Data Retention Policy (New Zealand)

Under the Tax Administration Act 1994, New Zealand businesses must retain financial records — including income and expenditure records, GST records, payroll records, and supporting documents — for at least 7 years from the end of the income year to which they relate. The Inland Revenue Department (IRD) can audit financial records for up to 4 years (or longer in cases of fraud or evasion), so retaining records for 7 years provides a comfortable buffer. Under the Companies Act 1993, companies must retain accounting records for at least 7 years. Under the Financial Reporting Act 2013, reporting entities (public issuers, issuers of regulated products) must retain financial statements and related documents for at least 7 years. For GST-registered businesses, the Goods and Services Tax Act 1985 requires records supporting GST returns to be kept for 7 years. Under the Employment Relations Act 2000, employers must retain wage and time records for each employee for at least 6 years. These statutory minimums are incorporated in a data retention policy's retention schedule, and organisations should not delete records before these periods expire to avoid potential IRD or regulatory penalties.

Information Privacy Principle 9 (IPP 9) of the Privacy Act 2020 states that an agency (any organisation that holds personal information) must not keep personal information for longer than is required for the purposes for which the information may lawfully be used. In practice, this means organisations must have a data retention policy that specifies how long each category of personal information is kept and ensures that personal information is deleted or anonymised when it is no longer needed. There is no single 'maximum retention period' under the Privacy Act 2020 — the appropriate retention period depends on the purpose for which the information was collected and any other legal obligations (such as the 7-year requirement under the Tax Administration Act 1994 for financial records). Common retention categories include: employee records (typically 7 years after the employment ends); customer records (3–7 years depending on transaction type); health records (10 years under some health sector regulations); and marketing databases (review annually and delete contacts who have not engaged). The Privacy Commissioner can investigate complaints about excessive retention of personal information and may require organisations to delete or anonymise information.

When personal information has reached the end of its retention period, New Zealand organisations must ensure it is disposed of securely to prevent unauthorised access, in accordance with Information Privacy Principle 5 of the Privacy Act 2020 (which requires organisations to protect personal information against loss, misuse, and unauthorised disclosure). Secure disposal methods include: for paper documents — cross-cut shredding (micro-cut shredding for highly sensitive documents such as health or financial information), or use of a certified document destruction service that provides a certificate of destruction; for electronic data — secure deletion using software tools that overwrite data (e.g., NIST 800-88 compliant erasure), degaussing of magnetic media, physical destruction of hard drives, or use of certified data destruction services; for portable media (USB drives, CDs, backup tapes) — physical destruction or degaussing; and for cloud-hosted data — ensuring the cloud provider permanently deletes data and provides confirmation. Simply moving files to the 'Recycle Bin' or formatting a hard drive is not sufficient for secure deletion of sensitive personal data. Organisations should document their disposal procedures and maintain disposal logs for audit purposes.

Yes. New Zealand organisations that store data in cloud services (including Microsoft 365, Google Workspace, Salesforce, AWS, and other cloud platforms) must require that their data retention policy covers cloud-stored data, not just on-premises systems. The Privacy Act 2020 applies to personal information regardless of where it is stored — if the data relates to identifiable New Zealand individuals and is held by a New Zealand organisation (even if physically stored on offshore servers), the Privacy Act 2020's Information Privacy Principles apply. When personal information is stored in overseas cloud services, the organisation remains responsible for the information and must ensure: the cloud provider offers adequate security and data protection; data retention and deletion controls are available and configured in accordance with the policy; and the transfer of data to an overseas service complies with IPP 12 (which permits disclosure of personal information overseas only to recipients subject to adequate privacy protections). Organisations should also consider the implications of overseas data subject to foreign government access requests (e.g., US CLOUD Act). New Zealand's Privacy Commissioner and CERT NZ have published guidance on cloud data governance.

A Data Retention Policy (New Zealand) does not legally require a lawyer in New Zealand, and individuals and businesses may draft and execute the document independently. The Companies Act 1993 does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified New Zealand lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The High Court of New Zealand has jurisdiction over disputes arising from this type of document, and Companies Office may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.