Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you employ staff in New Zealand, you’re almost always handling some form of personal information. That might be as simple as a job application and bank account details, or as complex as medical certificates, performance notes, swipe-card logs, CCTV footage, and device monitoring records.
That’s where employee privacy rights come in. Even as a small business, you’re expected to collect, use, store and share employee information in a fair and lawful way.
The good news is you don’t need a giant HR department to get this right. With the right policies, clear communication, and a few practical safeguards, you can protect your business and treat your team fairly from day one.
Note: This article provides general information for New Zealand businesses and isn’t legal advice. Because privacy and employment issues are often fact-specific, it’s worth getting tailored advice before acting on a particular situation.
What Are Employee Privacy Rights (And Why Do They Matter For Employers)?
In simple terms, employee privacy rights are the protections employees have over their personal information at work - including how it’s collected, what it’s used for, who can access it, and how long you keep it.
From an employer perspective, privacy isn’t just about “being nice” (although that helps). It’s also about:
- Compliance risk: mishandling employee information can trigger complaints and investigations.
- Employment risk: privacy mistakes can quickly turn into personal grievances if employees feel you acted unfairly.
- Culture and trust: staff are more likely to be honest and engaged when they know their information is handled responsibly.
- Operational clarity: clear rules on monitoring, access, and record-keeping reduce internal disputes.
In New Zealand, these rights mainly come from the Privacy Act 2020 (and the Information Privacy Principles in that Act), as well as general employment law expectations around fairness and good faith.
Put another way: even if you “own the business systems”, you don’t automatically have unlimited rights to gather and use information about people who work for you.
Which Employment Records Are Covered By Privacy Law?
If you’re wondering whether privacy law applies to your employee files, the answer is: almost certainly yes.
In most small businesses, employee personal information can include:
- Recruitment information: CVs, cover letters, interview notes, reference checks, background checks.
- Employment documents: signed Employment Contract, variations, job descriptions, wage and time records.
- Payroll and financial details: bank details, IRD number, KiwiSaver details, pay slips.
- Leave and health information: medical certificates, injury/incident reports, accommodations and return-to-work notes.
- Performance and conduct records: warnings, investigation notes, meeting notes, complaints.
- Workplace monitoring data: CCTV footage, access-card logs, GPS tracking, device and internet usage logs.
- Work communications: emails, chat messages, call recordings (where used).
A helpful rule of thumb: if the information is about an identifiable employee (or job applicant), treat it as personal information and handle it carefully.
This is also why it’s smart to set expectations early with documents like a staff handbook and workplace policies - privacy issues often arise because the rules were never clearly communicated.
How Do You Comply With The Privacy Act 2020 As An Employer?
The Privacy Act 2020 sets out principles that apply to how you handle personal information. You don’t need to memorise every principle, but you do need systems that reflect them in practice.
Here’s what compliance usually looks like in day-to-day employment situations.
1. Only Collect What You Actually Need
One of the most common mistakes is collecting “nice to have” information just because it might be useful later.
As an employer, you should collect personal information only where it’s reasonably necessary for:
- hiring decisions
- payroll and legal obligations
- managing performance, conduct, and safety
- running your business operations
For example, you might need bank details to pay wages, but you probably don’t need an employee’s personal social media passwords (and asking could create serious legal and trust issues).
2. Tell Employees What You’re Collecting And Why
Transparency is a major theme in New Zealand privacy law. Practically, this means you should let employees know:
- what information you’re collecting
- why you’re collecting it
- who will have access to it
- how it will be stored and protected
- whether it may be shared with third parties (like payroll providers)
Many businesses cover this through a Privacy Policy and internal workplace policies (especially where monitoring is involved).
3. Use Information Only For The Purpose You Collected It
If you collect information for one reason, you generally shouldn’t re-use it for a completely different purpose without a proper basis.
For instance, if you collected emergency contact details for safety reasons, using that list for marketing or unrelated announcements would be hard to justify.
This is where clear internal processes help - especially around who can access employee files, and for what purpose.
4. Keep It Safe (And Limit Who Can See It)
Employers must take reasonable steps to protect employee information from loss, unauthorised access, misuse, or disclosure.
For small businesses, “reasonable steps” usually include:
- password-protecting HR folders and payroll systems
- restricting access to those who genuinely need it (often only the owner/manager and payroll)
- using role-based access if you have systems that allow it
- locking paper files away (and not leaving files on a counter “for later”)
- having a process for staff to report a suspected privacy incident quickly
If you outsource IT or payroll, you should also know what your providers are doing with that data and whether it could be stored offshore.
5. Don’t Keep Information Longer Than Necessary
You don’t need to keep everything forever “just in case”. Holding onto old staff records for no reason can increase your risk if there’s a data breach or an access request later.
Instead, consider a retention approach that matches:
- your legal obligations (for example, wage and time records)
- practical needs (for example, responding to disputes)
- privacy expectations (deleting securely when no longer needed)
Because retention timeframes can depend on your situation, it’s worth getting tailored advice - especially if you’re dealing with sensitive information like medical details or disciplinary files.
Can You Monitor Staff At Work (CCTV, Emails, GPS, Devices)?
Monitoring is one of the biggest flashpoints for employee privacy rights. Many employers assume that because a device or workplace is “the company’s”, monitoring is automatically allowed.
In reality, you generally need to balance legitimate business reasons (safety, security, productivity, protecting confidential information) against an employee’s reasonable expectation of privacy, and make sure any monitoring is carried out in a fair and proportionate way. Depending on the situation, employment law obligations (including good faith and fair process) can be just as important as privacy law.
Monitoring can be lawful - but how you do it matters.
CCTV In The Workplace
CCTV can be a practical tool to manage safety and security, particularly in customer-facing businesses, retail, hospitality, and warehouses.
However, best practice is to:
- have a clear purpose (e.g. preventing theft, keeping staff safe)
- avoid placing cameras in highly private areas (like bathrooms or changing areas)
- let staff know cameras exist and what they’re used for
- limit access to recordings
- retain footage only as long as needed
If you’re considering cameras (or you already have them and want to check you’re doing it right), it’s worth reading up on cameras in the workplace and aligning your setup with your internal policies.
Monitoring Emails, Chats, And Internet Use
Many businesses want the ability to check work emails or internet activity - for example, to investigate misconduct, data leaks, harassment complaints, or misuse of systems.
To reduce risk:
- set clear rules about acceptable use of work systems
- be upfront about any monitoring (rather than doing it secretly, except in rare cases where you’ve obtained specific advice)
- limit monitoring to what’s reasonable for your purpose
- avoid “fishing expeditions” into private communications without a genuine reason
This is a good place for an internal acceptable use policy and staff handbook wording to do a lot of heavy lifting.
GPS Tracking And Company Vehicles
GPS tracking can be reasonable where it relates to:
- fleet management and logistics
- health and safety (knowing where workers are)
- security (stolen vehicle recovery)
The main traps are tracking outside work hours (or more than you need to) and using tracking data for a purpose you didn’t tell the employee about. If your staff take vehicles home, you’ll want especially clear rules and disclosures.
Call Recording And Meeting Recordings
If you record calls (for example, customer service lines), don’t forget that this can involve both employee privacy and customer privacy. You should have a lawful basis and give appropriate notice.
As a starting point, call recording laws in New Zealand are worth understanding before you roll out any recording tools.
What About Medical Information, Drug Testing, And “Sensitive” Data?
Some employee information is more sensitive than others, and it’s usually where things go wrong fastest.
This includes:
- medical certificates and health conditions
- injury claims and rehabilitation plans
- drug and alcohol testing results
- biometric data (where used)
- criminal record checks (where applicable)
When you’re dealing with sensitive information, the standard you’re held to is higher. You should be asking:
- Do we genuinely need this information?
- Have we explained why we need it and what we’ll do with it?
- Who will see it, and is that access truly necessary?
- How are we securing it?
- When will we delete it?
Drug and alcohol testing is a common example. Even where testing may be justified (e.g. safety-critical roles), you’ll usually need more than a standalone “consent form” to do this properly. Your testing should be backed by a clear contractual and policy foundation, a fair process (including how testing is triggered and handled), and careful management of results and disclosures. A properly drafted Drug Test Consent Form can be one part of that framework, alongside a clear workplace policy that explains when and why testing occurs.
Health information is another common pressure point. You can generally ask for medical certificates in appropriate situations, but you should avoid collecting unnecessary detail. Often, you only need confirmation that someone is unfit for work (and for how long), not a full diagnosis.
Handling Employee Privacy Requests, Complaints, And Data Breaches
Even if you do everything right, you should still assume that at some point an employee (or former employee) may ask:
- “What information do you have about me?”
- “Can I get a copy of my file?”
- “That note is wrong - can you correct it?”
Having a plan for these situations saves a lot of stress later.
Employee Requests To Access Or Correct Information
Under New Zealand privacy law, individuals generally have rights to access and request correction of their personal information, and employers usually need to respond within statutory timeframes (often within 20 working days, unless an extension applies).
From an employer point of view, the practical steps are:
- know where employee information is stored (paper and digital)
- have a consistent process to respond
- be careful with information that includes other people (e.g. witness statements), as disclosure may need extra thought
- keep a record of what you provided and when
If you want a structured way to manage this, a simple Access Request Form can help keep requests organised and reduce the chance of information being missed or mishandled.
Employee Privacy Complaints
If an employee complains about privacy, it’s rarely just a “privacy issue”. It often overlaps with trust, workplace culture, and perceptions of fairness.
As an employer, it’s wise to:
- take the concern seriously and respond promptly
- check your policies and what you told employees at the time
- limit further access/sharing while you investigate
- document your decision-making
Where the complaint relates to monitoring or disciplinary action, it’s especially important to ensure your processes are consistent with good faith and fair process expectations.
Data Breaches In The Employment Context
A data breach could be anything from:
- sending a payslip to the wrong email address
- losing an unencrypted laptop with HR files
- a hacked payroll system
- a manager sharing sensitive information with staff who shouldn’t have it
Privacy incidents don’t just happen to big companies. Small businesses are often more vulnerable because processes are informal and access controls are looser.
It helps to have a response process documented in advance - including who investigates, who you notify internally, and when you consider external notification. A Data Breach Response Plan can be a practical starting point if you want something structured.
Key Takeaways
- Employee privacy rights apply to most information you hold about staff and job applicants, including payroll details, medical certificates, performance notes, and monitoring data.
- As an employer, your key obligations generally come from the Privacy Act 2020, alongside broader expectations of fairness in employment relationships.
- You should only collect employee information you genuinely need, be transparent about what you’re collecting and why, and use it only for appropriate purposes.
- Workplace monitoring (like CCTV, email monitoring, and GPS tracking) can be lawful, but it should be reasonable, clearly communicated, and supported by appropriate workplace policies and fair process.
- Sensitive information (especially health and drug testing information) needs extra care, tighter access controls, and well-documented processes.
- Have a practical plan for access/correction requests and privacy complaints so you can respond quickly and consistently (and within required timeframes).
- Privacy compliance is much easier (and cheaper) to build in early than it is to fix after a complaint or breach.
If you’d like help setting up workplace privacy policies, reviewing your employment documents, or checking your monitoring practices, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.