Skip to main content
Forms Legal

IT Acceptable Use Policy (New Zealand)

IT Acceptable Use Policy (New Zealand)

Organisation: [Organisation Name]

Address: [Organisation Address]

NZBN: [NZBN]

Effective Date: [Effective Date]

Version: [Policy Version]

Next Review Date: [Review Date]

1. PURPOSE AND INTRODUCTION

[Organisation Name] (the “Organisation”) provides its employees, contractors, and other authorised users with access to information technology (“IT”) systems and resources to support the performance of their duties and the Organisation’s business objectives. This IT Acceptable Use Policy (“Policy”) sets out the rules, standards, and expectations that govern the use of all IT systems and resources owned, operated, or managed by the Organisation.

The purpose of this Policy is to: (a) protect the Organisation’s IT systems, data, and networks from misuse, security threats, and legal liability; (b) ensure compliance with applicable New Zealand laws, including the Privacy Act 2020, the Harmful Digital Communications Act 2015, the Cybercrime Act 2001, and the Copyright Act 1994; (c) establish clear expectations for the responsible and professional use of IT resources; and (d) protect the Organisation’s reputation and confidential information.

This Policy is issued pursuant to the Organisation’s obligations as an employer under the Employment Relations Act 2000. All users of the Organisation’s IT systems must read, understand, and comply with this Policy. This Policy supplements, and should be read together with, the Organisation’s other policies, procedures, and employment agreements.

2. SCOPE

2.1 This Policy applies to [Scope Persons] (“Users”) who access or use the Organisation’s IT systems and resources.

2.2 This Policy applies to all IT systems and resources owned, leased, or managed by the Organisation, including [Scope Systems] (collectively, the “IT Systems”).

2.3 This Policy applies whether IT Systems are used on the Organisation’s premises, remotely, or via the internet, and whether using the Organisation’s own devices or personal devices (BYOD) to access the Organisation’s systems.

2.4 This Policy applies at all times, including outside of normal working hours, when accessing the Organisation’s IT Systems.

3. ACCEPTABLE USE OF IT SYSTEMS

3.1 IT Systems are provided primarily for business purposes. Users may make reasonable incidental personal use of IT Systems provided such use:

  • does not interfere with or impair the User’s work duties or performance;
  • does not consume excessive bandwidth or storage;
  • does not violate any provision of this Policy or any applicable law;
  • does not create legal liability for the Organisation;
  • does not compromise the security or integrity of the IT Systems.

3.2 Users are responsible for all activities conducted using their login credentials. Users must not share passwords, user IDs, or access credentials with any other person.

3.3 Users must use strong passwords of at least eight (8) characters, combining uppercase and lowercase letters, numbers, and special characters. Passwords must be changed when required by the IT Systems and must not be written down or stored insecurely.

4. PROHIBITED USE OF IT SYSTEMS

4.1 The following uses of IT Systems are strictly prohibited. Breach of this section may constitute a serious disciplinary matter. Users must not use IT Systems to:

  • access, download, store, or distribute pornographic, obscene, offensive, discriminatory, harassing, or illegal content;
  • send or facilitate communications that are threatening, abusive, discriminatory, or defamatory, in breach of the Harmful Digital Communications Act 2015;
  • access or attempt to access systems, networks, or data without authorisation, in breach of the Cybercrime Act 2001;
  • install, download, or use unauthorised software, applications, or browser extensions;
  • reproduce, distribute, or share copyright-protected material without authorisation, in breach of the Copyright Act 1994;
  • send, receive, or store data that belongs to a third party without appropriate authorisation;
  • engage in any activity that could expose the Organisation to legal liability, reputational damage, or financial loss;
  • use the Organisation’s IT Systems for personal commercial gain, private business activities, or activities inconsistent with the Organisation’s interests;
  • transmit the Organisation’s confidential, commercially sensitive, or personal information to unauthorised recipients;
  • use or attempt to use social media in a way that damages the Organisation’s reputation or discloses confidential information;
  • gamble, access adult content sites, or conduct any illegal activity;
  • circumvent, disable, or interfere with any security controls or monitoring tools on the IT Systems.

5. EMAIL AND INTERNET USE

5.1 The Organisation’s email system is provided for business communication. Users must use professional and respectful language in all business emails.

5.2 Users must not send bulk or unsolicited emails (spam) using the Organisation’s email systems. All marketing and commercial email communications must comply with the Unsolicited Electronic Messages Act 2007, including including an unsubscribe mechanism and the sender’s identity and contact details.

5.3 Users must exercise caution when opening email attachments or clicking links in emails from unknown senders. Any suspicious emails must be reported to [IT Contact Name] at [IT Contact Email] immediately.

5.4 Internet access is provided for business purposes. Users may make reasonable personal use of internet access during work hours provided such use complies with this Policy.

5.5 Users must not use the Organisation’s internet connection to access or download pirated software, films, music, or other copyright-protected material.

6. DATA SECURITY AND PRIVACY

6.1 Users must handle all personal information in accordance with the Privacy Act 2020. Personal information must only be collected, used, stored, and disclosed for lawful purposes that are directly related to the Organisation’s functions and activities.

6.2 Users must not access, use, or disclose another person’s personal information stored on the IT Systems except where required for their legitimate work duties.

6.3 Users must report any actual or suspected privacy breach, data breach, or unauthorised access to the Organisation’s data to [IT Contact Name] at [IT Contact Email] immediately upon becoming aware of the incident. Prompt notification may be required under the Privacy Act 2020.

6.4 Users must not remove, copy, or transmit confidential or commercially sensitive data from the Organisation’s IT Systems without prior written authorisation from a manager or the IT contact.

6.5 Users who work remotely or who use personal devices to access the Organisation’s IT Systems must ensure their home network and personal device meet the minimum security standards set by the Organisation.

7. DEVICE USE AND SECURITY

7.1 Users are responsible for the security of any Organisation-owned device or equipment assigned to them. Users must not leave devices unattended and unlocked in public places. Devices must be locked with a PIN or password when not in use.

7.2 Users must report the loss or theft of any Organisation-owned device to [IT Contact Name] at [IT Contact Email] immediately. The Organisation may remotely wipe Organisation-owned devices or Organisation data from personal devices (BYOD) in the event of loss, theft, or termination of the User’s relationship with the Organisation.

7.3 Users must not install, connect, or use any unauthorised hardware, peripheral device, or removable media (such as USB drives) on Organisation IT Systems without prior authorisation from the IT contact.

7.4 Upon the termination of the User’s employment or engagement, all Organisation-owned devices and equipment must be returned in good working order and all Organisation data must be deleted from personal devices.

8. SOCIAL MEDIA

8.1 Users must comply with the Organisation’s separate social media policy (where one exists) when using social media on the Organisation’s IT Systems or in connection with the Organisation.

8.2 Users must not post, publish, or share any content on social media that discloses the Organisation’s confidential information, disparages the Organisation or its staff, clients, or suppliers, or could bring the Organisation into disrepute.

8.3 Where Users identify themselves as employees or contractors of the Organisation on social media, they must make clear that their views are personal and do not represent those of the Organisation.

9. CONSEQUENCES OF BREACH

9.1 Any User who breaches this Policy may be subject to disciplinary action. Depending on the nature and severity of the breach, disciplinary action may include [Breach Consequences].

9.2 Disciplinary action will be conducted in accordance with the Organisation’s disciplinary procedures and the requirements of the Employment Relations Act 2000, including the right of the User to be heard and to have a support person present.

9.3 Certain breaches of this Policy may also constitute offences under New Zealand law, including the Cybercrime Act 2001, the Harmful Digital Communications Act 2015, the Privacy Act 2020, and the Copyright Act 1994. The Organisation reserves the right to report such conduct to the New Zealand Police or other relevant authorities.

9.4 The Organisation reserves the right to suspend or terminate a User’s access to IT Systems pending investigation of an alleged breach.

10. GOVERNING LAW AND REVIEW

10.1 This Policy is governed by the laws of New Zealand.

10.2 This Policy will be reviewed on or before [Review Date] and updated as necessary to reflect changes in law, technology, or business practice. The Organisation reserves the right to amend this Policy at any time by providing reasonable notice to Users.

10.3 For questions about this Policy or to report an IT security incident, contact: [IT Contact Name], [IT Contact Email].

11. USER ACKNOWLEDGMENT

By signing below, the User acknowledges that they have read, understood, and agree to comply with this IT Acceptable Use Policy.

Organisation: [Organisation Name]

Authorised Representative

________________

Signature

User (Employee / Contractor)

________________

Signature

Maintained by Vladislav Sergienko, Founder·Template last modified: ·Report an error

What Is a IT Acceptable Use Policy (New Zealand)?

An IT Acceptable Use Policy in New Zealand sets the organisation's rules and expectations on it and the responsibilities of staff and users, supporting compliance with the Companies Act 1993.

The legal framework for IT acceptable use in New Zealand draws from several statutes. The Privacy Act 2020 governs the collection, use, storage, and disclosure of personal information, including information collected through employee monitoring. The Harmful Digital Communications Act 2015 prohibits threatening, harassing, or offensive digital communications. The Cybercrime Act 2001 (as incorporated into the Crimes Act 1961) criminalises unauthorised access to computer systems and interference with computer data. The Copyright Act 1994 prohibits the reproduction and distribution of copyright-protected material without authorisation. The Unsolicited Electronic Messages Act 2007 regulates commercial email, including spam. The Employment Relations Act 2000 (ERA) governs disciplinary processes in the employment relationship.

An IT Acceptable Use Policy serves several important functions. It establishes clear boundaries between acceptable and prohibited uses of IT systems, providing the basis for disciplinary action if breaches occur. It notifies employees that their use of IT systems may be monitored, which is required by the Privacy Act 2020 before monitoring can take place. It sets out the organisation’s expectations regarding data security and privacy, reducing the risk of data breaches that must be notified to the Privacy Commissioner under the Privacy Act 2020. It also protects the organisation from legal liability arising from employee misuse of IT systems, including copyright infringement, harassment, and cybercrime.

New Zealand employers have a duty of good faith under the Employment Relations Act 2000, which requires transparency and active communication with employees about workplace policies. An IT Acceptable Use Policy that is clearly communicated and regularly updated helps employers meet this duty and supports a fair disciplinary process if breaches occur.

When Do You Need a IT Acceptable Use Policy (New Zealand)?

A New Zealand IT Acceptable Use Policy is needed in a wide range of business situations. Every organisation that provides employees, contractors, or volunteers with access to IT systems should have an IT Acceptable Use Policy in place before granting access. This is particularly important in the following circumstances.

When onboarding new employees or contractors: New staff should receive and acknowledge the IT Acceptable Use Policy before or on their first day of work. This confirms they are aware of the rules and the consequences of breach from the outset, which is important for any subsequent disciplinary action under the Employment Relations Act 2000.

When implementing remote work or BYOD (bring your own device) arrangements: When employees work from home or use personal devices to access organisational systems, the IT Acceptable Use Policy must be updated to address the specific risks associated with remote access and personal device use, including home network security and data handling on personal devices.

After a data breach or IT security incident: If an organisation has experienced a data breach or IT security incident, reviewing and updating the IT Acceptable Use Policy is an important step in the incident response process. Under the Privacy Act 2020, organisations may be required to notify the Privacy Commissioner and affected individuals of serious privacy breaches.

When the organisation grows: As businesses expand and take on more staff, contractors, or interns, a formal IT Acceptable Use Policy becomes increasingly important to confirm consistent standards across the organisation.

When new IT systems or technologies are introduced: The introduction of new cloud services, collaboration platforms, AI tools, or social media channels should prompt a review of the IT Acceptable Use Policy to confirm the new technologies are covered.

For compliance with employment law: The Employment Relations Act 2000 requires employers to follow a fair disciplinary process before taking action against an employee for misconduct. Having a clear, written, and acknowledged IT Acceptable Use Policy is essential for demonstrating that the employee was on notice of the relevant rules.

What to Include in Your IT Acceptable Use Policy (New Zealand)

A thorough New Zealand IT Acceptable Use Policy should include the following key elements.

Purpose and scope: A clear statement of the purpose of the policy and who it applies to (employees, contractors, volunteers, etc.) and what IT systems and resources it covers (computers, email, internet, mobile devices, cloud services, etc.).

Acceptable use provisions: Rules setting out what constitutes acceptable use of IT systems, including any permitted personal use and the conditions that apply to such use. Acceptable use provisions should be specific and practical.

Prohibited use provisions: A thorough list of prohibited uses, including accessing inappropriate or illegal content, sending harmful digital communications in breach of the Harmful Digital Communications Act 2015, installing unauthorised software, reproducing copyright-protected material in breach of the Copyright Act 1994, and disclosing confidential or personal information without authorisation.

Email and internet use rules: Specific rules for the use of organisational email systems and internet access, including prohibitions on spam in compliance with the Unsolicited Electronic Messages Act 2007 and requirements for professional communication standards.

Data security and privacy obligations: Requirements for users to protect organisational data and handle personal information in accordance with the Privacy Act 2020, including incident reporting obligations for data breaches.

Monitoring notice: A clear statement that the organisation may monitor user activity on IT systems, specifying the scope and purposes of monitoring. This notice is required by the Privacy Act 2020 before monitoring can lawfully take place.

Device use and BYOD rules: Requirements for the security of organisational devices and rules for the use of personal devices to access organisational systems, including the right to remotely wipe organisational data.

Social media guidelines: Rules for employee use of social media in connection with the organisation, including prohibitions on disclosing confidential information or disparaging the organisation.

Consequences of breach: A clear statement of the disciplinary consequences of breaching the policy, consistent with the organisation’s disciplinary procedures under the Employment Relations Act 2000.

Governing law and review date: Confirmation that the policy is governed by the laws of New Zealand and a scheduled review date to confirm the policy remains current. The forms-legal.com IT Acceptable Use Policy (New Zealand) provides a ready-to-use template that meets New Zealand legal requirements.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). IT Acceptable Use Policy (New Zealand) (New Zealand) [Legal document template]. Forms Legal. https://forms-legal.com/new-zealand/business/corporate/it-acceptable-use-policy-new-zealand

MLA

"IT Acceptable Use Policy (New Zealand) (New Zealand)." Forms Legal, 2026, https://forms-legal.com/new-zealand/business/corporate/it-acceptable-use-policy-new-zealand.

BibTeX
@misc{formslegal-it-acceptable-use-policy-new-zealand,
  author       = {{Forms Legal}},
  title        = {IT Acceptable Use Policy (New Zealand) (New Zealand)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/new-zealand/business/corporate/it-acceptable-use-policy-new-zealand}},
  note         = {Free legal document template. Based on Companies Act 1993}
}

Also available for these jurisdictions:

IrelandIreland

Frequently Asked Questions

Based on Companies Act 1993 — Template last modified June 2026Verify the source →

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer

Found an error? Let us know

Related Documents

You may also find these documents useful:

Privacy Policy (New Zealand)

Create a compliant New Zealand Privacy Policy for your business or website. Our template is drafted in accordance with the Privacy Act 2020 (NZ) and covers all 13 Information Privacy Principles (IPPs), including IPP 1 (purpose of collection), IPP 3 (collection from subject), IPP 5 (storage security), IPP 6 (access), IPP 7 (correction), IPP 10 (limits on use), IPP 11 (limits on disclosure), and IPP 12 (unique identifiers and overseas disclosure). Includes mandatory privacy breach notification under sections 113-119 of the Privacy Act 2020, Privacy Commissioner complaint process, direct marketing obligations under the Unsolicited Electronic Messages Act 2007, and overseas data transfer provisions.

Website Terms of Use (New Zealand)

Create compliant Website Terms of Use for your New Zealand business, drafted in accordance with the Contract and Commercial Law Act 2017 (CCLA), the Consumer Guarantees Act 1993 (CGA), the Fair Trading Act 1986 (FTA), the Privacy Act 2020, and the Harmful Digital Communications Act 2015. Our template covers acceptance mechanisms, intellectual property protections under the Copyright Act 1994 and Trade Marks Act 2002, user obligations, limitation of liability, consumer guarantee disclaimers, and governing law. Unlike generic templates, this document reflects New Zealand-specific legal requirements — including the mandatory acknowledgement that consumer guarantees under the CGA cannot be excluded in consumer transactions.

Remote Work Agreement (New Zealand)

Create a legally compliant Remote Work Agreement for New Zealand. Drafted in accordance with the Employment Relations Act 2000 (ERA), the Health and Safety at Work Act 2015 (HSWA), the Privacy Act 2020, and the Accident Compensation Act 2001. Covers remote work schedule (fully remote or hybrid), PCBU duties extending to the home workplace under the HSWA, workstation assessment, employer equipment and allowances, data security, ACC coverage, and termination of the remote work arrangement.

Employee Non-Disclosure Agreement (New Zealand)

Create a legally compliant Employee Non-Disclosure Agreement for New Zealand. Drafted in accordance with the Contract and Commercial Law Act 2017 (CCLA) and the Employment Relations Act 2000 (ERA). Covers trade secrets, confidential business information, post-employment confidentiality obligations, Privacy Act 2020 compliance, intellectual property assignment (Copyright Act 1994), return of confidential information on termination, and injunctive relief remedies under New Zealand equity law.

Employee Handbook (New Zealand)

Create a comprehensive Employee Handbook for New Zealand. Drafted in accordance with the Employment Relations Act 2000 (ERA), the Holidays Act 2003, the Health and Safety at Work Act 2015 (HSWA), the KiwiSaver Act 2006, the Human Rights Act 1993, and the Privacy Act 2020. Covers good faith obligations, working hours, annual leave (4 weeks), sick leave (10 days), family violence leave, KiwiSaver (minimum 3% employer contributions), health and safety duties (PCBU obligations), code of conduct, anti-harassment policy, disciplinary procedures, personal grievance process (90-day time limit), and ACC coverage. Suitable for all NZ employers.