New Zealand privacy law requires that you protect the personal information you deal with. This legislation impacts how you manage your employees’ internet and email usage. However, while you can manage such usage to minimise certain privacy risks, like privacy breaches, you need to do so in a way that intrudes on employee privacy as little as possible. For some guidance, this article will go through how you can manage your employees’ internet and email usage under the New Zealand Privacy Act.

What Is the Privacy Act?

The Privacy Act sets out what privacy protections the law gives people in New Zealand. It does so by setting certain requirements for any entity that deals with any information that can identify a living person, which it classifies as personal information. Examples of personal information include:

  • names;
  • email addresses;
  • physical addresses;
  • photos; and
  • phone numbers.

Your business will likely deal with the personal information of both your customers and your employees, which means you will need to comply with the Privacy Act’s requirements. These include:

  • collecting personal information in a legal manner and for a legitimate purpose;
  • only collecting personal information that you need;
  • only using data for the purpose you told people about at the time of collection;
  • applying reasonable security measures to information according to its sensitivity;
  • telling individuals what information you are collecting and why;
  • only storing information for as long as you need it;
  • letting individuals access and correct the personal information you hold about them;
  • not using data in a way your customers/employees would not expect;
  • only sharing personal information where you have consent or the law requires it;
  • disposing of information securely;
  • having a privacy officer at your business; and
  • reporting any privacy/data breaches where they are likely to cause serious harm.

Privacy Breaches

Privacy breaches can unfold in multiple different ways. A privacy breach can happen when: 

  • an unauthorised person (or group of people) has gained access to the personal information that your business deals with;
  • personal information is misused, lost, deleted, altered, or destroyed; or
  • something is preventing you from gaining access to your stored personal information, such as a cyberattack.

If your business stores personal information that is subject to a privacy breach, you have various obligations. These will depend on the nature of the information you hold and the severity of the privacy breach.

For example, if an employee sends a confidential email containing sensitive personal information to the wrong email address, this is likely to be a privacy breach. As an agency under the Privacy Act, generally, you will be responsible for the actions of your employees. 

It is important to note that privacy breaches can be intentional or accidental. Either way, you need to prepare for privacy breaches and account for risks that may lead to them. In addition, you have a responsibility to reasonably secure any personal information you store or share, which you can reflect in your workplace internet and email policies. 

Therefore, reflecting security in your workplace practices to avoid privacy breaches can help you comply with your obligations under the Privacy Act. Actions such as monitoring staff internet and email usage may then fall under this practice.

Respecting the Privacy of Your Employees

However, the Privacy Act also protects the privacy of your employees themselves. Their personal information will be part of the personal information your business deals with, so you have the same obligations when dealing with it. In particular, you can only collect employee personal information when it is necessary for your business to complete its legitimate activities. Therefore, you can only monitor or track employee internet and email usage as far as it is necessary for security and preventing privacy breaches. Accordingly, you can only do so:

  • lawfully; 
  • fairly; and
  • in a way that is not unreasonably intrusive.

For example, asking your employees for their social media passwords so that you can monitor their social media usage is not necessary and is likely to be unreasonably intrusive.

As a result, in most cases, you will need to tell your employees when you are monitoring their internet or email usage unless you have a very strong reason not to. Additionally, you will engage the other requirements of the Privacy Act when dealing with any personal information you collect in this way.

Developing Appropriate Policies

Therefore, when developing workplace policies for employee internet and email usage, you need to balance your business’ need for security with your employees’ privacy rights. Work with your employees to find fair solutions and consider:

  • what qualifies as acceptable email and internet use;
  • what processes and steps employees need to observe when sending personal information over the internet or email;
  • why you are collecting any personal information, and whether it is necessary;
  • how you will inform staff of any privacy obligations; and
  • who has access to any employee personal information you collect.

You need to set out any such policies in your employment agreement so that employees are aware of any monitoring or other management.

Key Takeaways

The Privacy Act affects how you can manage your employees’ internet and email usage in two main ways. First, it requires that you implement appropriate security measures to reduce privacy risks, including monitoring and restricting your employees’ internet and email usage. Second, you need to do this while respecting the privacy protections the Privacy Act grants your own employees, which means you need to inform your employees about how you will manage their internet and email usage.

If you would like more information or help with the Privacy Act and your workplace policies, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570.

Frequently Asked Questions

What is the Privacy Act?

The Privacy Act is New Zealand’s main privacy law that defines personal information and sets out requirements for businesses that deal with it. It aims to promote and protect privacy rights.

Can I monitor my employees’ email and internet usage under the Privacy Act?

You can only monitor your employees’ email and internet usage as far as it is reasonable and only when necessary for a legitimate business purpose. Therefore, you should aim to protect email privacy where possible. When you collect any personal information in this way, you need to tell your employees.