Source: New Zealand Privacy Commissioner – Blog
As part of Privacy Week 2022, staff members from the Office of the Privacy Commissioner joined Charities Services Ngā Ratonga Kaupapa Atawhai on a webinar called ‘Privacy 101 for Charities’.
People in the charity sector already have enough on their plate so we focused our presentation on the foundations of privacy. Our Office really enjoyed talking to people from the charity sector, and we were blown away by your interest in privacy and doing the right thing when it comes to personal information.
As always, we want to help all organisations do the right thing. An organisation’s obligations at law will be context dependent – what’s reasonable for one charitable organisation won’t necessarily be reasonable for another. This means that our guidance is focussed on compliance with the information privacy principles – you will need to consider our guidance alongside your organisation’s particular role and circumstances.
Our Privacy Week session gave us some great insight into areas of interest for your sector, and we’ll be continuing to improve our information and resources to make it as easy as possible for you to protect the personal information of your stakeholders, members, customers and clients.
It is the people within your organisation who will be dealing with personal information on a day-to-day basis. We recommend that your organisation regularly trains and upskills staff and volunteers on good privacy practice – we think our free online training modules are pretty great, too.
We’ve also pulled together some of the most-asked questions from our session, as we couldn’t get to them all on the day.
What is ‘privacy’?
In general terms, “privacy” covers a person’s right to be free from unreasonable intrusion into their personal affairs. Our Office is concerned with a certain type of privacy – the kind that deals with personal information. You might have seen other countries call it “data protection”.
The Privacy Act 2020 governs how organisations and businesses can collect, store, use and share your personal information. It ensures that:
- people know when their information is being collected
- organisations use and share information in an appropriate way
- people’s information is kept safe and secure, and
- people can get access to their own information.
Do we need to report all breaches to the Privacy Commissioner?
No – only if a breach has either caused or is likely to cause someone serious harm.
A “privacy breach” for the purposes of the Privacy Act 2020 is:
- unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
- an action that prevents the organisation from accessing the information on either a temporary or permanent basis.
The unwanted sharing, exposure or loss of access to people’s personal information may cause individuals or groups serious harm. This is the point at which we want to know more –you must let the Commissioner and affected people know about a privacy breach which has caused or is likely to cause serious harm.
Remember, a ‘privacy breach’ under the Privacy Act is different to a breach of the Privacy Act itself. For example, if an organisation fails to follow an information privacy principle under the Privacy Act, that organisation is in breach of the Privacy Act but has not necessarily suffered a ‘privacy breach’.
For more information, check out our guidance on privacy breaches here.
Our organisation uses cloud service providers to store personal information. What responsibilities and best practices should our charity follow to protect ourselves and all those we serve?
Under the Privacy Act, your organisation will generally be responsible for personal information that another organisation holds information on your behalf. The exception to this rule is if the other organisation uses that information for its own purposes.
Therefore, the rest of the Privacy Act and its information privacy principles continue to apply to your organisation and our advice remains the same – continue to exercise your good judgment with respect to personal information. We particularly encourage organisations to be mindful of their obligation under privacy principle 5 – to ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information.
Your organisation is also likely to have entered into specific arrangements with your service provider. Such terms and conditions can affect how your organisation and your service provider respond to privacy issues in practice, and may also place further obligations on your organisation in addition to the privacy principles. We recommend reviewing those terms and conditions periodically. If you have any doubts, consult a lawyer to make sure that your contractual arrangements with your service providers are robust.
How long do we have to hold personal information?
Under the Privacy Act, you should not keep personal information for longer than it is required for the purpose it may lawfully be used.
Sometimes, the law makes it clear how long your organisation must hold personal information (see for example the Employment Relations Act or the Tax Administration Act). Otherwise, your organisation must decide how long you have a lawful purpose to use the information you have collected. This will largely depend on what the information is and what you told the person when you first collected it.
For more information, check out our guidance on principle 9 here.
How do we control a data breach if a member circulates personal information to a third party?
The best thing that your organisation can do is to prevent such breaches from happening in the first place. All organisations have obligations under privacy principle 5 to ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information (including, for example, employee browsing).
However, your organisation can still suffer a privacy breach even with the best systems in place. Consider whether the privacy breach is likely to cause serious harm (see above) and have a look at our guidelines on how to respond to a privacy breach.
As always, we’re here to help. If you think your organisation has suffered a notifiable privacy breach, please get in touch.
