Plain language law

New Zealand law explained for everyone

This page is about a bill. That means that it's not the law yet, but some people want it to be the law. It could change quickly, and some of the information is just a draft.

Customer and Product Data Bill

Protections - Record keeping

46: Accredited requestor must keep records about regulated data service

You could also call this:

“Companies must keep records when they use your information”

This new law proposes that when someone asks for your data, they need to keep careful records. They must write down when you said it was okay for them to have your information, including any limits you set. They also need to note if you changed your mind about what they can do with your data.

If they give your data to someone else or change it so it can’t be traced back to you, they have to record that too. They might also need to keep other information if the rules say so.

These records need to be kept for five years, and there might be special ways they have to store them. Even if the person or company stops being allowed to ask for data, they still have to follow these rules.

If they don’t keep these records properly, they could get in trouble. They might have to pay a fine of $20,000, or if it goes to court, up to $50,000.

This law is designed to make sure your information is handled carefully and that you can trust the people who are using it.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS841639.

Previous

45: Data holder must keep records about regulated data service, or

“Keep records about your data services and customer requests”

Next

47: Data holders and accredited requestors must have customer data, product data, and action performance policies, or

“Companies must create and follow rules about customer and product information”

Part 3 Protections
Record keeping

46Accredited requestor must keep records about regulated data service

  1. An accredited requestor must keep records of the following matters in respect of any regulated data service relating to a customer that the accredited requestor requests:

  2. the authorisation given by or on behalf of the customer, including—
    1. any limitations on the scope of the authorisation; and
      1. any modifications to the authorisation; and
        1. any previous authorisation given by or on behalf of the customer:
        2. if, after receiving data under section 15,—
          1. the accredited requestor provided the data or derived data to another person (other than the customer or a secondary user), that person and the basis upon which the accredited requestor considers it is permitted to provide the data or derived data to that person:
            1. the accredited requestor de-identified the data so that it no longer relates to an identifiable person, how the data was de-identified:
            2. the information specified by the regulations (if any).

              1. The records must be kept—

              2. for 5 years; and
                1. otherwise in the manner prescribed by the regulations (if any).

                  1. If a person ceases to be an accredited requestor, this section continues to apply with all necessary modifications as if it were still an accredited requestor.

                  2. An accredited requestor that contravenes this section commits an infringement offence and is liable to—

                  3. an infringement fee of $20,000; or
                    1. a fine imposed by a court not exceeding $50,000.