The company is fully committed to compliance with the requirements of the Privacy Act 2020.
We are required to maintain certain personal information about individuals to satisfy our operational and legal obligations. These individuals include our employees, as well as Board members, contractors, visitors to the company’s premises or website, volunteers, suppliers, and any other individual whose personal information is collected by us or on our behalf.
We recognise the importance of correct and lawful treatment of all personal information as it helps to maintain confidence in our organisation and to ensure efficient and successful outcomes when using this information.
Personal information can be collected, held, and/or used in one or more of the forms of document defined in this Policy and may be kept in paper form, on computer systems or in other electronic media. It includes information that is retained for a significant period, as well as information that may be kept only briefly, or even fleetingly.
We endorse and adhere to the 13 Information Privacy Principles of the Act, and require all employees, and other individuals and organisations which collect, handle, process, transport and store personal information on our behalf, to familiarise themselves with these principles and to ensure that they comply with them in all their dealings with personal information.
Our commitment to the 13 Information Privacy Principles is summarised as follows.
Principle 1 – the purpose of collection of personal information
We only collect personal information for a lawful purpose connected with our functions or activities where it is necessary for that purpose.
Principle 2 – the source of personal information
Where we collect personal information, we will only collect it from the individual concerned unless: lawful exceptions apply. These exceptions include collection where:
- we can collect the information without prejudicing the individual’s interests;
- our lawful purposes for collecting the information would otherwise be prejudiced;
- the individual authorises us to collect the information from a third party;
- the information is publicly available.
Principle 3 – the collection of information from the subject
Where we collect personal information from an individual we will take reasonable steps to make the individual aware of all the information that they are entitled to receive under the Act in respect of that information, including the purpose for which the information is collected, the intended recipients, and their rights of access to and correction of the information.
Principle 4 – manner of collection of personal information
We will only collect information by lawful means, which are fair and do not intrude to an unreasonable extent upon the personal affairs of the individual concerned.
Principle 5 – storage and security of personal information
We will ensure that all personal information is protected, by such reasonable security safeguards as are reasonable, against loss, unauthorised access, use, modification or disclosure, and other misuses.
Principle 6 – access to personal information
Upon request, we will provide to an individual confirmation whether we hold any personal information about them, and access to their personal information.
Principle 7 – correction of personal information
We shall take all such steps that are reasonable in the circumstances to ensure that personal information is accurate, up to date, complete, and not misleading. Where a request is received to correct personal information, we shall comply with the Act in assessing and addressing the request.
Principle 8 – accuracy of personal information to be checked before use or disclosure
We shall not use or disclose personal information without taking any steps that are reasonable to ensure that it is accurate, up to date, complete, relevant, and not misleading.
Principle 9 – retention periods
We shall not keep personal information for longer than is required for the purpose for which it may be lawfully used.
Principle 10 – limits on the use of personal information
We will not use personal information which we collected for one purpose for a different purpose unless we reasonably believe that one or more of the exceptions set out in Principle 10 apply. This will include where the different purpose is directly related to the purpose in connection with which the information was obtained.
Principle 11 – limits on disclosure of personal information
We will not disclose any personal information unless we believe on reasonable grounds that one or more of the situations specified in Principle 11 apply. These include where disclosure is directly related to the purpose for which the information was obtained and where the individual authorises the disclosure.
Principle 12 – disclosure of information outside New Zealand
We will only disclose personal information outside New Zealand in compliance with the conditions set out in principle 12.
Principle 13 – unique identifiers
We will only assign unique identifiers to an individual for use in our operation where necessary and compliance with the requirements of Principle 13.
The rights of individuals whose personal information is collected by us.
Right of access
The company will comply with its obligation under the Act in respect of all requests made under Information Privacy Principle 6.
Individuals whose personal information is collected and held by the company are entitled to request;
• confirmation of whether we hold any personal information about them, and
• access to their personal information.
We will give reasonable assistance to a person who wishes to make such a request or who is doing so. Where we receive a request in writing, we will respond to the request as soon as is reasonably practicable, but no later than 20 working days after the day on which the request is received.
Where we decide to grant access to the personal information, we will inform the requester of the way the information is to be made available.
Where we decide not to grant access to the personal information or some of it, we will inform the requester of the reason for the refusal; and the requestor’s right to make a complaint to the Commissioner in respect of the refusal.
We may refuse to grant access to personal information where:
• disclosure is likely to pose a serious threat to the life, health, or safety of any individual;
• the information requested does not exist or, despite reasonable efforts to locate it, cannot be found;
• the disclosure of the information would involve the unwarranted disclosure of the affairs of another individual; or
• the disclosure of the information would breach legal professional privilege.
There are other reasons why access can lawfully be denied. Instead of refusing access to the personal information requested, we may grant access to the information, but may impose conditions relating to the requestor’s use of the information, and/or the requestor’s disclosure of the information to any other person.
Where excessive time or costs are involved we may charge a requester a reasonable fee for:
• providing assistance provided we make information available in compliance, in whole or in part, with the request, and
• making information available in compliance, in whole or in part, with the request.
We may extend the time within which we respond to a request if:
• the request is for a large quantity of information or necessitates a search through a large quantity of information, and meeting the original time limit would unreasonably interfere with our operations; or
• we need to make consultations to decide on the request and a response to the request cannot reasonably be given within the original time limit; or
• the processing of the request raises issues of such complexity that a response to the request cannot reasonably be given within the original time limit.
Right of correction
An individual or their representative may ask that personal information about them be corrected.
We will give reasonable assistance to a person who wishes to make such a request or who is doing so. Where we receive a request, we will respond to the request as soon as is reasonably practicable, and in any case not later than 20 working days after the day on which the request is received.
We will decide whether to grant the request and will notify the requestor that—
• we have corrected, or will correct, the personal information, informing the requester of the action we have taken, or will take, to correct the information; or
• we will not correct the personal information.
Where we notify the requester that we will not correct the personal information we will inform the requestor of—
• the reason for our refusal to correct the information; and
• the requestor’s entitlement to provide a statement of the correction sought and to request that it be attached to the information (if the requestor has not done so already); and
• the requestor’s right to make a complaint to the Commissioner in respect of our refusal to correct the information.