Entry D1 v1 — Record-keeping obligations across employment, tax, and company law

What to watch for

Six things that change how the record-keeping picture actually works — most of which compliance content treats as separate single-statute lists rather than as the integrated reality of running a compliant business.

1. The three statutes don't substitute. They stack. IRD wants tax records under section 22 of the Tax Administration Act 1994 for 7 years.¹ Companies Office wants governance records under sections 189-194 of the Companies Act 1993 for 7 years (and some indefinitely — share register, constitution, key resolutions).² Employment NZ wants wage and time records under the Wages Protection Act and holiday/leave records under the Holidays Act for 6 years even after the employee leaves.³ The overlap: employment records that include payroll information are both employment records (Holidays Act, 6 years) and tax records (PAYE records under section 22, 7 years). The longer period applies. The trap is the operator who reads one statute's retention period and assumes it covers everything; it doesn't. Default position: 7 years for any record with financial or tax content, indefinitely for company-constitutional documents and share register, 6 years minimum for employment-side records that aren't tax-related.

2. The 7-year clock starts at end of income year, not at transaction date. Section 22(2) of the Tax Administration Act specifies that records must be retained for "at least 7 years after the end of the income year" to which they relate. For a 31 March balance date, a transaction in April 2026 falls in the 2026-27 income year ending 31 March 2027 — the 7-year retention runs until 31 March 2034, not until April 2033. This sounds like a small distinction but it matters for filing-disposal decisions. The Commissioner can extend the period by an additional 3 years (to 10 years total) by giving notice before the 7-year period expires — typically only invoked where an audit or investigation is in progress. The practical implication: don't dispose of records on the transaction-date anniversary; dispose on the income-year-anniversary, and only after the relevant tax returns have been filed and accepted.

3. Electronic records are fine. But the access discipline is real. Section 22 (and the equivalent provisions in the Companies Act and Holidays Act) permits records to be kept in electronic form, provided they're readily accessible and reproducible.⁴ This isn't a license to dump everything in a Google Drive folder and call it good. The IRD's Standard Practice Statement on electronic record-keeping requires: a reliable means of maintaining integrity (records not editable or modifiable without audit trail), ready accessibility (records can be produced when requested), format preservation (the electronic record reproduces the original accurately), and storage location compliance (records held offshore require Commissioner approval). For SMBs the practical implication is: use accounting software (Xero, MYOB, etc) that handles the integrity and audit-trail requirements automatically, and use cloud document storage (Google Drive, Dropbox, OneDrive) for non-financial documents with structured folder organisation. Don't email yourself receipts and hope to find them in five years.

4. Some records are kept for the life of the company, not seven years. The Companies Act distinguishes between time-limited and indefinite retention. Indefinite (must be kept for the life of the company): the constitution if there is one, the share register (which under section 87 must show shareholders' details for at least 10 years past the share transfer), the company's certificate of incorporation. Seven years: directors' resolutions, shareholders' resolutions, board minutes, accounting records, copies of written communications to shareholders during the past 7 years, copies of financial statements for the last 7 completed accounting periods.⁵ The trap is the operator who treats company-constitutional documents as disposable on the same cycle as financial records; they're not. Lose your constitution and you've created a real problem if there's ever a question about how the company was structured.

5. Privacy Act 2020 imposes an over-retention obligation. Don't keep records longer than necessary. Information privacy principle 9 of the Privacy Act 2020 requires that personal information not be kept for longer than is necessary for the purpose for which it was collected.⁶ This creates a tension with the keep-for-7-years tax obligation: you're statutorily required to keep payroll records for tax purposes, and statutorily required not to keep them longer than necessary. The reconciliation is that the tax obligation establishes the "necessary" period for payroll records — you can lawfully keep them for the statutory retention period, but should dispose of them once that period ends (and once any extension by the Commissioner has expired). The trap is the operator who keeps every record indefinitely on the principle that "you can't get in trouble for keeping things" — you can, under the Privacy Act, particularly for personal information about employees and customers no longer in business with you. Build the disposal discipline into the calendar alongside the retention discipline.

6. The records-keeping obligation isn't just paperwork. It's evidence of decisions. The substantive purpose of record-keeping across all three statutes is the same — to evidence that decisions were made for proper reasons, that taxes were correctly calculated, that employees were correctly paid, that the company was governed in good faith. The IRD audit looks at records as the proof of your tax position; the Companies Office investigation looks at records as the proof of director-duty compliance; the Labour Inspector looks at records as the proof of holiday-pay and wage-rate compliance. The records that survive scrutiny are the ones made at the time the decision was made, with the underlying reasoning visible. Contemporaneous record-keeping isn't bureaucratic discipline; it's the evidence layer that protects you when something is later questioned. For sole-director companies in particular (where the director's decisions and the company's decisions are the same human acting in two capacities) the record is often the only evidence that the director's duty under section 131 was met — that the decision was for the company's benefit rather than the director's personal benefit. The act of writing it down isn't trivial; it's how you demonstrate the decision was actually made the way it should have been.

A separate point on what good record-keeping accomplishes beyond surviving audit. The visible work — folders, software, retention schedules — is downstream of the operating discipline that produces the records in the first place. Operators who do this well don't have a record-keeping policy; they have an operating rhythm that produces records as a natural byproduct. Bookkeeping happens weekly because it's part of the weekly rhythm; payroll runs through software that generates records automatically; board resolutions happen at the moment of the decision rather than retrospectively. The trap is treating record-keeping as a separate discipline that has to be added to the operating routine — that's why so many SMBs end up frantically reconstructing records at year-end, with predictable consequences for accuracy. The discipline pays back in three directions: legal compliance (the visible payoff), operational visibility (you can see what's happening in your business in real time), and decision-quality (decisions made with current information are better than decisions made on retrospective reconstructions). All three flow from the same upstream investment.

The fourth direction shows up later: the capstone. Sale, lending, audit, dispute — contemporaneous records are the difference between a fast clean process and a reconstruction a buyer's DD team, a bank, or IRD will distrust. They can't be manufactured after the fact, which is exactly why they're worth more then. The discipline kept quietly for years cashes out, all at once, on the day it matters most.

Where this entry stops

This entry covers the integrated record-keeping obligations across tax, company, and employment law for a typical NZ SMB. It doesn't cover:

• Industry-specific record-keeping obligations — healthcare, financial services, building, food and beverage all have additional sector-specific record requirements that sit alongside the general framework.
• Privacy Act compliance generally — the entry flags Principle 9 (over-retention) but the full Privacy Act framework (collection, use, disclosure, access, correction, security) is broader. Compliance-floor territory; future wayfinder entry candidate.
• Document destruction procedures — what's required when records are disposed of (secure destruction, audit trail of disposal). Adjacent to retention; sits in records management territory.
• AML/CFT record-keeping — financial-services-and-beyond-specific obligations under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009. Specialist territory.
• Litigation hold procedures — when disputes are pending or anticipated, records that would otherwise be disposed of must be preserved. Specialist territory; lawyer involvement.

For specific record-keeping scenarios — particularly where IRD audit or Labour Inspector visits seem possible — talk to your accountant or employment-law adviser before the disposal decision rather than after.

Last verified 27 May 2026. Full source list: references.