Plain language law

New Zealand law explained for everyone

This page is about a bill. That means that it's not the law yet, but some people want it to be the law. It could change quickly, and some of the information is just a draft.

Customer and Product Data Bill

Protections - Record keeping

45: Data holder must keep records about regulated data service

You could also call this:

“Keep records about your data services and customer requests”

This proposed law says that if you’re a data holder, you must keep records about the regulated data services you provide. You’ll need to keep track of the requests for the service, whether you’ve fulfilled those requests, and any authorisations given by customers. For customer authorisations, you’ll need to record any limitations, changes, and previous authorisations.

You’ll also need to record if you’ve confirmed the authorisation and verified someone’s identity as required by other parts of the law. The government might ask you to keep other information too, which you’ll have to record.

These rules don’t apply to product data requests in the same way. You’ll need to keep these records for 5 years and follow any other rules the government sets about how to keep them.

Even if you stop being a data holder, you still need to follow these rules as if you were one. If you don’t follow these rules, you might have to pay a fine. The fine could be $20,000, or a court could make you pay up to $50,000.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS700325.

Previous

44: Verification of identity of person who makes request, or

“Checking who's asking for customer information”

Next

46: Accredited requestor must keep records about regulated data service, or

“Companies must keep records when they use your information”

Part 3 Protections
Record keeping

45Data holder must keep records about regulated data service

  1. A data holder must keep records of the following matters in respect of any regulated data service that the data holder provides:

  2. the request made for the service:
    1. whether the data holder has given effect, or has attempted to give effect, to the request:
      1. the authorisation given by or on behalf of the customer (if any), including—
        1. any limitations on the scope of the authorisation; and
          1. any modifications to the authorisation; and
            1. any previous authorisation given by or on behalf of the customer:
            2. whether the authorisation (if any) has been confirmed under section 38 and whether the identity of a person has been verified under section 44:
              1. the information specified by the regulations (if any).

                1. Subsection (1)(c) to (e) does not apply to product data requests.

                2. The records must be kept—

                3. for 5 years; and
                  1. otherwise in the manner prescribed by the regulations (if any).

                    1. If a person ceases to be a data holder, this section continues to apply with all necessary modifications as if the person were still a data holder.

                    2. A person that contravenes this section commits an infringement offence and is liable to—

                    3. an infringement fee of $20,000; or
                      1. a fine imposed by a court not exceeding $50,000.