital Records?
Your retention policy should cover records no matter what format they’re in. A contract stored in a folder is still a record. So is:
- an email thread agreeing on scope and price;
- a signed PDF stored in an e-sign platform;
- a text message confirming a delivery date;
- customer information in a CRM; or
- staff rosters in a timesheet app.
If a document is evidence of a business decision, a transaction, or a legal obligation, it should be captured in your retention system - not left sitting in someone’s inbox forever.
When Should You Keep Records Longer?
Sometimes, deleting on the “standard” timeline isn’t the best call. You might keep records longer when:
- there’s an ongoing dispute or you reasonably expect one;
- the record relates to long-term warranties, product liability risk, or safety issues;
- the record is a foundational company document (e.g. your constitution or share register); or
- you have an ongoing legal requirement tied to your industry.
This is where your retention policy should build in a “legal hold” process (we’ll cover this below) so you don’t accidentally destroy important evidence.
What Should Your Retention Policy Include? (A Practical Checklist For Small Businesses)
A retention policy doesn’t need to be complicated, but it should be clear and usable. If your team can’t follow it in real life, it won’t protect you when it counts.
Most small business retention policies include the sections below.
1. Purpose And Scope
Start by explaining why the retention policy exists and what it covers. For example:
- the policy applies to all staff, contractors, and temporary users of your systems;
- it covers physical records, digital files, emails, and app-based records; and
- it covers customer, supplier, employee, and corporate records.
2. Definitions (Keep This Simple)
Define a few key terms so there’s no confusion, such as:
- Record: any document or data created or received in the course of doing business;
- Personal information: information about an identifiable individual (Privacy Act language);
- Retention period: how long the record must be kept before deletion/destruction; and
- Legal hold: a pause on deletion when a dispute, complaint, audit, or investigation is expected.
3. Retention Schedule (The Heart Of The Policy)
This is the part most people mean when they talk about a retention policy. It’s usually a table that lists:
- record category (e.g. “Invoices”, “Payroll”, “Customer Contracts”);
- where it is stored (e.g. accounting system, HR folder, CRM);
- retention period (e.g. 7 years); and
- disposal method (e.g. secure deletion, shredding).
If you only do one thing, do this - because it turns a vague policy into a practical process.
4. Storage And Security Rules
Your retention policy should explain how you protect records while you have them. This is particularly important for personal information and confidential business data.
Depending on your business, that can include rules like:
- who can access HR folders, payroll platforms, and finance drives;
- password management and MFA requirements;
- device rules (work devices vs personal devices);
- naming conventions and folder structure so records can actually be found; and
- where paper records are stored and who has keys.
Many businesses align this with their internal policies more broadly, including their Workplace Policy documents (so expectations are consistent across the team).
5. Disposal And Destruction Process
Deleting records isn’t just pressing “delete”. Your policy should cover:
- who approves destruction (for example, a business owner, office manager, or privacy officer);
- how destruction happens (secure deletion, shredding, wiping devices);
- how you deal with backups (a common blind spot); and
- how you document destruction (a simple log is often enough).
This matters because if you ever need to prove you handled information responsibly, having a repeatable process is a big help.
6. Legal Holds (Don’t Delete When Trouble Is Brewing)
A legal hold process is what stops your normal deletion schedule when you need records for a dispute, complaint, or investigation.
For example, imagine a customer alleges your product caused damage, or a former employee raises a personal grievance. If your retention policy says “delete customer emails after 12 months” and you follow it automatically, you could accidentally delete evidence you need.
A practical legal hold section includes:
- what triggers a legal hold (e.g. complaint, demand letter, dispute, IRD audit notice);
- who decides the hold applies;
- which systems and staff are affected; and
- how long the hold stays in place.
7. Training, Ownership, And Review Dates
Finally, assign responsibility. A retention policy works best when someone actually “owns” it.
For a small business, that might be:
- the director or business owner;
- an operations manager;
- your bookkeeper/finance lead for accounting records; and
- your manager/HR lead for employee records.
It also helps to set a review cycle (e.g. annually) so the policy stays aligned with your systems, your team size, and your legal obligations.
How To Implement A Retention Policy Without Overwhelming Your Team
The easiest retention policy to maintain is the one you build into your daily operations.
Here’s a simple rollout approach that works well for many small businesses.
Step 1: Map What You Actually Collect
Start with a list of where records currently live. Common places include:
- cloud drive folders (e.g. finance, HR, operations);
- email accounts and shared inboxes;
- accounting software;
- POS systems or ecommerce platforms;
- CRMs and booking systems; and
- paper files and notebooks (yes, they count too).
Step 2: Group Records Into Categories
Don’t try to set a retention period for every single file type. Group them into categories that make sense, such as:
- financial and tax records;
- corporate governance records;
- customer contracts and sales records;
- supplier contracts and purchasing records;
- marketing consents and mailing lists; and
- employment and HR files.
Step 3: Set Retention Periods And Deletion Rules
This is where you balance:
- legal compliance (keeping records long enough);
- business risk management (keeping the right evidence for disputes); and
- privacy and cybersecurity (not keeping personal info too long).
If your business handles a lot of personal information, it’s worth thinking about what you would do if you had a privacy incident. Many businesses document this alongside a Data Breach Response Plan, because retention and breach response go hand in hand (you can’t lose data you don’t keep).
Step 4: Build It Into Your Systems
You’ll get better results if your retention policy isn’t just a PDF stored somewhere.
For example:
- create standard folders and naming conventions;
- restrict who can save into HR and payroll folders;
- set calendar reminders for annual clean-ups (or quarterly if you’re high-volume);
- turn on archiving rules where appropriate; and
- make sure key documents are stored centrally (not only in one person’s inbox).
Step 5: Make It Part Of Onboarding
If you have staff, your retention policy should be part of onboarding so new hires know where to save records and what not to do (like downloading customer lists to a personal device).
Many businesses bundle retention expectations into their broader internal policies and HR docs so everything is consistent.
Key Takeaways
- A clear records retention policy helps your business stay compliant, reduce risk, and keep records organised across paper and digital systems.
- New Zealand record-keeping obligations can come from multiple areas, including tax rules, company governance obligations, employment requirements, and the Privacy Act 2020.
- As a practical starting point, many businesses keep core financial, tax, and contract records for at least 7 years, while personal information should be kept only as long as needed for the purpose it was collected.
- Your retention policy should include a retention schedule, storage and security rules, disposal processes, and a “legal hold” process to pause deletion when disputes or audits are likely.
- A retention policy works best when it’s built into daily operations (folder structures, access controls, onboarding, and regular clean-ups), not treated as a document that sits untouched.
If you’d like help putting a retention policy in place (or reviewing how your business stores, retains, and deletes documents), we can help. Reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.