Objective: To ensure that the Company and its employees abide by the requirements of the Privacy Act 1993.
To be effective in doing our jobs we need to have access to relevant, accurate and timely information. The way that we collect and use this information must be consistent with the way we work in addition to meeting specific legal requirements.
The Act promotes and protects individual privacy and imposes controls on the collection, use and disclosure of personal information. This policy is to assist in understanding the requirements of the Act.
As a Company we keep information on individuals and, in particular, Employees and Candidates. Much of this is personal and confidential, and as such, is subject to the Privacy Act legislation. This legislation has been designed to protect individuals from misuse of personal information. It gives them the right to see their personal information and prevents it being processed if it is likely to cause damage or distress. In addition, it lays down rules for how that information may be used.
Legislation applies to most personal information held in manual, computerized and other forms. This includes information held on personal files as well as private systems maintained by Managers.
The Company takes its obligations towards its Employees and Candidates very seriously and undertakes to comply with all aspects of the privacy protection legislation.
"Personal information" is any information about an individual (a living natural person) as long as that individual can be identified. The Privacy Act 1993 identifies 12 distinct principles in relation to privacy protection:
Purpose of collection of personal information
Information must be collected for a lawful purpose and necessary for that purpose.
Source of personal information
Personal information must be collected directly from the individual concerned - with some exceptions including where the information is publicly available or where the individual has authorised its collection.
Collection of information
Where information is collected from an individual that individual must be aware of several specific matters including that the information is being collected and the purpose for which it is being collected.
Manner of collection of personal information
Information must not be collected unlawfully or in a manner that is unfair or that intrudes unreasonably on the personal affairs of the individual concerned.
Storage and security of personal information
Information must be stored and protected against loss or unauthorised access, use or disclosure.
Access to personal information.
Where information can be readily retrieved, the individual concerned is entitled to obtain confirmation that information is held and have access to that information. Some exclusions apply, eg where disclosure would prevent detection of criminal offences or would breach another individual’s privacy.
Correction of personal information
An individual may request correction of their personal information. Where this is not agreed to, the individual may request that a statement is attached to the original information saying what correction was sought but not made. There is an obligation to ensure that information retained is accurate, up to date, complete and not misleading.
Accuracy of information
Information held must not be used before it has been checked as accurate, up to date, complete, relevant and not misleading.
Information not to be kept longer than necessary
Personal information must not be kept longer than is necessary for the purpose for which it was collected.
Limits on use of personal information
Personal information obtained for one purpose must not be used for another, except in certain limited situations including where it is believed that authorisation has been given for further use or that the information was from a publicly available publication.
Limits on disclosure of personal information
Personal information must not be disclosed except in certain restricted circumstances including where the disclosure is in connection with one of the purposes for which it was obtained, or where the information is from a publicly available publication or where the disclosure is authorised by the individual concerned.
Persons holding information may not assign “unique identifiers” (for example code numbers) to individuals unless it is necessary to carry out their functions efficiently. The same unique identifier used by other persons/agencies (eg IRD numbers) cannot be used.
The Company will keep personal data relating to Employees and Candidates secure and will not use this information without their authority for its release. It may, however, disclose personal data in certain notified circumstances. This could include, for example, providing information to third parties under certain circumstances.
All requests by Employees/Candidates to see their own personal information held should be made in writing to a Director. They can ask to see the personal data being processed by the Company, the purposes for which the information is being used, and the details of anyone to whom this information has been given.
Employees must only give out personal information where they are satisfied with the proof of identity of the enquirer and/or where the relevant individual had given explicit permission. This applies particularly to information relating to candidates which must be kept securely and used only with the candidate’s consent.
Any Employee who does not follow this Policy or the guidelines in this document may be subject to disciplinary action.
Serious issues or illegal activity may be considered gross misconduct and may result in termination of employment.