Kai Safe
Sign inStart free trial
← All posts
Record retention

4-year record retention under the Food Act: what to keep, what to bin, and how to prove it digitally

Published 2026-05-25 · Kai Safe team

Open the back-office cupboard of any decent NZ food business and you'll find boxes. Boxes of receipts, dockets, temperature log pages, supplier invoices, cleaning sheets — most of them from years that nobody can quite remember. Operators keep them because they're afraid to throw anything away. "What if MPI shows up?"

The Food Act 2014 has a specific answer to "how long do I keep this stuff": four years. But there's a lot of nuance under that headline number — what counts as a record, what counts as keeping it, and what you can quietly bin.

This post unpacks the 4-year rule properly. What it means in practice, what verifiers actually ask for in year 3, what you can throw out, and why digital systems make this a non-issue if they're built right.

The legal basis — §65 of the Food Act 2014

Section 65 of the Food Act 2014 requires every food business operating under a registered Food Control Plan (or National Programme) to keep records relating to their food safety activities for a minimum of four years.

The exact wording (lightly paraphrased): records must be retained for at least 4 years after the activity they document, or longer if specified in the operator's FCP, or if MPI directs.

Practically, this means: a temperature log from January 2022 needs to be retrievable until at least January 2026. A delivery docket from June 2023 needs to be retrievable until at least June 2027.

That's the floor. Some operators retain longer for insurance, traceability, or supplier-dispute reasons. We'd suggest treating 4 years as the absolute minimum, not the target.

What counts as a "record"?

This is the bit most operators are fuzzy on. The Food Act doesn't enumerate every record type — it just says "records relating to food safety". Which in practice covers:

Must-keep (4+ years, no exceptions)

  • Temperature logs — every cold storage and hot-hold log, every probe reading, every two-stage cooling chart.
  • Cleaning records — completed cleaning schedules, sanitiser concentration checks, deep clean logs.
  • Delivery records — every chilled/frozen delivery receipt with temperature and supplier batch ref.
  • Cooking records — proven-method documentation, probe-checked temps for high-risk products.
  • Corrective actions — every fail and what was done about it. Critical: this is the one verifiers will ask for years later.
  • Staff training records — induction docs, refresher dates, allergen training certs.
  • Thermometer calibration logs — ice-point tests, hot-water tests, replacement records.
  • Pest control records — inspection visits, bait station logs, treatments.
  • Supplier approvals — the documentation showing each supplier was vetted before use.
  • Mock recall drill — annual drill documentation.
  • Verification reports — every previous MPI verifier visit report.
  • Reportable breach notifications under §50 — what you reported to MPI and when, plus follow-up correspondence.

Useful to keep (not strictly required, but verifiers often look)

  • Allergen menus — the version in force at the time the record was made (so if you changed the menu, you keep the old one too).
  • Floor plans and equipment registers — useful for verifiers reconstructing what your kitchen looked like at the time.
  • Standard operating procedures — your written SOPs for cooking, cooling, cleaning. Verifiers expect to see what staff were trained to do.
  • Pest controller contracts — useful if you ever face questions about how your pest activity was managed.

Can usually be binned (but check your FCP first)

  • General supplier invoices that aren't tied to a specific safety record. Your accountant probably wants them for 7 years for tax — that's an IRD thing, not food safety.
  • Marketing menu prints that don't have allergen info.
  • General correspondence that isn't about food safety.

When in doubt: keep. Space is cheap; insurance against an "I don't have the record" verifier finding is not.

What verifiers actually ask for in year 3

A 6-month verifier visit looks at the last 6 months of records. A 12-month visit looks at the last 12. But what about year 3?

Three scenarios where year 3 records get pulled:

Scenario 1: Customer complaint follow-up

A customer reports food poisoning from your venue. MPI investigates. They will ask for every record from the day of the meal, plus everything from the supply chain leading up to it. If the affected meal was 2.5 years ago, the records have to be there.

This is the most common reason a "year 3" record gets pulled, and it's the worst time for it to be missing.

Scenario 2: Insurance claim

A supplier claims you accepted contaminated product without complaint. You say you didn't. The records — your delivery docket from 2.5 years ago, with the temperature on arrival — settle the dispute. If you can't produce it, you lose the case.

Scenario 3: Audit by a corporate buyer

If you supply to a corporate canteen, hotel chain, or aged-care provider, their audit cycle is often 2-3 years. They want to see your compliance history going back. "Trust us, we had records" is not an acceptable answer.

Scenario 4: MPI escalation

If you've had an "unacceptable" verification outcome, MPI may pull a multi-year sample of records during the follow-up. Failing to produce them turns a recoverable situation into a compliance disaster.

How paper-based operators get burned in year 3

Five patterns we see repeatedly:

1. The damp basement

Records in boxes in a back room that floods every winter. By year 3, the ink is bled, the paper is mildewed, and the temperature logs from 2022 are illegible. Verifier opens the box; verifier shakes their head.

2. The previous owner's archive

You bought the business in 2023. The previous owner's records from 2021 and 2022 are technically yours now (the FCP transfers with the business). You don't have them. The previous owner has them in their garage. You don't know which boxes.

3. The "we changed our system in 2023"

You used a paper diary until 2023, then moved to an app, then changed apps in 2024. Records from the original diary are in a box. Records from the first app — gone, account closed. Records from the new app — fine. Year 3 verifier asks for January 2022. You shrug.

4. The handwriting

The records exist, in a box, in chronological order, dry. The verifier flips to a random page and asks "what does this say?" You can't read it. The staff member who wrote it left in 2023. The verifier marks "records illegible" on their report.

5. The single missing page

You've kept everything from 2021-2025. Except one week in March 2023 where a manager forgot to fill in the diary. The verifier finds it. "What happened that week?" You don't remember. You can't reconstruct it. You're now in conditional acceptance.

The immutability test

There's a sub-rule of the 4-year retention requirement that operators miss: records must be trustworthy. A verifier needs to know that the record they're looking at is what was actually written at the time, not what was edited last week.

For paper this is implicit — biro on paper, dated and signed, is hard to backdate convincingly. Verifiers know what fresh ink looks like.

For digital, it's explicit (S39-0005 four properties): the record has to be immutable in the sense that corrections create new records, never silently replace the old ones.

This is the bit that catches Excel-based operators. If your "records" are an Excel file, you can change any cell from 4 years ago, today, and there's no trail. A verifier suspecting tampering can ask you to prove the records weren't edited recently. With Excel, you can't. With a well-architected digital system, you can — the audit log shows every record's creation time, who created it, and any corrections that followed.

This isn't theoretical. We've talked to operators who passed verifier visits for years on Excel and then got pulled up in a year-3 investigation because the verifier couldn't accept that the records were trustworthy.

How a digital system should handle 4-year retention

A compliant digital food safety system needs:

1. Immutable record storage

Compliance records are never updated. Corrections are new records that reference the original. The original stays visible forever (or at least 4 years).

2. Server-side timestamps

The time on every record is from the server clock, not the device clock. This is what makes "edited 3 years later" detectable.

3. Full audit log

Every record action — create, correct, soft-delete, export — is logged with user, time, and IP. Verifiers can request the audit log if they have any suspicion.

4. Export at any time

You should be able to export your full compliance history as a static archive (PDF + CSV) at any time. This archive is itself a record — proof of what your records looked like on the day of export.

5. Multi-year retention by default

The system has to not delete records inside the 4-year window. In Kai Safe, compliance records are excluded from any normal deletion flow — even if a venue is cancelled or a business closes, the records are retained until the 4-year clock expires.

6. Portable archive

If the vendor disappears, you must be able to get your data out. Kai Safe gives you a one-click "archive everything" export — every record, photo, training cert, corrective action, as a single ZIP. That ZIP is portable, readable without Kai Safe, and counts as your records for the rest of the retention period.

What to do if you're behind

If you're reading this and panicking because your paper boxes are a mess: the recovery plan is straightforward.

Triage what you have

Pull every box, label by date range, identify gaps. Photograph or scan critical records (temperature logs, corrective actions, verification reports) into dated PDFs. Even crude scans are better than damaged originals.

Reconstruct what you can

For minor gaps (a missing week of cleaning logs), it's defensible to write a memo: "Cleaning records for week of [date] not retained due to [reason]; activities continued per schedule, no incidents reported." It's not great, but it's better than silence.

Switch to digital going forward

Don't try to digitise the past. Just start fresh with a system that captures everything correctly from day one. Run paper in parallel for a month or two, then archive the paper and let digital take over.

Don't bin paper inside the 4-year window

Even if you've switched to digital, the paper records from before the switch are still your records. Box them, label them, store them dry, keep them for 4 years from the date of the latest entry in each box.

How Kai Safe handles 4-year retention

The architecture:

  • compliance_records is append-only. No UPDATE queries, ever. Corrections are new records.
  • Every record has a server-stamped created_at. The user can't backdate.
  • Records are retained for a minimum of 4 years even if a venue cancels its subscription. (Cancelled venues lose write access immediately, but read access to historical records continues for the retention window.)
  • One-click full archive export — every record, every photo, every CA, every training doc — as a portable PDF+CSV bundle.
  • Audit log records every create, correction, export, with user and timestamp.

You don't have to think about retention. The system enforces it.

Try Kai Safe free for 30 days — and never lose another record.

Further reading


Run your FCP in Kai Safe

Mobile-first, offline-ready, built around the Simply Safe & Suitable template. From NZ$29/month.

Start free trial