policy framework

Under construction.

Status: late draft

Table of Contents

Scope
Sensitive Information
Collection of Sensitive Information
Creating and Collecting Sensitive Information
Receipt of Incorrect Information
Use of Email for Communicating Sensitive Information
Storing Sensitive Information
Accessing and Availability of Sensitive Information
Managing Requests to Change Sensitive Information
Use of and Maintenance of Sensitive Information
Archiving and Destruction of Sensitive Information
Privacy Incidents
Responsibilities for Sensitive Information
Who to Contact


Scope

This privacy policy applies to all Employees, Volunteers, Contractors, Service Providers, and Suppliers of Massey University Extramural Students’ Society Incorporated (Massey@Distance, hereinafter referred to as M@D).

It sets out the principles that M@D will adhere to in the collection, use and storage of sensitive information (i.e. information about members and personnel).  It forms the basis of how M@D will receive, process, manage and destroy sensitive information.


Sensitive Information

In order to carry out its mission and objectives, M@D requires the ability to collect, retain and use sensitive information about its members and personnel.

M@D is committed to ensuring that sensitive information is kept private, protected and secure.  Privacy at M@D is subject to, and governed by, the following:


Collection of Sensitive Information

M@D may need to collect and store information for a number of statistical and organisational objectives.

Timely and efficient accessibility to information enables M@D to:

  • Identify members through sensitive information
  • Maintain personnel records as required by statutory requirements
  • Maintain a comprehensive record of members
  • Facilitate the monitoring and operations of M@D performance, processes and systems
  • Assist in policy development for M@D

Information that pertains to these principles may be collected via various media (this may be in the form of mail, telephone, face-to-face conversations, password-protected databases, websites, and email) and in various formats, such as: forms, letters, spreadsheets, survey responses, electronic file notes, taped conversations, common internet technologies.


Creating and Collecting Sensitive Information

M@D will collect information only for the purposes linked to the organisational functions and processes previously stated.

M@D will fully disclose the intent of the collection of information, our purposes for doing so, and the employee/member’s rights to access, and correct that information.  Disclosure is provided during the collection process, through verbal dialogue between the Board of Directors, members and personnel before subsequent requests for information are made on behalf of members or personnel.


Receipt of Incorrect Information

Where sensitive information received is irrelevant or incorrect, M@D will endeavour to return it to the person who supplied it, where possible.  Where return is not possible or practical, the information will be destroyed.


Use of Email for Communicating Sensitive Information

Email is an acceptable way of sending information; however, it is not a secure form of transmission.  Messages are ordinarily not encrypted end to end, so mail providers and other intermediaries can read their contents, and a message can easily be sent to an incorrect recipient.  It is, however, considered more secure than fax.

For that reason, M@D treats email as the preferred, rather than the most secure, way of transmitting information, and applies the precautions below whenever sensitive information is sent by email.

If an employee or member, or another third party acting with permission (e.g. Massey University, StudyLink), wishes us to email information, they should first email the request to M@D.  We can then reply directly to that request with the required information.  Replying to the requester's own message means the information goes back to the address the request actually came from, rather than to an address typed in by hand.

Alternatively, we can email the individual requesting the information and ask them to reply confirming that the email address and details are correct.  The information can then be sent.

All information/data should be saved in PDF format before emailing.  This reduces the risk of the content being altered casually or by accident, although a PDF does not prevent a determined recipient from editing or copying it.  The PDF file should not include any signatures, as a signature image can be extracted from the file and reused for unwarranted purposes.


Storing Sensitive Information

An over-arching principle is that M@D should:

  1. Collect only the minimum information needed,
  2. Delete stored information as soon as it is no longer required, and
  3. Make information viewable by as few people as possible,

except where there is a need for information to be collected, retained or disclosed in order for M@D to do its job effectively and fulfil its legal and contractual obligations.

M@D is committed to providing safeguards and best practice standards to ensure sensitive information (whether electronic or in hard copy) is kept secure and private and to prevent against loss, misuse or inappropriate disclosure.

Where there is a requirement to take physical documents outside of M@D’s premises, and there is no technical solution applicable, M@D will keep documentation secure.

M@D will keep sensitive information secure from unauthorised access by protecting its data storage through provisions such as: maintaining regular server back-ups, password protection of all electronic databases, shredding of paper information, providing confidentiality agreements to all staff, and applying best-practice standards for information security management (e.g. using keyboard shortcuts to lock the screen, and locking or turning off computers when the user leaves the desk).

M@D uses password-protected computer systems to manage and store member information.


Accessing and Availability of Sensitive Information

M@D commits to providing employees, Directors and members with access to their sensitive information, where appropriate.

M@D will acknowledge and respond to requests for sensitive information held by M@D within 20 working days of the request being made, unless one of the grounds for refusal in sections 27-29 of the Privacy Act 1993 applies.  (The Privacy Act 1993 has since been replaced by the Privacy Act 2020, so these section references should be checked against the current Act.)

http://www.legislation.govt.nz/act/public/1993/0028/latest/whole.html#DLM297083

A request can be made to access an individual’s own sensitive information by calling, writing or emailing M@D.  An individual can request someone else’s information if they have authority to act on their behalf and can provide evidence to support this.

To avoid confusion with individuals who may have similar names or dates of birth, a requestor may be required to verify their identity to M@D before receiving their file.  This can be done by answering some identifying questions (Date of Birth, Address, GP, etc.).

Where a dual request for official information is received at the same time as a request for sensitive information, M@D will respond with separate replies for official information and the relevant sensitive information.


Managing Requests to Change Sensitive Information

M@D respects the right of members and personnel to seek amendment of factually incorrect information.  When M@D receives a request from a member or personnel to change their sensitive information, the following process will be used to ensure that requests are treated in a fair and consistent way.  Requests for changes can relate to factual data or to opinion-based information.

A staff member of M@D will always contact the individual to advise them that their request has been received and that the original author of the information will be contacted (if received from another party).

If the information is about a staff member, they can email the President.

If M@D holds the incorrect information, it will:

  • Amend it on the member’s/personnel file and enter notes to advise of the amendment.
  • Send the corrected information to any third party who may have also received the incorrect information.
  • Advise the member/personnel that we have made the change.

Sometimes M@D will not be able to make a change to the information as requested.  The main reason for this would be because it is related to opinion-based information (e.g. a medical assessment from an employee’s doctor or training assessor).  If we are unable to make the requested change, we will:

  • Contact the member/personnel to explain why we cannot make the change
  • Ask the member/personnel if they wish to provide a written statement of correction, which we will add to their file.  This statement shows that the member/personnel requested a change to their information, but that we haven’t made the change
  • Send a copy of the new information with the statement of correction attached to any third party who has recently received the original information
  • Contact the member/personnel to let them know the actions that have been taken

Use of and Maintenance of Sensitive Information

M@D is committed to only disclosing or using sensitive information for the purposes for which it is collected, taking reasonable steps to ensure it is complete, relevant, and up to date, and will engage the member/personnel who owns that information in ensuring the quality of that information.

M@D will not use or disclose information for a purpose that is inconsistent with the original purpose of collection, unless legislatively able to do so or for which we have consent, or legislatively required to do so.

M@D is authorised to disclose information to a number of third parties and external providers (e.g. social services, DHBs) for the purpose of:

  • Maintaining personnel records as required by statutory requirements
  • Maintaining a comprehensive record of members
  • Facilitating the monitoring and operations of M@D performance, processes and systems
  • Assisting in policy development for M@D

Of utmost importance is the principle that M@D will not disclose information to any outside commercial entities without clear informed consent, freely given. For example, you will not receive phone calls for life insurance or changes of electricity provider due to some company getting hold of your contact info.

However, there are cases where requests for support made to Massey@Distance may require specialised case management.  In some such cases, it will be appropriate to engage another independent service provider.


Archiving and Destruction of Sensitive Information

To ensure that M@D keeps detailed records of members and employees, sensitive records will be kept in M@D's password-protected computer system.  No retention period has yet been defined for these records; one should be set so that this section is consistent with the principle above that stored information is deleted as soon as it is no longer required.

Employee files and member registrations are uploaded to the encrypted system.  Paper files are stored in a filing cabinet, likewise for an as yet undefined period of time.


Privacy Incidents

A privacy incident includes a breach, a near miss, or actions where M@D has not complied with the provisions of the privacy policy or governing legislation.

M@D's Board of Directors, employees, contractors, providers and suppliers will endeavour to resolve privacy incidents with the affected parties at the time, and to ensure that those parties are made aware of the incident.

All privacy incidents (refer to the Risk Register at the end of document for examples) shall be reported to the President(s) and will be documented in an Incident Register.  The President(s) will advise the best course of action for resolving the breach.

Affected parties will be notified as soon as practicable (unless a risk to health and/or safety is identified), if the incident is serious and likely to cause harm to the individual.

Any person or party who has received information as a result of a breach should be contacted as promptly as possible, advised that they have received sensitive information not intended for them, and asked to destroy the communication and any copies.

Before advising the affected parties (those whose information has been disclosed in error), be sure to have a plan for what has been done, or can be done, to fix the situation, so that this can be explained to the person the breach affects.


Responsibilities for Sensitive Information

M@D is committed to ensuring that the following principles are adhered to.

  • The Board of Directors are responsible for ensuring that the organisation is aware of the need to look after member/personnel information through training, high-quality monitoring and information management practices.
  • The Board of Directors will actively direct and implement best practice privacy standards and ensure that privacy is central to the organisation’s values.
  • All Trustees and staff will act as Privacy Officers and will be the points of contact for all matters relating to organisational privacy.
  • The Board of Directors will ensure that operational processes and procedures are in place to support the privacy policy, enable staff awareness, collate, report and analyse privacy incidents to identify and coordinate strategies for risk controls and to ensure that privacy knowledge is disseminated throughout the organisation.
  • The Board of Directors will ensure that this policy is embedded in their area of responsibility, and that processes are directed through discussion and training and are used consistently to collect, store and destroy private information, reporting any privacy incidents to the Privacy Officer.
  • All M@D staff (including contractors) will maintain best practice privacy behaviours, promote privacy at work, actively participate in privacy training, report all privacy breaches and near misses to the Presidents and identify privacy risks.
  • The Board of Directors will regularly review the Privacy Policy and associated best-practice processes which relate to the collection, recording, access, use, storage and destruction of sensitive information in order to remain relevant.
  • Everyone at M@D is responsible for the privacy and management of sensitive information.

Who to Contact

For general enquiries, concerns and complaints please contact the M@D President or Secretary.
