Compliance · 1 December 2025 · DEIS Compliance

How long should you keep lookup data? A guide to data retention under the Privacy Act

The Privacy Act limits how long you can retain personal information. Here is how to set appropriate retention periods for lookup data.

data retention · IPP9 · data minimisation

IPP9 of the Privacy Act 2020 says that agencies should not keep personal information longer than is required for the purposes for which the information may lawfully be used. This creates an obligation to set and enforce data retention periods.

The challenge

Lookup data creates two competing needs:

  • Compliance evidence — you need to keep records that demonstrate your IPP3A compliance.
  • Data minimisation — you should not keep the results of lookups (the personal information itself) longer than necessary.

Best practice: separate evidence from data

The best approach is to separate the compliance evidence (who, when, what source, which pathway) from the lookup results (the actual personal information retrieved).

  • Compliance evidence — retain for 7 years (aligned with standard NZ record-keeping and limitation periods).
  • Lookup results — retain only as long as needed for the purpose. A car dealer might need the vehicle history report until the sale is completed. A finance company might need the credit report until the loan is repaid.

DEIS retention settings

In DEIS, you can configure separate retention periods for:

  • Evidence log entries (recommended: 7 years)
  • Lookup results (configurable per data source)
  • Contact records (configurable)

When a retention period expires, DEIS automatically purges the data and records the purge in the evidence log.
