Questions are ordered from the purpose and legal basis of access control through identity creation, authentication, authorisation, privileged access, joiner-mover-leaver processes, external users, assurance and the gaps most likely to leave inappropriate access active.
What is an access control policy, and why does a New Zealand business need one?
An access control policy defines how the organisation identifies users, authenticates them, authorises access, limits privileges, monitors activity and removes access when it is no longer required. It should cover employees, directors, contractors, service providers, customers where relevant, human accounts, administrator accounts, service accounts, API credentials, physical access and remote access. New Zealand law does not prescribe one universal document titled 'access control policy' for every private business. The legal outcome is nevertheless clear where personal information is held: Privacy Act 2020 IPP 5 requires reasonable safeguards against unauthorised access, use, modification, disclosure and other misuse. IPPs 10 and 11 also restrict how personal information may be used and disclosed. The NCSC Critical Controls make MFA, least privilege and centralised logging practical priorities, while the NCSC Cyber Security Framework says organisations should separate systems so they can control who receives access. A written policy turns those outcomes into repeatable approval, provisioning, review and revocation rules.
- small private business — Use a concise policy covering named accounts, MFA, minimum access, administrator separation, offboarding and periodic review.
- personal-information holder — Connect access decisions and monitoring evidence to IPP 5, IPP 10 and IPP 11.
- larger or higher-risk organisation — Include central identity management, privileged-access controls, service-account governance, automated lifecycle processes and central logging.
- policy outcome — Only authorised identities receive the minimum access needed, for the minimum necessary period, with evidence and accountability.
Access to information, systems, applications, networks, premises and administrative functions is granted only to identified and authorised users for a legitimate business purpose. Access must be approved, individually attributable, limited to the minimum required, protected by appropriate authentication, reviewed according to risk and promptly removed when no longer needed. This policy applies to employees, directors, contractors, suppliers, service accounts, automation credentials and every other identity able to access organisational resources.
How should identity and account provisioning work?
Every account should represent an identified person, system or service and have a named owner. Human users should normally receive individual accounts rather than shared credentials, because individual accounts support accountability, access review and incident investigation. Provisioning should begin with an approved request stating the user's role, start date, systems required, access level, manager or system-owner approval and expected end date where access is temporary. Default accounts and credentials should be disabled, renamed or changed before operational use. System, service and automation accounts should be inventoried separately, assigned a business and technical owner, limited to the functions they perform and protected against interactive use where possible. NCSC guidance says access reviews should include user, system and service accounts, and administrative access should be justified and recorded. Access should not be created merely because it is convenient or because another person in a similar role has accumulated it over time.
- human user account — Individually assigned, linked to an approved worker or external user and prohibited from uncontrolled sharing.
- system or service account — Non-human identity with a named owner, defined purpose, limited permissions, protected credential and review date.
- temporary identity — Created with an expiry date and automatically disabled or reviewed when the approved period ends.
- provisioning evidence — Retain the request, approval, role, systems, permissions, activation date, owner and expiry information.
Every account must be uniquely identifiable and linked to an authorised person, system or service. Account creation requires a documented business purpose, an accountable owner, approval from the relevant manager or system owner, specified permissions and an expiry date where access is temporary. Shared accounts are prohibited unless a documented technical necessity exists and compensating accountability controls are approved. Default credentials must be changed or disabled before use. Service and automation accounts must have named business and technical owners and must not receive interactive or administrative access unless expressly required.
What authentication and MFA requirements should the policy set?
Authentication controls should reflect the sensitivity and exposure of the account. MFA should be enforced for administrator and privileged accounts, email, remote access, cloud administration, financial systems, source-code repositories, social media and systems holding customer, personal or financial information. NCSC says MFA adds protection against unauthorised access, business email compromise and other incidents, and recommends prioritising internet-accessible, sensitive and administrator-used systems. Own Your Online recommends enforcing 2FA for every user on key systems and considering alternatives where a service cannot support it. Authentication recovery and password-reset processes must be protected because an attacker may use them to bypass normal MFA. Passwords should be long, strong and unique and stored in an approved password manager. High-risk changes, such as resetting a credential, changing payment details or enrolling a new MFA method, should be verified through an independent channel.
- mandatory MFA — Administrator, privileged, internet-facing, remote-access, email, financial and sensitive-data accounts.
- authentication recovery — Protect password resets, MFA resets, recovery contacts, backup codes and device enrolment against social engineering.
- password management — Use unique credentials stored in an approved password manager rather than reuse or informal sharing.
- sensitive process verification — Independently verify payment, access, credential and data-change requests through a second channel.
Multi-factor authentication is mandatory for privileged accounts, administrator accounts, email, remote access, cloud administration, finance systems and systems holding sensitive or personal information. MFA must be enforced centrally where the service supports it. Passwords must be long, strong, unique and stored only in an approved password manager. Password resets, MFA resets, recovery-method changes and enrolment of new authentication devices require identity verification proportionate to the account's risk. Sensitive payment, data and access changes must be independently verified through a separate trusted channel.
How should authorisation, least privilege and role-based access work?
Authentication establishes that a credential or factor has been presented; authorisation determines what the authenticated identity is permitted to do. Access should be based on a defined role or specifically approved business need, not curiosity, seniority or technical capability. NCSC describes least privilege as giving people only the access they need to do their job and recommends role-based access control, review of role permissions and comparison of each user's assigned access with current duties. Where a role provides more access than necessary, the role should be redesigned or an additional lower-privilege role created. Access to personal information should be limited to legitimate work purposes. The Privacy Commissioner says organisations must limit database access to staff who need the information and support controls with audit logs so unusual activity can be investigated. IPPs 10 and 11 also mean that technical access does not itself authorise every use or disclosure of personal information.
- role-based access — Assign approved permission sets to defined roles and keep each role's permissions limited and documented.
- direct entitlement — Use individually approved access only where a role cannot meet a legitimate exceptional need.
- personal-information access — Permit access only where the worker requires the information for an authorised work purpose.
- permission change — Update roles and entitlements whenever duties, services, risks or information sensitivity change.
Authorisation is based on current duties and approved business need. Role-based access must be used where practical, with each role limited to the minimum permissions required for its defined tasks. Access to personal, confidential or restricted information is permitted only for an authorised work purpose. Technical ability to view, change, export or disclose information does not create permission to do so. Additional or exceptional access requires documented approval, justification, duration and review.
What controls should apply to privileged and administrator access?
Privileged access can change security settings, create users, read broad datasets, disable controls or affect entire services, so it requires stricter safeguards than normal access. NCSC recommends separate accounts for administrative and everyday activity, allowing stronger logging and authentication requirements to be applied to the administrator account. Administrative access should be justified by a specific task, approved by an accountable owner and reviewed more often than ordinary access. Just-in-time or time-limited elevation should be used where practical so privileged access is available only when needed. Privileged accounts should use phishing-resistant MFA where supported, must not be shared, should not be used for email or routine browsing and should generate protected central logs and alerts. Emergency accounts require tightly controlled credentials, documented use and immediate review after activation.
- named administrator — Uses a separate individually assigned account only for approved administrative work.
- temporary privileged user — Receives just-in-time or time-bound access for a defined task and loses it automatically afterward.
- emergency account — Protected, monitored and used only when ordinary administration is unavailable or unsuitable.
- privileged-session assurance — Apply stronger MFA, approval, logging, alerting, review and credential protection.
Privileged access must be individually assigned, explicitly approved, justified by a required administrative task and separated from the user's routine account. Privileged accounts must use multi-factor authentication, must not be used for routine email or web browsing and must have their actions centrally logged and monitored. Time-limited or just-in-time access must be used where practical. Shared administrator accounts are prohibited except for approved emergency accounts, whose credentials, activation, use and post-use review are strictly controlled.
How should joiner, mover and leaver access be managed and promptly revoked?
Access should follow the person's relationship and current duties from beginning to end. For a joiner, required access should be approved before activation and based on a defined role rather than copied wholesale from another user. For a mover, managers and system owners should review all existing access, remove entitlements no longer required and approve only what the new role needs. For a leaver, access should be disabled at the effective end of employment or earlier where a lawful risk-based decision requires coordinated revocation. Employment New Zealand says employers need to arrange the return of company property and cancel access to IT systems when an employee leaves. Offboarding should include email, cloud services, VPN, finance, social media, physical access, shared secrets, API tokens, MFA methods, password-manager collections, customer systems and supplier portals. The organisation should retain business records and redirect communications lawfully without allowing the former user continued access.
- joiner — Activate approved role-based access no earlier than required, with induction, MFA and acknowledgement completed.
- mover — Remove previous-role access and approve the new role rather than allowing privileges to accumulate.
- leaver — Disable logical and physical access at the effective separation time and recover organisational property and credentials.
- high-risk departure — Coordinate HR, management and IT so access is revoked at the lawful time without advance gaps or avoidable delay.
Access must reflect the user's current role and relationship with the organisation. Joiner access requires documented approval and is activated only when needed. When duties change, all existing access must be reviewed and access no longer required must be removed. When employment, engagement or another authorised relationship ends, logical and physical access must be revoked at the effective separation time, organisational property and credentials recovered, shared secrets changed where exposure is possible, and completion recorded. High-risk departures require coordinated revocation by management, HR and IT.
How should third-party, contractor and vendor access be controlled?
External users should meet the same security outcomes as internal users, with tighter limits where the organisation has less direct oversight. Access should be supported by a contract or approved engagement, assigned to named identities, limited to defined systems and tasks, protected with MFA and given an expiry date. Vendor administrator access should be disabled when not required or enabled only for approved support periods. Contracts should state access restrictions, confidentiality, subcontractor controls, security requirements, logging, incident notification, return or deletion of information and cooperation with investigation and revocation. IPP 5 requires an organisation giving personal information to a service provider to do everything reasonably within its power to prevent unauthorised use or disclosure. Own Your Online recommends ensuring an IT provider follows the same security rules defined for staff and clarifying responsibilities for updates, backups, logging and incident response.
- individual contractor — Named, time-limited account governed by contract, manager approval, MFA and least privilege.
- managed service provider — Separate administrator identities, controlled remote access, central logging and documented responsibility boundaries.
- software or cloud vendor — Confirm support-access methods, subprocessor access, authentication, notification and termination arrangements.
- external-access evidence — Retain the contract, sponsor, users, systems, permissions, purpose, expiry, reviews and access logs.
Third-party access requires a current contract or approved engagement, a named internal sponsor, individually attributable accounts, multi-factor authentication, least-privilege permissions and a defined expiry date. Vendor and contractor access must be limited to the systems, information, locations and periods required for approved work. Shared supplier accounts and unrestricted standing administrator access are prohibited unless an approved exception provides equivalent accountability. Third parties must follow our security rules, report incidents promptly, support logging and investigation, and cease access immediately when the authorised work or relationship ends.
How often should access be reviewed, and what should be logged?
Access reviews should confirm that every identity still exists for a valid reason, has an accountable owner and holds only the permissions needed for current work. NCSC says accounts and roles should be reviewed regularly and administrator permissions reviewed more frequently because of their sensitivity. A practical SME cadence is quarterly for privileged access, at least six-monthly for sensitive or high-risk systems and annually for other in-scope accounts, with additional reviews after role changes, supplier changes, incidents or major system changes. These intervals are a guide-created policy baseline, not statutory New Zealand deadlines. Logs should capture successful and failed authentication, MFA failures and denials, account creation and deletion, privilege changes, role changes, password and recovery changes, administrator activity, access to sensitive datasets and changes to logging itself. Logs may contain personal information or tokens and must be protected, access-limited and retained only as long as needed for security, legal and operational purposes.
- privileged review — Review at least quarterly as a practical baseline and immediately after relevant role, supplier or incident changes.
- sensitive-system review — Review at least six-monthly as a practical baseline, including users, roles, service accounts and external access.
- general access review — Review at least annually and whenever organisational or system changes could affect entitlement.
- access logging — Record identity, event, result, source, timestamp, target and material privilege or configuration changes.
System and information owners must regularly certify that accounts, roles and permissions remain necessary and appropriate. Privileged access is reviewed at least quarterly, sensitive-system access at least every six months and other in-scope access at least annually, with additional review after role changes, departures, supplier changes, incidents and material system changes. Authentication, account lifecycle, privilege changes and administrator activity must be logged centrally where practical. Logs must be protected from unauthorised access, alteration and deletion and reviewed through actionable alerts and scheduled assurance.
What are the common gaps in New Zealand SME access control?
Common gaps include shared user or administrator accounts; access copied from another worker without checking current need; staff retaining permissions after changing roles; former employees and contractors remaining active; MFA offered but not enforced; administrator accounts used for everyday email and browsing; default accounts and passwords left enabled; service accounts with no owner; permanent vendor access; recovery methods weaker than the main login; API keys stored in documents or source code; no expiry for temporary users; no central record of who can access each system; and logs that are absent, unprotected or never reviewed. Another gap is treating authentication as authorisation: working credentials do not create permission to access information after a role or relationship ends. Privacy access should also be limited by purpose, not only by technical capability. New Zealand businesses should use NCSC Critical Controls, the NCSC Cyber Security Framework, Own Your Online and the Privacy Act rather than presenting Australia's Essential Eight, SMB1001 or ASD ISM as New Zealand frameworks.
- identity gaps — Shared accounts, dormant users, unowned service identities and incomplete inventories weaken accountability.
- privilege gaps — Access accumulates through role changes, administrators use elevated accounts routinely and exceptions never expire.
- lifecycle gaps — Provisioning and revocation depend on informal messages rather than recorded and coordinated processes.
- assurance gaps — MFA coverage, access reviews, supplier access and logs are not measured or evidenced.
The organisation must not rely on working credentials, shared knowledge or informal trust as evidence of authorised access. All human, privileged, service, temporary and third-party identities require an owner, defined purpose, approved permissions and lifecycle control. MFA must be enforced for in-scope accounts, role changes must trigger entitlement review, departures must trigger prompt revocation, and material access activity must be logged. Australian cyber frameworks are not described as New Zealand law or official New Zealand baselines.
What's my next step?
Common misconceptions
- Every private New Zealand business is expressly required by statute to hold a document titled 'access control policy'. No universal titled-policy requirement was identified, although IPP 5 requires reasonable safeguards where personal information is held. INFERRED
- Successful authentication means the user is authorised to perform any available action. Authentication establishes identity evidence; authorisation depends on current permission and legitimate purpose. INFERRED
- MFA removes the need for least privilege. MFA reduces account-takeover risk, while least privilege limits the harm an authenticated or compromised account can cause. VERIFIED
- Administrator accounts are appropriate for routine email and web browsing. NCSC recommends separate administrative and lower-privilege accounts. VERIFIED
- Shared accounts are harmless in a small team. Shared credentials reduce attribution, complicate revocation and make meaningful access review and logging harder. INFERRED
- A former employee remains authorised if their login still works. Employment New Zealand says employers need to cancel IT-system access when an employee leaves, and continued technical access does not itself create permission. INFERRED
- A cloud or managed-service provider owns all responsibility for its administrator access. IPP 5 requires the customer organisation to take reasonable steps to prevent unauthorised use or disclosure by service providers. VERIFIED
- Service accounts do not need owners because they are not people. NCSC says access reviews should include system and service accounts. VERIFIED
- An annual access review is sufficient regardless of role changes, departures or incidents. NCSC says access must be reviewed and monitored over time, with administrative access reviewed more frequently. VERIFIED
- All access logs may be retained indefinitely because they are security records. NCSC notes that logs can contain personal information and access tokens and says retention should consider legal and operational requirements. VERIFIED
- IPP 5 is concerned only with external attackers. The Privacy Commissioner identifies inappropriate employee browsing and internal misuse as significant privacy risks. VERIFIED
- Australia's Essential Eight, SMB1001 and ASD ISM are official New Zealand access-control frameworks. They are not and should not be presented as New Zealand law or official New Zealand baselines. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Privacy Act 2020 IPP 5 reasonable access safeguards | Office of the Privacy Commissioner | The organisation holds personal information. | Ongoing while the information is held and whenever users, systems, suppliers, purposes or risks change. | |
| IPP 5 safeguards for service-provider access | Office of the Privacy Commissioner | Personal information is given to a service provider in connection with a service supplied to the organisation. | Before access is granted and throughout the service relationship, using everything reasonably within the organisation's power to prevent unauthorised use or disclosure. | |
| Privacy Act 2020 IPP 10 limits on use | Office of the Privacy Commissioner | A user or organisation proposes to use personal information to which access has been provided. | Before use, confirm that the activity is within the original purpose, directly related or otherwise authorised by an applicable exception. | |
| Privacy Act 2020 IPP 11 limits on disclosure | Office of the Privacy Commissioner | A user or organisation proposes to disclose personal information to another person or organisation. | Before disclosure, confirm that an authorised purpose or IPP 11 ground applies. | |
| Employee offboarding and IT-access cancellation | Employment New Zealand guidance | An employee's employment ends. | Arrange property return and cancel or review access to systems, email and distribution lists at the effective end of employment or as required by the lawful separation process. | |
| Crimes Act 1961 prohibition on unauthorised computer access | New Zealand Police and the courts | A person intentionally accesses a computer system without authorisation while knowing they are not authorised or being reckless as to authorisation. | Applies whenever the unauthorised access occurs. | Imprisonment for a term not exceeding 2 years under section 252. |
| Notifiable privacy breach following inappropriate access | Office of the Privacy Commissioner | Unauthorised access, use or disclosure causes or is likely to cause serious harm to an affected individual. | Notify the Commissioner and affected people as soon as practicable; OPC says notification should ideally occur within 72 hours after awareness of a notifiable breach. | Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine up to NZD 10,000. |
| Protection of personal information contained in access logs | Office of the Privacy Commissioner | Authentication, access or administrator logs contain identifiable employee, customer, supplier or other personal information. | Protect the records while held, limit their use and disclosure to authorised purposes and retain them only for an appropriate period. | |
| Contractual access-control requirements for suppliers and contractors | Customer, supplier or contracting party entitled to enforce the agreement | A contract, tender, security schedule or access agreement imposes identity, MFA, least-privilege, logging, review or revocation requirements. | Before access is granted and throughout the contractual relationship, including any stated review and termination deadlines. | Contractual remedies may apply, depending on the agreement. |
Sources
- Privacy Act 2020 information privacy principles primary
- Privacy Act 2020 Principle 5 — Storage and security of information primary
- Privacy Act 2020 Principle 10 — Limits on use of personal information primary
- Privacy Act 2020 Principle 11 — Disclosure of personal information primary
- The greatest threat in the workplace could be sitting next to you primary
- NotifyUs of a serious privacy breach primary
- Privacy Act 2020 primary
- NCSC Critical Controls: Summary primary
- NCSC Principle of least privilege primary
- NCSC Multi-factor authentication and verification primary
- NCSC Centralised logging primary
- NCSC Cyber Security Framework primary
- NCSC Protect your organisation primary
- Own Your Online — Top online security tips for your business primary
- Own Your Online — Choosing an IT service provider primary
- Employment New Zealand — On or after the last day of employment primary
- Crimes Act 1961 section 252 — Accessing computer system without authorisation primary
- r/newzealand discussion of former-employee database access and offboarding forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.