DATA PRIVACY AND INFORMATION HANDLING POLICY
This sets out the Aware Group Ltd’s (‘Aware’) policies and procedures for the collection, use, retention and disclosure of personal information. It is intended to be a resource for Aware Group staff.
2. Privacy framework – objectives
a. Maintaining a positive “privacy culture” in which Aware staff, contractors and appointees are supported and encouraged to adopt good privacy practices;
b. Building trust and confidence with customers by:
• ensuring there are clear purposes for collecting personal information;
• good data collection processes;
• transparency in handling personal information;
• risk avoidance – avoiding the potential for security or data breaches;
• meeting access and correction requests;
• ensuring accuracy of personal information;
• proper use and disclosure of personal information; and
• respect for people as individuals rather than “personal identification numbers”.
c. Ensuring legal compliance.
3. Privacy Act 1993 – rights and obligations
Aware’s information handling policy is informed by its obligations under the Privacy Act 1993.
Section 7 of the Privacy Act 1993 provides that where other legislation allows or requires personal information to be used in a specific way, this will override the general provisions of the Privacy Act. Section 7 also provides that other statutes which prohibit or restrict the availability of personal information take precedence over the IPPs.
The following general guidelines apply to all of Aware.
4. Collection of personal information
Information is collected for purposes associated with the function of the project associated with collecting it. Those purposes will be consistent with the provisions of the associated statement of work or binding contract.
The customer providing personal data to Aware will be advised about:
• the purpose for collection and how the information will be used;
• the law under which the information is collected;
• who the information will be disclosed to and held by;
• the customer’s right to access their personal data and their right to ask to have the information corrected; and
• the consequences of not providing the information.
Information must generally be collected by Aware directly from the person concerned. There are some exceptions to this, including but not limited to circumstances where:
• the information is publicly available or the person consents to the collection of information from someone else;
• collecting information from the individual concerned would prejudice the purposes of collection;
• it is not reasonably practicable to collect information from the person concerned; or
• collection from someone else is required or permitted by law.
5. Use and disclosure of personal information
Generally, personal information may only be used by Aware for the purposes for which it is collected.
Before using personal information, steps must be taken to ensure that the information is accurate, up to date and complete.
Personal information must, in general, not be used by Aware for a different purpose or disclosed to anyone other than the person concerned. There are some permitted exceptions to this. For example, Aware may use personal information for a purpose other than that for which the information was collected if the information is used in a form in which the individual concerned is not identified.
In addition, information may be used for a different purpose where the purpose for which the information is to be used is directly related to the purpose in connection with which the information was obtained.
The grounds listed above also apply to the disclosure of personal information to third parties.
If a customer requests their own personal data from Aware there are limited grounds for withholding that information.
6. Storage and security of personal information
Aware has an obligation to securely store the personal information it collects and creates. As part of this, Aware will conduct accurate risk assessment where necessary. Under this policy, personal information is only accessible to authorised staff and is protected by appropriate security measures. Those security measures include limits on access to electronic databases where personal information is stored and ‘password protection’ where appropriate.
Information must only be held by Aware as long as the information is needed. Personal data no longer required to be held will be securely destroyed by the Aware.
All employees must also keep track of their own data with a personal data register that will ensure the transparency of any client data that any individual has and to ensure that all client data is disposed of appropriately when we are finished with it.
7. How we maintain best privacy practice
Aware is committed to maintaining best privacy practice through:
• ensuring all staff understand privacy rights and are kept up to date through training;
• ensuring that requests for disclosure of personal information or new projects involving personal information are referred to the Privacy Officer for review;
• undertaking audits of privacy policies and procedures on at least a bi-annual basis and following up any specific privacy issues which may arise;
• keeping abreast of privacy law developments, technology updates and following best practice guidance from the Privacy Commissioner; and
• responding to privacy concerns and/or complaints in a timely and constructive way.
For all projects requiring the handling of personal information or where it is felt that the project may affect any individual’s privacy, it is required that a brief privacy analysis is carried out to determine whether a full privacy impact assessment may be required. The templates for both these documents as well as a risk assessment pertaining to privacy may be obtained from the privacy officer.
8. Action where there is a potential privacy breach
Inadvertent privacy breaches may happen despite good processes and the best of intentions.
Where a potential breach is identified it is important to act quickly and openly.
As soon as a breach is detected, Aware personnel are required to advise their Manager and notify the Privacy Officer. The Privacy Officer will work with staff to address any privacy concerns, following the Privacy Commissioner’s guidelines for dealing with privacy breaches available at www.privacy.org.nz.
9. Who to contact
If you have any questions about this policy or the Aware Group’s information handling obligations under the Privacy Act 1993, please contact the Privacy Officer – [email protected]