Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, your internet connection and devices are business tools - and you’ll usually want to keep them secure, productive, and legally compliant.
That’s where employee internet monitoring comes in. Maybe you’re worried about cybersecurity, staff spending too much time on non-work browsing, or sensitive information being uploaded to personal accounts. Or maybe you’ve had an incident and need to investigate what happened.
The good news is that monitoring employees’ internet use is often lawful in New Zealand - but it’s not a “do whatever you want” area. Privacy, fairness, and reasonableness matter, and the way you monitor is just as important as what you monitor.
This article is general information only and isn’t legal advice. Because the legal risk can change depending on your workplace, your systems, and why you’re monitoring (especially if it becomes a disciplinary issue), it’s worth getting tailored advice before you implement targeted monitoring or rely on monitoring data in an investigation.
Below, we break down how employee internet monitoring works under NZ law, what you should put in place from day one, and how to reduce the risk of privacy complaints or employment disputes.
Is Employee Internet Monitoring Legal In New Zealand?
In New Zealand, there isn’t a single “internet monitoring law” that gives you a simple yes/no answer. Instead, employee internet monitoring sits at the intersection of a few key legal obligations.
In most cases, you can monitor employees’ internet browsing and search history at work - if it’s done lawfully and fairly.
The Main Laws And Principles You Need To Keep In Mind
- Privacy Act 2020: You generally need to collect and handle personal information in a way that’s lawful, necessary, transparent, secure, and not overly intrusive.
- Employment Relations Act 2000: You must be a “good faith” employer, and if monitoring is used in performance management or misconduct processes, your actions and decisions must be fair and reasonable.
- Health and Safety at Work Act 2015: You have obligations to provide a safe workplace - which can include managing online harassment, bullying, and unsafe behaviour on work systems.
- General fairness and reasonableness: Even where something is technically possible, it can still create legal risk if it’s unexpected, excessive, or “secretive” without a strong justification.
A helpful way to think about employee internet monitoring is this: monitoring is more defensible when it is transparent, proportionate, and tied to a real business purpose.
Why Businesses Usually Monitor
Common legitimate reasons for employee internet monitoring include:
- protecting your systems from malware, phishing, ransomware, and data breaches
- preventing leaks of confidential information or client data
- ensuring staff follow company policies and appropriate workplace behaviour standards
- investigating suspected misconduct (for example, harassment or serious time theft)
- meeting regulatory or contractual obligations (for example, where clients require security controls)
Where employers often get into trouble is when monitoring is rolled out without clear notice, without a policy, or in a way that feels like surveillance “just because”. That’s avoidable with the right setup.
What Counts As “Internet Browsing And Search History” (And What You Can Actually See)?
When business owners talk about employee internet monitoring, they often mean different things. “Browsing history” might mean the history stored inside a web browser - but employers usually monitor at the network, device, or account level, which can produce different kinds of data.
Common Types Of Internet Monitoring Data
Depending on your systems, your business may be able to collect information such as:
- websites visited (domains and sometimes specific pages/URLs)
- timestamps (when access happened and for how long)
- search queries (in some situations - for example, where you have access to a managed device’s browser history, or where your security tools capture this at the device level; many network logs will not show the exact terms typed into an encrypted search)
- downloads/uploads (for example, file types and destination)
- device identifiers (which laptop/phone/user profile made the request)
- blocked site attempts (attempts to access restricted content)
- use of web-based email or cloud storage (access events rather than content, depending on tools used)
Browser History vs Network Logs
It’s worth separating two concepts:
- Browser history: the history saved in Chrome/Safari/Edge on a device profile. This can be deleted by the user, and it can be affected by Incognito/Private Browsing (though that doesn’t necessarily stop all tracking).
- Network-level logs: records generated by routers, firewalls, secure web gateways, or DNS services. These logs may still show domains accessed even if the employee uses private browsing, but they often won’t show the content viewed inside encrypted sessions.
If you’re not sure what your business systems can actually see, it’s a good idea to confirm with your IT provider before you make promises to staff (or assumptions during an investigation).
Does “Private/Incognito Mode” Stop Employee Internet Monitoring?
Incognito mode usually stops the browser from saving local history on that device profile. It does not automatically stop network logs, firewall logs, or device management monitoring (depending on your setup). It also doesn’t automatically make an employee’s activity “invisible” to your organisation - but what you can see will depend on your tools (for example, many network tools will show domains and connection details rather than the precise content of pages or search terms).
This matters legally because an employee may wrongly assume their activity is “private” just because they used private browsing. That’s another reason transparency and clear policies are so important.
How To Monitor Internet Use Lawfully: The Privacy And Employment Law Checklist
If you want employee internet monitoring to be defensible in New Zealand, you should build it around a few practical principles.
1) Be Clear About The Purpose (And Keep It Legitimate)
Start with: Why are we monitoring?
Examples of legitimate purposes include:
- cybersecurity and threat detection
- protecting confidential information
- ensuring appropriate use of business resources
- investigating suspected misconduct
Avoid vague reasons like “keeping an eye on everyone” - that’s where monitoring starts to look excessive and intrusive.
2) Tell Employees What You’re Doing (Transparency Is Key)
Under the Privacy Act 2020, a major theme is that people should not be surprised about what personal information is being collected and why. In an employment context, surprise monitoring can also create trust issues and legal risk.
Practically, you should tell employees:
- what you monitor (for example, websites visited, access logs, downloads)
- when you monitor (ongoing security logging vs targeted monitoring)
- why you monitor
- how the data will be used (for example, security, performance, misconduct investigations)
- who can access the information
- how long you keep it
This is usually done through a mix of your Workplace Policy, onboarding training, and IT access terms (for example, an “acceptable use” policy).
3) Only Collect What You Need (Proportionality)
A good rule of thumb: collect the minimum information needed to meet your purpose.
For example:
- If your goal is cybersecurity, you might only need security logs and alerts - not a detailed record of every search query.
- If your goal is productivity, you might use high-level reporting and only drill down when there’s a reasonable concern.
Over-collecting can increase privacy risk and can also create extra obligations around storage and security (because you now hold more potentially sensitive personal data).
4) Store Monitoring Data Securely
If you collect monitoring logs, you must protect them against loss, unauthorised access, misuse, or disclosure.
Security steps can include:
- restricting access to a small number of authorised people
- using role-based permissions (for example, HR can’t access raw logs unless required)
- keeping audit trails of who accessed monitoring data
- secure storage and encryption (where appropriate)
- retention limits and deletion processes
In a small business, even simple controls (like limiting access to the owner and one manager) can make a big difference.
5) Make Sure Your Employment Documents Support Monitoring
Employee internet monitoring is much easier to manage if your expectations are written down clearly. This typically includes:
- an Employment Contract that deals with confidentiality, IT resource use, and workplace rules
- an Acceptable Use Policy outlining permitted and prohibited internet use
- a privacy-focused document that covers employee data handling, like an Employee Privacy Handbook
These documents don’t just “tick a box” - they reduce misunderstandings, support fair processes, and can help you justify monitoring decisions later if you need to rely on them.
Common Risk Areas For Small Businesses (And How To Avoid Them)
Employee internet monitoring can quickly become risky when personal devices, remote work, or mixed personal/work use is involved. Here are a few common scenarios where we see businesses trip up.
Monitoring Personal Use On Work Devices
Many workplaces allow “reasonable personal use” of the internet during breaks. If you do allow this, be careful about how your monitoring is framed.
Even if browsing happens on a work laptop, it may still involve personal information. For example, an employee may search medical information, access their banking, or read sensitive news. If your monitoring captures this level of detail, you’ll want to be extra cautious about:
- whether you truly need that detail
- who can see it
- whether the employee understood that monitoring occurs
If your business doesn’t want any personal browsing at all, you should make that expectation clear (and consider whether it’s realistic for your workplace culture).
BYOD (Bring Your Own Device) And Personal Phones
If employees use their personal phone on your workplace Wi-Fi, you may still capture network logs (depending on your systems). Often, those logs will show connection details such as domains accessed and timestamps - not the full content viewed - but it can still be privacy-sensitive because the device is personal.
If you operate a BYOD environment, it’s worth setting clear boundaries about:
- what the business can monitor on the network
- what the business will not access (for example, personal photos or personal messages)
- what happens if a device is lost or compromised
In some cases, you may choose to offer a separate guest Wi-Fi for personal devices to reduce privacy and employment risk.
Remote Work And Home Networks
Remote work adds another layer: employees may use home internet and personal routers, and they may reasonably expect greater privacy at home.
If you issue company laptops, you can still implement security tools - but you should be careful about “always on” monitoring that could capture information outside work hours.
A practical approach is to:
- limit monitoring to work accounts and work devices
- avoid monitoring outside normal work hours unless there’s a genuine security need
- be upfront about what is logged and when
Monitoring That Turns Into A Disciplinary Process
A common trigger for employee internet monitoring is suspicion that someone is doing the wrong thing. But this is where you need to slow down and make sure you’re following a fair process.
If you plan to rely on monitoring logs to discipline an employee, consider:
- Was the monitoring clearly disclosed in policies or employment documents?
- Was the monitoring proportionate to the concern?
- Have you preserved evidence properly (for example, keeping logs unaltered)?
- Will you give the employee a chance to respond to the allegations and information?
Even if you have strong evidence, mishandling the process can still create risk (for example, a personal grievance).
Should You Have An Internet And Monitoring Policy (And What Should It Say)?
For most small businesses, a written policy is the single best way to manage employee internet monitoring. It sets expectations upfront and reduces the “surprise factor” that causes disputes.
Your policy doesn’t need to be overly legalistic - it just needs to be clear, practical, and consistent with what your systems actually do.
Key Clauses To Include
Many businesses include the following in their workplace internet/IT rules:
- Permitted use: what’s allowed (for example, reasonable personal use during breaks)
- Prohibited use: for example, illegal content, offensive material, copyright infringement, unauthorised downloads, bypassing security controls
- Security obligations: password rules, MFA, not sharing logins, phishing awareness
- Monitoring statement: what is monitored (and that monitoring may occur)
- Investigation statement: that monitoring data may be used to investigate misconduct or policy breaches
- Confidentiality: expectations around client information and trade secrets
- Consequences: what may happen if the policy is breached
This is often included within your broader Workplace Policy suite, so the rules sit alongside other expectations (conduct, bullying/harassment, conflicts, and so on).
Don’t Forget Social Media And Online Behaviour
Internet monitoring issues often overlap with social media use - for example, excessive scrolling during work hours, reputational harm, or harassment using workplace systems.
It can help to align your monitoring approach with your rules on Employee Social Media Use, especially if your team uses social platforms for marketing or customer support as part of their job.
What About Notifying People Every Time You Monitor?
In many workplaces, you won’t (and can’t) notify employees every time an automated security log is created - and you don’t need to. What matters is whether employees were clearly informed that monitoring can occur, and that it may be used for legitimate business purposes.
Targeted monitoring is different. If you’re thinking about monitoring a particular employee more closely than others, it’s smart to get advice first, because the fairness and privacy issues are more sensitive.
Key Takeaways
- In New Zealand, employee internet monitoring is often legal, but it needs to be done in a way that’s transparent, reasonable, and tied to a legitimate business purpose.
- The Privacy Act 2020 and employment law fairness principles matter - especially if you rely on monitoring data for discipline or dismissal.
- Be clear about what you monitor (websites, timestamps, downloads and, in some cases, searches), why you monitor, and who can access the data.
- Keep monitoring proportionate: collect what you need for security and operations, and avoid overly intrusive surveillance without a strong reason.
- Protect your business by documenting expectations in an Employment Contract and practical policies like an Acceptable Use Policy.
- Employee internet monitoring gets trickier with BYOD and remote work, so set boundaries early and make sure staff aren’t surprised by what your systems can see.


