Can I throw out old information?

Under the Privacy Act, there are no requirements to keep information for a certain length of time. Rather, agencies must not keep personal information for any longer than they have a lawful purpose for using that information.

Therefore, if you want to delete information, the first thing you need to consider is do you have a lawful purpose to keep this personal information? Keep in mind that there may be another law or regulation that requires you keep information for a certain period of time.

For instance, the Employment Relations Act 2000, the Tax Administration Act 1994, Public Records Act 2005 and the Health (Retention of Health Information) Regulations 1996 all impose obligations to keep certain types of information for certain timeframes.

If you aren’t required to keep the information, and you no longer have a lawful purpose to use it, you should take appropriate steps to ensure the information is securely deleted or destroyed.

Updated October 2025