Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, it’s only a matter of time before you face a tricky question: can we check an employee’s emails? Maybe you’re dealing with a suspected data leak, a bullying complaint, a departing employee who handled key client relationships, or you’ve just discovered sensitive information was sent to the wrong person.
Whatever the trigger, monitoring employee emails sits right at the intersection of privacy, employment law, and practical business risk management. Done properly, it can help protect your business. Done badly, it can create serious issues (including privacy complaints, personal grievances, and reputational damage).
Below, we break down how email monitoring generally works in New Zealand, what rules and principles you should keep in mind, and how to set up a policy that protects your business from day one. This article is general information only and isn’t legal advice.
What Does “Employee Email Monitoring” Usually Mean In Practice?
“Employee email monitoring” can cover a range of activities, and the legal risk often depends on what you’re doing, why you’re doing it, and how transparent you’ve been.
Common types of email monitoring include:
- Accessing emails in a work inbox (e.g. name@yourbusiness.co.nz) to find client information, attachments, or records of conversations.
- Reviewing sent items to confirm whether business communications were sent, what was promised, or whether confidential information was shared.
- Keyword searches (e.g. searching for a customer’s name, a project code, or “invoice”).
- Checking metadata and activity logs (e.g. login times, forwarding rules, deleted emails, auto-forwarding to external addresses).
- Ongoing monitoring (e.g. filtering, scanning, or auditing as a standard IT security measure).
It can also involve broader digital monitoring that overlaps with email, such as:
- monitoring chat tools and collaboration platforms
- monitoring internet usage and downloads
- recording phone calls (where emails trigger call-backs or follow-ups)
If your business uses broader monitoring tools, it’s worth also thinking about workplace surveillance generally (see, for example, Are Cameras Legal In The Workplace?) and communications recording rules (see, for example, business call recording laws).
Is Employee Email Monitoring Legal In New Zealand?
In New Zealand, employee email monitoring can be lawful, but it’s not a “do whatever you want” zone. Even where an email account is provided by the business, employees may still have privacy interests in personal information contained in messages, and monitoring needs to be handled fairly, for a proper purpose, and with privacy obligations in mind.
There isn’t one single “email monitoring law”, but these are the key legal frameworks employers usually need to consider:
1) The Privacy Act 2020 (And Privacy Principles)
Most employee email monitoring involves collecting, using, or disclosing personal information (even if the inbox is a “work” inbox). The Privacy Act 2020 sets expectations around things like:
- purpose: are you collecting/accessing information for a legitimate reason connected to your business?
- transparency: have you told staff what may be monitored and why?
- minimisation: are you collecting only what you need (not doing a fishing expedition)?
- security: are you limiting who can access the emails and storing any extracted material securely?
- access/correction: does the employee have rights to access information held about them (subject to specific grounds for refusing access in some cases)?
For many small businesses, your privacy posture is helped a lot by having a clear Privacy Policy and internal processes that match what you say you do.
2) Employment Relations Act 2000 (Fair Process And Good Faith)
Even if you have operational reasons to access business systems, how you do it matters. Employment law in NZ strongly focuses on fairness and process. If email monitoring is used in a disciplinary process, investigation, or performance management context, you’ll generally need to act in a way that is:
- fair and reasonable in the circumstances
- consistent with your policies
- done in good faith (not misleading, not predetermined, not punitive)
From a risk perspective, one of the biggest triggers for personal grievances is not just what an employer finds, but how the employer went about looking.
3) Your Employment Contract And Workplace Policies
Your strongest “day one” protection is making sure your internal rules are clear and agreed up front, usually through a combination of an Employment Contract and a Workplace Policy setting expectations about communications, systems use, and investigations.
If you try to introduce monitoring after a problem arises, it can look reactive (and unfair), and you may have less room to move.
When Can Employers Access Employee Emails (And When Should You Be Careful)?
As a practical guide, employers are usually on safer ground where the monitoring/access is:
- for a clear business purpose (security, continuity, legal compliance, investigation of misconduct)
- proportionate (limited to what you need)
- transparent (staff have been told this may happen)
- handled confidentially (limited access, proper records)
Here are common scenarios and the key issues to consider.
Scenario A: An Employee Is Away Or Has Left (Business Continuity)
If someone is on leave, unwell, or has resigned, you may need to access their inbox to:
- find customer orders or job details
- retrieve documents and attachments
- respond to client emails that have landed in their inbox
Tip: This is where your IT setup matters. Often the lowest-risk option is to:
- use shared inboxes for key functions (e.g. accounts@, sales@)
- turn on an out-of-office message with an alternative contact
- set up forwarding rules that are documented and approved
If you must access an individual inbox, have a documented reason, limit what you access, and keep it to business communications wherever possible.
Scenario B: Suspected Misconduct (Confidential Information, Bullying, Fraud)
If you suspect a staff member has:
- shared confidential information
- harassed or bullied someone via email
- taken customer lists when leaving
- been running a competing business through work email
…then email monitoring may be part of an investigation. This is where you need to be extra careful about:
- scope creep: only collect what’s relevant to the allegations
- process: make sure your investigation is fair (and not predetermined)
- record-keeping: document who accessed what, when, and why
Also check whether your issue overlaps with other “conduct outside work” areas. For example, if the concern involves online conduct and reputational issues, your rules should align with guidance on employee social media use.
Scenario C: Monitoring For IT Security (Ongoing, Preventative Monitoring)
Many businesses now do some level of monitoring as a standard security practice, such as scanning for malware, phishing, unusual forwarding rules, or data exfiltration patterns.
Done right, this is often easier to justify than ad-hoc monitoring because it’s:
- system-wide
- not targeted at a particular employee
- clearly connected to security and confidentiality
But it still needs to be communicated and designed with privacy in mind (including limiting access to alerts and audit logs).
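As an added illustration of the system-wide, non-targeted security check described above (this is example code written for this article, not Sprintlaw’s or any vendor’s tooling), the script below runs a tenant-wide review of mailbox forwarding rules and flags any rule that forwards to an address outside the business’s own domain. It assumes the rules have already been exported from the mail platform into the simple dictionary form shown (that format is an assumption), the internal domain and the four sample rules are constructed, and the audit record it produces keeps only who ran the check, why, when, and the rule metadata, never message content.

```python
"""Tenant-wide audit of mailbox auto-forwarding rules.

Added example, not code from the original article or from Sprintlaw.
It assumes rules have already been exported from the mail platform into
the dict form below (that export format is an assumption); the internal
domain and the sample rules are constructed for the example.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Domains the business treats as internal (constructed for the example).
INTERNAL_DOMAINS = {"yourbusiness.co.nz"}

# Sample rule export (constructed). Only rule metadata is present: the audit
# never needs message bodies, so none are collected.
SAMPLE_RULES = [
    {"mailbox": "jane@yourbusiness.co.nz", "rule_id": "r1",
     "action": "forward", "target": "accounts@yourbusiness.co.nz"},
    {"mailbox": "sam@yourbusiness.co.nz", "rule_id": "r2",
     "action": "forward", "target": "sam.personal@example.com"},
    {"mailbox": "sam@yourbusiness.co.nz", "rule_id": "r3",
     "action": "move", "target": "Archive"},
    {"mailbox": "kim@yourbusiness.co.nz", "rule_id": "r4",
     "action": "forward", "target": "kim@YourBusiness.co.nz"},
]


@dataclass(frozen=True)
class Finding:
    mailbox: str
    rule_id: str
    target_domain: str  # domain only: the full address is not needed for triage


def target_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def external_forwarding_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag every forward action whose destination domain is not internal.

    The check runs over all mailboxes rather than a named employee, which
    matches the system-wide, non-targeted monitoring the article describes.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "forward" or "@" not in rule["target"]:
            continue
        domain = target_domain(rule["target"])
        if domain not in internal_domains:
            findings.append(Finding(rule["mailbox"], rule["rule_id"], domain))
    return findings


def audit_record(findings, reviewer: str, purpose: str) -> dict:
    """Build the who/what/when/why entry kept alongside the findings."""
    return {
        "reviewer": reviewer,
        "purpose": purpose,
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    found = external_forwarding_rules(SAMPLE_RULES)
    print(audit_record(found, reviewer="it-admin",
                       purpose="weekly forwarding-rule review"))
```

Only rule `r2` is flagged: `r1` and `r4` forward internally (the domain comparison is case-insensitive), and `r3` is not a forward. Keeping the audit record limited to rule metadata is what makes this easy to justify under the minimisation and restricted-access points above.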
When You Should Be Especially Cautious
Employee email monitoring becomes higher risk when:
- the monitoring is secret and you haven’t clearly warned employees it may occur
- you monitor personal emails (e.g. the employee’s private Gmail accessed through a browser)
- you use monitoring to “build a case” without following a fair process
- you access sensitive personal content that isn’t relevant to your business purpose
- you share the emails widely internally (“office gossip” risk) instead of restricting access
Even if you’re trying to protect the business, heavy-handed monitoring can backfire if it’s not justified and proportionate.
How To Set Up An Email Monitoring Policy That Actually Protects Your Business
If you want to do employee email monitoring properly, it shouldn’t start when something goes wrong. The best approach is to put clear rules in place early so expectations are set from day one.
Here’s a practical checklist most small businesses can work through.
1) Make It Clear What Systems Are “Work Systems”
Spell out what counts as business systems, such as:
- your email accounts and domains
- company devices (laptops, phones)
- messaging and file storage tools
- your Wi-Fi and network
This matters because employees often assume they have privacy in “their” inbox, while employers assume anything on the company system is business property. Clear wording reduces misunderstandings.
2) Explain What Monitoring May Happen (And Why)
Your policy should explain, in plain language:
- what you may monitor (e.g. emails, attachments, logs, forwarding)
- why (e.g. security, client service continuity, legal compliance, investigating misconduct)
- how (e.g. limited access, approvals, audits)
- when (e.g. where reasonably necessary, or in defined situations)
This is often best handled as part of an employee privacy framework (and it’s where an Employee Privacy Handbook can be useful for pulling everything into one consistent set of expectations).
3) Set Boundaries Around Personal Use
Lots of workplaces allow “reasonable personal use” of email and internet. That’s fine, but it should be explicit, because it affects expectations of privacy and monitoring.
For example, you might:
- allow minimal personal use but warn that work systems may still be monitored
- prohibit personal use entirely (which can be harder to enforce in practice)
- set rules about personal accounts on work devices (especially for remote work)
If you allow personal use, you should plan for the reality that some personal information may be incidentally collected during legitimate monitoring. That makes “minimisation” and confidentiality even more important.
4) Define A Clear Internal Approval Process
A major risk in employee email monitoring is informal access (e.g. a manager logging into someone’s inbox out of curiosity or frustration).
To prevent that, your business should have a simple internal process, such as:
- only specific roles can approve access (e.g. director/owner, HR manager)
- only specific roles can carry it out (e.g. IT admin)
- all access must be documented (who/what/when/why)
- any copied material is stored securely and access-limited
This is also helpful evidence if your decision-making is later challenged.
5) Align Your Monitoring With Your Wider Employment Documents
Email monitoring shouldn’t sit in a vacuum. It should match your:
- confidentiality expectations
- disciplinary and investigation processes
- device and internet use rules
- remote working arrangements
This is why it’s common to include communications and monitoring rules in a set of Workplace Policy documents, and to reinforce key points in the employment agreement.
Common Pitfalls With Employee Email Monitoring (And How To Avoid Them)
Even well-meaning employers can stumble here. These are some of the most common mistakes we see in small businesses.
1) “We Own The Email Account, So We Can Do Anything”
It’s true that a work email account is usually a business tool. But that doesn’t automatically make any kind of access lawful or fair. Covert monitoring, overbroad searches, or accessing irrelevant personal content can still create Privacy Act and employment law risk.
Fix: Anchor your monitoring to a legitimate business reason, limit what you collect, and follow your own policies.
2) Doing A Broad “Fishing Expedition”
Searching months (or years) of emails with no defined purpose is where monitoring can look excessive.
Fix: Keep the scope narrow. Use date ranges, specific keywords, and relevance-based review.
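To show how the internal approval process from section 4 and the narrow-scope advice in this pitfall fit together in practice, here is an added example (written for this article; it is not Sprintlaw’s code and not a description of any particular mail platform). It assumes the relevant emails have already been retrieved into the simple record form shown (an assumption), and the role names, people, purpose and three sample messages are all constructed. Access is refused unless a permitted role has approved a stated purpose, the search is confined to the approved date range and keywords, and every run is logged with who, what, when and why, recording counts and scope rather than message content.

```python
"""Scoped inbox search with approval and access logging.

Added example, not code from the original article or from Sprintlaw.
It assumes emails have already been retrieved into the record form
below (an assumption); roles, names and messages are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

APPROVER_ROLES = {"director", "hr_manager"}  # who may approve (constructed policy)
EXECUTOR_ROLES = {"it_admin"}                 # who may carry it out (constructed policy)


@dataclass(frozen=True)
class Email:
    sent: date
    subject: str
    body: str


@dataclass
class AccessRequest:
    requested_by: str
    approver: str
    approver_role: str
    executor: str
    executor_role: str
    purpose: str
    date_from: date
    date_to: date
    keywords: tuple  # the search is limited to these terms
    approved: bool = False


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)


def approve(req: AccessRequest) -> AccessRequest:
    """Approval is only valid from a role the policy names, with a stated purpose."""
    if req.approver_role not in APPROVER_ROLES:
        raise PermissionError(f"{req.approver} ({req.approver_role}) may not approve access")
    if not req.purpose.strip():
        raise ValueError("an access request needs a stated purpose")
    req.approved = True
    return req


def scoped_search(mailbox, req: AccessRequest, log: AccessLog):
    """Return only emails inside the approved date range that match a keyword.

    Every run is logged (who/what/when/why) whether or not anything matched;
    the log records counts and scope, not message content.
    """
    if not req.approved:
        raise PermissionError("search attempted without approval")
    if req.executor_role not in EXECUTOR_ROLES:
        raise PermissionError(f"{req.executor} ({req.executor_role}) may not perform access")
    terms = [k.lower() for k in req.keywords]
    hits = [
        e for e in mailbox
        if req.date_from <= e.sent <= req.date_to
        and any(t in e.subject.lower() or t in e.body.lower() for t in terms)
    ]
    log.entries.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": req.executor,
        "approved_by": req.approver,
        "why": req.purpose,
        "scope": {"from": str(req.date_from), "to": str(req.date_to),
                  "keywords": list(req.keywords)},
        "emails_reviewed": len(mailbox),
        "emails_matched": len(hits),
    })
    return hits


# Constructed sample inbox: one relevant message, one outside the date range,
# one personal message that the scoped search must not surface.
SAMPLE_MAILBOX = [
    Email(date(2024, 3, 4), "Invoice 1042 - Acme Ltd", "Attached invoice as discussed."),
    Email(date(2023, 11, 20), "Invoice 0981 - Acme Ltd", "Older invoice."),
    Email(date(2024, 3, 5), "Doctor appointment", "Reminder for Thursday."),
]


def example_run():
    """Approve a narrowly scoped request and run it against the sample inbox."""
    log = AccessLog()
    req = approve(AccessRequest(
        requested_by="ops-lead", approver="owner", approver_role="director",
        executor="it-admin", executor_role="it_admin",
        purpose="retrieve Acme Ltd invoices while account manager is on leave",
        date_from=date(2024, 3, 1), date_to=date(2024, 3, 31),
        keywords=("acme", "invoice"),
    ))
    return scoped_search(SAMPLE_MAILBOX, req, log), log


if __name__ == "__main__":
    hits, log = example_run()
    print([h.subject for h in hits])
    print(log.entries[-1])
```

The run returns only the March 2024 Acme invoice: the older invoice falls outside the approved date range and the personal message matches no keyword, so neither is ever surfaced. Because the log entry exists even when nothing matches, it doubles as the documented record that section 4 recommends if the decision is later challenged.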
3) Failing To Treat Collected Emails As Sensitive Information
Emails often contain:
- customer personal information
- staff personal details
- medical information (e.g. sick leave notes)
- banking/payment information
Fix: Lock down access, store extracts securely, and don’t forward emails around internally “for visibility” unless it’s truly necessary.
4) Not Planning For BYOD And Remote Work
If staff use personal devices (BYOD) or work remotely, lines blur fast.
Fix: Make sure your policies cover:
- use of personal devices for work
- separation of personal and business accounts
- security requirements (passwords, MFA, device lock)
- what happens when an employee leaves
5) Letting Monitoring Become A Substitute For Good Systems
If the only place customer history lives is one person’s inbox, you’ll constantly be tempted to access emails for basic operations.
Fix: Where possible, build resilient systems:
- use a CRM or shared recordkeeping for customers
- store contracts and invoices in shared folders
- use shared inboxes for key workflows
This reduces both business disruption and privacy risk.
Key Takeaways
- Employee email monitoring can be legal in New Zealand, but it needs a clear business purpose, an appropriate scope, and a fair process, especially where it might lead to discipline or termination.
- The Privacy Act 2020 is a key consideration, because accessing a work inbox often involves collecting or using personal information, so purpose, transparency, and minimisation matter.
- Employment law requires fair process and good faith; even if monitoring reveals misconduct, a flawed investigation can still create legal risk.
- Your Employment Contract and Workplace Policies should clearly explain monitoring, what staff can expect, and what counts as acceptable use of business systems.
- Have an internal approval process so monitoring is controlled, documented, and limited to those who genuinely need access.
- Design your systems to reduce reliance on accessing individual inboxes, using shared inboxes and centralised recordkeeping where possible.
If you’d like help setting up (or reviewing) your employee email monitoring approach, including the right employment terms and privacy documents, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.