SecurityPolicy.com.au
Home/ New Zealand/ Policy Library/ Acceptable use policy for New Zealand businesses
New Zealand Policy Library Policy template Reviewed 2026-07-13

Acceptable use policy for New Zealand businesses

13 + 3A
numbered Privacy Act principles, with IPP 3A effective from 1 May 2026
10
current NCSC Critical Controls
90 days
usual period for raising most personal grievances
5
functions in the NCSC Cyber Security Framework
Why this guide exists

Questions are ordered from the purpose and core rules of an acceptable use policy through communications, generative AI, workplace monitoring, personal devices, fair consequences, non-employees, acknowledgement and the gaps most likely to undermine enforcement.

What is an acceptable use policy and why does a New Zealand business need one?

An acceptable use policy sets the rules for using the organisation's information, systems, accounts, networks, devices and communications services. It tells workers what business and limited personal use is permitted, what is prohibited, how personal and confidential information must be handled, what monitoring may occur, how suspected incidents must be reported and what process applies when a rule may have been breached. New Zealand law does not prescribe one universal document titled 'acceptable use policy' for every private business. A clear policy is nevertheless a practical way to support Privacy Act 2020 IPP 5 safeguards, IPP 10 and IPP 11 limits on using and disclosing personal information, employment-law good faith and fair process, and the security outcomes recommended by NCSC and Own Your Online. Employment New Zealand says workplace policies provide detail about how work is done and what is expected beyond the employment agreement or job description. The policy should be proportionate, understandable, consistently applied and linked to the organisation's information security, privacy, incident response, BYOD and disciplinary processes.

How this differs by situation
  • employees and casual employees — Apply the policy through the employment relationship, induction, training and fair employment processes.
  • contractors and other authorised users — Apply equivalent security rules through contracts, access conditions and confidentiality obligations.
  • privacy and security — Connect acceptable-use rules to IPP 5, IPP 10, IPP 11, NCSC guidance and the incident-reporting process.
PUT THIS IN YOUR POLICY, EXACTLY

This policy governs the use of our information, systems, accounts, networks, internet access, communications services, devices and approved artificial-intelligence tools. It applies to every employee, director, contractor, temporary worker, volunteer and other person given access. Users must protect information, use access only for authorised purposes, follow security instructions, avoid unlawful or harmful activity and immediately report suspected loss, misuse, compromise or policy breach.

What use of systems, accounts and data should be permitted or prohibited?

Permitted use should centre on legitimate work activities performed through approved accounts, applications, devices and storage locations. A business may allow limited incidental personal use where it is lawful, reasonable, low-risk, does not interfere with work, does not create material cost and does not expose the organisation to security, privacy or reputational harm. The policy should make clear that authorisation is determined by business purpose, not merely by whether a user has functioning credentials. Prohibited conduct should include accessing personal or confidential information without a work need; sharing passwords or MFA factors; bypassing security controls; installing unapproved software; moving work information to personal email, storage or messaging accounts; harassment, unlawful content or fraud; excessive personal use; unauthorised recording; deliberate interference with systems or logs; and disclosing information without authority. IPP 10 and IPP 11 generally limit the use and disclosure of personal information to the purpose for which it was obtained unless an applicable exception exists. OPC also expects organisations to prevent employee browsing and make clear that access to customer information is only for legitimate work purposes.

How this differs by situation
  • permitted business use — Authorised activity using approved identities, systems, information and processes for a legitimate work purpose.
  • limited personal use — Optional employer permission that should be reasonable, lawful, low-risk and subordinate to work requirements.
  • prohibited use — Unauthorised access, disclosure, credential sharing, control bypass, harmful content, unapproved software and removal of business data.
  • privileged users — Administrators and support personnel remain limited to approved tasks and must not browse information merely because their access permits it.
PUT THIS IN YOUR POLICY, EXACTLY

Business systems, accounts and information may be used only for authorised work and any limited personal use expressly permitted by this policy. Users must not access information without a legitimate work need; share passwords, authentication factors or accounts; bypass security controls; install or connect unapproved technology; send business information to personal accounts; use access for curiosity or personal advantage; disclose information without authority; conceal activity by altering logs; or use organisational resources for unlawful, fraudulent, harassing, discriminatory, offensive or materially disruptive activity.

What rules should cover email, web use, messaging and generative-AI tools?

Business communications should use approved accounts and services so the organisation can secure, retain, search and recover its records. Users should not automatically forward business email to personal accounts, use private messaging as the only record of a business decision, or send sensitive information through an unapproved channel. Unexpected links, attachments, MFA prompts and payment-detail changes should be independently verified and reported. Generative AI requires additional rules. OPC says the Privacy Act applies to everyone using AI tools in New Zealand and recommends a Privacy Impact Assessment before use. OPC also says personal or confidential information should not be entered unless the organisation has explicitly confirmed that the provider will not retain or disclose it, and AI output should receive human review before action is taken. The policy should identify approved tools and accounts, permitted information classes, prohibited data, required human verification, ownership and recordkeeping expectations, and the process for proposing a new AI tool. Staff should not represent unverified AI output as fact, professional advice or an approved organisational decision.

How this differs by situation
  • email and web — Use approved accounts, report suspicious activity and do not evade filtering, retention or security controls.
  • messaging and collaboration — Protect sensitive information, preserve required business records and avoid personal channels unless specifically approved.
  • approved generative AI — Use only for authorised purposes, with approved data classes, human review and required records.
  • prohibited AI input — Do not enter personal, privileged, confidential, commercially sensitive or security information without documented approval and provider assurance.
PUT THIS IN YOUR POLICY, EXACTLY

Users must conduct business through approved email, web, messaging, storage and collaboration services. Business information must not be forwarded, copied or synchronised to personal accounts unless expressly authorised. Only approved generative-AI tools and organisational accounts may be used for work. Personal, privileged, confidential, commercially sensitive, security-sensitive or customer information must not be entered into an AI tool unless the privacy and security assessment expressly permits it. AI output must be checked by a competent person for accuracy, bias, confidentiality, legal risk and fitness for purpose before it is used or shared.

What monitoring is lawful, and how should it be disclosed under the Privacy Act and Employment Relations Act?

Owning a device, account or network does not give an employer an unlimited right to monitor workers. Monitoring personal information must have a lawful and necessary purpose, be fair and no more intrusive than reasonably required, and comply with the Privacy Act's collection, security, use, disclosure and retention principles. OPC says employers generally have a proper basis to monitor work computers, email and internet use, but must clearly explain permitted use and the extent of monitoring. Employment New Zealand says an employer deciding to monitor should develop a policy, comply with the Privacy Act and Employment Relations Act, consult employees and unions where applicable, and make sure employees understand the policy and its purpose. Good faith requires parties to deal honestly, openly and in a fair and timely way. The policy should disclose the types of monitoring, data collected, purpose, systems and locations covered, who can access results, retention, possible employment uses and complaint route. Covert or highly intrusive monitoring requires exceptional justification and specific legal advice.

How this differs by situation
  • routine security monitoring — Logs, alerts, malware protection, access records and service monitoring disclosed in a clear policy.
  • productivity or conduct monitoring — Requires a legitimate need, proportionality, consultation and clear explanation of possible employment use.
  • covert or intrusive monitoring — Generally high risk and potentially unfair; use only where strongly justified and legally reviewed.
  • employees and unions — Consult where applicable and provide understandable notice before ordinary monitoring begins or materially changes.
PUT THIS IN YOUR POLICY, EXACTLY

We may monitor organisational accounts, systems, networks and devices for documented purposes including security, service reliability, legal compliance, acceptable-use assurance and investigation of suspected misconduct. Monitoring must be lawful, necessary, fair, proportionate and no more intrusive than reasonably required. We disclose the monitoring performed, the information collected, its purposes, authorised users, retention and possible employment uses. Materially new or expanded monitoring requires privacy review, good-faith consultation where applicable and notice before implementation, except where a lawful and compelling investigation need justifies a different approach.

What should the policy say about BYOD, personal accounts and personal devices?

A business should decide deliberately whether personal devices and accounts may be used rather than allowing informal BYOD by default. NCSC says BYOD introduces additional business and information-security risks and recommends a risk assessment and a communicated usage policy defining expected behaviour and organisational support. Approved devices should use a supported operating system, prompt security updates, encryption, automatic locking, MFA and an approved means of separating or managing work information. Lost, stolen or compromised devices must be reported immediately. Work information should not be stored in personal cloud storage, personal email, consumer messaging backups or shared family accounts unless specifically authorised. The policy should explain what security configuration, compliance checks or work-data removal the organisation may perform and should not claim unrestricted access to unrelated personal content. Where a personal account is unavoidably used to administer a business service, such as a social-media page, it should meet the organisation's MFA and password requirements and have documented backup administrators and offboarding arrangements.

How this differs by situation
  • organisation-owned device — Preferred for sensitive work because security configuration, support, logging and recovery can be centrally managed.
  • approved BYOD — Permit only supported, updated, encrypted and appropriately separated devices meeting defined compliance requirements.
  • personal accounts — Do not use for business information or administration unless expressly approved and protected to business standards.
  • loss, investigation and exit — Define reporting, preservation, work-data removal, access revocation and the treatment of private information.
PUT THIS IN YOUR POLICY, EXACTLY

Personal devices and accounts may be used for work only where expressly approved. An approved personal device must run supported and current software, use device encryption and automatic locking, require multi-factor authentication where available, and use the approved method for separating and protecting work information. Business information must not be copied to personal email, storage, backups or messaging accounts. Users must immediately report loss, theft, compromise or change of ownership. The organisation may remove organisational access and work information in accordance with the disclosed BYOD process but will not claim unrestricted access to unrelated private content.

What consequences can follow a breach, and what fair process is required?

A breach may result in coaching, retraining, removal of access, a warning, another proportionate disciplinary outcome or, in sufficiently serious circumstances, dismissal. The policy should not state that every listed breach automatically amounts to serious misconduct. Employment New Zealand says a policy breach can potentially be serious misconduct, but whether it is serious depends on the facts, the employee's explanation, the degree of carelessness or intent, the effect on trust and the impact on the job. Before disciplinary action, the employer should investigate sufficiently, tell the employee the allegations and possible consequences, provide relevant information, allow a reasonable opportunity for representation and response, genuinely consider the response and make a proportionate decision. The statutory justification test asks whether the employer's actions and how the employer acted were what a fair and reasonable employer could have done in all the circumstances. For most personal grievances the employee has 90 days to raise the issue, although separate rules may affect valid trial periods and certain high-income earners.

How this differs by situation
  • minor or first breach — Consider explanation, coaching, retraining, correction and proportionate informal or formal action.
  • repeated or material breach — Use a documented disciplinary process and consider warnings, access restrictions or other proportionate action.
  • potential serious misconduct — Assess actual facts, intent, harm, trust, role and explanation rather than relying only on the policy label.
  • employee — Provide allegations, relevant information, representation opportunity, response and genuine consideration before deciding.
PUT THIS IN YOUR POLICY, EXACTLY

A suspected breach will be assessed under the applicable employment or contractual process. Outcomes may include guidance, retraining, access restriction, corrective action, warning, contract remedies or dismissal where justified. No listed breach is automatically treated as serious misconduct. For employees, the organisation will investigate sufficiently, disclose the concern and relevant information, identify possible consequences, allow a reasonable opportunity for representation and response, genuinely consider the response and make a fair, reasonable and proportionate decision.

How should the policy apply to contractors, casuals and visitors?

Apply the security rules to everyone according to the access they receive, but do not confuse employment status. Casual employees remain employees and employment-law protections apply during their employment and agreed work. Contractors are generally not employees and are not covered by all the same employment rights and obligations; their acceptable-use, confidentiality, audit and termination consequences should therefore be incorporated into the services contract or access conditions. Temporary workers supplied through another organisation may involve both contractual and employment responsibilities. Visitors should receive only the access needed for the visit, remain sponsored or escorted where appropriate, use time-limited credentials and comply with confidentiality, photography, recording and device-connection rules. Access should expire automatically or be revoked promptly when the task, engagement or visit ends.

How this differs by situation
  • casual employee — Apply the policy and employment-law fair process during the employment relationship and agreed periods of work.
  • independent contractor — Apply rules through the services agreement, confidentiality clauses, access terms and contractual remedies.
  • agency or temporary worker — Clarify responsibilities among the worker, host organisation and supplying employer.
  • visitor — Use sponsorship, escorting, time-limited access and restrictions on information, recording and network connection.
PUT THIS IN YOUR POLICY, EXACTLY

Acceptable-use requirements apply to every person according to the access provided. Employees and casual employees are managed through the applicable employment process. Contractors and supplier personnel are bound through written contracts and access conditions. Visitors must be authorised, sponsored and appropriately supervised, and may use only the information, facilities, networks and credentials expressly provided for the visit. All access must be time-limited where practical and revoked promptly when the work, engagement or visit ends.

How should policy acknowledgement be recorded, and is electronic acceptance valid?

Record who received and acknowledged the policy, which version they received, the date and time, the acceptance method and any required training or assessment. Electronic acknowledgement may be practical through an HR platform, learning system, secure portal or electronic-signature service. The Contract and Commercial Law Act 2017 allows legal requirements for writing and signatures to be met electronically when its conditions apply. An electronic signature must adequately identify the signatory, indicate approval and be appropriately reliable; consent is relevant where information or a signature is to be received electronically. Not every acceptable use policy is legally required to be signed, so the main objective is reliable evidence of issue, accessibility, acknowledgement and understanding. Acknowledgement does not waive Privacy Act or employment rights, provide blanket consent to undisclosed monitoring or automatically make every policy term contractual. Material changes should be communicated and, where they affect employment conditions or monitoring, considered through good-faith consultation before re-acknowledgement.

How this differs by situation
  • issue record — Retain the recipient, policy version, issue date and accessible copy.
  • electronic acknowledgement — Use an identifiable account, timestamp, approval action and tamper-resistant record.
  • understanding — Support acknowledgement with induction, examples, questions and role-specific training.
  • policy change — Notify users, consult where legally or practically required and obtain a fresh acknowledgement for material revisions.
PUT THIS IN YOUR POLICY, EXACTLY

Every user must receive access to the current policy and acknowledge that they have read, understood and will comply with it. The organisation records the user's identity, policy version, acknowledgement date, acceptance method and required training. Electronic acknowledgement is permitted where the process reliably identifies the user and records approval. Acknowledgement does not waive statutory rights, authorise undisclosed monitoring or prevent a user from raising a concern about legality, fairness or proportionality.

What are the common gaps in New Zealand SME acceptable use policies?

Common gaps include copying a policy that does not match the organisation's actual systems; prohibiting all personal use while managers routinely tolerate it; failing to distinguish authentication from authorisation; omitting personal information, generative AI, personal messaging, BYOD, service accounts, social-media administration and cloud storage; claiming workers have no privacy on any work-related device; describing monitoring vaguely or introducing it without consultation; calling every policy breach serious misconduct; failing to provide a fair process; applying employee language to contractors without contractual incorporation; relying on acknowledgement without training; and failing to revoke access when a person leaves. Other gaps include no reporting route for phishing, lost devices or accidental disclosure; no rules for payment verification; no owner or review date; and no evidence that the policy is consistently applied. The policy should not import the Australian Fair Work Act, Australian professional-conduct rules, ASD ISM, Essential Eight or SMB1001 as New Zealand law or official New Zealand frameworks.

How this differs by situation
  • unclear expectations — The policy uses broad prohibitions without practical examples, approved alternatives or a reporting route.
  • missing modern use cases — AI, messaging, BYOD, personal cloud storage, service identities and remote work are omitted.
  • privacy and employment overreach — Monitoring is undisclosed, consequences are automatic or acknowledgement is treated as waiver of rights.
  • weak implementation — No training, evidence, enforcement consistency, offboarding, exceptions or review process exists.
PUT THIS IN YOUR POLICY, EXACTLY

This policy must reflect our actual technology, work practices, information and users. It is reviewed for email, messaging, cloud services, generative AI, remote work, BYOD, personal accounts, privileged access, contractors, visitors, monitoring and offboarding. Monitoring and disciplinary provisions must remain lawful, transparent, fair and proportionate. Policy acknowledgement is supported by training and consistent implementation. Australian employment laws and Australian cyber frameworks are not described as New Zealand law.

What's my next step?

Common misconceptions

  • Every New Zealand business is expressly required by statute to hold a document titled 'acceptable use policy'. No universal titled-policy requirement was identified, although privacy, security, employment and contractual duties make clear rules valuable and sometimes necessary in practice. INFERRED
  • Because the employer owns a computer or email account, it may monitor anything without notice or limits. Monitoring remains subject to Privacy Act and employment-law requirements. VERIFIED
  • A policy can automatically classify any breach as serious misconduct. Employment New Zealand says the actual facts, explanation, intent, impact and effect on trust must be considered. VERIFIED
  • Signing an acceptable use policy waives an employee's Privacy Act and employment rights. Acknowledgement does not displace statutory rights or fair-process obligations. INFERRED
  • Working login credentials prove that access remains authorised. Authorisation depends on permission and legitimate purpose, not merely on whether authentication still succeeds. INFERRED
  • Casual employees have no employment protections. Casual workers may be employees, and dismissal rules can apply during an agreed period of work. VERIFIED
  • Contractors are automatically covered by the same employment processes as employees. Contractors generally have a different legal status, so acceptable-use obligations and remedies should be included in their contract. VERIFIED
  • Using a personal device or personal messaging account removes the organisation's security and privacy interests. Work information remains subject to applicable organisational, contractual and Privacy Act requirements. INFERRED
  • Public generative-AI tools may receive any information because the user is only asking for help. OPC warns against entering personal or confidential information unless retention and disclosure risks have been explicitly addressed. VERIFIED
  • AI output can be used without review because the tool produced it confidently. OPC recommends human review before an organisation takes action based on AI output. VERIFIED
  • An electronic acknowledgement is inherently invalid in New Zealand. The Contract and Commercial Law Act permits legal writing and signature requirements to be met electronically when its conditions apply. VERIFIED
  • Australia's Fair Work Act, ASD ISM, Essential Eight or SMB1001 are New Zealand employment law or official New Zealand cyber frameworks. They are not and should be referenced only where an Australian obligation or customer requirement separately applies. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Privacy Act 2020 IPP 5 reasonable security safeguards Office of the Privacy Commissioner The organisation holds personal information, including employee, customer, supplier or other individual information. Ongoing while the information is held and whenever systems, users, suppliers, purposes or risks change.
Privacy Act limits on collection and transparency for employee monitoring Office of the Privacy Commissioner The employer collects personal information through email, internet, device, location, camera, audio, keystroke, productivity or other workplace monitoring. Assess necessity and fairness before collection, provide appropriate notice before ordinary monitoring, and comply throughout use, storage, disclosure and retention.
Privacy Act 2020 IPP 10 limits on use Office of the Privacy Commissioner The organisation proposes to use personal information, including information collected through monitoring or system logs. Before each materially different use, confirm that it is the original purpose, directly related or otherwise authorised by an applicable exception.
Privacy Act 2020 IPP 11 limits on disclosure Office of the Privacy Commissioner The organisation proposes to disclose personal information to another person or organisation. Before disclosure, confirm that it is authorised by the original purpose or another applicable IPP 11 exception.
Employment relationship duty of good faith Employment Relations Authority and Employment Court An employer and employee deal with each other in the employment relationship, including policy consultation, monitoring changes, investigation and disciplinary action. Ongoing throughout the employment relationship and relevant processes. Remedies or penalties may apply depending on the nature and seriousness of the breach.
Fair and reasonable disciplinary or dismissal process Employment Relations Authority and Employment Court The employer considers disciplinary action or dismissal for an alleged acceptable-use or security-policy breach. Before deciding the outcome, sufficiently investigate, disclose the concern and relevant information, provide an opportunity to respond and genuinely consider that response. The Authority may order remedies including reinstatement, lost wages, compensation, compliance or penalties where legally available.
Personal grievance timeframe Employment Relations Authority An employee alleges unjustified dismissal, unjustified disadvantage or another qualifying personal grievance. Generally raise the grievance with the employer within 90 days; sexual-harassment grievances generally have a 12-month period. Special rules and exceptions may apply.
Electronic writing and signature requirements Courts or other authority applying the Contract and Commercial Law Act 2017 A legal requirement for writing or a signature is proposed to be met electronically. At the time of electronic delivery or signature, ensure accessibility, identification, approval, appropriate reliability and any required consent.
Contractual acceptable-use obligations for contractors and supplier personnel Customer or contracting party entitled to enforce the agreement A non-employee is given access to organisational information, systems, devices, networks or premises. Before access is granted and throughout the engagement, with prompt revocation and return or deletion requirements on exit. Contractual remedies, access revocation or termination may apply according to the agreement.

Sources

  1. Create an online security policy for your business primary
  2. Top online security tips for your business primary
  3. NCSC Critical Controls: Summary primary
  4. NCSC Cyber Security Framework primary
  5. NCSC Bring Your Own Device guidance primary
  6. NCSC Protect your organisation primary
  7. Privacy Act 2020 information privacy principles primary
  8. Privacy Act 2020 Principle 5 — Storage and security primary
  9. Privacy Act 2020 Principle 10 — Limits on use primary
  10. Privacy Act 2020 Principle 11 — Disclosure of personal information primary
  11. Can I monitor employee use of work computers and accounts? primary
  12. What information is my employer entitled to collect while I am working? primary
  13. Can I record my employees? primary
  14. Privacy and employee snooping primary
  15. Employee misuse of personal information primary
  16. Artificial Intelligence and the Information Privacy Principles primary
  17. Generative Artificial Intelligence primary
  18. Workplace policies and procedures primary
  19. Employee privacy primary
  20. Misconduct primary
  21. Dismissal primary
  22. Dismissal rules for high-income earners primary
  23. Personal grievances primary
  24. Types of worker primary
  25. Who can apply to the Employment Relations Authority primary
  26. Employment Relations Authority remedies and costs primary
  27. Employment Relations Act 2000 primary
  28. Contract and Commercial Law Act 2017 electronic transactions provisions primary
  29. r/newzealand discussion of former-worker database access forum
  30. r/newzealand discussion of workplace email monitoring forum
  31. r/newzealand discussion of work messaging on a personal phone forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.