Plain language law

New Zealand law explained for everyone

Customer and Product Data Act 2025

Protections - Record keeping

47: Accredited requestor must keep records about regulated data service

You could also call this:

“Requestors must keep customer data records for 5 years”

If you are an accredited requestor, you need to keep records when you ask for a regulated data service about a customer. You must record when you made the request and all the details about the customer’s permission. This includes any limits on what they allowed, any changes to their permission, when they gave permission, and when it ended (if you know).

You might also need to record other information if the rules say so. You have to keep these records for 5 years from when you made the request. The rules might also tell you how to keep the records.

Even if you stop being an accredited requestor, you still need to follow these record-keeping rules.

If you don’t follow these rules, you can get in trouble. You might have to pay a fine of $20,000, or a court could make you pay up to $50,000.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS841639.

Topics:
Business > Industry rules Rights and equality > Privacy Money and consumer rights > Consumer protection
Previous

46: Data holder must keep records about regulated data service, or

"Companies must keep track of how they share people's information"

Next

48: Data holders and accredited requestors must have customer complaints process, or

"Businesses must let customers complain if they're unhappy with how their data is used"

Part 3 Protections
Record keeping

47Accredited requestor must keep records about regulated data service

  1. An accredited requestor must keep records of the following matters in respect of any regulated data service relating to a customer that the accredited requestor requests:

  2. the request made for the service (including the time at which the request was made):
    1. the authorisation given by or on behalf of the customer, including—
      1. any limitations on the scope of the authorisation; and
        1. any modifications to the authorisation; and
          1. the time at which the authorisation was given; and
            1. the time (if any) at which the authorisation ended (if the accredited requestor is aware of that information):
            2. the information specified by the regulations (if any).

              1. The records must be kept—

              2. for 5 years from the date of the request; and
                1. otherwise in the manner prescribed by the regulations (if any).

                  1. If a person ceases to be an accredited requestor, this section continues to apply with all necessary modifications as if it were still an accredited requestor.

                  2. An accredited requestor that contravenes this section commits an infringement offence and is liable to—

                  3. an infringement fee of $20,000; or
                    1. a fine imposed by a court not exceeding $50,000.