Workplace Privacy
Under the Privacy Act 2020, organisations in Aotearoa are custodians of the personal information of their employees and clients, not owners. The Act’s 13 Information Privacy Principles (IPPs) govern how information is collected, stored, used, disclosed and retained. For employers, these duties sit alongside the Employment Relations Act 2000 (ERA), which imposes a broader obligation of good faith and fair treatment in all aspects of the employment relationship.
Collection: Only What Is Necessary, and Collected Fairly
IPPs 1–4 regulate collection. Organisations may collect personal information only for a lawful purpose connected with their functions, and only where the information is necessary for that purpose (IPP 1), which is a data-minimisation requirement. Information should generally be collected directly from the individual concerned (IPP 2), and that person must be told why it is being collected, who will receive it, whether providing it is compulsory, and the consequences of not providing it (IPP 3). Collection must also be by lawful means, fair in the circumstances, and not unreasonably intrusive (IPP 4).
In employment, these principles intersect with the ERA’s duty of good faith, which requires employers to be active, communicative and not misleading or deceptive. For example, seeking extensive medical or family details from job applicants without a clear, lawful purpose may breach both the Privacy Act and the ERA’s standards of fairness.
Storage and Security: Protecting What You Hold
IPP 5 requires agencies to protect personal information with reasonable security safeguards against loss, unauthorised access, use, modification or disclosure. For employers and service providers this means:
- Limiting access to HR and client files to those with a genuine “need to know”
- Implementing appropriate technical security for cloud systems and remote work
- Training staff to recognise phishing and social engineering
- Having clear procedures for responding to suspected breaches
Because wage, time and leave records must be kept under the ERA and related legislation, employers must also ensure these records are accurate, complete, and securely retained for the required periods.
Access, Correction and Accuracy
Under IPPs 6 and 7, individuals have the right to access personal information held about them and to request corrections. Employees may seek copies of performance notes or wage records, and clients may seek access to file notes or contact details. The ERA reinforces this by requiring employers, on request, to provide employees with access to their wage and time records for the preceding six years.
IPP 8 then requires agencies to take reasonable steps to ensure information is accurate, up to date, complete and not misleading before using it. Decisions about promotions, disciplinary action or service provision based on outdated or incomplete records risk breaching both Acts.
Retention, Use and Disclosure (Including Overseas)
IPP 9 prohibits retaining personal information for longer than it is required for the purpose for which it may lawfully be used, subject to other legal record-keeping duties. IPPs 10 and 11 limit use and disclosure to the purpose for which the information was obtained, or a directly related purpose that the person would reasonably expect, unless an exception applies or the individual has authorised the use or disclosure (privacy.org.nz).
For employees and clients, this means their information cannot simply be repurposed for marketing, data-matching or unrelated analytics without clear notice and, often, consent. ERA good-faith obligations reinforce this by requiring openness about decisions that may adversely affect employees and giving them information and an opportunity to comment.
IPP 12 adds special safeguards for disclosure to a foreign person or entity: before disclosing, the agency must reasonably believe the recipient is subject to the Privacy Act or to comparable privacy safeguards (or is in a prescribed country), or have secured contractual commitments to that effect, or have obtained the individual’s express, informed authorisation. This is critical where payroll, HR or client data is shared with overseas parties who use it for their own purposes. One caveat: an overseas provider that merely stores or processes information on the agency’s behalf is treated under the Act as the agency’s agent, so offshore hosting is principally an IPP 5 security question for the agency rather than an IPP 12 disclosure, though the agency remains fully responsible for what that provider does with the information.
Unique Identifiers and Accountability
IPP 13 restricts the assignment and use of unique identifiers (such as staff numbers or client IDs) to situations where they are genuinely necessary for the agency to carry out its functions efficiently. An agency may not adopt an identifier assigned by another agency as its own, must take reasonable steps to confirm the identity of the person before assigning one, and must use identifiers carefully to avoid inappropriate cross-linking of information.
Finally, the Privacy Act’s notifiable privacy breach regime, which requires an agency to notify the Privacy Commissioner and affected individuals of a breach that has caused or is likely to cause serious harm, and the ERA’s good-faith framework together emphasise that handling personal information is a core element of the employment and client relationship. Serious privacy failures are not just technical oversights; they can amount to a breach of legal duties going to the heart of trust, confidence and fairness in the workplace and in service delivery.

