Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
As a small business owner, you’re constantly balancing trust and practicality. You need your team to share information internally so work gets done, but you also need to protect the parts of your business that make it valuable - your client lists, pricing, processes, strategy, and sensitive personal information.
That’s where workplace confidentiality becomes a real business issue (not just a “nice to have”). When confidentiality isn’t handled properly, you can end up with customer complaints, privacy breaches, loss of competitive advantage, staff disputes, or difficult exits where information walks out the door.
The good news is: with the right policies, contracts, and day-to-day practices, you can put clear boundaries in place and protect your business from day one - without creating a culture of secrecy or distrust.
This article provides general information for New Zealand employers and isn’t legal advice. For advice on your specific situation, it’s worth getting tailored support.
What Does “Confidentiality In The Workplace” Actually Mean?
In a workplace context, confidentiality generally means that workers (employees and often contractors too) must not misuse or disclose information they access through their work.
In practice, “confidential information” can cover a wide range of things, including:
- Client and customer information (names, contact details, purchasing history, preferences)
- Pricing and quoting information (margins, discount rules, supplier pricing)
- Business operations (processes, internal templates, training material, workflows)
- Financial information (budgets, forecasts, revenue, costs)
- Strategy (growth plans, product roadmap, marketing plans)
- Trade secrets (formulas, methods, techniques, and know-how that give you an advantage)
- Staff information (performance issues, remuneration details, disciplinary matters)
Importantly, confidentiality isn’t only about stopping someone from posting things online. It also includes things like:
- sharing information with friends or family
- using information to start a competing business
- downloading client lists before resigning
- discussing sensitive matters in public or in group chats
From an employer perspective, you want two things:
- Clear rules about what must be kept confidential and how information should be handled
- Practical enforcement options if confidentiality is breached
Where Do Confidentiality Obligations Come From In NZ?
In New Zealand, confidentiality in the workplace can come from a few different places. Some obligations arise under law, and others are best made explicit through your documents and processes.
1) Your Employment Agreement
The most common and practical source is a written employment agreement with clear confidentiality clauses. This is where you set expectations early and define what confidentiality means in your business (not just in theory).
If you’re hiring staff, a properly drafted Employment Contract is one of the simplest ways to protect your confidential information from day one.
2) Implied Duties (Even If You Didn’t Write Them Down)
Even without a detailed clause, employees will generally have duties during employment (including acting in good faith) that can restrict misuse of truly confidential information. However, the scope of any implied confidentiality obligation can be fact-specific, and it’s usually much harder to enforce if you haven’t clearly set expectations in writing.
For small businesses, it’s usually much safer to put confidentiality rules in writing so there’s less room for misunderstandings later.
3) Privacy Law (When Information Is “Personal Information”)
Confidentiality overlaps heavily with privacy obligations, especially if your staff handle customer data, patient data, student data, or even staff HR records.
Under the Privacy Act 2020, personal information must be collected, used, stored, and disclosed appropriately. If an employee discloses personal information without authority, you could be dealing with both an employment issue and a privacy compliance issue.
If you collect personal information through your website, booking system, CRM, or mailing list, a clear Privacy Policy helps set the rules externally - and it should match what your team actually does internally.
4) Contract Law (Contractors, Suppliers, and Partners)
Many confidentiality issues don’t come from employees - they come from contractors, agencies, service providers, or collaborators.
If you’re sharing sensitive business information with a third party, consider using a tailored Non-Disclosure Agreement before you hand over the details.
What Should You Treat As Confidential (And What Shouldn’t You Overreach On)?
A common mistake is trying to label everything confidential. It can feel safer, but in reality it often makes your confidentiality clause less effective, harder to apply, and more likely to be challenged in a dispute.
A better approach is to be specific and practical.
Information That Is Usually Reasonably Confidential
As a general rule, you can confidently treat the following as confidential in most small businesses:
- customer/client databases and contact lists
- supplier terms, wholesale pricing, and discount structures
- internal templates, scripts, manuals, and SOPs
- profit margins and financial performance reports
- planned product/service launches
- non-public business strategies and internal reporting
Information That May Not Be “Confidential” In The Legal Sense
Some information is difficult to classify as confidential, especially if it’s:
- publicly available (for example, on your website or social media)
- common industry knowledge (general skills an employee gains through experience)
- already known to the person before they joined your business
This is why “confidentiality” is often paired with other protections - like IP ownership provisions, device and return-of-property clauses, and (where appropriate) restraints of trade.
A Quick Reality Check: Confidentiality vs Normal Workplace Communication
Confidentiality in the workplace shouldn’t stop employees from doing their job, raising issues, or accessing information they genuinely need. You want a policy that supports:
- good internal reporting
- appropriate escalation of issues
- lawful disclosures (for example, health and safety reporting)
- normal collaboration
Overly strict rules can backfire by discouraging communication or creating distrust - and that can be a productivity issue as much as a legal one.
How Do You Put Confidentiality Rules In Place (Without Making It Awkward)?
Most confidentiality problems aren’t caused by bad intentions. They’re caused by vague expectations, poor systems, and “we’ve always done it that way” habits.
If you want confidentiality in the workplace to actually work day-to-day, you need a mix of documents and practical controls.
1) Build It Into Your Employment Agreement
Your employment agreement is usually the best place to:
- define confidential information in a way that fits your business
- explain permitted use (for work purposes only)
- prohibit disclosure to third parties
- cover what happens on termination (return of documents, devices, passwords)
- set expectations around systems (email, cloud storage, CRM access)
This is especially important when you have staff handling customer information, marketing lists, financial data, or business processes you’ve spent years building.
2) Use A Staff Policy For The Practical “How”
Policies help you turn the contract clause into everyday behaviour. For example, a policy might cover:
- how to store files (approved tools only)
- who can access which folders
- password rules and MFA expectations
- rules for printing, shredding, and disposing of documents
- working from home expectations (private space, locked screens, no shared devices)
This is also where you can set clear expectations about monitoring and workplace systems if that’s relevant to your operations - just be mindful of privacy obligations and transparency.
3) Use NDAs For Non-Employee Scenarios
When you’re dealing with external parties - like a developer, marketing contractor, bookkeeper, or potential buyer - an NDA can be a cleaner tool than trying to squeeze protections into a purchase order email.
A good NDA can also clarify:
- the purpose of disclosure (why they’re receiving the information)
- who they can share it with (if anyone)
- how long confidentiality obligations last
- what must be returned or deleted
4) Think About Data Privacy As Part Of Confidentiality
For many businesses, “confidential information” includes personal information - and that brings privacy compliance into the picture.
It’s worth checking that your external-facing documents (like your Privacy Policy) match your internal reality. If you have staff collecting personal information on forms, running email marketing lists, or recording calls, you’ll want consistent rules and permissions.
Common Confidentiality Risks For Small Businesses (And How To Reduce Them)
Small businesses often have fast-moving teams, shared tools, and informal processes - which is great for agility, but it can make confidentiality harder to manage.
Here are some of the most common scenarios we see, and what you can do about them.
Staff Taking Client Lists Or Files When They Leave
This is one of the biggest real-world confidentiality issues. It might look like:
- exporting contacts from your CRM
- forwarding customer emails to a personal address
- saving quote templates or pricing spreadsheets
- taking internal SOPs or training materials
Practical risk-reducers include:
- clear contract clauses about return of property and confidential information
- role-based access (not everyone needs access to everything)
- offboarding checklists (disable access promptly, collect devices, reset passwords)
- exit reminders about confidentiality obligations
Oversharing In Group Chats Or Social Media
Even well-meaning staff can overshare. For example, a quick photo of the workplace can accidentally capture:
- customer details on screens
- whiteboards with strategy notes
- private employee rosters
A simple social media guideline and a reminder that “work info stays at work” can go a long way.
Work-From-Home And Device Risks
Remote work can create confidentiality issues if staff use shared family devices, save files locally, or work in public spaces.
Consider setting clear expectations around:
- using only approved work devices or secured accounts
- not downloading files unnecessarily
- locking screens and protecting passwords
- secure disposal of printed documents
Recording Calls Or Using Surveillance Without Clear Rules
Some businesses record customer calls for training and quality purposes, and some use security cameras or other monitoring tools for safety and security.
These can be legitimate business practices, but they overlap with privacy and workplace transparency. If you’re recording calls, it’s worth understanding the compliance angle and making sure your team is trained on the rules and scripts. For context, call recording can raise issues under the Privacy Act 2020 and industry expectations, so it’s a good idea to sanity-check your approach to call recording laws before rolling it out widely.
Similarly, if you use cameras on site, you’ll want to think about legitimate purpose, signage, and policy. Workplace monitoring is a common friction point if it’s introduced without clarity, so it’s worth getting your approach right to cameras in the workplace.
What Can You Do If Confidentiality Is Breached?
If you suspect a confidentiality breach, it’s tempting to react quickly - but in employment situations, process matters. A rushed response can create risk for your business (for example, if you move straight to termination without following a fair process).
What you can do depends on the situation, but common steps include:
1) Act Quickly To Contain The Risk
- Change passwords and revoke access where appropriate
- Secure devices, documents, and accounts
- Preserve evidence (emails, downloads, system logs)
Be careful about how you collect evidence. The “right” approach depends on your policies, what systems/accounts are involved, and your privacy obligations - so it may be worth getting advice before reviewing devices, accessing accounts, or introducing any additional monitoring.
2) Investigate Fairly (Especially For Employees)
In an employment context, you’ll usually want to follow a fair investigation and disciplinary process. That often means:
- raising the concerns with the employee
- giving them a chance to respond
- considering their explanation genuinely
- documenting your steps
Even when you feel confident you’re “in the right”, process mistakes can turn a clear misconduct issue into an employment dispute.
3) Consider Whether This Is Also A Privacy Breach
If the information involved includes personal information, you may also need to consider whether the incident triggers privacy obligations (including whether it’s a notifiable privacy breach). This is where a quick legal check can save you from accidentally under-reporting - or over-reporting - the issue.
4) Enforce Contractual Rights
If your agreements are well drafted, you may be able to rely on clauses requiring the person to:
- stop using or disclosing the information
- return or delete confidential materials
- confirm in writing they have complied
If the breach involves a contractor or external party, your NDA and service agreement terms will be key.
5) Think Beyond The Immediate Dispute
Once the urgent issue is contained, it’s worth asking: how did this happen? The fix is often a systems improvement - tighter access controls, better onboarding, clearer policies, or updated documents.
Confidentiality issues are one of those areas where a small amount of prevention can save a huge amount of time (and cost) later.
Key Takeaways
- Workplace confidentiality is about protecting the information that keeps your business running - client data, pricing, internal processes, strategy, and sensitive records.
- In NZ, confidentiality obligations can come from employment agreements, implied duties (which can be limited and context-specific), the Privacy Act 2020 (for personal information), and contracts with third parties.
- Your best protection is usually a combination of a clear employment agreement, practical workplace policies, and (where appropriate) an NDA for contractors and external parties.
- Trying to label “everything” confidential can backfire - clear and reasonable definitions are easier to enforce and more likely to work in real life.
- Common risks for small businesses include client lists walking out the door, oversharing on social media, remote work device issues, and unclear rules around call recording or workplace monitoring.
- If a breach happens, act quickly to contain the risk, follow a fair process (especially for employees), and consider whether privacy obligations are also triggered.
This article is general information only and isn’t legal advice.
If you’d like help putting the right confidentiality clauses and workplace documents in place, or dealing with a confidentiality breach, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.








