Employee Monitoring in New Zealand: Your Rights & Employer Obligations (2026)
If you work in New Zealand and your employer uses software to track your keystrokes, read your emails, or monitor your location via GPS, you have specific privacy rights under the Privacy Act 2020. This guide explains what your employer can and cannot do, and what to do if you suspect your rights have been breached.
Key Rule – IPP 1 (Purpose)
Under Information Privacy Principle 1 (IPP 1) of the Privacy Act 2020, an employer may only collect personal information (including monitoring data) if it is necessary for a lawful purpose connected with their functions or activities. Monitoring just to “keep an eye on staff” is not enough – there must be a genuine business reason (e.g., security, productivity, compliance).
1. What Counts as Employee Monitoring?
Employee monitoring includes any systematic collection of data about your work activities. Common examples in NZ workplaces:
- Keylogging – recording every keystroke you type
- Email monitoring – reading incoming/outgoing emails (including personal emails on work systems)
- GPS tracking – tracking company vehicles or work phones in real time
- Screen recording / webcam activation
- Internet and app usage logs
- Biometric data (fingerprint scans, facial recognition for timekeeping)
2. The Privacy Act 2020 – Your Key Protections
The Privacy Act 2020 sets out 13 Information Privacy Principles (IPPs). The two most relevant for monitoring are IPP 1 and IPP 3.
IPP 1 – Purpose of Collection
Your employer must only collect monitoring data for a lawful purpose that is necessary for their business. For example:
- Preventing theft of client data (keylogging on sensitive systems)
- Ensuring vehicle safety (GPS tracking for delivery drivers)
- Complying with industry regulations (e.g., financial services recording calls)
Monitoring for vague reasons like “improving productivity” without a specific, documented need is likely a breach of IPP 1.
⚠️ Warning – Personal Grievance Risk
If your employer monitors you without proper notice or a lawful purpose, you may have grounds for a personal grievance under the Employment Relations Act 2000. The Employment Relations Authority can award compensation for humiliation, loss of dignity, and injury to feelings – up to $25,000 or more in serious cases.
IPP 3 – Collection Must Be Fair and Not Unlawful
Under IPP 3, your employer must collect information in a way that is fair and does not intrude to an unreasonable extent on your personal affairs. Secret monitoring (e.g., hidden cameras in break rooms, undisclosed keyloggers) is almost always a breach of IPP 3.
3. The Notification Requirement – You Must Be Told
Under IPP 3 (read together with section 22 of the Privacy Act), your employer must take reasonable steps to make you aware that monitoring is happening. This includes telling you:
- That monitoring is occurring (e.g., “We use GPS tracking on all company vehicles”)
- What type of data is collected (e.g., keystrokes, emails, location)
- Why it is being collected (the purpose)
- Who will have access to the data
- How long it will be kept
Notification should be in your employment agreement, an employee handbook, or a clear policy that you have acknowledged. A vague mention in a staff meeting is not enough.
Key Rule – No Surprises
You must be notified before monitoring begins, or as soon as practicable after. If your employer starts monitoring without telling you, they are likely breaching IPP 3. This applies even if you are using a work-provided device.
4. Specific Monitoring Types – What’s Allowed?
Keylogging
Keylogging is high-risk. It can capture passwords, personal messages, and confidential information. The Privacy Commissioner has said keylogging should only be used in exceptional circumstances (e.g., investigating a specific security breach) and with clear, prior notice. Blanket keylogging of all staff is almost never justified.
Email Monitoring
Employers can monitor work emails for legitimate business purposes (e.g., data loss prevention). However, if you use your work email for personal messages (which many NZ employees do), your employer must have a policy that explains how they handle personal content. They cannot read your personal emails without a very good reason (e.g., a court order or serious misconduct investigation).
GPS Tracking
GPS tracking of company vehicles or work phones is generally acceptable if the purpose is work-related (e.g., route optimisation, safety). But tracking outside work hours or tracking personal vehicles without consent is likely a breach. The employer must also ensure the data is not used to monitor personal activities.
5. What to Do If You Think Your Rights Are Breached
- Check your employment agreement and policies – see if monitoring is disclosed.
- Ask your employer in writing – request a copy of the monitoring policy and what data is collected.
- Raise a formal complaint – if you are not satisfied, you can raise a personal grievance (within 90 days of the breach).
- Complain to the Privacy Commissioner – the Office of the Privacy Commissioner can investigate and issue compliance notices.
⚠️ Warning – Don’t Ignore It
If you suspect undisclosed monitoring, do not try to “test” it by sending sensitive personal data. Instead, seek advice from a lawyer or the Privacy Commissioner. Retaliation for raising a privacy concern is unlawful.
6. Best Practice for Employers (and What Staff Should Expect)
Employers who want to avoid personal grievances and Privacy Act complaints should:
- Conduct a privacy impact assessment before implementing monitoring
- Have a written monitoring policy that is clear and accessible
- Only collect data that is strictly necessary
- Limit access to monitoring data to authorised personnel
- Delete data when it is no longer needed
If you are an employer or manager looking for a compliant monitoring solution, ShiftScript’s employee monitoring tools are designed with NZ privacy law in mind – including built-in notification workflows and data minimisation features.
7. Summary – Your Rights at a Glance
- Your employer must have a lawful purpose for monitoring (IPP 1).
- You must be notified before monitoring starts (IPP 3).
- Monitoring must be fair and not intrusive (IPP 3).
- Secret monitoring is almost always a breach.
- You can raise a personal grievance if your rights are violated.
Frequently asked questions
Can my employer monitor my personal emails on a work computer?
Generally, yes – if you use a work email system, your employer can monitor it for legitimate business purposes. However, they must have a clear policy telling you this in advance. If they read emails that are clearly personal (e.g., marked 'personal'), they may breach IPP 3 (fair collection). The Privacy Commissioner recommends employers have a policy that respects personal communications where possible.
Is keylogging legal in New Zealand?
Keylogging is legal only in very limited circumstances. Under IPP 1, it must be necessary for a specific purpose (e.g., investigating a security breach). Blanket keylogging of all staff is almost always a breach. The employer must also notify you before keylogging begins. If you discover undisclosed keylogging, you may have grounds for a personal grievance.
Does my employer need to tell me about GPS tracking?
Yes. Under IPP 3, your employer must take reasonable steps to notify you that GPS tracking is occurring, what data is collected, and why. This includes tracking company vehicles or work phones. Tracking outside work hours or tracking personal vehicles without consent is likely a breach of the Privacy Act.
What should I do if I think my employer is monitoring me secretly?
First, check your employment agreement and any policies for disclosure. If you find no notice, ask your employer in writing for a copy of their monitoring policy. If you are not satisfied, you can raise a personal grievance within 90 days or complain to the Privacy Commissioner. Do not try to 'test' the monitoring by sending sensitive data – seek legal advice instead.
Can I be fired for refusing to consent to monitoring?
It depends. If the monitoring is lawful (e.g., required for safety or compliance) and you were notified, refusing may be a breach of your employment obligations. However, if the monitoring is not justified under IPP 1 or is undisclosed, you cannot be lawfully dismissed for objecting. If you are dismissed, you may have a personal grievance for unjustified dismissal.