Customer and Product Data Act 2025

Protections - Record keeping

46: Data holder must keep records about regulated data service

You could also call this:

“Companies must keep track of how they share people's information”

If you hold data for others, you need to keep records about the data services you provide. You must record when someone asks for data, whether you gave them the data, and any permission given by the customer for sharing their data. You also need to note if you checked the customer’s identity and if they confirmed their request.

For product data, you don’t need to record information about customer permissions. You have to keep these records for 5 years from when the request was made. If you stop being a data holder, you still need to follow these rules.

If you don’t keep these records properly, you might have to pay a fine. The fine could be $20,000, or up to $50,000 if a court decides.

Remember, there might be other rules about what information you need to record and how to keep the records. These rules will be written in other documents called regulations.

This text is automatically generated. It might be out of date or be missing some parts.


View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS700325.



Part 3 Protections
Record keeping

46 Data holder must keep records about regulated data service

(1) A data holder must keep records of the following matters in respect of any regulated data service that the data holder provides:

    (a) the request made for the service (including the time at which the request was made):
    (b) whether the data holder has given effect, or has attempted to give effect, to the request:
    (c) the authorisation given by or on behalf of the customer (if any), including—
        (i) any limitations on the scope of the authorisation; and
        (ii) any modifications to the authorisation; and
        (iii) the time (if any) at which the authorisation ended (if the data holder is aware of that information):
    (d) whether the authorisation (if any) has been confirmed under section 39 and whether the identity of a person has been verified under section 45:
    (e) the information specified by the regulations (if any).

(2) Subsection (1)(c) to (e) does not apply to product data requests.

(3) The records must be kept—

    (a) for 5 years from the date of the request; and
    (b) otherwise in the manner prescribed by the regulations (if any).

(4) If a person ceases to be a data holder, this section continues to apply with all necessary modifications as if the person were still a data holder.

(5) A person that contravenes this section commits an infringement offence and is liable to—

    (a) an infringement fee of $20,000; or
    (b) a fine imposed by a court not exceeding $50,000.