Privacy in the workplace has become a common concern. Employers of all sizes increasingly collect and manage personal information, raising questions about the extent of their rights to do so and the protections afforded to employees.

Individual privacy is protected through both the Privacy Act 2020 (the Act), common law (court-made law), the New Zealand Bill of Rights Act 1990 (which includes the right to be free from unreasonable search and seizure), and to some extent through international human rights treaties.

This article explores how the Act applies in employment settings, with a focus on personal data and workplace surveillance.

The Privacy Act 2020

The Act applies to both public and private sector agencies. It may also apply to individuals in New Zealand in some circumstances or overseas agencies if they carry on business in New Zealand, regardless of whether they have a physical presence in New Zealand.

The Act governs the collection, use, storage, protection, and disposal of personal information in New Zealand. The general objective of the Act is “to promote and protect individual privacy” in respect to information about individuals held by agencies.

The Act is principles-based, and contains 13 Information Privacy Principals (IPP) which set objectives or ideals. This ensures that the Act can be applied to situations that parliament may not have anticipated.

What is Personal Information? 

The Act defines personal information as any information that can identify an individual. This includes not only obvious identifiers such as names, addresses, and bank account details, but also employment records, medical details, emails, swipe card logs, and location data from company-issued devices. 

For the Act to apply, personal information must be collected, held or used by an agency, including organisations in both the public and private sectors.  

Workplace Surveillance

In the workplace, privacy concerns often arise in areas such as surveillance, email monitoring and the handling of personal records. Surveillance, including video monitoring, must comply with the Act’s principles, ensuring it is necessary for a lawful purpose, conducted fairly, and does not intrude unreasonably on an employees’ personal affairs.

Covert surveillance is generally discouraged unless there is a specific justified reason, such as investigating suspected theft in the workplace. Where that concern arises, an employer might be able to rely on an exception to IPP 3 (which requires consent from the person concerned).

Employers

Employers often collect personal information for legitimate business purposes—such as recruitment, payroll, performance management, and ensuring workplace safety. Modern employment agreements will normally include a clause which provides the employee’s consent to this collection and use. Employers must also consider the obligation of good faith, requiring them to be active, constructive, and communicative in the employment relationship, when considering to collect employees’ personal information.

Employers must ensure that personal data is:

  • Collected for a specific, lawful purpose;
  • That the employees consent to the collection and use;
  • Stored securely;
  • Accessed only by authorised personnel;
  • Retained for no longer than is necessary for the business purpose; and
  • Used solely for the purpose for which it was collected.

Many employers monitor employee activity to enhance productivity, ensure security, or meet compliance obligations. Common forms of workplace surveillance include:

  • Closed-circuit television (CCTV);
  • Monitoring of emails and internet usage;
  • GPS tracking in vehicles or mobile devices; and
  • Biometric systems (e.g. fingerprint or facial recognition).

Surveillance is not inherently unlawful, but it must be reasonable, proportionate, and conducted in a transparent manner. In most cases, employers are required to inform employees about:

  • The nature and extent of monitoring;
  • The reasons for collecting the information;
  • How the data will be used and stored.

For instance, installing CCTV in a warehouse for security purposes with clear signage is generally acceptable, but general covert surveillance in private areas such as break rooms may be considered intrusive and harmful.

A common question during the COVID-19 lockdowns was whether employers could require employees working from home to leave their laptop cameras on throughout the workday to monitor productivity. There might be some circumstances where an employer could lawfully instruct an employee to turn their camera on, for example during meetings. However, requiring an employee to keep their camera on, and so be subject to constant surveillance, will likely be considered as excessive and disproportionate to the business need.

Implied consent is not always sufficient—particularly when dealing with sensitive information such as health data. Employers should seek explicit consent and avoid collecting unnecessary personal data.

Some frequent privacy breaches include:

  • Sharing employee information without consent (for example, disclosing medical conditions to colleagues);
  • Engaging in excessive or unjustified surveillance;
  • Failing to notify staff that their digital activity (e.g. keystrokes or browser history) is being monitored;
  • Retaining personal data long after an employee has left the organisation, without a valid reason.

These practices often breach an employees’ right to privacy and could give rise to a claim for disadvantage from the affected employees.  For example, if an employer relies on improperly collected personal information to make decisions about dismissal or discipline, this could constitute procedural unfairness and breach the Act. Employees can raise privacy-related personal grievances under the Employment Relations Act 2000 or complaints under the Act.

Employers have a legitimate interest in protecting their business operations. However, this must be balanced against employees’ rights to privacy. To maintain compliance and foster trust, employers should:

  • Be transparent about data collection and monitoring;
  • Limit data collection to what is necessary;
  • Secure all personal information appropriately;
  • Dispose of or anonymise data when it is no longer required.

Employees

Employees, in turn, should familiarise themselves with their employment agreements and workplace privacy policies. If concerns arise, they have the right to request access to their personal information and to challenge how it is used.

Workplace privacy is not merely a compliance obligation—it is a matter of respect, transparency, and trust. Employees can expect that their personal information will be collected lawfully and fairly, without unreasonable intrusion into their personal affairs. Employers who handle personal data responsibly are more likely to cultivate a positive and productive work environment. Likewise, informed employees are better equipped to safeguard their privacy and contribute to a fair and open workplace culture.

 

If you are concerned about how to handle potentially private information, or that your privacy has been breached, the first step in getting support is to talk with a lawyer from Frontline Law about your situation and see what options we can offer you. Contact Frontline Law for a free initial consultation.

*The information in this blog post is general in nature and is not legal advice. If you need advice, you should contact us about your specific situation.