Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your team uses their own phones for work (or you’re thinking about allowing it), you’re not alone. Bring Your Own Device (BYOD) is common in small businesses because it’s fast, flexible and can save on hardware costs.
But BYOD also creates one of the trickiest issues we see for employers: privacy. A personal phone can hold both business data (customer details, emails, documents) and highly personal information (photos, messages, banking apps). If something goes wrong, it’s easy to end up with a privacy complaint, an employment dispute, or a data breach you didn’t see coming.
In this guide, we’ll break down what you need to know about BYOD privacy in New Zealand, what the Privacy Act 2020 expects from you, and the practical policies and steps that help you stay protected from day one.
What Is BYOD (And Why BYOD Privacy Gets Complicated)?
BYOD generally means you allow staff to use their personal phones (and sometimes laptops or tablets) to do work tasks. That can include:
- Accessing work email and calendars
- Using messaging apps to speak with customers or suppliers
- Taking photos or videos for work purposes
- Using business apps (job management, CRM, POS tools, time tracking)
- Accessing cloud drives and internal systems
The challenge with BYOD privacy is that your business has legitimate reasons to protect and access business information, but your employee also has a legitimate expectation of privacy over their personal device and personal accounts.
From a small business owner’s perspective, the risk usually shows up in real-life situations like:
- A staff member leaves and business contacts or customer messages are still on their phone
- A phone is lost or stolen and it had customer details, health information, or logins saved
- You need to investigate misconduct and key evidence is in a message thread on a personal device
- You want to monitor productivity (or track devices) and aren’t sure what’s lawful or fair
None of these issues is “unsolvable”, but they are much easier to manage if you set expectations early with the right contracts, policies and practical security steps.
Which NZ Laws And Duties Matter For BYOD Privacy?
When we talk about BYOD privacy in New Zealand, there are a few core legal areas you’ll want to keep in mind. The key is that privacy and employment obligations overlap.
The Privacy Act 2020 (And The Privacy Principles)
If your staff use personal phones for work, your business is likely collecting, using, storing, or sharing “personal information” (for example, customer contact details, delivery addresses, complaint histories, or employee information).
Under the Privacy Act 2020, you generally need to take reasonable steps to:
- Collect personal information fairly and only where you have a lawful purpose
- Tell people what you’re doing with their information (in plain terms)
- Keep personal information secure against loss, unauthorised access, use, modification or disclosure
- Only use/disclose information for proper purposes
- Allow access and correction where required
BYOD doesn’t remove these obligations. In some ways, it increases your risk because information is spread across devices you don’t own or fully control.
This is one reason many businesses pair a BYOD arrangement with a clear Privacy Policy and internal privacy procedures (so staff know what to do, and customers know what to expect).
Employment Law (Fair Process And Reasonable Expectations)
In NZ, employment relationships are built on good faith and fairness. Even if you have strong business reasons to access information on a device, how you go about it matters.
As a practical example: if you suddenly demand an employee hand over their personal phone so you can search it, that can create real risk if it’s not supported by clear, pre-agreed rules and a fair process.
This is where your Employment Contract and workplace policies become your “source of truth” for what’s allowed and what staff can reasonably expect.
Health And Safety Duties (Including Psychosocial Risk)
BYOD isn’t just a privacy issue. It can also create health and safety risks, especially around:
- Employees feeling they must be “always on”
- After-hours messages and burnout
- Stress caused by monitoring or unclear rules
If your business culture or systems push people to be available 24/7 on their personal device, that can become a management issue quickly (even before it becomes a legal one).
Confidentiality And Commercial Risk
Even where “privacy law” isn’t the main concern, BYOD creates a confidentiality risk. Customer lists, pricing, supplier terms and internal documents often end up stored in personal apps, personal photo galleries, or personal cloud backups.
If that information leaves with an employee (intentionally or accidentally), it can be very hard to recover.
That’s why BYOD should be treated as a legal foundations issue: it affects your data, your customer trust, and your ability to control business information.
How Do You Set Clear Rules For BYOD Privacy (Without Overreaching)?
The goal isn’t to control your employee’s personal life. The goal is to protect business information and set expectations so there’s less confusion when something happens.
A strong BYOD setup usually includes a BYOD policy plus supporting privacy and security policies. In many workplaces, these rules sit alongside a broader Workplace Policy framework.
What Should A BYOD Policy Cover?
Here are the points we generally recommend you cover when dealing with BYOD privacy on personal phones:
- Scope: what devices are covered (phones, tablets, laptops) and whether BYOD is optional or required
- Approved uses: which work systems can be accessed, and what apps are approved for business communications
- Business vs personal boundaries: what types of business information should (and shouldn’t) be stored on a personal device
- Security requirements: passcodes, biometrics, auto-lock, encryption, OS updates, and whether jailbroken/rooted devices are prohibited
- Cloud backups: whether business data is allowed to sync to personal cloud storage (often this is restricted)
- Loss/theft process: how quickly staff must report a missing device and what steps you’ll take
- Remote wipe and access controls: when you can require a remote wipe (and what parts of the device may be affected)
- Monitoring: what you do and don’t monitor (and why), and what data you may be able to access
- Exit/offboarding: what happens when employment ends (returning business info, removing accounts, confirming deletion)
If you want something that’s easy for staff to follow, it can help to pair BYOD with an Acceptable Use Policy that explains in plain terms how devices, systems and accounts should be used.
Keep It Practical: Separate Business Data Where Possible
One of the most effective ways to manage BYOD privacy is to reduce how much business data ever mixes with personal data.
Even without getting overly technical, you can adopt practices like:
- Using work-only accounts for email and document storage (rather than personal accounts)
- Requiring business communications to happen through nominated channels
- Using role-based access (so not every staff member has access to everything)
- Having a clear rule against saving customer lists in personal contacts or personal notes apps
From a legal risk perspective, this also helps if you ever need to investigate an issue. You can focus on business systems and business accounts, rather than trying to access a personal phone.
Have A Security Baseline (And Put It In Writing)
Privacy law doesn’t demand perfection, but it does expect “reasonable steps”. For many small businesses, a sensible baseline includes:
- Mandatory passcode/biometric lock on the device
- Auto-lock after a short idle period
- Not sharing the device with others while logged into work accounts
- Prompt installation of security updates
- Rules about public Wi-Fi use for work systems
These expectations often sit neatly within an Information Security Policy, especially if your business handles customer data, payment information, or sensitive personal information.
Can You Monitor Or Access An Employee’s Personal Phone Under BYOD?
This is where BYOD privacy gets very real. Many employers ask: “If the phone is used for work, can we just access it?”
In most cases, you should treat access and monitoring as something you need to handle carefully, with clear upfront rules and a fair process.
Monitoring: Start With Purpose And Proportionality
Before you monitor anything, be clear about:
- Why you’re doing it (security, legal compliance, protecting customers, investigating a complaint)
- What you actually need (do you need location data, app logs, message content, or just confirmation that data has been deleted?)
- How intrusive it is compared with the business risk
- What you’ve told staff in advance
In practice, employers usually get into trouble when monitoring is unexpected, overly broad, or not clearly explained.
Accessing The Device: Prefer Business Accounts And Business Systems
Where possible, structure work so you don’t need to access a personal phone at all. For example:
- Keep customer records in a central system
- Use business-managed email accounts for customer communications
- Avoid making personal SMS the default channel for customer jobs
If there is a genuine need to access business information on a personal device (for example, a serious complaint or suspected data theft), you’ll want to think about:
- What your policies and contract say about access
- Whether there are less intrusive ways to get the information
- Ensuring a fair and reasonable process (including giving the employee an opportunity to respond)
- Limiting any review to business data as much as possible
Because these situations can escalate quickly, it’s often worth getting tailored advice before taking steps that could trigger an employee privacy complaint or a personal grievance.
Remote Wipe: Make Sure It’s Targeted And Agreed In Advance
Remote wiping a personal phone is a big step. If you wipe personal photos and personal messages along with business data, you can expect pushback (and potentially legal risk) unless your approach is clearly agreed and reasonable.
A practical approach is to:
- Get explicit written agreement about when remote wipe can happen (for example, confirmed loss/theft, or after exit)
- Use tools/processes that wipe business data only, where possible
- Give staff clear instructions on backing up their personal data (because the device is still theirs)
The more you can separate business data from personal data, the more manageable your BYOD privacy obligations become.
What Happens When Someone Leaves? Offboarding Steps To Protect BYOD Privacy
Offboarding is where BYOD problems often show up, especially for small businesses where relationships are close and processes are informal.
If an employee resigns (or is terminated) and they’ve been using their personal phone for work, you’ll want a clear, repeatable offboarding checklist.
BYOD Offboarding Checklist
To reduce your risk, consider including steps like:
- Remove access to business systems (email, cloud drives, admin portals) promptly
- Confirm business information is returned (for example, exported customer notes or job records)
- Confirm deletion of business data stored locally on the device (where applicable)
- Remove business accounts from the device (especially if the device is shared with family members)
- Reassign customer communications (so customers don’t keep messaging an ex-staff member)
- Change shared passwords (ideally, avoid shared passwords altogether)
It’s also smart to plan for “messy exits”, not just smooth ones. That means setting up access controls and documentation from day one, rather than relying on goodwill later.
Plan For Data Breaches (Because BYOD Makes Them More Likely)
If a phone goes missing, or you suspect customer information has been accessed improperly, you may have a privacy breach on your hands. In some cases, you may need to notify affected people and the Office of the Privacy Commissioner - but only if it meets the Privacy Act’s “notifiable privacy breach” threshold (which is broadly about whether the breach has caused, or is likely to cause, serious harm).
Having a documented process helps you respond quickly and consistently. Many businesses put a Data Breach Response Plan in place so your team knows what to do in the first hour, the first day, and the first week after an incident.
This isn’t about expecting the worst. It’s about making sure one lost phone doesn’t turn into a major operational and reputational issue.
Key Takeaways
- BYOD privacy is a common risk area for NZ small businesses because personal phones mix sensitive business data with private personal information.
- Even if you don’t own the device, you still need to comply with the Privacy Act 2020 when your staff collect, store or use personal information for work.
- A clear BYOD policy should cover security requirements, approved use, access/monitoring expectations, remote wipe rules, and what happens when someone leaves.
- Where possible, reduce privacy risk by keeping business communications and records in business systems (instead of personal messages, personal contacts, or personal cloud storage).
- Monitoring or accessing an employee’s personal phone is high-risk if it’s unexpected or overly intrusive, so set expectations upfront and follow a fair process.
- Offboarding is a common weak spot for BYOD setups, so have a practical checklist to remove access, recover business information, and confirm deletion where appropriate.
- Because BYOD increases the chance of lost/stolen device incidents, a clear response process can save you time, cost and stress later.
Disclaimer: This article is general information only and isn’t legal advice. Because BYOD arrangements and privacy issues can be very fact-specific, consider getting tailored advice for your workplace.
If you’d like help putting the right BYOD privacy settings in place for your workplace (including contracts, policies, and privacy compliance), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.