Objective:
Describe the potential collection, use, disclose and the protection of personal information of individuals
Application
Privacy is everyone’s responsibility. This policy applies to all Kake Oranga Hāhi Katorika Catholic Family Support Services (CFSS) kaimahi and board members who may be required to collect, access, use or disclose personal information, who may manage projects or systems that impact on personal information management, or who are responsible for making policy decisions about the way the CFSS manages personal information. It is the responsibility of each kaimahi, board member to understand and apply this policy. It also applies to contractors engaged by CFSS. It is the responsibility of the manager or delegated person to ensure that the contractor comply with all CFSS policies while working for CFSS.
Position Statement
This policy supports CFSS compliance with the requirements of the Privacy Act 2020 (the Act).
Background
CFSS is a social service and collects, holds and uses personal information:
• about clients, families and whānau who are referred to our services by other community services, local organisations, government departments, schools, self-referrals and other groups who visits our websites, social media platforms or offices; and
• employing, engaging and administering the working relationship with its kaimahi.
CFSS is committed to ensuring that personal information is managed appropriately. We strive to uphold good practice privacy standards in the collection, storage, use and disclosure of personal information required under the Privacy Act 2020 and wishes to lead by example and ensure that its privacy practices meet the expectations of its community.
Purpose
To ensure that CFSS team members manage person information in compliance with the Act, other relevant laws, and that CFSS are committed to protecting your privacy and handling your personal information in an open and transparent way.
This policy does not limit or exclude any of your rights under the Act 2020. If you wish to seek further information on the Act, see www.privacy.org.nz
Policy
This privacy policy:
• sets out the principles which are used by CFSS to collect, store, use and disclose personal information; and
• provides guidance to CFSS kaimahi when dealing with personal information. Describes how individuals can exercise their privacy rights in relation to access and correction of their personal information.
In this policy, personal information means information about an identifiable individual.
1. Information Privacy Principles
The collection, storage, use and disclosure of personal information is governed by the Privacy Act. In particular, section 22 sets out 13 information privacy principles (IPPs). CFSS must comply with these IPPs. Many of the IPPs have exceptions to them, therefore it is important to refer to the requirements in full in the Privacy Act when considering their scope, but below is a summary:
• IPP 1: CFSS must only collect personal information if it is necessary for a lawful purpose connected with a function or activity of CFSS.
• IPP 2: CFSS must only collect personal information directly from the individual concerned, or their appointed representative.
• IPP 3: When collecting the information, CFSS must take reasonable steps to ensure the individual knows it is being collected, the purpose of the collection and who will see it.
• IPP 4: CFSS must collect personal information by lawful means and in a fair and reasonable manner.
• IPP 5: CFSS must use reasonable safeguards to protect personal information against loss, unauthorised access, use, modification or disclosure, and any other misuse
• IPP 6: Individuals are entitled to request access to personal information that is held about them.
• IPP 7: Individuals are entitled to request that the information held about them be corrected.
• IPP 8: CFSS must take reasonable steps to ensure that the personal information is accurate, up to date, relevant, and not misleading before using it.
• IPP 9: CFSS must not keep the information for longer than needed for the purposes for which it may lawfully be used.
• IPP 10: CFSS must not, in most cases, use personal information obtained in connection with one purpose for another purpose.
• IPP 11: Personal information held by CFSS must not, in most cases, be disclosed to another person or organisation.
• IPP 12: CFSS must not disclose personal information to a foreign person or entity that is not subject to the Privacy Act or comparable safeguards, unless CFSS has obtained authorisation from the individual concerned.
• IPP 13: CFSS must not assign a unique identifier to an individual unless it is necessary to carry out its functions and must not use a unique identifier issued to a person by another agency.
2. Creation and collection of personal information:
CFSS will collect information only for purposes that are linked to our functions or activities and will collect it in a way that is fair and reasonable. CFSS will, unless there is a lawful reason not to make people aware of the collection of information, our purposes for doing so, and their rights to access and correct that information.
2.1 Who do we collect your personal information from?
CFSS collect personal information about you from:
• You, when you provide that personal information to us, including via the website and any related service, through any registration process OR through any contact with us (e.g.
telephone call or email).
• Third parties where you have authorised this or the information is publicly available. If possible, we will collect personal information from you directly.
3. Storing of personal information
CFSS will maintain all reasonable safeguards against the loss, misuse or inappropriate disclosure of personal information, and maintain processes to prevent unauthorised use or access to that information. In particular:
• CFSS will keep any physical documents secure when there is a business need to take them outside of CFSS premises, and no technical solution is applicable.
• CFSS will keep electronic personal information secure by ensuring its data storage has the correct internal permissions, is protected from external sources, maintaining regular back up of data to secure storage and applying good practice for information security management.
• CFSS may use cloud computing services to manage and store information. Where used, CFSS will ensure that cloud computing services meet all applicable IT security requirements.
4. Requests for access to or correction of personal information
CFSS will provide individuals with access to their personal information, where appropriate, and respect the individual’s right to seek amendment of factually incorrect information.
Requests for information will be processed by CFSS in accordance with the Privacy Act 2020 and CFSS procedures. In particular CFSS
• Acknowledge a request for personal information or correction of information as soon as possible after receipt.
• Respond to requests for personal information, or correction of personal information, as soon as is reasonably practicable (and within 20 working days of the request being made unless extended under the Privacy Act).
• Notify the requestor, in the case of a request for correction of personal information, whether the information has been (or will) be corrected, and if not, the requestor’s right to provide a statement of correction to be attached to the information.
CFSS kaimahi can request their personal information from the Manager directly. External requests must be made in writing to the Manager or posted to: CFSS Manager (Privacy Officer), PO Box 124010 Hamilton 3216 New Zealand
5. Use of personal information
CFSS will use personal information only for the purposes for which it is collected, except where legislation allows it to be used for other purposes. CFSS will, when using information, take reasonable steps to ensure it is complete, relevant, up to date and not misleading.
CFSS uses personal information to:
• to verify your identity
• to provide services and products to you
• to market our services and products to you, including contacting you electronically (e.g. by text or email for this purpose)
• to improve the services that we provide to you
• employ, engage and administer the working relationship with its kaimahi
• to bill you and to collect money that you owe us, including authorising and processing credit card transactions
• to respond to communications from you, including a complaint
• to conduct research and statistical analysis (on an anonymised basis)
• to protect and/or enforce our legal rights and interests, including defending any claim
• for any other purpose authorised by you or the Act.
6. Information sharing and disclosure of personal information
CFSS may share information externally where it is lawful to do so. For example, CFSS may disclose information to other agencies where there is an express legislative authority or requirement to do so. CFSS may also disclose personal information to other agencies where it believes on reasonable grounds that it falls within one of the exceptions to IPP 11 of the Act.
Disclosing your personal information:
CFSS may disclose your personal information to:
• another entity within our group
• any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or other services and products
• a credit reference agency for the purpose of credit checking you
• Police, EDUCANZ or other party in the nature of pre-employment checks
• other third parties (for anonymised statistical information)
• a person who can require us to supply your personal information (e.g. a regulatory authority)
• any other person authorised by the Act or another law (e.g. a law enforcement agency)
• any other person authorised by you.
• A business that supports our services and products may be located outside New Zealand. This may mean your personal information is held and processed outside New Zealand, for example, cloud storage.
7. Third party arrangements
Where CFSS enters into arrangements with third parties that involve the use or management of personal information held by CFSS, appropriate provisions will be included to protect that personal information. Where CFSS holds personal information on behalf of another agency there may be specific contractual, statutory or other legal requirements that CFSS must also comply with. The requirements for third party arrangements need to be considered on a case-by-case basis.
8. Internet use
While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
• If you post your personal information on the website including social media [Facebook, messenger), you acknowledge and agree that the information you post is publicly available.
• If you follow a link on our website to another site, the owner of that site will have its own privacy policy relating to your personal information. We suggest you review that site’s privacy policy before you provide personal information.
• We use cookies (an alphanumeric identifier that we transfer to your computer’s hard drive so that we can recognise your browser) to monitor your use of the website. You may disable cookies by changing the settings on your browser, although this may mean that you cannot use all of the features of the website.
9. Privacy incidents
A privacy incident includes an actual privacy breach, a potential privacy breach, or a near miss.
• A privacy breach occurs when there is an unauthorised or accidental access to, or disclosure, alteration, loss or destruction of personal information.
• A privacy breach can also include an action that prevents the agency from accessing the information on either a temporary or permanent basis.
• A potential privacy breach occurs where a privacy breach may have occurred, but it is not known if an actual breach occurred.
• A near miss is where an action could have resulted in a breach but ultimately the breach does not occur.
All privacy incidents (actual and potential breaches or near misses) discovered by kaimahi should be notified to their manager. The manager is responsible for managing the response to the privacy incident in accordance with CFSS Privacy Policy.
CFSS Privacy Incident Reporting form (internal link) should be completed as soon as possible. This will be provided to the manager (Privacy Officer) who will advise further on the management of the privacy incident. This may include notifying the incident to the Office of the Privacy Commissioner where required under the Privacy Act or if notification is considered necessary in the interests of transparency.
Further obligations CFSS will:
• Train and inform its kaimahi (including contractors) of this policy and ensure the information privacy principles are applied when fulfilling their role within CFSS;
• Endeavour to protect the privacy of kaimahi;
• Regularly review CFSS business processes that relate to the collection, access, use, storage and destruction of personal information so they remain relevant and reflect good practice.
Complaints
CFSS takes concerns about its privacy practices seriously. Where any individual (internal or external) has a concern about CFSS privacy practices – whether these relate to the way we collect, share, use, disclose or store information, or a decision on an access request – these should be reported to CFSS Manager (Privacy Officer) in the first instance. The manager will do their best to address the concern and identify and fix any problems with our systems and processes.
Where any kaimahi becomes aware of a privacy complaint made by an individual to CFSS or to the Office of the Privacy Commissioner, CFSS manager should be notified.
Who to contact
CFSS Manager - Privacy Officer can be contacted at [email protected]
Describe the potential collection, use, disclose and the protection of personal information of individuals
Application
Privacy is everyone’s responsibility. This policy applies to all Kake Oranga Hāhi Katorika Catholic Family Support Services (CFSS) kaimahi and board members who may be required to collect, access, use or disclose personal information, who may manage projects or systems that impact on personal information management, or who are responsible for making policy decisions about the way the CFSS manages personal information. It is the responsibility of each kaimahi, board member to understand and apply this policy. It also applies to contractors engaged by CFSS. It is the responsibility of the manager or delegated person to ensure that the contractor comply with all CFSS policies while working for CFSS.
Position Statement
This policy supports CFSS compliance with the requirements of the Privacy Act 2020 (the Act).
Background
CFSS is a social service and collects, holds and uses personal information:
• about clients, families and whānau who are referred to our services by other community services, local organisations, government departments, schools, self-referrals and other groups who visits our websites, social media platforms or offices; and
• employing, engaging and administering the working relationship with its kaimahi.
CFSS is committed to ensuring that personal information is managed appropriately. We strive to uphold good practice privacy standards in the collection, storage, use and disclosure of personal information required under the Privacy Act 2020 and wishes to lead by example and ensure that its privacy practices meet the expectations of its community.
Purpose
To ensure that CFSS team members manage person information in compliance with the Act, other relevant laws, and that CFSS are committed to protecting your privacy and handling your personal information in an open and transparent way.
This policy does not limit or exclude any of your rights under the Act 2020. If you wish to seek further information on the Act, see www.privacy.org.nz
Policy
This privacy policy:
• sets out the principles which are used by CFSS to collect, store, use and disclose personal information; and
• provides guidance to CFSS kaimahi when dealing with personal information. Describes how individuals can exercise their privacy rights in relation to access and correction of their personal information.
In this policy, personal information means information about an identifiable individual.
1. Information Privacy Principles
The collection, storage, use and disclosure of personal information is governed by the Privacy Act. In particular, section 22 sets out 13 information privacy principles (IPPs). CFSS must comply with these IPPs. Many of the IPPs have exceptions to them, therefore it is important to refer to the requirements in full in the Privacy Act when considering their scope, but below is a summary:
• IPP 1: CFSS must only collect personal information if it is necessary for a lawful purpose connected with a function or activity of CFSS.
• IPP 2: CFSS must only collect personal information directly from the individual concerned, or their appointed representative.
• IPP 3: When collecting the information, CFSS must take reasonable steps to ensure the individual knows it is being collected, the purpose of the collection and who will see it.
• IPP 4: CFSS must collect personal information by lawful means and in a fair and reasonable manner.
• IPP 5: CFSS must use reasonable safeguards to protect personal information against loss, unauthorised access, use, modification or disclosure, and any other misuse
• IPP 6: Individuals are entitled to request access to personal information that is held about them.
• IPP 7: Individuals are entitled to request that the information held about them be corrected.
• IPP 8: CFSS must take reasonable steps to ensure that the personal information is accurate, up to date, relevant, and not misleading before using it.
• IPP 9: CFSS must not keep the information for longer than needed for the purposes for which it may lawfully be used.
• IPP 10: CFSS must not, in most cases, use personal information obtained in connection with one purpose for another purpose.
• IPP 11: Personal information held by CFSS must not, in most cases, be disclosed to another person or organisation.
• IPP 12: CFSS must not disclose personal information to a foreign person or entity that is not subject to the Privacy Act or comparable safeguards, unless CFSS has obtained authorisation from the individual concerned.
• IPP 13: CFSS must not assign a unique identifier to an individual unless it is necessary to carry out its functions and must not use a unique identifier issued to a person by another agency.
2. Creation and collection of personal information:
CFSS will collect information only for purposes that are linked to our functions or activities and will collect it in a way that is fair and reasonable. CFSS will, unless there is a lawful reason not to make people aware of the collection of information, our purposes for doing so, and their rights to access and correct that information.
2.1 Who do we collect your personal information from?
CFSS collect personal information about you from:
• You, when you provide that personal information to us, including via the website and any related service, through any registration process OR through any contact with us (e.g.
telephone call or email).
• Third parties where you have authorised this or the information is publicly available. If possible, we will collect personal information from you directly.
3. Storing of personal information
CFSS will maintain all reasonable safeguards against the loss, misuse or inappropriate disclosure of personal information, and maintain processes to prevent unauthorised use or access to that information. In particular:
• CFSS will keep any physical documents secure when there is a business need to take them outside of CFSS premises, and no technical solution is applicable.
• CFSS will keep electronic personal information secure by ensuring its data storage has the correct internal permissions, is protected from external sources, maintaining regular back up of data to secure storage and applying good practice for information security management.
• CFSS may use cloud computing services to manage and store information. Where used, CFSS will ensure that cloud computing services meet all applicable IT security requirements.
4. Requests for access to or correction of personal information
CFSS will provide individuals with access to their personal information, where appropriate, and respect the individual’s right to seek amendment of factually incorrect information.
Requests for information will be processed by CFSS in accordance with the Privacy Act 2020 and CFSS procedures. In particular CFSS
• Acknowledge a request for personal information or correction of information as soon as possible after receipt.
• Respond to requests for personal information, or correction of personal information, as soon as is reasonably practicable (and within 20 working days of the request being made unless extended under the Privacy Act).
• Notify the requestor, in the case of a request for correction of personal information, whether the information has been (or will) be corrected, and if not, the requestor’s right to provide a statement of correction to be attached to the information.
CFSS kaimahi can request their personal information from the Manager directly. External requests must be made in writing to the Manager or posted to: CFSS Manager (Privacy Officer), PO Box 124010 Hamilton 3216 New Zealand
5. Use of personal information
CFSS will use personal information only for the purposes for which it is collected, except where legislation allows it to be used for other purposes. CFSS will, when using information, take reasonable steps to ensure it is complete, relevant, up to date and not misleading.
CFSS uses personal information to:
• to verify your identity
• to provide services and products to you
• to market our services and products to you, including contacting you electronically (e.g. by text or email for this purpose)
• to improve the services that we provide to you
• employ, engage and administer the working relationship with its kaimahi
• to bill you and to collect money that you owe us, including authorising and processing credit card transactions
• to respond to communications from you, including a complaint
• to conduct research and statistical analysis (on an anonymised basis)
• to protect and/or enforce our legal rights and interests, including defending any claim
• for any other purpose authorised by you or the Act.
6. Information sharing and disclosure of personal information
CFSS may share information externally where it is lawful to do so. For example, CFSS may disclose information to other agencies where there is an express legislative authority or requirement to do so. CFSS may also disclose personal information to other agencies where it believes on reasonable grounds that it falls within one of the exceptions to IPP 11 of the Act.
Disclosing your personal information:
CFSS may disclose your personal information to:
• another entity within our group
• any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or other services and products
• a credit reference agency for the purpose of credit checking you
• Police, EDUCANZ or other party in the nature of pre-employment checks
• other third parties (for anonymised statistical information)
• a person who can require us to supply your personal information (e.g. a regulatory authority)
• any other person authorised by the Act or another law (e.g. a law enforcement agency)
• any other person authorised by you.
• A business that supports our services and products may be located outside New Zealand. This may mean your personal information is held and processed outside New Zealand, for example, cloud storage.
7. Third party arrangements
Where CFSS enters into arrangements with third parties that involve the use or management of personal information held by CFSS, appropriate provisions will be included to protect that personal information. Where CFSS holds personal information on behalf of another agency there may be specific contractual, statutory or other legal requirements that CFSS must also comply with. The requirements for third party arrangements need to be considered on a case-by-case basis.
8. Internet use
While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
• If you post your personal information on the website including social media [Facebook, messenger), you acknowledge and agree that the information you post is publicly available.
• If you follow a link on our website to another site, the owner of that site will have its own privacy policy relating to your personal information. We suggest you review that site’s privacy policy before you provide personal information.
• We use cookies (an alphanumeric identifier that we transfer to your computer’s hard drive so that we can recognise your browser) to monitor your use of the website. You may disable cookies by changing the settings on your browser, although this may mean that you cannot use all of the features of the website.
9. Privacy incidents
A privacy incident includes an actual privacy breach, a potential privacy breach, or a near miss.
• A privacy breach occurs when there is an unauthorised or accidental access to, or disclosure, alteration, loss or destruction of personal information.
• A privacy breach can also include an action that prevents the agency from accessing the information on either a temporary or permanent basis.
• A potential privacy breach occurs where a privacy breach may have occurred, but it is not known if an actual breach occurred.
• A near miss is where an action could have resulted in a breach but ultimately the breach does not occur.
All privacy incidents (actual and potential breaches or near misses) discovered by kaimahi should be notified to their manager. The manager is responsible for managing the response to the privacy incident in accordance with CFSS Privacy Policy.
CFSS Privacy Incident Reporting form (internal link) should be completed as soon as possible. This will be provided to the manager (Privacy Officer) who will advise further on the management of the privacy incident. This may include notifying the incident to the Office of the Privacy Commissioner where required under the Privacy Act or if notification is considered necessary in the interests of transparency.
Further obligations CFSS will:
• Train and inform its kaimahi (including contractors) of this policy and ensure the information privacy principles are applied when fulfilling their role within CFSS;
• Endeavour to protect the privacy of kaimahi;
• Regularly review CFSS business processes that relate to the collection, access, use, storage and destruction of personal information so they remain relevant and reflect good practice.
Complaints
CFSS takes concerns about its privacy practices seriously. Where any individual (internal or external) has a concern about CFSS privacy practices – whether these relate to the way we collect, share, use, disclose or store information, or a decision on an access request – these should be reported to CFSS Manager (Privacy Officer) in the first instance. The manager will do their best to address the concern and identify and fix any problems with our systems and processes.
Where any kaimahi becomes aware of a privacy complaint made by an individual to CFSS or to the Office of the Privacy Commissioner, CFSS manager should be notified.
Who to contact
CFSS Manager - Privacy Officer can be contacted at [email protected]