IT Policies And Procedures: Practical Examples For New Zealand Businesses

By Alex Solo, 10 min read

If you’re running a small business, your IT setup is probably a mix of laptops, phones, cloud apps, Wi‑Fi, and whatever helps you get the job done quickly.

But as soon as you have staff, contractors, customer data, or even a shared inbox, “IT” becomes more than just tools - it becomes risk.

That’s where IT policies and procedures come in. They help your team understand what’s expected, reduce preventable mistakes, and show (if anything goes wrong) that you took reasonable steps to protect your business.

Below, we’ll walk through practical examples of IT policies and procedures for NZ businesses, the key legal touchpoints, and how to roll them out in a way that actually gets followed.

What Are IT Policies And Procedures (And Why Do Small Businesses Need Them)?

IT policies and procedures are the internal rules and playbooks that set out:

  • What your team is allowed (and not allowed) to do with company systems, devices, and data (policies); and
  • How to do things safely and consistently (procedures), like onboarding a new team member, responding to a suspected breach, or approving new software.

They’re especially important for small businesses because you’re often operating with:

  • Lean teams (so one mistake can have a big impact)
  • Shared admin access (which can create security gaps)
  • Fast-changing tools (new apps, AI tools, messaging platforms)
  • Hybrid work and BYOD (people using personal phones/laptops)

Good IT policies and procedures help you:

  • Protect confidential business information and customer data
  • Prevent downtime (and expensive “emergency fixes”)
  • Set clear expectations (so you can manage issues fairly if something goes wrong)
  • Meet legal obligations, especially under the Privacy Act 2020

Most importantly, they help you be protected from day one, rather than scrambling after an incident.

What NZ Laws Do IT Policies Need To Align With?

IT policies aren’t just “best practice”. In NZ, they often connect directly to legal obligations. The right documents (and the way you apply them) can make a real difference if there’s a dispute, a privacy complaint, or an employment issue.

Privacy Act 2020 (And Your Data Handling Obligations)

If you collect, store, use, or share personal information (for example, customer details, employee records, CCTV footage, or call recordings), you’ll need to take reasonable steps to keep it safe. That includes having internal IT rules that cover:

  • who can access data
  • how it’s stored and shared
  • password and authentication standards
  • how you respond to suspected privacy incidents

In most businesses, your external-facing Privacy Policy should match what you actually do internally - because if you promise one thing publicly but behave differently in practice, that can create legal and reputational risk.

Employment Law (Setting Expectations And Applying Them Fairly)

Your IT policies often become part of the “rules of the workplace”. That means employment law principles matter - especially around:

  • giving appropriate notice and, where it’s reasonable in the circumstances, consulting before introducing major new monitoring or tracking tools
  • having clear, consistently applied rules (to reduce allegations of unfairness)
  • ensuring disciplinary action is based on a fair process (not just “you broke the policy”)

IT rules also need to align with your Workplace Policy approach generally, so expectations around conduct, confidentiality, and reporting are consistent.

Workplace Privacy (Monitoring, Cameras, And Recordings)

If you’re using monitoring tools - like CCTV, location tracking, device monitoring, or logging internet usage - you’ll want to be careful about how it’s introduced and explained.

Two common examples that come up for small business owners are:

The key theme is transparency. In many cases, the practical risk isn’t just “is this allowed?” - it’s “did we clearly communicate what we’re doing, why, and how the information will be used?”

Cybersecurity And Fraud Risk (Your Practical Duty To Be Sensible)

Even if your business isn’t “in tech”, you’re still exposed to phishing, invoice scams, compromised accounts, and malware.

IT policies and procedures help you show that your business is taking reasonable steps to prevent avoidable losses - and they reduce the chance that an insurer (or a commercial partner) later says you failed to maintain basic controls.

Core IT Policies Every NZ Business Should Consider (With Practical Examples)

Not every business needs a massive policy library. But most small businesses benefit from a solid “core set” of IT policies and procedures that match how you actually work.

Here are the policies we commonly see as the building blocks.

1) Acceptable Use Policy (Devices, Internet, Email, And Apps)

An Acceptable Use Policy sets the baseline for what staff can do with company devices and systems.

Practical examples of rules you might include:

  • Company devices are primarily for business use, with limited reasonable personal use.
  • No installing unauthorised software, plugins, or browser extensions.
  • No forwarding work emails to personal accounts (unless approved).
  • No sharing passwords or using shared logins (except approved shared inboxes with controlled access).
  • No using public Wi‑Fi without a VPN (if your business uses one).

This is also a good place to address online conduct and reputational risk, especially if your team interacts with customers online. For many businesses, this overlaps with Employee Social Media Use rules.

2) Access Control And Password Policy

This policy is about preventing “everyone has admin access to everything” (which is common in small businesses, and risky).

Practical examples include:

  • Minimum password length (and banning reused passwords)
  • Mandatory multi-factor authentication (MFA) for email, accounting software, and cloud storage
  • Role-based access (staff only get what they need)
  • Offboarding rules (access removed immediately on termination/resignation)

A simple procedure that often makes a big difference is an “Access Request Form” process (even if it’s just a tracked email or ticket): who approves access, what level, and when it expires.

3) Data Handling And Classification Policy

This policy answers: what information is sensitive, and how should it be handled?

For example, you might classify data as:

  • Public: marketing content, published pricing
  • Internal: standard operating documents, internal emails
  • Confidential: customer lists, supplier pricing, financial reports
  • Sensitive personal information: health info, ID documents, payroll details

Then you can set clear “do’s and don’ts”, like:

  • Confidential data must not be stored on personal devices unless encrypted.
  • Sensitive personal information must only be shared via approved systems (not SMS or personal email).
  • USB storage is restricted or prohibited.

4) Remote Work And BYOD (Bring Your Own Device) Policy

If your team works from home or uses personal devices for work, you’ll want rules that protect your business without being unrealistic.

Common practical settings include:

  • Screen lock and password requirements on phones/laptops used for work
  • Prohibiting family/shared users from accessing the work device profile
  • Rules about printing and storing documents at home
  • What happens if a device is lost or stolen (who to tell, and when)

This also intersects with broader employment settings (like health and safety and confidentiality). If you’re building out your approach, it can help to consider the bigger picture of Working From Home Legal Issues so your IT rules don’t conflict with your employment processes.

5) Software Approval And Shadow IT Policy

“Shadow IT” is when staff start using unapproved tools (file sharing, messaging apps, AI tools, free accounts) because it’s faster.

The risk isn’t just security - it’s also:

  • data ending up in the wrong place
  • unknown contract terms (including overseas data storage)
  • privacy compliance issues if customer data is uploaded
  • subscription costs creeping up across the business

Practical rules could include:

  • All new software must be approved by a manager (or nominated IT lead).
  • Customer data must not be uploaded into external tools unless approved.
  • Only business-owned accounts can be used for business systems.

If your business provides software or grants users access to platforms, you may also need external-facing legal documents like Software Licence Agreement terms - but internal IT rules are still crucial for how your team manages the systems day-to-day.

6) AI Use Policy (If Your Team Uses Generative AI Tools)

AI tools are now a standard part of work for many teams - marketing, customer support, HR, admin, even drafting internal documents.

A clear AI policy helps you avoid common traps, like accidentally disclosing confidential data, creating inaccurate content, or using AI outputs without appropriate review.

Practical examples include:

  • Staff must not input customer personal information into AI tools unless approved.
  • AI outputs must be reviewed by a human before being sent to customers.
  • AI can’t be used to generate legal advice or final contract wording without review.
  • Staff must disclose AI use where required by your business standards (for example, marketing claims or customer communications).

Some businesses build this into a broader IT framework; others prefer a standalone Generative AI Use Policy so expectations are crystal clear.

IT Procedures You Should Have Documented (So Your Policies Actually Work)

Policies set the rules, but procedures are what make those rules usable.

If you’ve ever thought “we have a policy, but nobody follows it”, the missing piece is usually practical procedures and ownership.

1) Onboarding Procedure (New Starters)

A simple onboarding IT procedure can include:

  • issuing devices (or setting up BYOD access safely)
  • creating user accounts with the correct access level
  • enabling MFA
  • providing security training (phishing basics, password expectations)
  • getting written acknowledgement of key policies

This is also where your employment documentation matters. For example, you might attach IT policies to your Employment Contract or refer to them as part of your workplace rules (with the right drafting so they’re enforceable and updateable).

2) Offboarding Procedure (Resignations And Terminations)

This is one of the most important procedures for protecting your data.

Your offboarding checklist might include:

  • disabling email and app access immediately once the person leaves
  • changing shared passwords (if any exist)
  • recovering devices and keys
  • removing access to shared drives and customer databases
  • confirming return/deletion of confidential information

Good offboarding also reduces the risk of post-employment disputes about access, ownership of files, or alleged misuse of information.

3) Data Breach Response Procedure

When something goes wrong (lost laptop, suspicious login, phishing click, mis-sent email), you don’t want your team guessing what to do.

A practical response procedure usually covers:

  • how to identify and escalate an incident
  • who is responsible for containment (password reset, disabling access, contacting IT)
  • how you assess whether the breach has caused (or is likely to cause) serious harm, and whether notification is required under the Privacy Act 2020
  • documentation and internal reporting
  • customer/third-party communications (if needed)

Many businesses build this around a Data Breach Response Plan so there’s a clear workflow when time matters.

4) Change Management Procedure (New Tools, New Settings, New Risks)

Even in a small business, changes can break things (or create security gaps). A lightweight change procedure might include:

  • who can approve new tools
  • how privacy/security risks are checked (especially where personal info is involved)
  • how staff are notified of changes
  • how you document what changed and when

This is especially important where you introduce new monitoring tools, new customer support systems, or anything that changes how personal information is collected or used.

How Do You Roll Out IT Policies Without Overwhelming Your Team?

The best IT policies and procedures are the ones your team can actually follow.

Here’s a practical rollout approach that works well for small businesses.

Step 1: Start With Your Real Risks (Not A 40-Page Template)

Begin by mapping what you actually use:

  • devices (company-owned vs BYOD)
  • key systems (email, file storage, payroll, accounting, CRM)
  • where customer and employee personal information is stored
  • who has admin access
  • remote work arrangements

Then build policies around those realities.

Step 2: Make One Person Responsible (Even If You Don’t Have “IT”)

You don’t need an internal IT department, but you do need ownership. Appoint someone to:

  • approve access and software
  • manage onboarding/offboarding checklists
  • coordinate incident response
  • keep policies updated

Step 3: Train In Plain English (And Repeat It)

Most IT incidents aren’t caused by bad intentions - they’re caused by confusion, speed, or people not realising the risk.

Short training beats long documents. For example:

  • a 10-minute onboarding walkthrough
  • a quarterly reminder about phishing
  • a “what to do if you clicked a suspicious link” one-pager

Step 4: Make Acknowledgement Part Of Your Workflow

Have staff confirm they’ve read and understood key policies. It doesn’t need to be complicated, but it should be documented.

Step 5: Review Every 6–12 Months (Or When Something Changes)

Your IT environment changes quickly - new apps, new staff, new remote work arrangements, new threats. Put a recurring review in your calendar.

If you’re unsure whether your policies are enforceable, consistent with your employment documents, or aligned with privacy law, it’s worth getting tailored advice. It’s much easier to do this upfront than to fix it mid-incident.

Key Takeaways

  • IT policies and procedures help you set clear expectations, protect confidential information, and reduce preventable mistakes in day-to-day operations.
  • In New Zealand, your IT approach often connects directly to legal obligations - especially under the Privacy Act 2020 and employment law principles around fairness and transparency.
  • Strong core policies commonly include acceptable use, password/access control, data handling, remote work/BYOD, software approval (shadow IT), and AI use expectations.
  • Procedures are what make policies work in practice - onboarding/offboarding, data breach response, and change management are a great place to start.
  • Workplace monitoring (like CCTV and call recording) needs extra care: be clear, transparent, and consistent with your privacy and employment obligations.
  • Don’t rely on generic templates that don’t reflect how your business operates - IT rules should be tailored to your systems, your people, and your real risks.

If you’d like help putting the right IT policies and procedures in place (and making sure they’re legally enforceable in NZ), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
