
As an agency that deals with customers’ personal information, such as their financial or contact details, you take on a risk when you store such data. If there is a privacy breach, your business must deal with the consequences. Therefore, you need to take due care when considering how long you keep customers’ personal data. You can only keep personal information as long as it is serving its intended purpose. Otherwise, you could be breaching your legal obligations. This article will highlight some important aspects to consider when determining how long you should keep customer data.

Personal Data and Its Purpose

When you collect personal information, you must do so with a specific purpose in mind, and that purpose must connect to the functioning of your business. You need to inform customers of this purpose, and you cannot use the information for anything outside of it without justification. You need to know this purpose before collection so that you collect only the information you actually need.

For example, you may collect customers’ physical addresses to deliver products to them. You cannot then use these addresses to send customers marketing pamphlets without their consent.

Where possible, limit the data you collect to only that which is absolutely necessary. The more unnecessary information you have, the more you have to store and keep up to date. There is also a greater volume of information to lose in the event of a data breach.

Keeping Data for as Long as Necessary

New Zealand privacy law does not specify a minimum timeframe for keeping most kinds of personal information. However, the Privacy Act requires that your business does not keep personal information for any longer than you need it for its intended lawful purpose.

Therefore, when considering how long you need to keep certain kinds of customer data, you need to determine whether it is still fulfilling its intended purpose. If not, you should securely dispose of it. Ensure that you have a clear metric for deciding whether the information is still necessary, and apply this to data across your business.

For example, say that a customer moves house and they inform you of their updated address. You have no further need for their old address, so you should delete that information from their file.

Retention Requirements for Particular Kinds of Information

However, other New Zealand laws may require you to hold on to particular kinds of information for a set period. This may apply to information regarding;

For example, if you are a health agency, you must keep any health records that you hold for a patient for ten years from the last instance of providing services for that patient. However, this does not apply where you have transferred these health files to the patient or their new healthcare provider.

Therefore, if you deal with this kind of information, you must be aware of any special requirements related to its retention. Ensure that you store this data securely, with protection measures that are proportionate to its sensitivity.

Data Breaches

The more data you keep, the more data there is to lose in the event of a data breach. A data breach occurs when an unauthorised person has accessed, misused, or lost any information that you hold. You will lose customer trust if a breach happens and you do not deal with it appropriately. There may also be legal consequences depending on the severity of the breach and whether you complied with your reporting requirements under New Zealand law.

Therefore, when considering how long you should keep customer data, you need to consider whether you are adequately mitigating this risk. Ensure that you have adequate security systems for your data and that only authorised staff members can access customers’ personal information.

When you decide to dispose of customer data that you do not need anymore, you must do so securely. You need to ensure that once you have deleted this information, it is gone forever, and no one else can retrieve or access it. 

For example, this would include shredding physical documents to be unreadable or wiping hard drives and backups.

Key Takeaways

If your customer data does not identify them in any way, then in most cases, there are no specific requirements for how long you should keep that data. However, if your customer data does identify them, then it qualifies as personal information. You can only keep personal information as long as it fulfils its intended purpose, and you must not store it for longer than necessary. Holding more information also increases the risk of losing information in a data breach, so you should consider that too. If you would like more information or help with your business’ data retention requirements, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is personal information?

Personal information is any data that can identify a living individual, such as their names or email addresses. This kind of information has special requirements for how you should handle it.

How long should I keep customer data for?

If your customer information can identify that customer, you can only keep it for as long as it fulfils its intended purpose, and no longer. However, some data will have specific requirements for how long you need to retain it, such as employee records.

Can I dispose of information I do not need anymore?

Generally, you can dispose of information you no longer need, as long as you do it in a secure fashion. However, some information has specific retention requirements, such as health records.
