Privacy Policy

Intent
Lifeskills is committed to ensuring full compliance with the Privacy Act 2020 and its amendments, Privacy Codes of Practice and any other relevant Standards, Guidelines or Legislation. The organisation values the importance of privacy and principles to protect the privacy of individuals. To meet this commitment, Lifeskills will ensure that the way it collects, uses, secures, and discloses personal information meets the requirements of the Privacy Act 2020.

‍

Company
This is to be achieved by ensuring:

Personal information is only collected for a lawful purpose only to the extent necessary for Lifeskills business
Personal information is directly collected from the person and not a third party
Any personal information collected is based on full disclosure of purpose and use of information
Personal information is not collected by unlawful, unfair, or unreasonably intrusive ways
Adequate safeguards are in place for safe storage and security of personal information
Every person can access any personal information held about them
Every person can correct the personal information held about them
Any disclosure of personal information is accurate, up to date, complete, relevant, and not misleading
Any personal information is not retained longer than it is required for the lawful use
Any personal information is only used for the purposes it is collected
Any disclosure of personal information complies with requirements of the Privacy Act 2020
Any personal information is not disclosed to organisations or individuals outside of New Zealand. If required by law, this complies with the requirements of the Privacy Act 2020
Ensure that any unique identifiers are protected from misuse
Promptly reporting any privacy breaches to the Privacy Commissioner

‍

Applicability
This Policy is operationally applicable to the Lifeskills Board, Chief Executive, Senior Managers and in particular members of the Human Resources team, privacy officers, administrators, and the Operations Manager. The contents have a bearing on all employed staff, whether a party to an employment agreement, an independent contractor or otherwise in a relationship of employment with Lifeskills. Lifeskills recognises that any entity that holds personal information including private businesses must comply with the Privacy Act 2020, and mandatory compliance with legislation and organisational policies and procedures to ensure protection of personal information is required.

‍

Criteria
Lifeskills operational policies and procedures are to be read in conjunction with each other. This policy relates to the achievement of a robust administration system, supported by appropriately qualified and trained staff satisfying the needs of the stakeholders. The intention is to achieve procedural fairness and clarity and no policy is intended to contravene another or have an adverse effect on the person to whom it is applicable.

‍

Appointment of Privacy Officers
The organisation appoints three distinct Privacy Officers.

The Chief Executive is appointed as the Privacy Officer (Approvals) with responsibility to approve any requests, policies and procedures relating to the Privacy Act 2020.
The Operations Manager is appointed as the Privacy Officer (Operations) with responsibility to ensure operations meet requirements of the Privacy Act 2020, implement good practice policy and procedures, and audit compliance on a regular basis.
The Registrar is appointed as the Privacy Officer (Information) with responsibility to ensure any personal information collected is only for the lawful purpose, it is secured and protected, and safely destroyed when the lawful purpose concludes.

‍

The Privacy Principles (Privacy Act 2020)
The policy is designed to comply with the 13 Privacy Principles as outlined by the Privacy Act 2020:

Principle 1 - Purpose for collection
Principle 2 - Source of information
Principle 3 - What to tell an individual
Principle 4 - Manner of collection
Principle 5 - Storage and security
Principle 6 - Access
Principle 7 - Correction
Principle 8 - Accuracy
Principle 9 - Retention
Principle 10 - Use
Principle 11 - Disclosure
Principle 12 - Disclosure outside New Zealand
Principle 13 - Unique identifiers

‍

Policy Principles

Application
The Privacy Act applies to ‘personal information’ - information which is about an identifiable individual. Individual is defined as meaning any living natural person (so doesn’t include ‘legal persons’ like companies).

‍

Material Form
Information is defined broadly and includes physical documents (like written records or photos), electronic documents (emails, audio, and video recordings, etc.), and can include information held in the mind of the employees if that information is readily retrievable.

‍

Personal Information
Information or an opinion about an identifiable individual or information that could lead to identification of an individual:

whether that information or opinion is true or not, and
whether that information or opinion is recorded in a material form or not.

‍

Sensitive Personal Information
“Information or an opinion about individuals” that also has personal information such as:

racial or ethnic origin
political opinions
membership of political associations
religious beliefs or affiliations
philosophical beliefs
membership of a professional or trade association
membership of a trade union
sexual orientation or practices
criminal record

‍

Training and Development
Lifeskills will ensure all staff and contractors are inducted to the organisation privacy policies and procedures.
Lifeskills will ensure all staff are provided training to meet the organisation’s obligations under the Privacy Act 2020.
The Privacy Officer (Approvals) is responsible to ensure that the induction and training is fit for purpose to provide education and guidance on meeting the requirements of the Privacy Act 2020.
The Privacy Officer (Operations) is responsible to ensure all staff and contractors receive induction and training on meeting the requirements of the Privacy Act 2020.

‍

Collection of Information
The Privacy Officer (Information) is responsible to ensure that:

Any personal information collected is for a lawful purpose and only to the extent required for that purpose.
Any personal information is directly collected from the individual and no other means of personal information collection is practised.
Any personal information collected is on the basis of disclosure of the following to the individual:
- purpose of collection?
- who will receive it?
- whether giving it is compulsory or voluntary?
- what will happen if the information isn’t provided?
Any personal information collected is lawful, fair, and reasonable.

‍

The Privacy Officer (Information) can set guidelines for information to be collected, disclosed and the manner in which it is collected. The Privacy Officer (Information) can stop, limit, or destroy information collected based on its non-compliance with the Privacy Act 2020.

‍

Storage and Security

The Privacy Officer (Operations) is responsible to set procedures that are reasonable to prevent loss, misuse, or disclosure of personal information.
The Privacy Officer (Operations) has the authority to approve purchases including devices, encryption, physical barriers, and digital barriers or electronic security measures to ensure security of personal information.
The Privacy Officer (Information) is responsible to limit access of personal information to those who need it for an approved duty and setting data management and information use procedures for protection of personal information.
The Privacy Officer (Information) is responsible for secure storage, archiving and destruction of personal information as per legislative requirements.
The Privacy Officer (Information) is responsible to set security protocols for digital or physical transmission of data.

‍

Access, Correction and Accuracy
The Privacy Officer (Approval) is responsible to set an accessible process for individuals to request access and correction of personal information held by the organisation.
The Privacy Officer (Approval) is responsible to approve such requests and provide requested information or correction as soon as practicable and no later than 20 working days of receipt of such request. In case of a disagreement to the correction of personal information, the Privacy Officer (Approval) is required to attach a statement of correction to the information to show the person’s view.
The Privacy Officer (Approval) is responsible to consider, approve or decline any requests for access, including any urgent requests within the parameters of the Privacy Act 2020.
The Privacy Officer (Approval) is responsible to ensure any disclosure of personal information is accurate, up to date, complete, relevant, and not misleading.

‍

Retention and Use
The Privacy Officer (Information) is responsible to ensure that all information collected is only used for the lawful purpose it is collected.
The Privacy Officer (Information) is responsible to ensure that all information collected is only retained no longer than it is required for lawful purpose.
The Privacy Officer (Information) is responsible to set process for disposal of personal information in a way that complies with the requirements of the Privacy Act 2020.
The Privacy Officer (Information) is responsible to ensure that reasonable steps are in place to protect unique identifiers.

‍

Disclosure
The Privacy Officer (Approval) is responsible to consider any requests of disclosure of personal information from any party.
The Privacy Officer (Approval) may only approve such requests in limited circumstances that meet legal obligations after considering relevant legal opinion.
The Privacy Officer (Approval) shall not approve any requests of disclosures to entities that are not subjected to the Privacy Act 2020.
The Privacy Officer (Approval) shall be responsible to ensure that disclosure does not include any unique identifiers unless expressly required by law.

‍

Policy Access
The Privacy Policy and associated documentation are accessible to all employees and contractors.
Privacy policy disclosures and statements are accessible to individuals both in public forums such as the website and brochures and at time of collection of data.
A record of acknowledgment of the Privacy Policy should accompany all personal information collected.

‍

Privacy Breaches
The Privacy Officer (Approvals) is responsible to report any notifiable privacy breaches to the Privacy Commissioner as soon as practicable and no later than 72 hours of being aware of such breach.
A privacy breach occurs when an organisation or individual either intentionally or accidentally:

provides unauthorised or accidental access to someone's personal information
discloses, alters, loses, or destroys someone's personal information
is unable to access their personal information due to, for example, their account being hacked

The Privacy Officer (Operations) is responsible to take reasonable steps to prevent privacy breaches by taking steps such as:

physically securing personal information
preventing employee browsing
disposing of information and documents safely
preventing data breaches through email
preventing communication from going to the wrong address
keeping organisation IT network secure

‍

Records Management
All personal information and records are maintained in accordance with Records Management Policy.

‍

Related Key Documents

Legislation

Privacy Act 2020

Other policies that may impact on this policy

Guidelines

Standards and Procedures

Forms

Other Useful Resources

Accountability, Management and Control
Owner
Chief Executive

Content Manager
Chief Executive, Operations Manager, Group Registrar

Prepared by
Administration Project Contractors

Approval
7th October, 2022

Review date
7th October, 2023

‍