Employer Obligations When Sharing Employee Personal Information In New Zealand

By Alex Solo

If you run a small business, it’s almost guaranteed you’ll need to share employee personal information at some point.

Maybe your payroll provider needs bank details. Maybe your accountant needs pay records. Maybe a customer complains and you need to investigate an incident. Or you’re selling the business and a buyer asks for “all staff files”.

This is exactly where things can get tricky: you still have privacy obligations, even when sharing information feels “normal” for running a business.

In this guide, we’ll walk through what small businesses in New Zealand need to know about handling and sharing employee personal information under the Privacy Act 2020 (and related workplace obligations), including practical examples and a simple compliance checklist you can actually use.

What Counts As Employee Personal Information (And Why It Matters)

“Employee personal information” is a broad concept. In practice, it covers any information about an identifiable employee (or job applicant).

That can include obvious things like:

  • name, address, date of birth and contact details
  • bank account details and tax information (eg IRD number)
  • employment agreement details, pay rates and timesheets
  • leave records (sick leave, annual leave, parental leave)
  • performance notes and disciplinary records
  • workplace investigation records (complaints, witness statements)
  • photos and video footage (including CCTV)

It can also include information that feels “work-related” but is still personal, like:

  • job applications, CVs and references
  • training records and qualifications
  • computer logs, device IDs and swipe-card access records (where linked to an individual)
  • location tracking from work vehicles or apps

Why does this matter? Because once something is employee personal information, you can’t treat it casually. You need a lawful reason to collect it, store it securely, use it only for appropriate purposes, and be careful when disclosing it to others.

If you’re setting up (or tightening up) your privacy processes, having a clear Privacy Policy and internal process helps you stay consistent and reduce the risk of a complaint.

When Can You Share Employee Personal Information Under The Privacy Act 2020?

In New Zealand, the Privacy Act 2020 applies to “agencies” (which includes most businesses). It sets out Information Privacy Principles (IPPs) that govern how you collect, store, use and disclose personal information.

From an employer’s perspective, the key idea is simple:

You should only share employee personal information where a Privacy Act disclosure ground applies (for example, it’s connected to the purpose you collected it for, it’s authorised by the employee, or it’s required or permitted by law) - and you should share only what’s needed.

Here are common situations where disclosure is often legitimate (depending on context):

If you collected the information for a specific purpose (like paying wages), it’s generally okay to disclose it for that same purpose (like sending payroll details to your payroll provider).

But you still need to keep the disclosure proportionate. For example, a payroll provider likely needs:

  • employee identity details
  • pay rates and hours
  • bank details
  • tax and KiwiSaver settings

They probably don’t need performance management notes or medical details.

2) Sharing With The Employee’s Authorisation (Or Where They’d Reasonably Expect It)

Authorisation can play a role, but in employment relationships, it’s not always as straightforward as “just get consent” because there can be a power imbalance.

A good practical approach is to make likely disclosures clear upfront (through onboarding and privacy notices), and to check whether the disclosure is one the employee would reasonably expect in the circumstances (and is permitted under the Privacy Act’s disclosure rules).

This is one reason it’s worth having an up-to-date Employment Contract and policies that clearly explain how you handle HR records, payroll processing, IT systems, and workplace investigations.

3) Sharing Because It’s Required Or Authorised By Law

Sometimes you have to share employee personal information because another law requires it. For example:

  • providing records to Inland Revenue in relation to PAYE obligations
  • responding to a lawful request from a regulator
  • complying with court orders or tribunal processes

In these cases, you still should:

  • verify the request is legitimate and within scope
  • limit what you provide to what is required
  • keep a record of what was shared and why

And if you’re unsure about tax-specific reporting obligations, it’s best to check directly with Inland Revenue or your accountant (this article isn’t tax advice).

4) Sharing For Health And Safety (Where Appropriate)

Under the Health and Safety at Work Act 2015, you have duties to ensure health and safety so far as is reasonably practicable.

In some cases, you may need to disclose limited information to keep people safe (for example, to emergency services, or to a regulator after a notifiable event).

Even then, it’s important to avoid oversharing. Health and safety needs rarely justify sending an employee’s entire HR file to someone.

5) Sharing With Service Providers (But You’re Still Responsible)

Small businesses regularly use third parties who handle employee personal information, such as:

  • accountants and bookkeepers
  • payroll providers
  • HR consultants
  • IT support providers
  • cloud storage providers

Even when a third party is holding or processing the data, you still need to take reasonable steps to ensure employee personal information is protected and only used appropriately.

That’s where having proper contracts and clear scope helps (including confidentiality, security standards, and breach notification obligations). If you use contractors, the legal line between “employee” and “contractor” can also affect what documentation you should have in place, including a tailored Contractor Agreement.

Common Small Business Scenarios Where Employers Get Caught Out

Privacy problems usually don’t come from “bad intentions”. They come from everyday decisions made quickly.

Here are some common scenarios where small businesses can accidentally mishandle employee personal information.

Sharing Too Much In A Reference Check

You might feel like you’re being helpful by “telling the full story” about an employee’s performance issues. But references should be factual, relevant, and carefully considered.

Overly detailed disclosures, subjective opinions, or sharing allegations that weren’t properly investigated can create both privacy risk and employment law risk.

A practical approach:

  • have a consistent reference process
  • limit references to role, dates, duties, and objective performance information
  • keep a record of what you said and to whom

Posting Staff Photos Or Staff Updates Online

Staff spotlights and team photos can be great for marketing and culture, but you should still think about whether employees have agreed to their image being used (and in what context).

This is especially important where:

  • employees are minors
  • there are safety concerns (eg family violence risks)
  • the post could reveal sensitive information (eg “X is back from medical leave”)

Emailing HR Information To The Wrong Person

This happens more often than anyone wants to admit. Autocomplete, similar names, and forwarding chains can lead to accidental disclosure.

Consider simple safeguards like:

  • restricting who can access HR folders
  • using role-based access controls (only those who “need to know”)
  • double-checking recipients before sending attachments
  • password-protecting sensitive files shared by email

Using Workplace Cameras Or Monitoring Without Clear Rules

Monitoring (including CCTV, device monitoring, or call recording) can involve employee personal information. The key risks are lack of transparency and collecting more than needed.

As a small business, you’ll want to be clear on when workplace cameras are appropriate, what you tell employees, and how footage is stored and accessed. If this is relevant to your workplace, it’s worth reviewing your approach to cameras in the workplace.

Disclosing Information During A Workplace Investigation

Complaints and investigations can require you to share some information so that:

  • the process is fair
  • people can respond to allegations
  • you can test and verify the facts

But that doesn’t mean everyone gets access to everything. A good rule is to disclose what’s necessary for procedural fairness, while still limiting unnecessary personal details.

This is also where having a structured performance management and disciplinary process matters. If you’re not sure what “good process” looks like, it’s worth getting advice early (before things escalate) because the privacy piece and employment law piece are closely linked.

How To Share Employee Personal Information Safely (A Practical Checklist)

If you want a simple way to reduce privacy risk when you’re about to share employee personal information, use this checklist.

Step 1: Identify The Information (And Whether It’s Sensitive)

Start by listing exactly what you’re about to share. Then ask: is any of it “sensitive” in practice?

Examples of higher-risk employee personal information include:

  • medical information or injury details
  • disciplinary records and allegations
  • bank details and identity documents
  • information relating to harassment, bullying or discrimination complaints

If it’s sensitive, slow down and apply extra care (including tighter access controls, encryption, and better documentation of your reasons).

Step 2: Confirm Your Purpose (And Check It Matches What You Told The Employee)

Ask yourself: why am I sharing this?

Good examples include:

  • processing wages
  • administering leave entitlements
  • complying with a legal requirement
  • responding to a legitimate complaint or investigation

If your purpose is vague (eg “they asked for it”) that’s a sign you need to clarify whether the request is legitimate (and whether a disclosure exception under the Privacy Act applies).

Step 3: Share The Minimum Necessary

This is one of the most practical privacy habits you can build.

Instead of sending:

  • the whole HR file

consider sending:

  • the specific pages or fields required
  • a summary that contains only relevant details
  • redacted documents (where appropriate)

Step 4: Share It Securely

“Securely” doesn’t always mean expensive systems. For small businesses, it often means choosing sensible defaults:

  • use secure portals rather than email for very sensitive documents
  • password-protect files (and send the password via a separate channel)
  • avoid sharing via personal email accounts
  • limit access to staff who actually need it

Step 5: Keep A Record Of What You Shared (And Why)

Good recordkeeping is your friend if there’s ever a dispute or complaint. Keep a simple note that covers:

  • what information was shared
  • who it was shared with
  • when it was shared
  • why it was shared (the purpose and relevant disclosure ground)

For small businesses, even an internal register or a file note saved in the employee’s folder can be enough.

What About Sharing Employee Personal Information When Selling Your Business?

If you’re buying or selling a business, employee information becomes a major due diligence topic.

Buyers often want to understand staffing costs, liabilities, performance issues, and whether key staff are likely to stay. Sellers want to provide enough information to progress the deal, but not breach privacy obligations (or undermine staff trust).

As a starting point, it’s common to:

  • share aggregated or de-identified payroll summaries early (eg total wages, role types, tenure)
  • share identifiable employee information later in the process and only when necessary
  • use confidentiality arrangements and controlled access (eg data room permissions)

Also, remember that if the business is sold, employees may have rights and expectations around continuity, consultation, and process (depending on the structure of the transaction and the employment arrangements).

This is a good time to get advice on both privacy and employment risk. Employee considerations can also arise in the deal structure itself, including what gets transferred, what stays with the seller, and what information can be provided without overstepping. If this is on your radar, it can help to review the general issues that come up around selling your business and employee rights.

How Do You Set Up Your Business To Handle Employee Personal Information Properly?

Privacy compliance is much easier when it’s built into your systems from day one.

For small businesses, “systems” doesn’t need to mean complicated. It just means being clear, consistent, and documented.

Use The Right Employment Documents And Policies

Your employment documents are often where expectations are set about:

  • what information you collect
  • why you collect it
  • who you may share it with (and in what circumstances)
  • use of IT systems, monitoring, and workplace investigations

That usually starts with a properly drafted Employment Contract and a clear privacy approach across your business.

Have A Plan For Requests And Complaints

Employees can ask for access to their personal information. They can also challenge the accuracy of information you hold. These are normal requests, and handling them well is part of running a good workplace.

Even if you’re a small team, it helps to have:

  • a point person for privacy queries
  • a standard internal process for verifying identity and responding on time
  • a method for redacting third-party information when needed

Some businesses use a simple form to manage this process consistently, like an Access Request Form.

Know What To Do If There’s A Privacy Breach

A privacy breach might include:

  • sending a spreadsheet with employee details to the wrong email address
  • a hacked email account exposing HR attachments
  • an ex-employee accessing a system after termination
  • a lost laptop with unencrypted HR files

The Privacy Act 2020 has a “notifiable privacy breach” regime. If a breach is likely to cause serious harm, you may need to notify the Privacy Commissioner and affected individuals.

When things go wrong, having a written plan reduces panic and helps you respond consistently. Many businesses put this into a Data Breach Response Plan.

Make Sure Your Third Parties Are Bound By Clear Terms

If vendors handle employee personal information, you’ll want to think about:

  • confidentiality obligations
  • what they can and can’t do with the data
  • where data is stored (including overseas storage)
  • security measures
  • breach notification timeframes

This is especially relevant where you outsource IT or HR functions, or engage overseas contractors and platforms. Strong contracts won’t solve everything, but they make expectations clear and can reduce risk when something goes wrong.

Key Takeaways

  • Employee personal information includes more than just payroll details - it can cover performance notes, investigation records, CCTV footage, and IT monitoring data.
  • Under the Privacy Act 2020, you should only disclose employee personal information where a disclosure exception applies (and ideally for a purpose the employee would reasonably expect, or where it’s required or permitted by law).
  • When sharing employee personal information, a practical rule is to share the minimum necessary and use secure methods (especially for sensitive information).
  • Common risk areas for small businesses include reference checks, workplace investigations, accidentally emailing the wrong recipient, and unclear workplace monitoring practices.
  • Buying or selling a business can involve employee personal information - but you should manage disclosures carefully during due diligence and avoid handing over full HR files too early.
  • Strong foundations make compliance easier: clear employment documents, a privacy policy, a process for access requests, and a data breach response plan all help you stay consistent.

If you’d like help setting up your privacy processes, reviewing what you can (and can’t) share, or putting the right documents in place, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
