Introduction
The Privacy Act sets out a series of principles which relate to and promote:
- the collection, use, and disclosure of information about individuals; and
- providing individuals with access to information about them held by an organisation.
The Act gives the Privacy Commissioner a power to issue codes of practice which may modify the effect or operation of the Act in respect of particular sectors, industries, occupations, or activities.
Under the Act, individuals have a right to request access to personal information about them held by an organisation, and to seek corrections to that information if the individual considers it to be incorrect.
Policy
- NZbrokers Management Ltd undertakes to recognise and observe the information principles set out in the Privacy Act.
- Complying with the principals gives employees and others confidence that their personal information is properly safeguarded.
- Before NZbrokers Management Ltd disclose any personal information overseas, the overseas entity will need to provide evidence of similar levels of privacy protection that have the same legal protection as it would in New Zealand.
- In the course of its business activities, NZbrokers Management Ltd collects, stores, uses, and discloses personal information about employees and others. It may do this in order to comply with legislative requirements and the needs of government and official agencies; or to manage its business and operations, or for internal administration and internal reporting purposes.
- NZbrokers Management Ltd undertakes that it will endeavour at all times to collect, store, use, and disclose personal information in accordance with the principles set out in the Privacy Act and only to the extent necessary for the efficient and effective conduct of its business.
- NZbrokers Management Ltd will keep its needs for personal information under constant review, and will change its information collection, storage, usage, and disclosure processes and methods whenever appropriate.
- If the NZbrokers Management Ltd believes “serious harm” has been caused to affected individuals, it is mandatory to report the breach as defined by the reporting regime.
Definitions
For the purposes of the Privacy Act and this policy:
- NZbrokers Management Ltd is an agency.
- Personal information is information about an identifiable natural person, whether that individual is an employee, independent contractor, other worker, agent, consultant, or a person who is otherwise associated with NZbrokers Management Ltd
- Personal information may be in any form. It may be a document (see below), but not necessarily. It includes any information that NZbrokers Management Ltd has about an identifiable individual, even when that information is held only in the mind of a person who represents the organisation.
- A document may take any form, including written or printed material; information that is recorded or stored electronically; books, maps, plans, graphs, or drawings; and photographs, films, negatives, tapes, or other devices used to store and reproduce images.
- Evaluative or opinion material is material in any form that has been compiled solely for the purpose of determining the suitability, eligibility, or qualifications of the individual to whom the material relates for employment or appointment, for promotion or continuance in employment or office, for removal from employment or office, or for the awarding, continuing, modifying or cancelling of contracts, awards, scholarships, honours, or other benefits.
- Employees and Others Employees are any persons employed by NZbrokers Management Ltd. Others are clients, customers and any other worker of the NZbrokers Management Ltd
- Any personal information held by an officer or manager or employee of NZbrokers Management Ltd and held in that capacity, is deemed to be information held by the organisation itself.
Implementation and Procedures
Authority to deal with personal information
In return for the assurance that NZbrokers Management Ltd will observe the information privacy principles set out in the Privacy Act, employees and other persons are presumed to authorise at the time of their engagement the collection, storage, use, and disclosure of personal information.
A statement to this effect will be given to each intending employee or other persons for signature or approval before the engagement is confirmed.
NZbrokers Management Ltd is required to provide specific personal information about employees and others to various government agencies (eg Inland Revenue, Ministry of Social Development, Accident Compensation Corporation) and to other organisations (eg KiwiSaver scheme managers). It is assumed that employees and others authorise the disclosure of this information.
Access to information
Employees and other persons may request access to any personal information about them which NZbrokers Management Ltd might have.
Requests for access to personal information may be made directly to the person or department where the information is believed to be held. Alternatively, requests may be made to the Chief Executive Officer or the Privacy Act Officer.
The person who receives a request for access to personal information must respond without undue delay. In most cases, the individual making the request will be able to inspect the information in the form in which it is held or stored and, where appropriate and if requested, be provided with a printed or electronic copy.
The person who receives a request for access to personal information may consider that the request the Chief Executive Officer/Privacy Act Officer raises issues that need further consideration. The request must then be referred to for a decision. That decision must be made and communicated to the individual concerned within 20 days of the date on which the request for access was received.
Refusing access to personal information
In limited circumstances, a request for access to personal information from an employee may be declined. A decision to decline a request must be discussed with, and approved by, the Chief Executive Officer/Privacy Act Officer
A request for access may be declined if the information concerned is evaluative or opinion material.
A request for access may be declined if disclosure of the information concerned would:
- lead to the unwarranted disclosure of the affairs of another person
- breach a promise to a person who supplied evaluative material that the information or the identity of the person who supplied it or both would be held in confidence
- be likely to prejudice the physical or mental health of the individual concerned
- be contrary to the interests of an individual under the age of 16
- breach legal professional privilege.
A request for access may be declined, with the approval of the Chief Executive Officer/Privacy Act Officer if:
- the request is frivolous or vexatious
- the information requested is trivial
- the information requested is not readily retrievable
- the information requested does not exist or cannot be found, and there is no reason to believe that the information is held by another agency.
If a request for access to personal information is declined, the individual who made the request must be given, in writing, the reason or reasons for the refusal. An explanation of the reason or reasons should be given if requested. The person who made the request must be told that the refusal may be reviewed by the Privacy Commissioner or an Ombudsman.
Correcting personal information
An individual or representative of a company who is a client, who believes that any personal information about them is not accurate may ask for the information to be corrected.
The request for a correction should be made in writing and specify the change or changes that the individual or representative wishes to have made. The request should be made directly to the person who holds the information or to the Chief Executive Officer for employees and the Privacy Act Officer for Clients.
If warranted, the requested correction will be made.
If correction is considered to be unnecessary or unwarranted, the individual must be advised accordingly. The individual or representative may then ask for the requested correction to be attached to the information concerned, so that it is visible whenever others have access to the information.
Procedure for making complaints of interference with privacy
Employees and others may complain to NZbrokers Management Ltd that there has been interference with their privacy, and that this has caused them loss or damage, adversely affected their rights or interests, or resulted in significant humiliation, loss of dignity or injury to their feelings.
As an alternative, under the Privacy Act, complaints may be made to the Privacy Commissioner or an Ombudsman.
Employees and others who wish to complain that there has been interference with their privacy should first approach the person responsible for the alleged breach.
If that is not possible or appropriate, or the outcome of the approach does not satisfy the complainant, the complaint should be made again to the Chief Executive Officer for employees and Privacy Act Officer for Clients. The complaint may be made in person or in writing.
NZbrokers Management Ltd aims to investigate and resolve any complaint speedily and informally if possible.
Employees and others who wish to make a formal complaint that there has been interference with their privacy should set out in writing the details and circumstances of the alleged interference and deliver it to the Chief Executive Officer for employees and Privacy Act Officer for Clients.
The Chief Executive Officer/Privacy Act Officer will investigate the complaint as quickly as possible. The complainant, who may have the support or assistance of a representative or other person(s) chosen by the employee, will have the opportunity to contribute to the investigation.
The investigation will aim to achieve speedy resolution or satisfaction of the complaint. If that is not possible, and the complaint is upheld by the investigation, the matter may become the subject for training, counselling or disciplinary action.
The complaint and the outcome of the investigation are to be recorded and included on the employee’s personal file or in the Clients file.
Policy approved by:
NZbrokers Management Ltd