Privacy Policy

Objective:
To set out CFSS’s privacy management requirements and explain how CFSS collects, uses, discloses, stores, protects, and manages personal information.
ApplicationPrivacy is everyone’s responsibility. This policy applies to all Kake Oranga Hāhi Katorika Catholic Family Support Services (CFSS) kaimahi and board members who collect, access, use, or disclose personal information, manage projects or systems affecting personal information, or make decisions about how CFSS manages personal information.
Each kaimahi and board member is responsible for understanding and applying this policy. It also applies to contractors engaged by CFSS. The manager or delegated person must ensure contractors comply with CFSS policies while working for CFSS.
Position Statement
This policy supports CFSS compliance with the requirements of the Privacy Act 2020 (the Act).
BackgroundCFSS is a social service and collects, holds and uses personal information:

about clients, families, and whānau who are referred to our services by community services, local organisations, government departments, schools, self-referrals, and other groups, or who visit our website, social media platforms, or offices; and
for employing, engaging, and administering the working relationship with its kaimahi.

CFSS is committed to managing personal information appropriately. We aim to follow good privacy practice in collecting, storing, using, and disclosing personal information, as required by the Privacy Act 2020, and to meet our community’s expectations. PurposeTo ensure CFSS team members manage personal information in line with the Privacy Act 2020, any applicable codes of practice, and other relevant laws, and that CFSS protects personal information and handles it openly and transparently.
This policy does not limit or exclude any rights under the Privacy Act 2020. If you wish to seek further information on the Act, see the Office of the Privacy Commissioner website.
PolicyThis privacy policy:

sets out the principles, responsibilities, and processes CFSS uses to collect, store, use, disclose, retain, and protect personal information; and

explains how individuals can access and correct their personal information and how CFSS manages it openly and transparently.

In this policy, personal information means information about an identifiable individual.
1. Information Privacy PrinciplesThe Privacy Act governs the collection, storage, use, and disclosure of personal information. Section 22 sets out 13 information privacy principles (IPPs), including IPP 3A on indirect collection. CFSS must comply with these IPPs. Many include exceptions, so staff should refer to the full requirements of the Privacy Act when needed. A summary is set out below:

IPP 1: CFSS must only collect personal information if it is necessary for a lawful purpose connected with a function or activity of CFSS.
IPP 2: CFSS must only collect personal information directly from the individual concerned, or their appointed representative.
IPP 3: When collecting the information, CFSS must take reasonable steps to ensure the individual knows it is being collected, the purpose of the collection and who will see it.
IPP 3A: If CFSS collects personal information about an individual from someone other than that individual, CFSS must take reasonable steps, in the circumstances, to ensure the individual is aware that the information has been collected, the purpose of the collection, the intended recipients, the agency collecting and holding the information, any legal authority for the collection, and the individual’s right to access and correct the information, unless an exception applies.
IPP 4: CFSS must collect personal information by lawful means and in a fair and reasonable manner.
IPP 5: CFSS must use reasonable safeguards to protect personal information against loss, unauthorised access, use, modification or disclosure, and any other misuse
IPP 6: Individuals are entitled to request access to personal information that is held about them.
IPP 7: Individuals are entitled to request that the information held about them be corrected.
IPP 8: CFSS must take reasonable steps to ensure that the personal information is accurate, up to date, relevant, and not misleading before using it.
IPP 9: CFSS must not keep the information for longer than needed for the purposes for which it may lawfully be used.
IPP 10: CFSS must not, in most cases, use personal information obtained in connection with one purpose for another purpose.
IPP 11: Personal information held by CFSS must not, in most cases, be disclosed to another person or organisation.
IPP 12: CFSS must not disclose personal information to a foreign person or entity that is not subject to the Privacy Act or comparable safeguards, unless CFSS has obtained authorisation from the individual concerned.
IPP 13: CFSS must not assign a unique identifier to an individual unless it is necessary to carry out its functions and must not use a unique identifier issued to a person by another agency.

2.Creation and collection of personal information:
CFSS will collect personal information only for purposes connected with its functions or activities, and only in a fair and reasonable way.
Unless there is a lawful reason not to, CFSS will take reasonable steps to make people aware that their personal information is being collected, why it is being collected, who will receive it, and their rights to access and correct it. If CFSS collects personal information indirectly, it will also comply with IPP 3A by notifying the individual as soon as reasonably practicable unless a statutory exception applies.

2.1 Who do we collect your personal information from?
CFSS collects personal information about you from:

you, when you provide personal information to us, including through our website and any related service, through any registration process, or through any contact with us (for example, by telephone or email).
Third parties where you have authorised this, where the information is publicly available, or where another lawful basis applies. If possible, we will collect personal information from you directly. Where we collect personal information indirectly, we will comply with applicable notification requirements under the Privacy Act 2020 unless an exception applies.

3. Storing of personal information CFSS will maintain reasonable safeguards against the loss, misuse, and inappropriate disclosure of personal information, and processes to prevent unauthorised access or use. In particular:

CFSS will keep any physical documents secure when there is a business need to take them outside of CFSS premises, and no technical solution is applicable.
CFSS will keep electronic personal information secure by ensuring that data storage has appropriate internal permissions, is protected from external threats, is regularly backed up to secure storage, and is managed in accordance with good information security practice.
CFSS may use cloud computing services to manage and store information. Where used, CFSS will ensure that those services meet applicable security requirements and that any overseas disclosure of personal information is managed in accordance with the Privacy Act 2020.

CFSS will keep personal information only as long as needed for the lawful purpose for which it was collected or may lawfully be used, and to meet legal, operational, safeguarding, employment, or record-keeping requirements. When it is no longer needed, CFSS will take reasonable steps to securely delete, destroy, anonymise, or de-identify it, as appropriate.
4. Requests for access to or correction of personal information CFSS will, where appropriate, give individuals access to their personal information and respect their right to request correction of factually incorrect information.
CFSS will process requests for information in line with the Privacy Act 2020 and CFSS procedures. CFSS will:

acknowledge a request for personal information or correction as soon as possible after receiving it;
respond to requests for personal information or correction as soon as reasonably practicable, and within 20 working days of the request being made unless that time is extended under the Privacy Act; and
notify the requestor, in the case of a request for correction, whether the information has been or will be corrected and, if not, of the requestor’s right to provide a statement of correction to be attached to the information.

CFSS kaimahi can request their personal information from the Privacy Officer or their manager. External requests must be made in writing to the Privacy Officer at CFSS, PO Box 124010 Hamilton 3216 New Zealand, or using the contact details listed in this policy.
5. Use of personal information CFSS will use personal information only for the purpose for which it was collected or another purpose permitted by the Privacy Act 2020 or other applicable law. Before using it, CFSS will take reasonable steps, in the circumstances, to ensure it is accurate, up to date, complete, relevant, and not misleading.
CFSS uses personal information to:

verify your identity;
provide services and products to you;
- communicate with you about our services, programmes, referrals, appointments, support, administration, or other matters connected with our functions and activities, including by electronic means where lawful;
improve the services we provide to you;
employ, engage, and administer the working relationship with our kaimahi;
bill you and collect money that you owe us, including authorising and processing credit card transactions;
respond to communications from you, including complaints;
conduct research and statistical analysis on an anonymised basis;
protect and enforce our legal rights and interests, including defending any claim; and
use it for any other purpose authorised by you or the Act.

6. Information sharing and disclosure of personal information CFSS may use or disclose personal information only were authorised by the individual concerned, required or permitted by the Privacy Act 2020 or another law, or otherwise connected with the purpose for which the information was obtained and lawfully able to be disclosed. Where CFSS engages service providers to support its functions, it will take reasonable steps to ensure appropriate privacy and security protections apply.
Disclosing your personal information:
CFSS may disclose your personal information to:

another entity within our group
any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or other services and products a credit reference agency for the purpose of credit checking you.
Police, the Teaching Council of Aotearoa New Zealand, or another relevant party for pre-employment checks where lawful and appropriate other third parties (for anonymised statistical information).
a person who can require us to supply your personal information (e.g. a regulatory authority).
any other person authorised by the Act or another law (e.g. a law enforcement agency).
any other person authorised by you.
A business that supports our services and products may be located outside New Zealand. This may mean your personal information is held or processed overseas, for example through cloud storage or other service providers. Before disclosing personal information to a foreign person or entity, CFSS will comply with IPP 12 and disclose it only were permitted by the Privacy Act 2020, including where the recipient is subject to the Act, must protect the information with comparable safeguards, or the individual authorises the disclosure after being expressly informed that comparable safeguards may not apply.

7. Third party arrangements Where CFSS enters arrangements with third parties involving personal information held by CFSS, appropriate provisions will be included to protect that information. Where CFSS holds personal information on behalf of another agency, specific contractual, statutory, or other legal requirements may also apply. Third-party arrangement requirements must be considered case by case.
8. Internet use CFSS takes reasonable steps to maintain secure internet connections and protect personal information transmitted through its online services. However, internet transmission risks cannot be completely eliminated.

If you post personal information on our website or social media platforms (for example, Facebook or Messenger), you acknowledge and agree that the information you post may be publicly available.

If you follow a link on our website to another site, the owner of that site will have its own privacy policy relating to your personal information. We suggest you review that site’s privacy policy before you provide personal information.

We use cookies (an alphanumeric identifier that we transfer to your computer’s hard drive so that we can recognise your browser) to monitor your use of the website. You may disable cookies by changing the settings on your browser, although this may mean that you cannot use all of the features of the website.

9. Privacy incidents A privacy incident includes an actual privacy breach, a potential privacy breach, or a near miss.

A privacy breach occurs when there is an unauthorised or accidental access to, or disclosure, alteration, loss or destruction of personal information.

A privacy breach can also include an action that prevents the agency from accessing the information on either a temporary or permanent basis.

A potential privacy breach occurs where a privacy breach may have occurred, but it is not known if an actual breach occurred.

A near miss is where an action could have resulted in a breach but ultimately the breach does not occur.

All privacy incidents, including actual or potential breaches and near misses, identified by kaimahi must be reported to their manager. The manager is responsible for managing the response in line with this policy.

The CFSS Privacy Incident Reporting Form (Appendix 1) should be completed as soon as possible and provided to the Privacy Officer, who will advise on managing the incident. CFSS will assess each incident promptly to determine whether it is a privacy breach and whether it has caused, or is likely to cause, serious harm. CFSS will take reasonable steps to contain the incident, reduce harm, investigate the cause, and keep appropriate records of actual breaches, potential breaches, and near misses. Where a privacy breach has caused, or is likely to cause, serious harm, CFSS must notify the Office of the Privacy Commissioner and affected individuals as soon as practicable, unless an exception under the Privacy Act 2020 applies.

Internal obligations CFSS will:

Train and inform its kaimahi (including contractors) of this policy and ensure the information privacy principles are applied when fulfilling their role within CFSS.
Endeavour to protect the privacy of kaimahi.
Regularly review CFSS business processes that relate to the collection, access, use, storage and destruction of personal information so they remain relevant and reflect good practice.

Complaints CFSS takes concerns about its privacy practices seriously. Anyone with a concern about how CFSS collects, shares, uses, discloses, stores, or manages personal information, or about a decision on an access or correction request, should raise it first with the Privacy Officer. The Privacy Officer will work with the relevant manager or delegated person to address the concern and identify and fix any issues in CFSS systems and processes.
If any kaimahi becomes aware of a privacy complaint made by an individual to CFSS or to the Office of the Privacy Commissioner, the kaimahi must notify their manager and the Privacy Officer as soon as possible.

Who to contact
The CFSS Privacy Officer is the main contact for privacy requests, complaints, and breach notifications and can be contacted at [email protected].