Privacy Policy

Intent

We collect and manage a range of personal information. We treat it respectfully and carefully, are open with people about why we collect it, how it is held and stored, what we do with it and rights of access.

We comply with regulatory standards and only release and share information in accordance with our policies and the law. Wherever possible, we forewarn and seek consent from people about when their information may have to be disclosed.

Definitions

“Personal information” is information about an identifiable,living human being. It includes health information and all other types of information whether paper, digital, or electronic which identifies a person.

"Privacy Officer"- see here for role of Privacy Officer.

Responsibilities

Management will:

• act as or delegate the responsibilities of Privacy Officer to kaimahi/staff
• monitor and manage our information management system
• monitor and manage our privacy and data breach risks with appropriate safeguards
• manage privacy and data breach incidents.

The Privacy Officer(s) will:

• monitor the organisation's compliance with this policy and the Privacy Act 2020
• assist with privacy-related training of staff/volunteers
• liaise with the Office of the Privacy Commissioner as necessary.
• support staff and volunteers when dealing with privacy-related issues.

Staff/kaimahi and volunteers will comply with this policy.  

Requirements

When and how we collect personal information‍

Personal information will only be collected when necessary for service provision and business purposes.

Information will be collected in a way that is sensitive toa person’s culture, age, abilities, level of understanding and circumstances.

Informed Consent will be obtained and all due care taken to ensure the person understands the reasons for collecting the information, how and when it will be used, stored, accessed, and shared, and their rights to access and correct it (evidenced by a Privacy Consent form or equivalent.)

Source of personal information‍

If non-identifying information would achieve the same purpose as personal information, non-identifying information will be collected and used instead.

Where possible, personal information will be collected directly from the person concerned or their representative.

If health information is collected from a third party, the accuracy of the information will be checked with the person to whom it relates or their nominated representative.

Personal information collected from third parties for recruitment and other HR purposes (eg background and police checks) is used for evaluative purposes and not checked for accuracy.

Use of Personal Information

Personal information will only be used or shared for the purposes for which it was collected or as allowed by law (HIPC Rule 10; IPP 10 Privacy Act).

Before it is used or shared, the information will be checked(with the person concerned or their nominated representative) to ensure it is accurate, up-to-date, complete, relevant, and not misleading.

Safety concerns associated with use should be raised and resolved with management before using the information.

Staff/kaimahi must seek approval from the Privacy Officer/Management before using personal information for purposes that are not directly related to the reason(s) for collecting the information.

Accuracy‍

A person may request a correction to their personal information/ health information.  

If the correction is agreed, it must be documented in the file notes. A printed copy of the change will be given to any other party who holds the notes that require correction.

A refusal to correct will be documented in the relevant file with reasons. At the person's request, the proposed correction will be placed on their file (ie without the correction made).

People will be informed in writing about who will have access to their personal information.

Access to personal information

A person may request access to their own or their child's personal information.Unless there is good reason to refuse, we will facilitate access as follows:

• enable access within 20 working days of receiving the request for access
• remove information about another person on their file beforehand (under the oversight of management/their delegate)
• encourage the person to have support while viewing their record (ie for sensitive information)
• inform the person of their right to seek a correction to their personal information.

A parent/guardian may access their child's personal information on request unless we reasonably believe it would be contrary to the young person's best interests after considering:

• the young person's views on access
• the nature of the personal information to be accessed
• the parent's reasons for wanting access
• the importance of privacy to the well being of the rangatahi.

If access is denied, the parent/guardian will be informed of our reasons and their right to complain to the Privacy Commissioner.

Recordkeeping

A record will be kept of:

• any request for access and of the date when received
• a copy of the information accessed
• authorisation to access (if given by a person relevant)
• the reasons for delay or refusal (if applicable)
• safeguards implemented to action the request
• other steps taken for the request (eg in relation to parental access).

Privacy Officer

We have a Privacy Officer to support our compliance with the law and policies and to support our interactions with the Office of the Privacy Commissioner (eg about privacy breaches; complaints etc.)

Family violence information

When enabling a person to access their personal information,reasonable care must be taken to ensure that:

• Information, which is vital to the safety of a protected person (under the Family Violence Act 2018), is not revealed to a respondent. However, other information may be accessed eg information about a child's wellbeing. If in doubt, we will liaise with the Family Court Coordinator regarding appropriate action.
• Caregiver/Protected person consent will besought prior to any communication with a respondent or respondent's programme provider. The exception will be where there are threats to a party, in which case appropriate disclosure will be made.