Questions are ordered from choosing a remote-work and device-ownership model through device and network safeguards, off-site information handling, monitoring, incident response and offboarding, ending with the gaps most likely to expose an SME's information or a worker's personal data.
What is a remote work and BYOD policy, and why does a New Zealand business need one?
A remote work and BYOD policy defines when people may work away from the organisation's premises, which company-owned or personal devices may connect, what security and privacy conditions apply, how incidents are reported and how access and work data are removed when the arrangement ends. New Zealand law does not prescribe one universal document with this exact title for every private business. The policy is nevertheless a practical way to meet Privacy Act 2020 IPP 5's requirement for safeguards reasonable in the circumstances and to apply NCSC and Own Your Online guidance to devices and networks outside the organisation's direct control. NCSC says BYOD introduces business and information-security risks and should be supported by a risk assessment, business case, communicated usage rules and regular review. Employment New Zealand says home working can require extra security, specific devices or remote-login controls, and that employee monitoring remains subject to the Privacy Act. Health and safety duties also continue when employees work from home. The policy should sit beside the employment agreement or flexible-work arrangement, information security policy, acceptable use policy, privacy policy and incident response plan.
- all remote workers — Define approved locations, hours or availability where relevant, devices, access methods, security duties, support and incident reporting.
- BYOD users — Require explicit approval, device compliance, work-data separation and informed agreement to management and removal controls.
- employer or PCBU — Address privacy, security, equipment, support and health and safety rather than treating home work as solely the worker's responsibility.
- risk-based policy — Select controls according to information sensitivity, system exposure, worker role, device ownership and the consequences of loss or compromise.
Remote access to organisational information and systems is permitted only through an approved working arrangement, authorised device and approved connection method. This policy applies to employees, directors, contractors and other authorised users working from a home, shared workspace, customer site, public location or while travelling. Remote and BYOD arrangements must protect personal and business information, meet device and network requirements, support lawful monitoring and incident response, and allow prompt removal of organisational access and work data when approval or the relationship ends.
Should we provide company devices, allow BYOD or use a mixed model?
Choose the model according to risk rather than convenience alone. Company-owned devices usually provide the strongest control because the organisation can standardise configuration, patching, encryption, applications, backups, endpoint protection, logging and support. Own Your Online recommends prioritising company devices for people who access more sensitive systems when the business cannot provide one to everyone. BYOD may be workable for lower-risk access if the organisation can identify authorised devices, enforce or verify minimum settings, separate work and personal data, restrict local storage and remove work access safely. NCSC says organisations should decide which users need mobility, whether the device should be organisation-owned or personally owned, what information they require and how they will access it. A mixed model can allow limited mobile access on personal phones while reserving sensitive systems, privileged administration and locally stored data for managed company devices. Employment New Zealand says employers may supply equipment, ask employees to provide it or agree an allowance; there is no general automatic entitlement to a home-working allowance. The arrangement, support, costs and privacy trade-offs should be clear before access is enabled.
- company-owned device — Preferred for privileged work, sensitive data, regulated services, software development and roles needing strong central management.
- approved BYOD — Suitable only where risk is acceptable and compliance, separation, support, monitoring and removal conditions are practical.
- mixed model — Permit limited low-risk access on personal devices while requiring managed company devices for sensitive or administrative tasks.
- worker choice and support — Explain whether BYOD is voluntary, the alternative device available, costs, technical support and what the organisation may manage or remove.
The organisation will select company-owned, BYOD or mixed-device access according to role, information sensitivity, system exposure and management capability. Privileged administration and access to Restricted information require a managed company device unless a documented exception provides equivalent safeguards. BYOD requires prior written approval and remains voluntary where the role can be performed using an organisation-provided device. The approved arrangement must state equipment ownership, support, costs, permitted use, management controls, privacy expectations and return or removal requirements.
What security requirements should apply to remote and BYOD devices?
Only authorised and identifiable devices should access organisational systems. The policy should require a supported operating system, prompt security updates, device encryption, automatic screen locking, a strong unlock credential, current endpoint protection where appropriate, approved applications, MFA and a means to assess compliance. Own Your Online specifically recommends updated operating systems, hard-drive encryption, strong passwords, current antivirus and uploading locally saved work documents to the organisation's network. NCSC says mobile-device management can check operating-system versions, authentication, encryption and installed software, enforce settings and restrict access according to device security. Work and personal data should be separated through a managed work profile, container, virtual desktop or browser-based access where practical. Sensitive data should not remain in personal downloads, photo libraries, messaging backups or consumer cloud services. Devices that are rooted, jailbroken, unsupported, shared without effective user separation or unable to meet required settings should be denied access.
- minimum device compliance — Supported OS, current patches, encryption, automatic lock, strong authentication, approved software and required endpoint protection.
- work-data separation — Use managed profiles, containers, virtual desktops or controlled applications to prevent mixing with personal storage and backups.
- conditional access — Allow access only from registered devices that meet required configuration and risk conditions.
- device owner — Keep the device available for compliance checks and promptly remediate settings without exposing unrelated personal content unnecessarily.
An authorised remote or BYOD device must run a supported operating system, install security updates promptly, use device encryption and automatic locking, require a strong password, PIN or approved biometric, and use approved security and access software. Multi-factor authentication is mandatory for remote access. Work information must remain within approved applications, storage or a managed work profile and must not be copied to personal email, consumer cloud storage, personal messaging backups or shared family accounts. Unsupported, rooted, jailbroken, materially non-compliant or unregistered devices must not access organisational information.
How should staff secure home networks, public Wi-Fi, hotspots and remote connections?
Home networks are usually preferable to public or shared Wi-Fi, but they still need basic protection. Require the home router's default administrator credentials to be changed, current firmware, WPA2 or later wireless security, a strong Wi-Fi password and restricted internet-facing administration. Where practical, place the work device on a guest or separate network from household smart devices. Own Your Online recommends trusted home Wi-Fi or a password-protected mobile hotspot instead of public Wi-Fi and says remote connections to the organisation's network should use an approved VPN. MFA remains mandatory for remote access. Public Wi-Fi at cafés, airports, hotels or libraries should be avoided for sensitive work; use an approved mobile hotspot or other trusted connection instead. A VPN protects traffic to the work network but does not make an unpatched or compromised device safe. Remote desktop, VPN and support tools must be approved, updated, strongly authenticated and configured so they are not unnecessarily exposed to the internet.
- trusted home network — Updated router, changed defaults, strong wireless security, firewall and separation from untrusted household or guest devices where practical.
- mobile hotspot — Use an approved password-protected hotspot when a trusted home or business network is unavailable.
- public or shared Wi-Fi — Avoid for sensitive work; do not rely on the venue's network or a VPN alone to remove all risk.
- remote access service — Use only approved VPN, virtual desktop or remote-access tools with MFA, patching, restricted exposure and logging.
Remote work must use a trusted home or business network or an approved password-protected mobile hotspot. Public or shared Wi-Fi must not be used for Confidential or Restricted work unless no safer option exists and the approved secure-access method is used. Home routers used for work must have default administrator credentials changed, current firmware, WPA2 or later security, a strong wireless password and internet-facing administration disabled unless specifically required. Approved VPN or remote-access software and multi-factor authentication must be used whenever the organisation requires them.
How should business and personal information be handled away from the office?
Remote work changes the surroundings, not the organisation's privacy obligations. Business information should remain in approved cloud services, virtual desktops, managed applications or organisational storage rather than personal email, local consumer folders or household backups. IPP 5 requires reasonable safeguards, while IPPs 10 and 11 generally limit how personal information is used and disclosed. Staff should minimise local downloads, lock screens whenever unattended, prevent family members or housemates using work profiles or devices and avoid discussing sensitive matters where they can be overheard. Printing at home should be permitted only where necessary and supported by secure storage, transport and destruction rules. Screens and paper should be positioned away from windows, cameras and shared spaces; privacy screens may be needed when travelling. Business records must not be photographed into personal camera rolls or synchronised to personal photo and messaging services. Personal information found during technical support or device management should not be accessed or used beyond the legitimate security purpose.
- approved storage and collaboration — Keep information in organisational cloud, managed application, virtual desktop or network storage with controlled access and retention.
- physical privacy — Protect screens, conversations, papers and devices from household members, visitors and people in shared locations.
- printing and disposal — Print only where authorised, store securely and return or destroy through an approved method.
- personal information boundary — Do not browse unrelated personal content during support, compliance checks, investigation or removal of work data.
Business information must remain in approved organisational systems and must not be transferred to personal email, personal cloud storage, consumer messaging backups, personal photo libraries or shared household accounts. Users must lock devices when unattended, prevent access by family members or other unauthorised people and protect screens, calls and papers from observation or overhearing. Home printing requires prior approval for Confidential or Restricted information, secure storage and approved return or destruction. Organisational support and management activities must not access unrelated personal information except where lawfully necessary and authorised.
What monitoring is appropriate for remote workers and personal devices?
Remote work does not remove employee privacy. Monitoring must serve a legitimate and necessary purpose, be lawful, fair and no more intrusive than reasonably required. OPC says employers may generally monitor work computers, accounts, email and internet usage, but should collect only what is needed, be open about the collection and clearly explain permitted use and the extent of monitoring. On a personal device, disclosure needs to be especially specific because mobile-device management may reveal operating-system details, authentication, encryption, installed software and potentially stored data, and may allow locking or remote wiping. NCSC says staff must understand what the management system can see and do. The policy should distinguish security and compliance telemetry from productivity or conduct monitoring and state who may view it, how it is used, how long it is retained and how workers can ask questions or exercise access and correction rights. Covert or materially expanded monitoring requires exceptional justification, good-faith consideration and legal or privacy review.
- device-compliance monitoring — Collect only settings needed to establish device identity, support status, encryption, lock, approved software and security posture.
- security monitoring — Log authentication, access, malware, data movement and policy violations for protection and investigation.
- productivity or conduct monitoring — Use only for a defined legitimate purpose with proportionality, transparency and employment-law process.
- personal-device boundary — State exactly what the organisation can see, manage, lock or erase and avoid collecting unrelated private content.
Monitoring of remote work and authorised devices is limited to documented purposes including security, service reliability, compliance and investigation of suspected misuse. We collect only information reasonably necessary for those purposes and disclose the systems monitored, information collected, authorised users, retention, uses and available worker rights. Before enrolling a personal device, we explain what the management system can see and do, including any ability to restrict access, lock a work profile or remove data. Unrelated personal content must not be accessed or collected merely because the technology permits it.
What should happen when a remote or BYOD device is lost, stolen or compromised?
Require immediate reporting through a channel available even when the device is missing. The worker should provide the device type, ownership, time and place last seen, whether it was unlocked, what accounts and information it could access and any signs of phishing, malware or unauthorised activity. The response team should revoke sessions and tokens, reset exposed credentials, block the device, preserve relevant logs, assess personal-information risk and decide whether to lock or wipe the work profile or device. NCSC says organisations need clear incident processes for lost, stolen or suspicious mobile devices and that administrators must know when significant actions such as remote locking or wiping are appropriate. For a personal device, whole-device wipe should occur only where the technical and legal ability and user agreement are clear and the response is proportionate; work-profile or selective wipe is preferable where available. If the incident has caused or is likely to cause serious privacy harm, the Privacy Act notification process applies.
- immediate user action — Report promptly, stop using a suspicious device and provide information needed to identify accounts and data at risk.
- account containment — Revoke sessions, tokens, certificates and remote access and reset credentials where exposure is possible.
- device response — Locate, lock, quarantine or selectively wipe the work profile according to risk, authority and evidence needs.
- privacy and cyber assessment — Assess breach notification, NCSC reporting, Police, insurer and customer obligations separately.
Loss, theft, suspected compromise, unexpected behaviour or unauthorised access involving a remote or BYOD device must be reported immediately. The organisation may revoke access, sessions, certificates and tokens; require credential changes; quarantine the device; or lock or remove organisational data according to the approved response process. A personal device will be wholly wiped only where the capability, authority, user agreement and circumstances clearly justify it. The privacy officer will assess whether personal information is involved and whether the incident is a notifiable privacy breach.
How should offboarding remove work access and data from personal devices?
Offboarding should cover the person, every account and every authorised device, not only return of a laptop. Employment New Zealand says employers need to arrange the return of company property and cancel or review access to IT systems, email and distribution lists when employment ends. For BYOD, revoke sessions, MFA registrations, VPN profiles, certificates, application access, password-manager collections, cloud synchronisation, mobile tokens and remote-support permissions at the effective end time. Remove the managed work profile or organisational applications and confirm that approved local copies, downloads and backups have been returned or securely deleted. Avoid unnecessary access to personal information during verification. Company information should not remain in personal email, messaging histories, camera rolls, consumer backups or personal cloud storage. If whole-device wiping was contemplated, it must already be authorised and proportionate; ordinarily, selective removal of the work profile is safer. Role changes and withdrawal from BYOD should use the same removal process even where employment continues.
- departing worker — Return company equipment, stop using work data and cooperate with removal and verification requirements.
- logical access removal — Disable accounts and revoke sessions, MFA, certificates, VPN, cloud, application, password and support access.
- work-data removal — Remove managed profiles and approved local data without browsing or deleting unrelated personal content.
- records and confirmation — Record completion, unresolved issues, recovered property, retained business records and any exception.
When employment, engagement, remote-work approval or BYOD approval ends, organisational access must be revoked at the effective time and company property returned. The organisation will remove managed work profiles, applications, certificates, sessions, tokens, VPN access, MFA registrations and synchronisation rights from personal devices. The user must return or securely delete organisational information held locally or in personal services and confirm completion when requested. Removal and verification must avoid accessing or deleting unrelated personal information except where lawfully necessary and authorised.
What are the common gaps in New Zealand SME remote-work and BYOD policies?
Common gaps include allowing personal devices by default without a device register or approval; letting unsupported operating systems connect; offering MFA but not enforcing it; mixing work data with personal email, photos, messaging and cloud backups; treating a VPN as a complete security solution; allowing sensitive work on public Wi-Fi; failing to explain what mobile-device management can see or erase; using whole-device wipe language without legal authority or worker agreement; allowing family members to share a work device or profile; unmanaged home printing; no prompt lost-device reporting route; no health and safety or equipment discussion; monitoring remote workers more intrusively than office workers without justification; and offboarding accounts while leaving work data and MFA tokens on personal devices. Other gaps include no alternative to BYOD, no response to formal flexible-work requests, no review after device or role changes and no distinction between NCSC guidance and Australian instruments. Essential Eight, SMB1001 and the ASD ISM must not be presented as New Zealand frameworks or laws.
- unmanaged device risk — The organisation does not know which personal devices connect or whether they are patched, encrypted and supported.
- data-boundary failure — Work files spread into personal accounts, downloads, backups, cameras and household-shared services.
- privacy and employment overreach — Monitoring or wipe capabilities are vague, excessive, undisclosed or inconsistent with the working arrangement.
- lifecycle failure — Lost devices, role changes, BYOD withdrawal and offboarding do not trigger reliable access and data removal.
Remote and BYOD access must not operate as an informal exception to normal security, privacy, employment or health and safety requirements. Every authorised device must be identifiable, supported and compliant; remote access must use MFA and approved connections; work information must remain separated from personal services; monitoring and wipe capabilities must be disclosed and proportionate; and loss, role change and departure must trigger prompt access and data removal. Australian cyber frameworks are not described as New Zealand law or official New Zealand baselines.
What's my next step?
Common misconceptions
- Remote work moves the workplace outside the employer's health and safety responsibilities. Employment New Zealand says HSWA duties also apply to employees working from home. VERIFIED
- An employer must always provide every item of home-working equipment or a fixed allowance. Employment New Zealand says employers may supply equipment, ask employees to provide it or agree an allowance, with no general specific legal entitlement to an allowance. VERIFIED
- BYOD is automatically cheaper than company-owned devices. NCSC warns that support, security incidents and contribution to employee-device costs can increase the organisation's overall costs. VERIFIED
- A password and VPN are sufficient for remote access. Own Your Online says 2FA should be mandatory, and NCSC also prioritises patching, asset management and least privilege. VERIFIED
- A VPN makes any public Wi-Fi or compromised device safe. A VPN encrypts the connection to work resources but does not correct device compromise, unsafe applications or every network risk. INFERRED
- The organisation may inspect everything on a personal device once it is used for work. Monitoring must remain necessary, transparent, lawful, fair and proportionate. VERIFIED
- Installing mobile-device management on a personal device has no privacy implications. NCSC says workers must understand what the system can see and do and calls BYOD a privacy and security trade-off. VERIFIED
- The organisation may wipe a personal device whenever it chooses. NCSC says remote wipe requires consideration of technical and legal capability and user agreement, and significant actions need clear processes. VERIFIED
- Personal email or cloud storage is acceptable for work because the worker owns the device. Device ownership does not remove Privacy Act safeguards or organisational control over business information. INFERRED
- Home printing is harmless because the documents remain at the employee's house. Physical personal and confidential information still requires reasonable storage, access, return and disposal controls. INFERRED
- Offboarding is complete once the company laptop is returned. Employment New Zealand also points to cancelling or reviewing system, email and distribution-list access, and BYOD requires removal of work access and data. INFERRED
- Australia's Essential Eight, SMB1001 and ASD ISM are New Zealand remote-work frameworks. They are not and should not be represented as New Zealand law or official New Zealand baselines. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Privacy Act 2020 IPP 5 safeguards for remote and mobile information | Office of the Privacy Commissioner | The organisation holds personal information that can be accessed, stored, transmitted, printed or discussed through remote work or a mobile device. | Ongoing while the information is held and whenever devices, locations, users, access methods, suppliers or risks change. | |
| Privacy Act 2020 IPP 10 limits on use | Office of the Privacy Commissioner | Personal information obtained through remote work, device management, support or monitoring is proposed to be used. | Before any materially different use, confirm the original purpose, a directly related purpose or another authorised IPP 10 ground. | |
| Privacy Act 2020 IPP 11 limits on disclosure | Office of the Privacy Commissioner | Personal information is proposed to be disclosed through remote work, monitoring, technical support, a supplier or another recipient. | Before disclosure, confirm that the original purpose or another authorised IPP 11 ground applies. | |
| Employee-monitoring privacy requirements | Office of the Privacy Commissioner | The employer collects employee personal information through remote-work software, device management, location, communications, access logs or other monitoring. | Assess necessity, fairness and proportionality before collection, provide appropriate notice before ordinary monitoring, and comply throughout use, storage, disclosure and retention. | |
| Health and safety duty for employees working from home | WorkSafe New Zealand | Employees perform work from home or another remote workplace within the business or undertaking. | Ongoing; ensure health and safety so far as is reasonably practicable and review risks when the arrangement or work changes. | Duties and potential offences or penalties depend on the applicable Health and Safety at Work Act 2015 provisions and circumstances. |
| Formal flexible-working request response | Employment New Zealand and the employment institutions applying Part 6AA of the Employment Relations Act 2000 | An employee makes a formal request to change working arrangements, including where they work. | Consider the request in good faith and reply in writing as soon as possible and no later than one month after receiving it. | |
| Update an employment agreement for a permanent workplace change | Employment New Zealand | An employee permanently changes their place of work under an agreed home-working arrangement. | Update the written employment agreement to reflect the permanent change. | |
| Return company property and cancel IT access on departure | Employment New Zealand guidance | An employee's employment ends. | Arrange property return and cancel or review system, email and distribution-list access at the effective end of employment or as required by the lawful separation process. | |
| Notifiable privacy breach arising from a remote or mobile-device incident | Office of the Privacy Commissioner | Loss, theft, compromise, unauthorised access or disclosure involving personal information has caused or is likely to cause serious harm. | Notify OPC and affected people as soon as practicable; OPC says notification should ideally occur within 72 hours after awareness of a notifiable breach. | Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine up to NZD 10,000. |
Sources
- NCSC Bring Your Own Device guidance primary
- NCSC Mobile device management primary
- NCSC Critical Controls: Summary primary
- NCSC Cyber Security Framework primary
- NCSC Protect your organisation primary
- NCSC Asset lifecycle management primary
- NCSC Application control primary
- Own Your Online — Enable staff to work remotely and securely primary
- Own Your Online — Stay secure when working remotely primary
- Own Your Online — Secure your small business network primary
- Own Your Online — Types of remote access software primary
- Own Your Online — Set up a new device securely primary
- Privacy Act 2020 information privacy principles primary
- Privacy Act 2020 Principle 5 — Storage and security primary
- Privacy Act 2020 Principle 10 — Limits on use primary
- Privacy Act 2020 Principle 11 — Disclosure of personal information primary
- Can I monitor employee use of work computers and accounts? primary
- What information is my employer entitled to collect while I am working? primary
- NotifyUs of a serious privacy breach primary
- Employment New Zealand — Working from home primary
- Employment New Zealand — Asking for flexible working arrangements primary
- Employment New Zealand — Responding to a flexible working request primary
- Employment New Zealand — On or after the last day of employment primary
- WorkSafe — Working from home primary
- Health and Safety at Work Act 2015 primary
- r/newzealand discussion of work-from-home equipment forum
- Geekzone discussion of employer BYOD phone arrangements forum
- r/newzealand discussion of client information and tracking on a personal phone forum
- r/newzealand discussion of workplace communications monitoring forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.