Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you employ staff in New Zealand, there’s a good chance you’ll eventually receive a request like: “Can I please get a copy of all the information you hold about me?”
For many small businesses, this can feel a bit intimidating. You might be wondering what you have to hand over, how quickly you need to respond, and whether you’re allowed to refuse parts of the request (especially if it involves other people or sensitive workplace issues).
The good news is that the Privacy Act 2020 sets out a clear framework, and once you have a process in place, handling these requests becomes much more manageable.
This guide explains what you need to know as an employer, what “employee information” can include, what your timeframes are, when you can refuse or withhold information, and the practical steps to respond without creating unnecessary risk for your business.
What Counts As An “Employee Information Request” Under The Privacy Act 2020?
Under the Privacy Act 2020, employees (and job applicants) generally have a right to request access to personal information about them that your business holds.
This is often called an “access request” or a “request for personal information”, and it is one of the most common Privacy Act issues employers deal with.
What Is “Personal Information” In An Employment Context?
In simple terms, personal information is information about an identifiable individual. In the workplace, that can include obvious things like payroll records, but it can also include less obvious records created during day-to-day management.
Examples can include:
- employment agreements, variations and written policies acknowledged by the employee
- payroll data, timesheets, leave records and deductions
- performance review notes and KPIs
- disciplinary process documentation (warnings, investigation notes, meeting minutes)
- emails, chat messages, or internal notes that are about the employee
- complaints made by or about the employee
- CCTV footage or access logs (if the person is identifiable)
- health or injury information (often “sensitive” personal information)
- recruitment information (CVs, interview notes, reference checks)
Even if you don’t think of something as part of the employee’s “file”, it can still be personal information if it’s about them and your business holds it.
Is The Employee Entitled To “Everything”?
Not necessarily. The right is a right of access to their own personal information. That is not the same as an automatic right to access:
- confidential business information that isn’t actually about them
- information that identifies other individuals (unless it can be reasonably separated)
- information you are entitled to refuse or withhold under the Privacy Act 2020 (more on this below)
The tricky part is that many workplace documents contain a mix of information (for example, a complaint email might discuss multiple staff). In those cases, you may need to redact or withhold parts rather than release the document “as-is”.
What Are Your Core Obligations When You Receive A Privacy Act 2020 Employee Information Request?
When a current or former employee makes an access request, your obligations usually come down to a few key points:
- Take the request seriously and respond within the required timeframe
- Confirm what’s being requested (and clarify scope if needed)
- Verify identity before disclosing information
- Decide whether to grant access in full, in part, or refuse (with lawful reasons)
- Provide the information in an accessible way (usually copies)
- Keep a record of what you did and why
Timeframes: How Quickly Do You Have To Respond?
As a general rule, you must respond to a Privacy Act access request as soon as reasonably practicable, and in any case no later than 20 working days after receiving it.
In practice, “respond” means you must make a decision (grant, grant in part, or refuse) and communicate it within that timeframe. If you are granting access, you should also provide the information without undue delay - ordinarily within the same 20 working days.
If the request is complex (for example, it involves a large volume of records, or requires consultation to protect other people’s privacy), you may be able to extend the time limit. If you do extend time, make sure you do it properly: notify the employee within the original 20 working days, explain why you are extending, confirm the new due date, and tell them they can complain to the Privacy Commissioner about the extension. An extension you have not notified in time is, in practice, a missed deadline.
Do You Need A Formal Form Or Specific Wording?
No. An employee doesn’t need to mention the Privacy Act 2020 for it to be a valid request.
If someone emails saying “I want all notes, emails, and documents about me”, that can still be a Privacy Act 2020 employee information request.
It’s a good idea to have an internal procedure (and train your managers) so that these requests get escalated quickly, rather than sitting in someone’s inbox until it becomes urgent.
Many businesses use a standard process and template, such as an Access Request Form, to help clarify scope and keep records consistent.
A Step-By-Step Process For Handling Employee Information Requests (Practical Checklist)
If you want to reduce stress (and avoid accidental non-compliance), it helps to follow a consistent workflow every time.
1) Acknowledge The Request Promptly
You don’t need to have the full response ready straight away, but you should acknowledge receipt and confirm the next steps.
This is where you can:
- confirm the date you received the request (so the 20 working day clock is clear to both sides)
- ask for clarification if the request is broad
- ask for ID verification if needed (keep this proportionate - a reply from the employee’s known email address or a check against details you already hold is often enough)
2) Confirm Identity And Authority
Before releasing anything, make sure you are confident the requester is who they say they are. Sending an employee’s file to the wrong person in response to an access request is itself a privacy breach, so verify through a channel you already trust rather than asking for more identity documents than you need.
If a request comes from a representative (for example, a lawyer, advocate, or family member), you will usually want written confirmation, signed by the employee, that the representative is authorised to receive the information on their behalf.
3) Clarify The Scope (If Needed)
Some requests are extremely broad, like “everything you’ve ever written about me”. You can ask reasonable clarification questions to narrow it down, such as:
- the time period they’re interested in
- the categories of documents (performance, payroll, disciplinary, etc.)
- specific issues or events
Even if the employee won’t narrow the request, you still need to process it, and asking for clarification does not by itself pause the 20 working day clock - but clarification can help you respond faster and reduce disputes.
4) Collect The Information From All The Places It Might Live
In small businesses, employee information is often spread across multiple systems.
Depending on how you operate, you may need to check:
- HR folders (digital or physical)
- payroll systems and leave records
- email accounts and internal chat tools
- rosters/timekeeping systems
- incident registers and health and safety records
- CCTV systems or access control logs
- manager notebooks, diaries, personal phones used for work messages, or handwritten notes (yes, these can count too)
This is one reason it’s worth having a clear Workplace Policy about record-keeping and business communications, so information is stored in a controlled and searchable way.
5) Review For Redactions, Withholding Grounds, And Sensitive Content
Before handing over anything, you should review the material carefully. This is where employers often get caught out - especially where documents contain information about other staff, complainants, customers, or witnesses.
Common practical steps include:
- sorting documents into “disclose”, “disclose with redactions”, and “potentially refuse/withhold”
- removing third-party identifiers where appropriate (and checking that the redacted version doesn’t still identify the person by context - a job title or a date can be enough in a small team)
- checking whether disclosure could create safety risks or unfairly impact others
- checking whether there are lawful reasons to refuse or withhold parts (for example, legal privilege, protected evaluative material, or where disclosure would be an unwarranted disclosure of another person’s affairs)
- recording, for each redaction or withholding, which ground you relied on and why, so the decision can be explained if it is challenged
6) Respond In Writing And Provide The Information In A Usable Format
Most businesses provide copies electronically (for example, as PDFs) unless there is a reason to do otherwise. If you redact electronically, make sure the redaction actually removes the underlying text rather than just covering it - a black box drawn over a PDF can often be lifted off.
When providing the response, you should include:
- what information you are providing
- what you have withheld or redacted (if anything)
- the reason for any refusal or withholding (the withholding ground you are relying on, not just “confidential”)
- what the employee can do if they disagree (including that they can complain to the Privacy Commissioner)
If you’re regularly dealing with staff privacy issues, an Employee Privacy Handbook can help set expectations about how workplace information is collected, used, stored, and accessed.
When Can You Refuse Or Withhold Information (And What Are The Common Employer Pitfalls)?
Yes - there are situations where you can lawfully refuse a request or withhold certain information. But you need to be careful and apply the Privacy Act 2020’s specific refusal and withholding grounds to the particular information requested (often on a document-by-document, or even line-by-line, basis). The starting point is that the employee is entitled to the information; the onus is on you to identify a ground for each part you withhold.
In practice, many disputes arise because an employer:
- assumes that marking something “confidential” means they can refuse (it doesn’t, on its own)
- releases documents without considering other people’s privacy
- misses the 20 working day deadline (or extends time without doing it correctly)
- over-withholds information without a clear legal basis, or withholds a whole document when only part of it qualifies
Third-Party Privacy (Other Employees, Customers, Witnesses)
A very common issue is information that includes other identifiable people.
For example, an employee requests “all documents about the complaint made against me”, but the complaint includes the complainant’s personal details, witness statements, or customer information.
Often, the practical approach is to:
- provide the relevant document, but redact names and identifying details where appropriate
- withhold parts where disclosure would unreasonably reveal another person’s personal information (or where releasing it could create safety or retaliation risks)
Confidential Evaluations And References
Some information may be withheld where it falls within specific grounds (for example, certain evaluative material gathered to determine suitability for employment, continued employment, promotion, or similar decisions - often on the understanding it would be kept confidential).
These situations can be nuanced - it’s worth getting legal advice before refusing access, particularly if the request relates to a dispute or termination scenario.
Workplace Investigations, Misconduct, And Disciplinary Matters
When an employee makes an access request during (or after) a workplace investigation, you need to balance:
- their right to access their personal information, and
- the privacy and safety of complainants/witnesses, and
- the integrity of the process (including whether early disclosure could prejudice an ongoing investigation or related employment process)
There isn’t a one-size-fits-all answer. The risk for employers is either withholding too much (and triggering a complaint) or disclosing too much (and exposing other staff or undermining trust in your processes). Where you do withhold, be clear on the specific lawful basis you are relying on for each item (for example, protecting the privacy of others, evaluative material, legal privilege, or another recognised withholding ground), and record that basis at the time you make the decision.
This is also where having properly drafted Employment Contract documentation and a clear disciplinary framework can help, because your record-keeping tends to be cleaner and more consistent from day one.
“We Don’t Have To Provide Emails Or Internal Messages, Right?”
Not quite. If an email (or chat message) contains personal information about the employee, it falls within the scope of a request whether or not it was ever put on their “file”.
That doesn’t mean you must hand over entire mailboxes, but it does mean you need a defensible method for identifying relevant communications (for example, searching by name, role and the relevant date range across the accounts of the people who managed the employee), applying redactions where needed, and withholding only where you have a lawful basis to do so.
Special Situations Small Business Employers Should Prepare For
Not every Privacy Act 2020 employee information request is the same. Here are a few scenarios where we often see small businesses get stuck.
Requests After Resignation Or Termination
Many requests happen after an employment relationship ends, especially if there’s an unresolved dispute.
Even if the employee has left, your obligations under the Privacy Act 2020 generally still apply to personal information you hold about them.
Tip: treat these requests as a “red flag” that the situation may escalate. Make sure your response is timely, consistent, and carefully reviewed.
CCTV Footage And Workplace Monitoring
If your workplace uses CCTV, swipe cards, GPS tracking, or device monitoring, employees may request access to footage or logs where they’re identifiable.
Two common issues come up:
- Retention periods: if your CCTV system overwrites footage quickly, you may not have it by the time a request is made. Once you receive a request (or know one is likely), preserve the relevant footage immediately so it isn’t overwritten while you are deciding how to respond
- Other people in the footage: footage may also capture customers and staff, so you may need to consider redaction, providing stills, or arranging a controlled viewing
If you operate cameras at work, it’s worth making sure your practices are consistent with the principles covered in Are Cameras Legal In The Workplace.
Health Information And Sensitive Personal Information
Medical certificates, injury records, and other health-related information can be particularly sensitive.
You should ensure access to this information is managed carefully, that it is stored securely, and that it is only shared with those who genuinely need it for employment purposes. Also keep in mind that some information employees assume you “have” (for example, detailed EAP counselling notes) is often held by the external provider rather than the employer, so your response will usually be limited to what your business actually holds - and you should say so, rather than leaving the employee to assume you are withholding it.
What If You’ve Had A Data Breach?
If an employee request arises because of a suspected privacy incident (for example, their information was disclosed to the wrong person), you should switch into “incident response mode” quickly: contain the disclosure, work out what was affected, and assess whether the breach is one you must notify to the Privacy Commissioner and the affected individuals under the Privacy Act 2020. The access request still has to be answered within the usual timeframe.
A written Data Breach Response Plan can help you act fast, document what happened, and reduce the risk of follow-on complaints.
Key Takeaways
- Employee information requests under the Privacy Act 2020 can cover a wide range of documents, including HR files, payroll records, emails, investigation notes, and CCTV footage (if the employee is identifiable).
- As an employer, you generally need to respond as soon as reasonably practicable and within 20 working days, so it’s important to escalate requests quickly and track deadlines (and if you need more time, extend properly and on time).
- Employees are entitled to access their personal information, but that doesn’t always mean you must provide everything in full - you may need to redact third-party information or rely on specific lawful withholding grounds in some situations.
- A consistent internal process helps you manage scope, verify identity, locate information across systems, and respond in a way that reduces legal and operational risk.
- Workplace investigations, complaints, and monitoring systems (like CCTV) are common “high-risk” areas where careful handling and legal advice can make a big difference.
- Clear documentation from the start (including a solid Employment Contract and workplace privacy rules) makes responding to requests faster and less stressful.
If you’d like help setting up a practical process for Privacy Act 2020 employee information requests, updating your workplace privacy documentation, or responding to a specific request, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.