Running a Compliant Business
How Long Should You Keep Records?
A plain-language guide to data retention: how long to keep personal data, how to decide, and how to dispose of it safely.
What you will learn
- What the retention standard requires
- How to set sensible retention periods
- How to dispose of data securely
- How to build a simple retention schedule
Overview
Keeping personal data is not free. Every record you hold is something you must protect and could lose in a breach. The Act asks you to keep personal data only as long as you genuinely need it. This module explains how to put that into practice.
Why this matters
Old data you no longer need is pure risk. It cannot help your business, but it can still be breached, misused, or requested. Sensible retention reduces that risk and keeps your systems tidy.
What the law says
The fifth standard (within sections 22 to 31) says personal data must not be kept longer than is necessary for the purpose it was collected for. The Act does not give a single number, because the right period depends on the data and the purpose.
How to set retention periods
For each type of data, ask:
- Why do we hold this, and for how long do we actually need it?
- Is there a legal, tax, or sector rule that sets a minimum?
- What is the risk of keeping it versus the cost of deleting it?
Write the answer down as a retention schedule: a simple list of data types and how long you keep each.
Disposing of data securely
When the time comes, dispose of data so it cannot be recovered:
- delete electronic files and clear them from backups on your schedule
- shred paper records rather than binning them
- wipe or destroy storage on old devices before disposal or resale
Common mistakes
- Keeping everything "just in case".
- Having no schedule, so nothing is ever deleted.
- Forgetting that backups and old devices also hold personal data.
Best practices
- Create a simple retention schedule and follow it.
- Review retention at least once a year.
- Make secure disposal a normal habit, not an afterthought.
Frequently asked questions
Key takeaways
- The fifth standard says do not keep personal data longer than necessary.
- Set retention periods based on need and any legal requirement.
- Dispose of data securely, both electronic and paper.
- A simple retention schedule makes this manageable.
