Employee Records, Monitoring, And Privacy Mistakes At Work In NZ

Alex Solo
byAlex Solo9 min read

Running a small business in New Zealand often means wearing a lot of hats - employer, manager, IT support, and sometimes even “HR department of one”. In the middle of all that, privacy compliance can quietly slip down the priority list.

But workplace privacy breaches aren’t just a “big business problem”. They can happen in any workplace, including yours - through a misdirected email, an unlocked laptop, a well-meaning manager sharing the wrong information, or a new security camera installed without the right process.

The good news is that most workplace privacy issues are preventable. With a few practical systems (and the right documents) in place, you can protect your people, protect your business, and stay on the right side of the Privacy Act 2020.

What Counts As A Workplace Privacy Breach?

In simple terms, a workplace privacy breach usually means personal information has been:

  • accessed without authority (e.g. a staff member looks up a colleague’s medical note “out of curiosity”)
  • used for the wrong purpose (e.g. using emergency contact details for marketing)
  • disclosed incorrectly (e.g. sharing performance concerns with other team members)
  • lost or compromised (e.g. payroll spreadsheets stored on an unsecured device)

“Personal information” is broad. In an employment context, it can include:

  • home address, phone number, email address
  • bank account and payroll information
  • performance records, warnings, investigation notes
  • sick leave and medical information
  • immigration / visa information
  • CCTV footage or swipe-card access logs (if it identifies a person)
  • photos, recordings, or biometrics (where applicable)

Common Workplace Privacy Breach Scenarios We See

If you’re thinking “we’re a small team, we don’t do anything fancy”, these scenarios may still feel familiar:

  • Payroll or roster mix-ups: A payslip is emailed to the wrong staff member.
  • Group chats and screenshots: A manager shares employee information in a team chat that didn’t need it.
  • Performance management leaks: Details of a disciplinary issue spread through the workplace.
  • Unclear camera use: Cameras are installed to address theft, but staff aren’t properly told how the footage is used.
  • Access controls are too loose: Too many people can access HR folders, medical certificates, or complaints records.
  • Old devices aren’t wiped: A laptop/phone is sold or reallocated without removing employee files.

Even when there’s no bad intent, these situations can still create legal risk - and often create a bigger people issue (loss of trust, conflict, resignations) before the legal issue even arrives.

Which Laws Apply To Workplace Privacy In New Zealand?

Workplace privacy in NZ is mainly governed by the Privacy Act 2020. If you collect, store, or use employee information (and you will), you’re responsible for handling it properly.

The Privacy Act works through “privacy principles” that guide how you should manage personal information. The core ideas for employers are:

  • Collect only what you need for a lawful and necessary purpose.
  • Be transparent about what you collect and why.
  • Keep information secure against loss, unauthorised access, or misuse.
  • Use and disclose information appropriately (generally, for the purpose you collected it).
  • Allow access and correction (employees can usually request their information, subject to some exceptions under the Privacy Act).

Privacy doesn’t sit in a vacuum, either. Depending on the issue, your response may also touch on employment obligations (like good faith, fair process, and confidentiality expectations). That’s one reason workplace privacy problems can escalate quickly - what starts as “data” becomes “workplace conflict”.

If you use contractors or external providers (like payroll platforms, time-tracking systems, cloud storage, HR software, or security companies), privacy compliance doesn’t disappear. You’ll usually still need to take reasonable steps to ensure personal information is handled appropriately, including by choosing suitable providers and setting clear expectations in writing. It’s worth locking in those expectations in your Privacy Policy and internal procedures.

Where Employers Usually Go Wrong (And How To Avoid It)

Most businesses aren’t trying to do the wrong thing - they’re moving fast, solving problems, and relying on “what we’ve always done”. Here are some of the most common pressure points.

1) Collecting Too Much Information “Just In Case”

It’s tempting to collect extra details during recruitment and onboarding. But if you can’t clearly explain why you need it, that’s a red flag.

For example, you might need bank account details for payroll - but you probably don’t need a detailed medical history “just in case they call in sick”.

What to do: set a clear onboarding checklist that separates “must-have” information from “nice-to-have”. Keep your collection consistent and relevant to the role.

2) Using Employee Information For A Different Purpose

Employee information collected for one purpose generally shouldn’t be reused for a totally different one without a good reason. For instance:

  • Emergency contact details should be for emergencies, not newsletters.
  • Medical certificates should be used to assess sick leave, not to speculate about capability.
  • Customer complaints containing staff names should be handled carefully and not circulated broadly.

What to do: keep access limited to those who genuinely need it, and document your internal rules (even if it’s a simple policy).

3) Poor Security And Access Control

Many workplace privacy breaches are really security failures. Common causes include:

  • shared logins
  • no multi-factor authentication
  • HR files stored in general team folders
  • unencrypted devices
  • passwords written down in the office

What to do: introduce basic security standards (unique user logins, role-based access, and offboarding steps when someone leaves). If you have a staff handbook, this is a good place to set expectations.

4) Not Being Clear About Monitoring (Cameras, Tracking, Emails)

Monitoring can be lawful - but it can also become a source of privacy complaints if it’s done quietly, broadly, or without a clear business reason.

If you’re using CCTV or other monitoring tools, ask yourself:

  • What problem are we trying to solve (safety, theft prevention, security)?
  • Is the monitoring proportionate, or are we collecting too much information?
  • Have we told staff what we’re doing and why?
  • Who can access the footage/logs, and how long do we keep them?

It’s also worth remembering that monitoring can raise both privacy and employment law issues (including expectations set in contracts and policies, and the way monitoring information is used in workplace processes). If you’re considering or already using cameras, it’s worth reading up on cameras in the workplace and ensuring your approach matches your workplace culture and legal obligations.

How To Respond If There’s A Privacy Breach At Work

Even with great systems, things can still go wrong. When they do, the key is to respond quickly and sensibly - not defensively.

Step 1: Contain The Breach

Your first job is to stop the problem from getting worse. Depending on the situation, that might mean:

  • recalling an email
  • asking the recipient to delete the information (and confirming they’ve done so)
  • resetting passwords or disabling accounts
  • recovering a device
  • restricting access to a shared folder

Step 2: Work Out What Happened (And What Was Exposed)

Document what you know, including:

  • what information was involved
  • who it relates to (one employee, several employees, customers too)
  • who had access to it (internally or externally)
  • how long it was exposed
  • what you’ve done to contain it

This is also where employment process matters. If the breach involves staff conduct (for example, someone intentionally accessed information they shouldn’t have), you’ll want to manage it carefully and consistently with your employment documents, including your Employment Contract and internal policies.

Step 3: Decide Whether You Need To Notify

Under the Privacy Act 2020, some breaches are “notifiable” - meaning you may need to notify:

  • the affected individual(s)
  • and the Office of the Privacy Commissioner

This usually depends on whether the breach has caused, or is likely to cause, serious harm. There isn’t a single magic test, so you should look at things like the sensitivity of the information, what a third party could do with it, and what protections were in place.

If you’re unsure, it’s often worth getting advice early. Notifications done poorly (too late, too vague, or missing key details) can make the situation harder to control.

Having a plan ready helps you move faster. Many businesses implement a simple Data Breach Response Plan so nobody is guessing under pressure.

Step 4: Fix The Root Cause

After the immediate issue is under control, take practical steps so it doesn’t happen again. That might include:

  • updating policies and training
  • changing access permissions
  • upgrading security settings
  • tightening processes for email distribution lists and shared drives

If your breach was caused by unclear expectations (for example, a staff member didn’t realise a document was confidential), it may be time to strengthen your privacy practices and staff training - and make sure your documentation matches what you actually do day-to-day.

Practical Ways To Prevent A Workplace Privacy Breach

If you’re looking for a “doable” privacy compliance approach for a small business, focus on the basics done well. Here are the areas that usually give you the biggest risk reduction for the least effort.

Put The Right Privacy Documents In Place

You don’t need a 50-page policy that nobody reads, but you do need clarity and consistency. Depending on your workplace, that may include:

  • a clear Privacy Policy that explains what you collect and how you use it
  • an internal collection notice or onboarding privacy statement
  • confidentiality expectations in employment documentation
  • a process for handling employee access/correction requests

If you use contractors (IT support, bookkeepers, marketing agencies, recruitment), make sure your contracts deal with confidentiality and permitted use of information. For example, if you engage someone under a Service Agreement, it’s wise to be clear about how personal information is handled.

Limit Access To “Need To Know”

One of the simplest privacy protections is also one of the most effective: only give access to people who actually need it.

As your business grows, you might have:

  • team leaders who need rosters but not payroll
  • accounts staff who need payroll but not medical details
  • managers who need performance notes but not visa documents

Set up separate folders, separate systems, and separate permission levels. It’s a small operational change that can save you from a major privacy event.

Be Transparent About Monitoring And Surveillance

If you monitor work devices, emails, internet usage, GPS locations, or CCTV, be clear about:

  • what’s monitored (and what isn’t)
  • why you monitor it
  • how long you retain information
  • who can access it
  • what could trigger review (e.g. safety investigation, misconduct investigation)

This doesn’t just reduce legal risk - it also reduces misunderstandings, mistrust, and workplace drama.

Train Your Managers (Because Most Breaches Are Human)

You can have great software and still have privacy problems if managers aren’t trained on what they can and can’t share.

A quick, practical training session can cover things like:

  • how to talk about performance management without oversharing
  • how to store investigation notes
  • how to handle medical information appropriately
  • what to do if they suspect a privacy breach

If you’ve got remote or hybrid work, it’s also worth setting clear “work-from-home” privacy expectations (for example, not printing HR documents at home, not sharing screens in public spaces, and locking devices).

Have A Clear Incident Process (So You Don’t Panic)

When something goes wrong, your team should know:

  • who to tell (and how quickly)
  • how to preserve evidence without spreading the information further
  • what steps to take to contain the issue

This is where a plan (even a simple one) makes a big difference, particularly if you need to make decisions about notifying affected employees.

Key Takeaways

  • A workplace privacy breach can include unauthorised access, misuse, disclosure, or loss of employee personal information - even if it happens by accident.
  • In New Zealand, workplace privacy obligations are largely governed by the Privacy Act 2020, and employers should only collect what they need, keep it secure, and use it for appropriate purposes.
  • Common workplace privacy issues include misdirected emails, payroll mix-ups, oversharing performance information, weak access controls, and unclear monitoring practices.
  • If a privacy breach happens, you should act quickly to contain it, assess what information was involved, and consider whether notification is required.
  • Preventing privacy breaches is usually about strong basics: clear documentation, role-based access, secure storage, manager training, and an incident response process.
  • Privacy compliance is much easier (and cheaper) when you build it into your workplace systems from day one, rather than trying to fix it after a complaint or internal fallout.

This article is general information only and doesn’t constitute legal advice. If you’d like help putting the right privacy foundations in place - or you’re dealing with a possible breach and want to manage it carefully - you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.

Get your customer-facing terms right

Get in touch with our team

Tell us what you need and we'll come back with a fixed-fee quote - no obligation, no surprises.

Keep reading

Related Articles

How Much First Aid Is Enough For Your Workplace In New Zealand?

How Much First Aid Is Enough For Your Workplace In New Zealand?

If you run a small business, it’s easy to think “first aid” just means keeping a dusty kit in the cupboard and hoping you never need it. But under New Zealand’s health...

15 Jul 2026
Read more
Workplace Drug And Alcohol Testing: Employer Legal Guidelines In NZ

Workplace Drug And Alcohol Testing: Employer Legal Guidelines In NZ

If you run a small business, drug and alcohol issues can feel like one of those “hope it never happens” problems - until you’re dealing with a near miss, a customer complaint,...

15 Jul 2026
Read more
Workplace Surveillance In New Zealand: Legal Obligations For Employers

Workplace Surveillance In New Zealand: Legal Obligations For Employers

If you run a small business, workplace surveillance can feel like a practical no-brainer. You want to protect stock, keep customers and staff safe, prevent time theft, and make sure business systems...

15 Jul 2026
Read more
Workplace Language Policies In New Zealand: Legal Considerations

Workplace Language Policies In New Zealand: Legal Considerations

If you run a small business in New Zealand, it’s completely normal to want a workplace where everyone can communicate clearly, customers feel looked after, and safety instructions aren’t misunderstood. At the...

15 Jul 2026
Read more
Workplace Investigations And Employee Rights In New Zealand

Workplace Investigations And Employee Rights In New Zealand

When you employ staff, issues will come up at some point. It might be a complaint about bullying, a suspected theft, a health and safety incident, repeated lateness, or a conflict between...

15 Jul 2026
Read more
Workplace Incident Report Form Template (NZ): Free Download & Legal Tips

Workplace Incident Report Form Template (NZ): Free Download & Legal Tips

If you run a small business, a workplace incident can happen when you least expect it - a slip in the stockroom, a near miss with machinery, a customer injury on your...

15 Jul 2026
Read more
Need support?

Need help with your business legals?

Speak with Sprintlaw to get practical legal support and fixed-fee options tailored to your business.