Privacy Act 2020 — employee information
Employer privacy obligations in New Zealand — employee information
Employers collect a wide range of personal information about employees. The Privacy Act applies to all of it. Here are the key obligations.
What information can employers collect?
Only what is necessary
Employers can collect personal information about employees that is necessary for employment purposes — including: name, contact details, tax file number, bank account (for pay), work history, qualifications, and performance records.
Employers should not collect information that is not necessary for the employment relationship. Collecting sensitive personal information (for example health, disability or ethnicity) requires extra justification and care.
Collection must be lawful and transparent
Tell employees what you're collecting and why
When collecting personal information directly from an employee, you must tell them:
- Why you are collecting it
- Who you might share it with
- Whether collection is voluntary or mandatory
- Their right to access and correct the information
A privacy statement in your employment agreement or onboarding documentation is a practical way to meet this obligation.
Monitoring employees
Surveillance requires transparency and proportionality
Employers can monitor employees — email monitoring, CCTV, GPS tracking, call recording — but must:
- Tell employees what monitoring is in place and why
- Have a legitimate business reason for the monitoring
- Ensure the monitoring is proportionate — not more intrusive than necessary
- Use monitoring data only for the stated purpose
Secret surveillance of employees is problematic under the Privacy Act and may also breach employment law good faith obligations.
Health information about employees
Extra care required — sensitive personal information
Health information is subject to the Health Information Privacy Code as well as the Privacy Act. Employers should:
- Only collect health information when genuinely necessary (e.g. fitness for duty, ACC, sick leave management)
- Keep health information separate from general employee records
- Limit access strictly — only those with a genuine need to know
- Not disclose an employee's health condition to other employees or managers without consent
- Use it only for the purpose for which it was collected
Employee access rights
Employees can request their own records
Employees can request access to personal information the employer holds about them — including performance reviews, disciplinary records, and medical information collected by the employer. The employer must respond within 20 working days.
Employers can withhold information that is protected by legal professional privilege, or that would identify a confidential informant. They cannot withhold information simply because it is unflattering.
References and background checks
Must have consent
Collecting references about a prospective employee requires their consent. Similarly, conducting a background or credit check requires the candidate's written consent. Using reference or check information for a purpose other than the employment decision may breach the Privacy Act.
Source: Privacy Act 2020; Health Information Privacy Code 2020. Privacy Commissioner workplace privacy guidance: privacy.org.nz. General information only.
Frequently asked questions
Can we monitor employee emails?
Yes, with transparency. Employees must be told that email may be monitored, the reasons for monitoring, and the circumstances in which it will occur. Monitoring should be proportionate — blanket monitoring of all email may be excessive.
Can we require employees to disclose their social media profiles?
Generally no — personal social media is private. You may have a legitimate interest if the employee's social media is relevant to their role (e.g. a public-facing influencer role) or if conduct on personal social media affects the workplace. Get legal advice before requiring disclosure.
What if we need to disclose an employee's information in disciplinary proceedings?
Limit disclosure to those directly involved in the process. Witnesses and decision-makers need to know relevant facts, but unnecessary disclosure to others in the workplace breaches privacy obligations.
How long do we keep employee records after employment ends?
At minimum: tax records (7 years, IRD requirement), employment agreement (at least 7 years after termination), payroll records (7 years). Other records depend on potential future needs — consider the risks of keeping and the risks of destroying.