Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Workplace Confidentiality Policy (And Why Do You Need One)?
Key Clauses And Rules Every Workplace Confidentiality Policy Should Include
- 1) Clear Definitions (And Real Examples)
- 2) Permitted Use (Use It For Work Only)
- 3) Limits On Disclosure (Including “Casual Chats”)
- 4) Security And Handling Requirements
- 5) Social Media And Public Communications
- 6) Return Of Property And Information When Someone Leaves
- 7) Consequences Of Breach (And A Fair Process)
- Key Takeaways
If you’re running a small business in New Zealand, confidentiality probably comes up more often than you’d like. Maybe an employee has access to customer lists, pricing, supplier terms, internal templates, or upcoming product launches. Or maybe your team handles sensitive personal information (like addresses, payment details, or health information).
Most business owners assume “everyone knows not to share that stuff” - but when there’s no clear workplace confidentiality policy in place, expectations get blurry fast. And when expectations are blurry, disputes (and damage) follow.
This guide explains what a workplace confidentiality policy should cover, how it links to your employment agreements and privacy obligations, and how to roll it out in a way that actually protects your business.
What Is A Workplace Confidentiality Policy (And Why Do You Need One)?
A workplace confidentiality policy is a written workplace rule that sets out:
- what information your business treats as confidential,
- who must keep it confidential (employees, contractors, interns, volunteers),
- how it can be used and shared,
- how it must be stored and protected, and
- what happens if someone breaches confidentiality.
It’s different from “confidentiality” as a general idea. A policy turns the idea into something practical, so your team knows exactly where the line is - and so you have a clearer basis for responding if issues come up.
As a small business, you’re often operating with lean teams and high trust. That’s great - but it can also mean:
- more people have broad access to your systems (POS, CRM, Xero, payroll, shared drives),
- roles overlap (someone doing admin might also manage customer disputes), and
- information moves quickly through Slack/Teams, personal phones, and remote work setups.
Without a clear workplace confidentiality policy, it’s easy for confidential information to be shared “accidentally” - like sending the wrong attachment, forwarding a customer email thread, discussing a client in a public space, or using business information for a side hustle.
And if you ever need to investigate or take action, having a properly drafted policy (aligned with your contracts) gives you a stronger foundation to respond fairly and consistently.
What NZ Employers Should Treat As “Confidential” At Work
One of the most common issues we see is businesses trying to label everything as confidential. That can backfire. If your policy is too broad or unrealistic, it becomes harder to apply consistently.
A good starting point is to define confidentiality by categories and give examples. For many NZ small businesses, confidential information can include:
1) Customer And Client Information
- names, addresses, phone numbers and email addresses
- purchase history and preferences
- complaints, dispute records and refund history
- any notes your staff record about clients
Where this overlaps with “personal information”, you also need to think about the Privacy Act 2020 and your internal privacy processes (more on that below).
2) Financial And Commercial Information
- pricing strategies and margins
- costs and profit figures
- budgets, forecasts and internal financial reports
- supplier rates, rebates and negotiated terms
3) Business “Know-How” And Trade Secrets
- recipes, formulas, workflows and internal processes
- templates, scripts, checklists and playbooks
- product or service development plans
- software code, automations or internal system setups
4) People And HR Information
- wages, pay reviews and bonus decisions
- performance management notes
- disciplinary investigations
- medical or leave-related information
This is an area where small businesses can get caught out. You may have managers who “talk shop” casually - but HR information is often sensitive and should be tightly controlled.
5) Contracts And Legal Documents
- customer and supplier contracts
- settlement terms
- internal policies and legal advice (where applicable)
- business sale discussions and due diligence information
If you’re selling or buying a business, confidentiality becomes even more important because sensitive commercial information is being shared during negotiations.
How Confidentiality Policies Fit With Employment Agreements And Other Legal Documents
A workplace confidentiality policy is strongest when it’s part of a consistent “document set” - meaning your agreements and policies all point in the same direction.
In practice, confidentiality protection usually sits across:
- your employment agreement (confidentiality clause + expectations),
- your workplace policies (the day-to-day rules), and
- any extra restraints or IP provisions where needed (depending on the role).
If your business is hiring, updating contracts, or formalising policies, it’s often worth making sure your Employment Contract is aligned with your confidentiality expectations from day one.
Confidentiality Clauses vs Confidentiality Policies
They work best together:
- The contract clause creates a binding obligation and makes confidentiality part of the employment relationship.
- The policy gives practical details: definitions, examples, permitted disclosures, security rules, and breach handling.
Policies are also easier to update over time (for example, if you introduce a new CRM, new remote work tools, or a new process for handling customer disputes).
Don’t Forget Contractors
A lot of small businesses rely on contractors - bookkeepers, marketing consultants, developers, virtual assistants, and sales contractors. If they can access your systems or your client data, confidentiality should be covered properly in writing.
That usually means using a tailored Contractors Agreement (rather than assuming your employee documents will “cover them too”).
Do You Need A Separate NDA?
Sometimes, yes. If you’re sharing confidential business information before someone starts work (or with a potential business partner), you might want a standalone Non-Disclosure Agreement.
A workplace confidentiality policy is great for ongoing operations. An NDA is often used for:
- pre-employment discussions (especially senior hires),
- supplier or manufacturing negotiations,
- potential collaborations, or
- business sale discussions.
Key Clauses And Rules Every Workplace Confidentiality Policy Should Include
There’s no one-size-fits-all policy (and copying a template can create gaps). But most NZ employers should cover the following building blocks.
1) Clear Definitions (And Real Examples)
Start by defining “Confidential Information” in a way that makes sense for your business. Then include examples relevant to your industry and operations.
This matters because if a dispute ever arises, the question becomes: was the employee (or contractor) reasonably on notice that this information was confidential? Practical examples help answer that.
2) Permitted Use (Use It For Work Only)
Your policy should make it clear that confidential information can only be used:
- for legitimate business purposes, and
- within the scope of the worker’s role.
It should also address common grey areas, like using business templates for a side business, saving client contact details “just in case”, or taking internal pricing models to a new employer.
3) Limits On Disclosure (Including “Casual Chats”)
Confidentiality breaches aren’t always malicious. They’re often casual, like:
- talking about a customer in a café,
- sharing screenshots in a group chat,
- forwarding internal emails to a personal account, or
- discussing “what’s going on at work” with friends in your industry.
Your policy should make it clear that disclosure includes verbal, written, visual, and digital sharing - not just “publishing it online”.
4) Security And Handling Requirements
This is where a policy becomes genuinely useful day-to-day. Include rules around:
- passwords and MFA (multi-factor authentication)
- locking screens and devices
- use of personal devices (BYOD)
- storing documents in approved systems (not personal drives)
- printing and disposing of documents securely
- sending information externally (approval steps, encryption where needed)
If your team works remotely, these rules are even more important because “workplace information” is now moving through homes, cafes, and shared Wi-Fi networks.
5) Social Media And Public Communications
Even if your staff never name customers, social posts can still disclose confidential information (for example, a behind-the-scenes photo with a customer list on a screen in the background).
A confidentiality policy often works best when paired with broader workplace conduct rules in a handbook, such as a tailored Staff Handbook.
6) Return Of Property And Information When Someone Leaves
Your policy should set clear expectations about what happens when employment ends, including:
- returning laptops, phones, keys and access cards
- removing access to systems (email, shared drives, CRMs)
- returning physical documents
- confirming confidential information hasn’t been copied or retained
This section is especially important if you’ve had a resignation that doesn’t go smoothly, or where there’s a risk of someone joining a competitor.
7) Consequences Of Breach (And A Fair Process)
Your policy should explain that a breach may lead to disciplinary action, up to and including termination (depending on the seriousness and the circumstances). It should also signal that you’ll handle issues fairly and consistently.
In New Zealand, process matters. Even where there appears to be wrongdoing, employers generally need to follow a fair process and consider the circumstances before making decisions that could disadvantage an employee.
If you want to build this into your documentation properly, it’s worth ensuring your policy and contract suite are aligned (rather than trying to patch gaps later).
Confidentiality And Privacy: Your Extra Obligations Under The Privacy Act 2020
Confidentiality and privacy overlap, but they’re not the same thing.
- Confidentiality is about protecting business information (including customer info) from unauthorised use or disclosure.
- Privacy is about how you collect, use, store and share personal information under the Privacy Act 2020.
If your staff handle personal information (and most do), your workplace confidentiality policy should support your privacy compliance.
From a practical perspective, that means building rules that help you take reasonable steps to protect personal information - for example, restricting access, using secure systems, and having a process to respond to mistakes.
You’ll also usually need a properly drafted Privacy Policy if you collect personal information from customers (whether in-store, online, through bookings, or via email enquiries).
Data Breaches: What If Someone Accidentally Leaks Information?
A confidentiality policy should include a simple “what to do next” process, such as:
- who to report the incident to immediately,
- how to contain it (recall email, change passwords, revoke access),
- how to document what happened, and
- when you may need external advice.
Under the Privacy Act 2020, some privacy breaches can be “notifiable” (meaning you may need to notify the Privacy Commissioner and affected people) depending on whether it’s likely to cause serious harm. The threshold and response can be technical, so it’s worth getting advice quickly if customer or employee personal information is involved.
How To Implement A Workplace Confidentiality Policy Without Creating Pushback
A policy only works if your team understands it and you apply it consistently.
Here’s a practical rollout approach that usually works well for small businesses.
1) Match The Policy To How Your Business Actually Operates
If your team uses WhatsApp, personal phones, shared logins, or informal handovers, a strict policy that assumes “perfect corporate systems” won’t stick.
It’s better to:
- identify your real confidentiality risks, and
- build rules that your team can realistically follow.
That might include setting up a shared password manager, creating a “no customer screenshots” rule, or clarifying when staff can take work devices home.
2) Train Your Team (Don’t Just Email A PDF)
Policies get ignored when they’re dumped into an inbox with “please read”. A short team meeting or onboarding walkthrough can make a huge difference.
Focus on:
- what information is most sensitive in your business,
- what mistakes commonly happen, and
- what to do if they’re unsure.
3) Build It Into Onboarding And Offboarding
Confidentiality should be reinforced at:
- Onboarding: signing the employment agreement, system access setup, training on customer data and internal documents.
- Role changes/promotions: when access expands.
- Offboarding: return of devices, access removal, and reminders of ongoing obligations.
4) Apply It Consistently
Inconsistency is where businesses get into trouble. If one employee gets warned for sharing client info but another is ignored for doing the same thing, enforcement becomes much harder later.
Consistency doesn’t mean “zero tolerance for honest mistakes”. It means:
- clear expectations,
- a fair response process, and
- good documentation.
5) Review It As You Grow
What counts as confidential in year one isn’t always the same in year three.
For example, once you start hiring managers, expanding locations, or building a customer database, you may need to tighten access controls and clarify who can share what externally.
It can also be a good trigger to review related documents as you scale - for example, whether your employment agreements, contractor agreements, privacy documentation, and internal processes still match how your business operates.
Key Takeaways
- A clear workplace confidentiality policy helps protect your customer information, commercial strategy, internal know-how, and HR data - especially in small teams where access is broad.
- Your policy should define confidential information with practical examples, set rules for use and disclosure, and include security requirements for devices, documents and systems.
- Confidentiality works best when it aligns with your core documents, including your Employment Contract and (where relevant) Contractors Agreement and Non-Disclosure Agreement.
- If your business handles personal information, confidentiality also supports your obligations under the Privacy Act 2020 - and you should consider whether you need a Privacy Policy and a clear incident response process.
- Rolling out a policy is as important as drafting it: train your team, build it into onboarding/offboarding, and apply it consistently to avoid disputes later.
If you’d like help putting a workplace confidentiality policy in place (or updating your employment documents so everything aligns), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.








