How long does my organisation or business have to keep records for?

There are no minimum timeframes for retention of information under the Privacy Act. Rather, agencies must not keep personal information for any longer than they have a lawful purpose for keeping that information.

The first thing you need to consider is whether you have a lawful purpose to keep this personal information. Keep in mind that there may be another law or regulation that requires you to keep information for a certain period of time.

For instance, the Employment Relations Act 2000, the Tax Administration Act 1994, the Public Records Act 2005 and the Health (Retention of Health Information) Regulations 1996 all impose obligations to keep certain types of information for certain timeframes.

If you aren’t required to keep the information, it is up to your agency to decide how long you have a lawful purpose to use the information you have collected. This will largely depend on what the information is and what you told the person when you first collected it.

The important thing is for your agency to have a clear policy on how long it will retain each type of personal information it collects, and to apply that policy consistently.

If you have a policy that says you will hold a certain type of information for a specific period, but then fail to follow it, this may indicate that your agency has a problem with information security.