Individuals are entitled to:
request access to personal information that is held about them
request that the information held about them be corrected
Personal information under the Privacy Act 2020 (the Act) means “information about an identifiable individual”.
Information and Privacy Principles
The Act establishes 13 information and privacy principles (IPPs) that cover the collection, use and disclosure of information relating to individuals by the Employer, as well as the access to and correction of that information by the individuals concerned.
The privacy principles are subject to certain restrictions imposed by the Act, and may be expressly overridden by provisions in other Acts.
A breach of the IPPs may amount to interference to privacy, which may be investigated by the Privacy Commissioner.
Complaints not settled by the Privacy Commissioner may fall to be determined by the Human Rights Review Tribunal.
The IPPs provided for by the Act are:
Principle 1 – Purpose: Information must be collected for a lawful purpose connected with the activity and functions of the Employer. The collection of the information must be necessary for that purpose.
Principle 2 – Source: Personal information must be collected directly from the individual concerned apart from in limited circumstances.
Principle 3 – Collection: When personal information is collected directly from an individual, the person collecting must ensure that the individual is aware of a number of matters, including the purpose for which it is collected, the intended recipient, the fact that the individual has a right to access to, and a right to request correction of, that information.
Principle 4 – Manner of Collection: Personal information may not be collected unlawfully, or in any way that is unfair in the circumstances or which intrudes unreasonably on personal privacy.
Principle 5 – Storage and Security: The Employer must ensure that it has reasonable safeguards for securing from loss, access, use, modification, disclosure or misuse of the information.
Principle 6 – Access to Personal Information: Any individual is entitled to confirmation from the Employer as to whether it holds personal information, and access to that information about them if it is readily retrievable.
Principle 7 – Correction: An individual is entitled to request correction of personal information about them held by the Employer.
Principle 8 – Accuracy: The Employer cannot use personal information without taking reasonable steps to ensure that the information is up to date, complete, relevant and not misleading.
Principle 9 – Time Limit: Personal information may not be kept longer than necessary for the purpose for which it may lawfully be used.
Principle 10 – Limits on Use: Personal information obtained for one purpose may not be used for another purpose subject to certain exceptions.
Principle 11 – Limits on Disclosure: The Employer must not disclose personal information to any person or agency, unless one of the following applies:
there is a reasonable belief that disclosure is one of the purposes for which information has been obtained;
disclosure is to or on behalf of the individual concerned;
disclosure is necessary to enable the sale of the business;
disclosure is necessary to prevent a serious or imminent threat to public health or safety;
it has been authorised by the Privacy Commission;
the information is publicly available;
disclosure is necessary to avoid prejudice to the maintenance of law; and
the information will not be used in a form which identifies the individual concerned; and
Principle 12 – Cross-Border Disclosure: The Employer may disclose information to a foreign person or entity only under limited circumstances as outlined in the Act.
Principle 13 – Unique Identifier: The Employer may not assign a unique identifier to an individual unless this is necessary to enable it to carry out its functions effectively. A “unique identifier” is a tag that does not use the individual’s name.
Citycare collects, holds and uses personal information in order to perform our work and also as part of employing and engaging staff. Citycare is committed to ensuring that personal information is managed appropriately, and we strive to uphold good practice privacy standards in the collection, storage, use and disposal of personal information.
Personal information at Citycare is subject to:
The Act and associated 13 IPPs that cover the collection, handling, storage and use of personal information
The Official Information Act 1982
The Public Records Act 2005
What personal information is collected?
Citycare only collects personal information that is reasonably necessary to conduct the functions or activities of our business. The purpose for collecting the personal information will be clearly articulated before, at, or as soon as practicable after the collection. Generally, personal information will be used for dealing with your request, enquiry or employment-related matters.
Personal information collected will differ depending on the purpose of collection. For example, a resume may be required from candidates applying for a position; mailing address details for subscriptions to company newsletters; and emergency contact and tax file numbers for human resource management.
By sending emails, you will be providing us with certain personal information which may include your name and contact details. This information is collected by us for the purpose of dealing with your request. We may not be able to deal with your request without collecting this information from you.
When it is reasonable and practicable to do so and provided another exception in the IPPs does not apply, we will collect your personal information directly from you.
Citycare also collects personal information from recruitment service providers in seeking out prospective job applicants.
Information collected via our website
the address of a user’s server;
a user’s top-level domain (such as .com or .nz);
the date and time of a user’s visit;
the pages a user accessed and downloaded;
the search engine a user used;
the type of browser that was used.
When a user visits our site, a cookie may be placed on their machine. Where a user has visited us before, the cookie may be read each time they re-visit the site. We do not use this technology to access any other personal information of a user in our records and a user cannot be personally identified from a cookie.
How will Citycare use and disclose personal information?
Citycare will use personal information only for the purposes for which it is collected, except where legislation allows it to be used for other purposes. Citycare will, when using information, take reasonable steps to ensure it is complete, relevant, up to date and not misleading.
Personal information will only be disclosed to unrelated third parties with your consent or where required by law, or for one of the purposes for which the information was obtained. We may disclose your personal information to:
our employees, related bodies corporate, contractors or service providers for the purposes of operating our business or website, fulfilling requests by you or to provide products and services to you;
suppliers and third parties with whom we have commercial relationships, for business, marketing and related purposes; and
other organisations for authorised purposes with your express consent.
Citycare may share personal information with related companies or with contractors performing services for Citycare. In these instances, we will use reasonable endeavours to ensure that these organisations comply with the IPPs.
How will Citycare store and manage your data?
Citycare will maintain all reasonable safeguards against the loss, misuse or inappropriate disclosure of personal information, and maintain processes to prevent unauthorised use or access to that information. In particular:
Citycare will keep physical documents secure, including circumstances where there is a business need to take them outside of Citycare premises, and no technical solution is applicable.
Citycare will keep electronic personal information secure by ensuring its data storage is protected from external sources, maintaining regular back up of data to secure storage and applying good practice for information security management.
Citycare may use cloud computing services to manage and store information. Where used, Citycare will take reasonable steps to protect the personal information we hold from misuse and loss, interference and from unauthorised access, modification or disclosure.
Citycare will securely de-identify or dispose of personal information when we have no further need to use it, or when we are required by law to do so.
In accordance with our email policy, any emails you send will be automatically scanned which may result in your email or attachments being blocked. Our IT administrators may have access to your emails to authorise the content for security purposes only and not thereafter.
How can I access and correct information?
You may request access to personal information that we hold about you. Citycare will provide you with access to personal information in accordance with the Act and IPPs. There may be instances where we cannot grant you access to the personal information that we hold, for example, if it would interfere with the privacy of others or if would result in breach of confidentiality. If you are refused access to information, we will provide you with reasons for the refusal and inform you of any exceptions relied upon under the IPPs.
Citycare will take reasonable steps to make sure that the personal information we collect, use or disclose is accurate, complete and up to date. If you believe that the personal information we hold about you is inaccurate or out of date, please let us know and request us to amend it. We will consider your request, and if we are satisfied with your request, we will take reasonable steps to correct the information. If we do not agree that there are grounds for amendments, then we will follow the procedures set out in the IPPs.
A privacy incident includes an actual privacy breach, a potential privacy breach, or a near miss.
A privacy breach occurs when there is an unauthorised or accidental access to, or disclosure, alteration, loss or destruction of personal information. A privacy breach can also include an action that prevents Citycare from accessing the information on either a temporary or permanent basis.
A potential privacy breach occurs where an IPP might have been breached, but it is not known if an actual breach occurred.
A near miss is where an action could have resulted in a breach but ultimately the breach does not occur.
All privacy incidents (actual and potential breaches or near misses) discovered by staff should be notified to their immediate manager. Managers are responsible for managing the response to the privacy incident.
A Privacy Incident Reporting form should be completed as soon as possible. This will be provided to Citycare’s Privacy Officer who will advise further on the management of the privacy incident. This may include notifying the incident to the Office of the Privacy Commissioner where required under the Act or if notification is considered necessary in the interests of transparency.
Requests and Complaints
Where any member of staff becomes aware of a privacy complaint made by an individual to Citycare or to the Office of the Privacy Commissioner, Citycare’s relevant Privacy Officer should be notified.
Who to contact?
Citycare’s Property Privacy Officer is Dave Mills. His contact details are as follows:
Telephone: 021 195 9185 Email Dave.Mills@citycare.co.nz
Citycare’s Water Privacy Officer is Heidi Walkley. Her contact details are as follows:
Telephone: 021 223 9164 Email Heidi.Walkley@citycare.co.nz
Citycare’s Group Privacy Officer is Alastair Ridgway. His contact details are as follows:
Telephone: 021 798 784 Email Alastair.Ridgway@citycare.co.nz