Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
It happens faster than you’d like to admit.
You’re replying to a customer, rushing between jobs, and you attach the wrong file. Or you hit “Reply All” and include a pricing sheet meant for internal eyes only. Or an employee forwards something internally… and it goes to the wrong external contact.
For small businesses, accidentally sending confidential information can feel like an instant worst-case scenario: relationships on the line, reputational damage, and a big question sitting underneath it all.
Can you dismiss an employee for it?
The short answer is: sometimes, but not automatically. In New Zealand, employment law focuses heavily on process and reasonableness, and privacy law may also come into play depending on what was disclosed.
This article breaks down what you need to know as an NZ employer: when an accidental disclosure might justify disciplinary action (including dismissal), what your obligations are under the Privacy Act 2020, and how to protect your business with the right policies and contracts from day one.
What Counts As “Confidential Information” In A Small Business?
In practice, “confidential information” is anything your business treats as private, commercially sensitive, or restricted to certain people.
What’s tricky is that confidentiality isn’t limited to dramatic trade secrets. For most SMEs, confidential information often includes everyday documents and data.
Common Examples Of Confidential Information
- Customer details (names, addresses, phone numbers, purchase history)
- Employee information (pay rates, performance notes, medical information, leave records)
- Pricing and margins (supplier costs, wholesale rates, discount structures)
- Commercial plans (budgets, forecasts, tender documents, growth plans)
- Intellectual property (designs, product formulas, internal training materials)
- Contracts and negotiations (draft agreements, settlement discussions, legal advice)
A big dividing line is whether the information is also personal information. If it identifies an individual (or could reasonably identify them), privacy law can apply.
That’s why this issue often sits at the intersection of employment law and privacy law. You’re managing conduct and performance on one hand, and information protection obligations on the other.
Accidentally Sending Confidential Information: Is It A Privacy Breach Under NZ Law?
It can be.
Under the Privacy Act 2020, a privacy breach can include situations where:
- personal information is accessed, disclosed, altered, lost, or destroyed (accidentally or intentionally), and
- this happens without authority, or in a way that compromises the privacy of the person concerned.
So if the accidental email contained a customer list, employee medical note, or an invoice with a customer’s address and payment details, you may be dealing with a privacy breach (not just a workplace mistake).
When Do You Need To Notify Anyone?
Not every privacy breach needs to be reported externally. But if it’s a notifiable privacy breach (meaning it has caused, or is likely to cause, serious harm to the affected person/people), you may need to notify:
- the affected individual(s), and
- the Office of the Privacy Commissioner (OPC).
Whether “serious harm” is likely depends on things like the sensitivity of the information, who received it, whether it can be retrieved, and what the recipient might do with it.
Even when it isn’t “notifiable”, you still need to respond appropriately as a business. That usually includes containing the breach (for example, requesting deletion), assessing impact, and improving safeguards.
Having a clear Privacy Policy helps set expectations around how your business handles personal information, but your internal processes (training, access controls, and breach response) are just as important.
Can You Dismiss An Employee For Accidentally Sending Confidential Information?
Potentially, yes - but dismissal is not the default outcome, and it won’t be lawful unless you meet New Zealand’s employment law standards.
In NZ, dismissals must be both:
- substantively justified (there is a good reason), and
- procedurally fair (you followed a fair process).
The question usually isn’t “Did they make a mistake?” It’s:
- How serious was the mistake?
- Was it genuinely accidental?
- What harm did it cause (or could it have caused)?
- What policies, training, and expectations were in place?
- Is dismissal a reasonable response in the circumstances?
Situations Where Dismissal Might Be Justified
Accidentally sending confidential information can, in some situations, amount to serious misconduct or be treated as serious enough to justify dismissal (often after investigation), especially where:
- the disclosure involved highly sensitive personal information (for example, medical information or detailed employee records)
- the employee acted with recklessness (for example, repeatedly ignoring clear instructions or security steps)
- there’s a history of similar issues (repeated carelessness after warnings and training)
- there’s a clear breach of trust in a role where confidentiality is fundamental (for example, finance, HR, senior management)
- the mistake caused significant harm to the business or individuals
Even then, you usually still need to look at whether a warning, retraining, or changes to role/access could reasonably address the risk.
Situations Where Dismissal Is Less Likely To Be Justified
You’ll generally be on shakier ground if:
- the business didn’t provide clear confidentiality expectations or training
- there’s no policy around email, security, or handling sensitive information
- the employee reported the error immediately and took steps to contain it
- the disclosure was minimal and low-risk (for example, a non-sensitive attachment, quickly corrected)
- the employee has a strong record and it’s a genuine one-off mistake
This is where your legal foundations matter. If you have a well-drafted Employment Contract with confidentiality clauses, and workplace policies that actually reflect how your business operates, you’re in a much better position to respond fairly and consistently.
What Process Should You Follow As An Employer (So You Don’t Create A Bigger Problem)?
When an accidental disclosure happens, many businesses want to act immediately - and that makes sense. But moving too quickly can create risk of an unjustified dismissal or a personal grievance.
A good approach is to run two tracks at the same time:
- Contain the information issue (privacy/confidentiality risk management)
- Manage the employment issue (disciplinary process, if warranted)
Step 1: Contain The Disclosure
Practical first steps often include:
- asking the recipient to delete the email and attachments (and confirm they’ve done so)
- recalling the email where possible (not always effective, but worth trying)
- changing passwords/access if credentials or security information were involved
- restricting internal access to the relevant data while you investigate
- documenting what happened and when (you’ll want a clear record)
If personal information was involved, consider whether you need a formal breach assessment and whether notification obligations might be triggered.
Step 2: Investigate Before You Decide
In employment law terms, you generally need to:
- investigate the incident properly
- tell the employee what the concern is (clearly and with enough detail)
- give the employee a real opportunity to respond
- consider the response with an open mind
This is not just a “tick the box” exercise. If you’ve already decided on the outcome before hearing from the employee, you can undermine the fairness of the process.
Step 3: Consider Proportionate Outcomes
Depending on severity, outcomes might include:
- no formal action (but coaching or process change)
- training and updated procedures
- a written warning (for negligence/carelessness)
- a final warning (for serious carelessness or repeated issues)
- dismissal (usually where the conduct is serious enough to justify termination, including serious misconduct or repeated issues after warnings)
It can help to ask: What would a fair and reasonable employer do in these circumstances? That “reasonableness” lens is a common theme in NZ employment disputes.
Step 4: Don’t Forget Notice, Final Pay, And Documentation
If the situation leads to termination, make sure you handle notice and final entitlements correctly and document the decision.
In some cases (for example, serious misconduct) an employer may consider dismissal without notice, but this depends on the circumstances and requires a fair process. Otherwise, termination will typically involve working out notice under the employment agreement (or any relevant minimums) and ensuring final pay (including any holiday pay) is calculated correctly.
Where notice is being paid out instead of worked, you may also need to think about payment in lieu of notice and what your contract allows.
The aim is to avoid a second dispute after the first one - for example, an argument about whether notice was valid, whether holidays were paid correctly, or whether the termination letter matches the process you followed.
How Can NZ Businesses Reduce The Risk Of Accidental Disclosures In The First Place?
Most accidental disclosures are preventable with a mix of good systems and clear expectations.
And the best time to put those protections in place is before you have a close call (or an actual breach).
Put Clear Confidentiality Expectations In Writing
Your first line of defence is a properly drafted employment agreement that:
- defines what “confidential information” means in your business
- sets rules about use, disclosure, storage, and return of information
- makes it clear confidentiality obligations continue after employment ends
This is typically built into your Employment Contract, and often supported by policies or a staff handbook.
Use Practical Policies (Not Just Generic Templates)
If you’re relying on a policy, it should reflect reality. For example, if your team uses personal phones, WhatsApp, or cloud drives for work, your policies should address that clearly.
Common policies that help prevent accidental disclosure include:
- email and communications policy (including “Reply All” expectations and attachment checks)
- data handling and access control policy (who can access what)
- working from home practices (screen privacy, shared devices, printing)
- incident reporting (how to escalate quickly when something goes wrong)
If your business records or monitors communications (for training, compliance, or security), you’ll also want to be careful about the rules around monitoring and consent. Depending on what you do, call recording laws and privacy obligations can be relevant.
Train Your Team (And Refresh Training)
Training doesn’t need to be fancy. It just needs to be consistent and documented.
For example:
- run a 20-minute onboarding session on handling customer information
- show staff how to use BCC and double-check recipients
- require a second-person check before sending certain documents (payroll, customer lists, contracts)
- teach staff what to do immediately if they make a mistake (reporting early is key)
When an incident happens, documented training helps you show that expectations were clear and the business took reasonable steps to prevent breaches.
Set Up Simple Technical Safeguards
Even small businesses can implement meaningful safeguards without big budgets. For example:
- limit access to folders based on role (especially HR and finance)
- use password protection for sensitive attachments
- set up “external email” warnings for staff
- use two-factor authentication
- have a clear process for offboarding and revoking access
These practical measures also support your Privacy Act obligations, because they show you’re taking reasonable steps to protect information.
Key Takeaways
- Accidentally sending confidential information is a common business risk, but whether it justifies dismissal depends on severity, context, and whether you follow a fair process.
- If the disclosure involves personal information, it may be a privacy breach under the Privacy Act 2020, and in serious cases you may need to notify affected individuals and the Privacy Commissioner.
- As an employer, you need both substantive justification and procedural fairness before disciplining or dismissing an employee for an accidental disclosure.
- Strong legal foundations help you respond properly: a clear Employment Contract, enforceable confidentiality terms, and practical workplace policies reduce confusion and risk.
- Prevention is usually cheaper than cleanup - training, access controls, and clear reporting processes can significantly reduce accidental disclosures.
- If you’re unsure whether an incident is “serious misconduct”, a notifiable privacy breach, or a situation better handled through coaching and process changes, getting tailored legal advice early can save you a lot of time and stress.
If you’d like help reviewing your employment documents, confidentiality protections, or privacy compliance, you can reach us at 0800 002 184 or team@sprintlaw.co.nz to discuss next steps.


