Table of Contents
Collection of Sensitive Information
Creating and Collecting Sensitive Information
Receipt of Incorrect Information
Use of Email for Communicating Sensitive Information
Storing Sensitive Information
Accessing and Availability of Sensitive Information
Managing Requests to Change Sensitive Information
Use of and Maintenance of Sensitive Information
Archiving and Destruction of Sensitive Information
Responsibilities for Sensitive Information
Who to Contact
This policy provides the principles that M@D will adhere to in the collection, use and storage of sensitive information (i.e. that of members and personnel). It forms the basis of how M@D will receive, process, manage and destroy sensitive information.
To fulfil its organisational mission and objectives, M@D requires the ability to collect, retain and utilise sensitive information on behalf of its members and personnel.
M@D is committed to ensuring that sensitive information is kept private, protected and secure. Privacy at M@D is subject to, and moderated by, the following:
- Privacy Act 1993 (as at December 2019)
- Human Rights Act 1993
- Anti Money Laundering and Countering of Financing of Terrorism Act 2009
- Education Act 1989
- Incorporated Societies Act 1908
- Charitable Trusts Regulations 2019
M@D may need to collect and store information for a number of statistical and organisation-related objectives.
Timely and efficient accessibility to information enables M@D to:
- Identify members through sensitive information
- Maintain personnel records as required by statutory requirements
- Maintain a comprehensive record of members
- Facilitate the monitoring and operations of M@D performance, processes and systems
- Assist in policy development for M@D
Information that pertains to these principles may be collected via various media (this may be in the form of mail, telephone, face-to-face conversations, password-protected databases, websites, and email) and in various formats, such as forms, letters, spreadsheets, survey responses, electronic file notes, taped conversations, and common internet technologies.
M@D will collect information only for the purposes linked to the organisational functions and processes previously stated.
M@D will fully disclose the intent of the collection of information, our purposes for doing so, and the employee/member’s rights to access and correct that information. Disclosure is provided during the collection process, through verbal dialogue between the Board of Directors, members and personnel before subsequent requests for information are made on behalf of members or personnel.
M@D will endeavour to return irrelevant/incorrect sensitive information provided upon receipt back to the supplier of the information, where possible. If it’s not possible or if it’s inconvenient to return incorrect/irrelevant information, then the information will be destroyed.
Email is an acceptable way of sending information; however, it isn’t the most secure form of transmission (as ISPs can view information and it can be sent to an incorrect recipient). However, it is deemed more secure than fax.
M@D considers that the most secure way of transmitting information is by email.
If an employee or member, or another 3rd party with permission (e.g. Massey University, Studylink, etc.), wishes us to email information, they should first email the request to M@D – we can then reply directly to that request with the required information.
Alternatively, we can email the individual requesting the information and they can reply to confirm that the email details are correct. The information can then be sent.
All information/data should be saved into PDF format before emailing. This decreases the risk of information being manipulated. The PDF file shouldn’t include any signatures as these can still be extracted and used for unwarranted purposes.
An over-arching policy is that M@D should:
- Collect just barely enough information
- Delete all stored information as soon as possible, and
- Make information viewable by as few people as possible
except where there is need for information to be collected and/or retained and/or disclosed in order for M@D to most effectively do its job and fulfil its legal and contractual obligations.
M@D is committed to providing safeguards and best practice standards to ensure sensitive information (whether electronic or in hard copy) is kept secure and private, and to protect against loss, misuse or inappropriate disclosure.
Where there is a requirement to take physical documents outside of M@D’s premises, and there is no technical solution applicable, M@D will keep documentation secure.
M@D will ensure that sensitive information is kept secure from external sources by ensuring data storage is protected, through such provisions as: maintaining regular server back-ups, password protection of all electronic databases, shredding of paper information, providing confidentiality disclaimers to all staff, and applying best-practice standards for information security management (i.e. quick keys for dropping down screens and locking computers/turning off computers when the user leaves the desk).
M@D uses password-protected computer systems to manage and store member information.
M@D commits to providing employees, Directors and members with access to their sensitive information, where appropriate.
M@D will acknowledge and respond to requests for sensitive information held by M@D within 20 working days of the request being made unless sections 27-29 of the Privacy Act 1993 apply.
A request can be made to access an individual’s own sensitive information by calling, writing or emailing M@D. An individual can request someone else’s information if they have authority to act on their behalf and can provide evidence to support this.
To avoid confusion with individuals who may have similar names or dates of birth, a requestor may be required to verify their identity to M@D before receiving their file. This can be done by answering some identifying questions (Date of Birth, Address, GP, etc.).
Where a dual request for official information is received at the same time as a request for sensitive information, M@D will respond with separate replies for official information and the relevant sensitive information.
M@D is respectful of members’ and personnel’s right to seek amendment of factually incorrect information. When M@D receives a request from a member or personnel to change their sensitive information, the following process will be used to ensure that the requests are treated in a fair and consistent way. Requests for changes can be for factual data or opinion-based information.
A staff member of M@D will always contact the individual to advise them that their request has been received and that the original author of the information will be contacted (if received from another party).
If the information is about a staff member, they can email the President.
If the incorrect information is held, M@D will:
- Amend it on the member’s/personnel file and enter notes to advise of the amendment.
- Send the corrected information to any third party who may have also received the incorrect information.
- Advise the member/personnel that we have made the change.
Sometimes M@D will not be able to make a change to the information as requested. The main reason for this would be because it is related to opinion-based information (e.g. a medical assessment from an employee’s doctor or training assessor). If we are unable to make the requested change, we will:
- Contact the member/personnel to explain why we cannot make the change
- Ask the member/personnel if they wish to provide a written statement of correction, which we will add to their file. This statement shows that the member/personnel requested a change to their information, but that we haven’t made the change
- Send a copy of the new information with the statement of correction attached to any third party who has recently received the original information
- Contact the member/personnel to let them know the actions that have been taken
M@D is committed to only disclosing or using sensitive information for the purposes for which it is collected, taking reasonable steps to ensure it is complete, relevant, and up to date, and will engage the member/personnel who owns that information in ensuring the quality of that information.
M@D will not use or disclose information for a purpose that is inconsistent with the original purpose of collection, unless legislatively able to do so or for which we have consent, or legislatively required to do so.
M@D is authorised to disclose information to a number of third-party sources and external providers (Social Services, DHBs) for the purpose of:
- Maintaining personnel records as required by statutory requirements
- Maintaining a comprehensive record of members
- Facilitating the monitoring and operations of M@D performance, processes and systems
- Assisting in policy development for M@D
Of utmost importance is the principle that M@D will not disclose information to any outside commercial entities without clear informed consent, freely given. For example, you will not receive phone calls for life insurance or changes of electricity provider due to some company getting hold of your contact info.
However, there are cases where requests for support made to Massey@Distance may require specialised case management. In some such cases, it will be appropriate to engage another independent service provider.
To ensure that M@D keeps detailed records of members and employees, sensitive records will be kept in the company’s password-protected computer system for an undefined period of time.
Employee Files/Member Registrations are uploaded to the encrypted system. Paper files are stored in a filing cabinet for an undefined period of time.
M@D employees, Board of Directors, contractors, and our providers and suppliers will endeavour to resolve privacy incidents with affected parties at the time, to ensure that they are made aware of the incident.
All privacy incidents (refer to the Risk Register at the end of the document for examples) shall be reported to the President(s) and will be documented in an Incident Register. The President(s) will advise the best course of action for resolving the breach.
Affected parties will be notified as soon as practicable (unless a risk to health and/or safety is identified), if the incident is serious and likely to cause harm to the individual.
The person/parties who are in receipt of the breached information should be contacted as promptly as possible, advised that they have received sensitive information that is not for their receipt, and asked to destroy the communications.
Before advising the affected parties (whose information has been disseminated in error), be sure to have a plan of what needs to be done, or can be done, to fix the situation, so that this can be advised to the person whom the breach affects.
M@D is committed to ensuring that the following principles are adhered to.
- The Board of Directors are responsible for ensuring that the organisation is aware of the need to look after member/personnel information through training, high-quality monitoring and information management practices.
- The Board of Directors will actively direct and implement best practice privacy standards and ensure that privacy is central to the organisation’s values.
- All Trustees and Staff will act as Privacy Officers and will be the points of contact for all matters relating to organisational privacy.
- The Board of Directors will ensure that this policy is embedded in their area of responsibility, and that processes are directed through discussion and training and are used consistently to collect, store and destroy private information, reporting any privacy incidents to the Privacy Officer.
- All M@D staff (including contractors) will maintain best practice privacy behaviours, promote privacy at work, actively participate in privacy training, report all privacy breaches and near misses to the Presidents and identify privacy risks.
- Everyone at M@D is responsible for the privacy and management of sensitive information.