Acceptable Use Policy (New Zealand)

IT systems, internet, and email use policy

ACCEPTABLE USE POLICY

Organisation: [Organisation Name]

Address: [Organisation Address]

Policy Owner: [Policy Owner]

Effective Date: [Effective Date] | Next Review: [Review Date]

1. PURPOSE

[Organisation Name] provides IT systems, network access, internet connectivity, and electronic communications tools to support business operations. This Acceptable Use Policy (AUP) governs the use of these systems to protect the security, integrity, and reputation of the organisation and to comply with New Zealand law, including the Privacy Act 2020, Harmful Digital Communications Act 2015, Crimes Act 1961, and Unsolicited Electronic Messages Act 2007.

2. SCOPE

Systems and devices covered: [Covered Systems]

Users covered: [Covered Users]

3. PERMITTED AND PROHIBITED USE

Personal use: [Permitted Personal Use]

Prohibited activities:

[Prohibited Activities]

4. MONITORING

[Monitoring Statement]

5. CONSEQUENCES OF BREACH

[Consequences]

ACKNOWLEDGEMENT

I confirm that I have read, understood, and agree to comply with this Acceptable Use Policy.

Name: _________________________ Role: _________________________

Signature: _________________________ Date: _________________________

Policy Approver

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is an Acceptable Use Policy (New Zealand)?

An Acceptable Use Policy in New Zealand sets the organisation's rules and expectations for the use of its IT systems and the responsibilities of staff and users, supporting compliance with the Companies Act 1993.

The Privacy Act 2020 is the cornerstone statute. Under Information Privacy Principle 5 (IPP 5) of the Privacy Act 2020, every organisation holding personal information must take reasonable steps to protect that information from unauthorised access, disclosure, loss, and misuse. An AUP is one of the primary technical and organisational measures that satisfies IPP 5. The Privacy Commissioner — the independent regulator established under Part 4 of the Privacy Act 2020 — can investigate complaints, issue compliance notices, and refer serious cases to the Human Rights Review Tribunal for damages awards up to NZD 350,000.

The Harmful Digital Communications Act 2015 creates direct criminal and civil liability for organisations that fail to take reasonable preventive steps. Offences under Section 22 of the Harmful Digital Communications Act 2015 carry penalties of up to two years' imprisonment or a fine of NZD 50,000 for individuals and NZD 200,000 for bodies corporate. An AUP that prohibits harmful, offensive, or harassing communications expressly addresses Section 22 exposure.

The Crimes Act 1961 governs unauthorised computer access. Under Section 249 of the Crimes Act 1961, accessing a computer system without authorisation carries up to two years' imprisonment; Section 250 covers damaging or interfering with computer systems (up to ten years' imprisonment). An AUP defines what constitutes 'authorised access', which is directly relevant to the Section 249 threshold. Section 251 of the Crimes Act 1961 prohibits making or supplying software for committing computer crimes (up to two years).

The Health and Safety at Work Act 2015 requires organisations to manage psychosocial risks, including workplace bullying facilitated through digital communications. Section 36 of the Health and Safety at Work Act 2015 imposes a primary duty of care on every PCBU (person conducting a business or undertaking) to protect workers so far as is reasonably practicable. WorkSafe New Zealand enforces the HSWA 2015 and expects organisations to have documented policies covering digital risk.

The Employment Relations Act 2000 requires employment policies to be fair and transparent. Without an AUP, the Employment Relations Authority (ERA) may find that an employer lacked a clear policy baseline against which to measure employee conduct. CERT NZ — New Zealand's national computer emergency response team operating under the Department of the Prime Minister and Cabinet — recommends AUPs as a foundational cybersecurity control for all organisations. The forms-legal.com Acceptable Use Policy (New Zealand) template addresses all of these statutory requirements in a single, ready-to-use document.

When Do You Need an Acceptable Use Policy (New Zealand)?

A New Zealand Acceptable Use Policy is needed by any organisation that provides employees, contractors, or third parties with access to its IT systems, networks, email, or internet connection. Several specific triggers make an AUP urgent in New Zealand.

Onboarding new staff: Every new employee or contractor who receives system credentials should acknowledge a current AUP before gaining access. The Employment Relations Act 2000 requires employment policies to be communicated clearly — presenting the AUP at induction and obtaining a signed acknowledgement creates a documented baseline for any future disciplinary action under the Employment Relations Authority (ERA) process. Section 4 of the Employment Relations Act 2000 requires good faith in employment relationships, which includes transparent workplace policies.

After a security incident: Organisations that have experienced a data breach, phishing attack, or Privacy Act 2020 notification obligation should review and reissue their AUP as part of the remediation response. The Privacy Commissioner expects organisations to demonstrate systemic improvements following a notifiable privacy breach under Part 6 of the Privacy Act 2020. Failure to update policies after a breach can be treated as aggravating conduct in any Human Rights Review Tribunal proceedings.

Introducing remote work or BYOD: When employees work from home or use personal devices, the risk profile changes substantially. An updated AUP should address VPN requirements, personal device security standards, and the limits of employer monitoring consistent with Privacy Act 2020 principles.

Regulatory audits or procurement requirements: Government agencies, financial institutions, and large corporates increasingly require suppliers to have documented IT policies as a condition of engagement. An AUP is frequently a mandatory item in vendor due diligence checklists, ISO 27001 certification audits, and New Zealand Government procurement assessments.

Before disciplining an employee for IT misuse: The Employment Relations Authority has held repeatedly that disciplinary action for IT misuse must be grounded in a clear, communicated policy. Without an AUP, a personal grievance claim under Section 103 of the Employment Relations Act 2000 may succeed on the basis that the employee had no notice of the prohibited conduct.

What to Include in Your Acceptable Use Policy (New Zealand)

A well-drafted New Zealand Acceptable Use Policy must cover the following elements to be legally effective and operationally sound.

Scope and coverage: State clearly which systems, devices, networks, platforms, and users the policy governs — including company-owned hardware, cloud services, email accounts, social media profiles, and personal devices used for work (BYOD). Define who is bound: employees, contractors, temporary staff, and any third parties with system access. The scope should expressly reference the Privacy Act 2020 and the Harmful Digital Communications Act 2015 as the primary regulatory framework.

Authorised and prohibited uses: List what users are permitted to do and what is expressly prohibited. Prohibited conduct should include: accessing systems without authorisation (Sections 249–250 of the Crimes Act 1961); transmitting harmful digital communications contrary to Section 22 of the Harmful Digital Communications Act 2015; downloading unlicensed software; sharing login credentials; and using company systems to harass, bully, or discriminate against others in breach of the Human Rights Act 1993.

Internet and social media rules: Define acceptable personal use of the internet during work hours, prohibit posting content that could constitute a harmful digital communication under Section 22 of the Harmful Digital Communications Act 2015, and set out rules for representing the organisation on social media platforms including LinkedIn, Facebook, and X (formerly Twitter).

Email standards: Prohibit mass forwarding, phishing-style communications, and sending personal information about other individuals in breach of Information Privacy Principle 11 (IPP 11) of the Privacy Act 2020. Require that all external emails containing personal information use encrypted or secure channels.

Data handling and Privacy Act 2020 compliance: Require users to handle personal information only for the purpose for which it was collected (IPP 10 of the Privacy Act 2020), store it securely (IPP 5), and report any suspected privacy breach to the Privacy Officer immediately. The organisation's obligations under Part 6 of the Privacy Act 2020 for notifiable privacy breaches must be referenced — serious breaches must be reported to the Privacy Commissioner within a reasonable timeframe.

Passwords and access security: Mandate strong passwords (minimum length and complexity), prohibit credential sharing, and require multi-factor authentication where available. Reference CERT NZ password security guidance and the NZISM (New Zealand Information Security Manual) baseline controls where applicable.

Monitoring notice: Inform users that the organisation may monitor use of its IT systems. Overt monitoring consistent with Privacy Act 2020 Information Privacy Principles is lawful — the AUP must give advance notice before any monitoring occurs. The Privacy Commissioner has stated that covert monitoring without prior notice is generally inconsistent with IPP 5.

Remote work and BYOD: Set minimum security requirements for home networks, personal devices, and VPN use. Specify that Section 36 of the Health and Safety at Work Act 2015 obligations extend to remote work environments and that the organisation retains the right to require security audits of BYOD devices used for work.

Incident reporting: Require users to report security incidents, suspected Privacy Act 2020 breaches, phishing attempts, and malicious communications to the IT security team and Privacy Officer immediately.

Consequences of breach: State disciplinary consequences of AUP breaches — up to and including termination of employment under the Employment Relations Act 2000 — and potential criminal referral to the New Zealand Police or the Serious Fraud Office for conduct involving Section 249 or Section 250 of the Crimes Act 1961.

Acknowledgement and review: Require signed acknowledgement from every covered user at onboarding and upon each material update. Commit to annual policy review. The forms-legal.com Acceptable Use Policy (New Zealand) template covers all of these elements in a single, plain-English document.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Acceptable Use Policy (New Zealand) (New Zealand) [Legal document template]. Forms Legal. https://forms-legal.com/new-zealand/business/policies/acceptable-use-policy-new-zealand

MLA

"Acceptable Use Policy (New Zealand) (New Zealand)." Forms Legal, 2026, https://forms-legal.com/new-zealand/business/policies/acceptable-use-policy-new-zealand.

BibTeX
@misc{formslegal-acceptable-use-policy-new-zealand,
  author       = {{Forms Legal}},
  title        = {Acceptable Use Policy (New Zealand) (New Zealand)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/new-zealand/business/policies/acceptable-use-policy-new-zealand}},
  note         = {Free legal document template. Based on Companies Act 1993}
}

Based on Companies Act 1993 — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
