Privacy Statement
Confidentiality, Security and Privacy Policy
We recognise that personal information is essential for serving our clients and ensuring that the service we provide is the best it can be. The way we work must give everyone we deal with trust and confidence that we will do the right thing with their personal information.
During their work, The Matamata Household Budget Advisory Service Incorporated (“MHBAS”) employees are privy to confidential and private information and are, therefore, required to protect the confidentiality, security and privacy of that information. As part of the recruitment and employment process all employees, contractors, Committee and volunteers should sign a Confidentiality Agreement before officially commencing work.
This is critical to maintaining trust and confidence in our organisation and ensuring we are achieving our key purpose.
At all times MHBAS and its employees must meet the requirements and principles of the Privacy Act, as well as the following policy.
Accountabilities
All employees and Committee members are responsible and accountable for managing personal information appropriately with regard to MHBAS work.
Personal information
Personal information is any information about an identifiable individual, who is a living, natural person. A company is not an identifiable individual.
The information does not need to be private or sensitive, or identify a person by their name, to be personal information. Information is personal information if there is a reasonable chance that an individual could be identified from it, whether from that single piece of information on its own or by linking it with other data.
Personal information includes information about other employees and Committee members as well as our clients.
Examples of personal information that MHBAS holds include: employee and payroll information; individual client and local employee information held on the Client Voices information management system; training facilitator, tutor and student information; Committee information.
Personal Information – Access, use, disclosure
Employees must ensure that they access, use and disclose personal information only if:
- it is being used for the purpose(s) for which it was collected; and
- it is necessary for carrying out their official duties for MHBAS.
Information held by MHBAS should not be accessed or used unless these two criteria have been met.
Informed consent
Ensuring that all MHBAS’s information-gathering is done with informed consent is critical to client trust in the organisation. Without informed consent MHBAS cannot hold individual client information.
Informed consent consists of:
Consent
The client of a service must agree to provide the information for MHBAS to hold it.
Authority to consent
The client must have the authority to consent to the information being provided. This is particularly important in the case of information held on behalf of a third party.
Information
It is incumbent on MHBAS to ensure that our clients know how the information they provide our organisation may be used.
Communication
If the use of information changes over time, MHBAS requires employees to ask clients to give permission for the new use.
Recording consent
MHBAS must keep a record of the client’s informed consent.
Who may release or withhold personal information?
The Chairperson is delegated the power to decide whether to release, correct or withhold personal information in response to requests made under the Privacy Act.
Under the Privacy Act, MHBAS is required to ensure that the person making the Privacy Act request is identified as the person the information relates to, and that no other individual’s privacy is breached in the release.
Confidentiality
Information shared from time to time while performing work duties is confidential. Confidential information must not be discussed with anyone outside MHBAS, except as required to properly progress that work.
Clean desk principle
Employees should clear all sensitive documents from their desks and hold them in locked filing cabinets or other secure employer storage overnight.
E-mails
Due to its ease and speed of use, e-mail has particular privacy risks. The following actions can help prevent accidental breaches of privacy:
- draft e-mails with the ‘To’ field blank
- when sending mass e-mails, use BCC for privacy
- double-check attachments and contents (including e-correspondence threads/chains)
- password-protect attachments where necessary
- set up a delayed e-mail send in Outlook
- consider turning off Outlook ‘autocomplete’
- secure electronic and mobile storage devices with password protection
- lock the computer screen when the computer is left unattended
- never share information with unauthorised people.
Documents
All confidential documents that are not required to be kept must be shredded or securely destroyed.
Visitors
All meetings with visitors should be held in the meeting rooms set aside for that purpose, or off the premises.
Visitors who, for operational reasons, are granted access to MHBAS’s workspace areas are to be appropriately supervised during their attendance. Caution should be adopted when discussing MHBAS’s work and related matters. This is particularly important if the workplace is an open plan office.
Privacy obligations
All employees are required to comply with all applicable privacy principles and other obligations set out in the Privacy Act. The collection of personal information by and about employees is also governed by that Act. MHBAS may compile personal information from time to time about its employees and prospective employees to enable it to fulfil its roles and functions. Care must be taken about why personal information is collected and compiled, held, accessed, used including by whom, and disclosed. Every agency including MHBAS is required by law to appoint a Privacy Officer.
Privacy Act 2020
Any employee who wishes to compile, store, access or use personal information must adhere to the Information Privacy Principles contained in the Privacy Act. The Act contains 13 Information Privacy Principles dealing with collecting, holding, using and disclosing personal information, disclosing it outside New Zealand, and assigning unique identifiers. The principles also give individuals the right to access personal information and to request correction of it. They do not override other laws that govern the collection, use or disclosure of personal information. The principles are:
- Only collect personal information if it is necessary for a lawful purpose connected with our functions.
- Get personal information directly from the individual concerned wherever possible.
- Be clear with people about what is being collected, why, what will be done with it, and who will see it, etc.
- Be fair and considerate about how personal information is obtained.
- Store it securely (protect it against loss, unauthorised access, use, modification, disclosure, or other misuses).
- Let the person see personal information if they want to.
- Fix it if the person thinks it is wrong.
- Ensure personal information is accurate before you use it.
- Securely dispose of personal information when it is no longer needed.
- Use personal information only for the purpose you got it.
- Only disclose personal information if you have a good reason.
- Only disclose personal information to an agency outside New Zealand if it will be protected by comparable privacy safeguards or the individual has agreed (this principle was added in the 2020 Act).
- Only use ‘unique identifiers’ where it is clearly allowed.
The Chairperson is responsible for ensuring, where practicable, that all systems, processes and practices in the areas for which they are responsible conform to the Privacy Act and the Information Privacy Principles.
Employees must also comply with the requirements relating to the archiving of data and privacy, storage and use of personal information.
Applications for employment by prospective employees
MHBAS may retain information provided by prospective employees for up to six months after the date the information was provided. When a prospective employee asks for the return of their curriculum vitae (CV) and similar personal information following an unsuccessful employment application, the information must be returned. Otherwise, CVs received from unsuccessful applicants and/or other identifiable information will be shredded or securely disposed of after six months.
Process/guidelines
Further detailed information about the Privacy Act and the Information Privacy Principles, including guidance notes, can be sourced from the website of the Privacy Commissioner.
Privacy breach response
What is a ‘privacy breach’?
A privacy breach is unauthorised access to, or collection, use, disclosure or loss of, personal information.
In the event of a privacy breach it is critical that MHBAS fronts up quickly, advises the individuals affected by the breach and apologises where appropriate. This allows affected parties to take steps to protect themselves, allows the organisation to address the breach and its cause, and is important to maintaining trust in the organisation.
As such, any employee who becomes aware of a privacy breach is expected to report it immediately to the Chairperson. The Chairperson will report all privacy breaches to the Committee and, where the breach is notifiable under the Privacy Act (that is, where it is reasonable to believe it has caused or is likely to cause serious harm to an affected individual), to the Office of the Privacy Commissioner.
What is a ‘near miss’?
A near miss is an incident that had the potential to, but did not, breach any of the information privacy principles – for example, private information being put on a webpage but removed before it is cached or accessed.
In the case of inadvertent breaches and near-misses, MHBAS takes a ‘no blame’ approach as we need to know that issues are reported as soon as possible and without concern. When mistakes are made, it is the response from employees that is important.
In the case of a breach or near miss, employees must:
- Tell the Chairperson as soon as possible
- Identify what information was involved and who or what it is about
- Retrieve the information immediately or ensure it is deleted or disposed of by the recipient and ask for confirmation
- Note the details of the breach in a report to the Chairperson as soon as is practicable
- Keep any records relating to the incident (e.g. emails, letters, and notes)
- Identify and implement ways to prevent similar incidents recurring.
The Privacy Officer will provide advice on the next steps, including whether the breach must be notified to the Office of the Privacy Commissioner and how the affected party or parties should be advised.