Timbertank Enterprises Limited
Privacy Policy Manual
Table Of Contents
1. Introduction Page 3
2. Privacy Principles Page 4
3. General Data Protection Regulation ("GDPR") Page 5
4. Types Of Personal Information That Is Collected & Held Page
5
5. Procedures and responding to potential breaches of Privacy Page
7
6. Purposes For Which Information Is Collected, Held, Used And
Disclosed Page 9
7. How An Individual May Access Personal Information Held, And
How
They May Seek Correction Of Such Information Page 10
8. How An Individual May Complain About A Breach Of The NZPP,
And
How The Complaint Will Be Dealt With Page 11
9. Will Personal Information Be Disclosed To Overseas Recipients
Page 12
10. Availability Of This Privacy Policy Manual Page 12
11. Privacy Officer (Responsibilities) Page 13
12. Appendix A - Summary of Individuals Rights Page 14
13. Appendix B - Information Privacy Principles Page 16
1. Introduction
With the passing of the Privacy Act 1993 the government
introduced legislation to protect personal information about
individuals. Privacy Act 1993 ("the Act") incorporates the New
Zealand's Privacy Principles (NZPP's) covered in Part 2 of the Act.
These principles apply to private sector organisations who deal
with information relating to individuals. This legislation is
designed to protect personal information about individuals and sets
in place a framework and guidelines about how to deal with this
information.
As at 25 May 2018, the EU General Data Protection Regulation
("GDPR") was introduced providing increased transparency for data
protection for all businesses transferring data to the Europe Union
"EU". While the GDPR and the NZPP share some similarities,
Timbertank Enterprises Limited is providing robust privacy policies
and procedures for its staff and clients. This includes ensuring
that it conforms to all required NZPP's including the provision of
a clearly expressed and readily available Privacy Policy. This is
completed by the provision of this Privacy Policy Manual.
An NZPP privacy policy is a key tool for meeting NZPP 1's
requirements.
To assist with this compliance, Timbertank Enterprises Limited
ensures that all of its staff members adhere to these policies and
procedures. Any breaches of these policies and procedures must be
reported to the relevant staff member's manager or supervisor
immediately so that any appropriate measures can be taken to
mitigate any issues surrounding an identified breach.
Every staff member of Timbertank Enterprises Limited who handles
personal information is required to have an understanding of the
New Zealand Privacy Principles (NZPP's), the Act and the GDPR,
where necessary. Where a more detailed knowledge of Timbertank
Enterprises Limited's rights and responsibilities is required, the
Privacy Officer will be able to provide assistance.
All staff is encouraged to discuss privacy issues with the
nominated Privacy Officer.
Review
Formal review of this privacy policy shall be undertaken on a 6
monthly basis with the details of this review recorded by the
Privacy Officer.
2. New Zealand Privacy Principles (NZPP's)
The Privacy Act 1993 and the Credit Reporting Privacy Code 2004
places obligations and responsibilities on employers and employees
to ensure that information collected from individuals is collected,
retained and used in line with the NZPP's. Timbertank Enterprises
Limited shall abide by the following NZPP's at all times:
1/ Purpose of collection of personal information
2/ Source of personal information
3/ Collection of personal information from subject
4/ Manner of collection of personal information
5/ Storage and security of personal information
6/ Access to personal information
7/ Correction of personal information
8/ Accuracy of personal information
9/ Retention of personal information
10/ Limits on use of personal information
11/ Limits on disclosure of personal information
12/ Use of unique identifiers
NZPP No.
NZPP 1 to 4 governs the reason for collection of personal
information, where personal information may be collected from, and
how it is collected.
NZPP 5 governs how personal information should be stored.
NZPP 6 governs that individuals have access to the personal
information held about them.
NZPP 7 governs that if an individual requests changes to their
personal information held about them then it should be done unless
there are grounds not to do so.
NZPP 8 - 11 govern how personal information is used or
disclosed.
NZPP 12 governs that an individual's bank number, IRD number,
drivers licence number, passport number etc cannot be used to
identify an individual.
Further information regarding the NZPP's can be obtained from
the office of the Privacy Commissioner at
http://www.privacy.org.nz/comply/comptop.html. A full copy of the
Privacy Principles is attached as Appendix B.
A copy of the NZPP's as produced by the Office of the Privacy
Commissioner is attached as Appendix B. In the event of any
potential data breach that is likely to result in serious harm to
any individuals whose personal information is involved in the
breach, Timbertank Enterprises Limited's Privacy Policy Manual
provides a data breach preparation and response to any potential
breaches to ensure compliance under the Act.
3. General Data Protection Regulation ("GDPR")
Upon the implementation of the GDPR on 25 May 2018, Timbertank
Enterprises Limited has updated the way they use and collect
personal data from residents in the EU. This involves, identifying
Timbertank Enterprises Limited's data protection officer ("Privacy
Officer"), how clients can contact the Privacy Officer and
identifying the process of transferring client's personal
information. Further, the implementation of cookies notices on
Timbertank Enterprises Limited's website has been activated to
ensure Timbertank Enterprises Limited's clients have adequate
protection in providing consent to Timbertank Enterprises Limited
withholding their personal data.
4. Types Of Personal Information That Is Collected, used,
processed & Held
Timbertank Enterprises Limited collects personal information for a
variety of reasons. This personal information will be collected in
the normal course of business and will relate to Goods and/or
Services that are provided by Timbertank Enterprises Limited to
clients. This information collected will be done so in the course
of business where the client is a customer of Timbertank
Enterprises Limited or when the client acts as a guarantor for
another person or company that is a client of Timbertank
Enterprises Limited. Timbertank Enterprises Limited will not
collect information that is not relevant or sensitive in nature
unless it is required in the normal course of business.
The personal information that is collected may include, but will
not be limited to the following;
1/ Full name
2/ Address
3/ Date of birth
4/ Credit references if applicable
5/ Publically available information which relate to the clients
activities in New Zealand
6/ Any information recorded in the New Zealand Insolvency Trustee
Service Register
7/ The client acknowledges that provided the correct Privacy Act
disclosures have been made that Timbertank Enterprises Limited may
conduct a credit report on the client for the purposes of
evaluating the credit worthiness of the client.
8/ Driver's license details
9/ Medical insurance details (if applicable)
10/ Electronic contact details including email, Facebook and
Twitter details
11/ Next of kin and other contact information where applicable
Timbertank Enterprises Limited ensures that all personal
information is held in a secure manner. Where applicable and to the
best of Timbertank Enterprises Limited's knowledge all computers or
servers have the required security protections in place to
safeguard and protect any personal information that is held by
Timbertank Enterprises Limited.
We use cookies on our website. Cookies are small files which are
stored on your computer. They are designed to hold a modest amount
of data (including personal information) specific to a particular
client and website, and can be accessed either by the web server or
the client's computer. In so far as those cookies are not strictly
necessary for the provision of Timbertank Enterprises Limited's
services, we will ask you to consent to our use of cookies when you
first visit our website.
In the event that you utilise our website for the purpose of
purchases/orders, Timbertank Enterprises Limited agrees to display
reference to cookies and /or similar tracking technologies, such as
pixels and web beacons (if applicable), and requests consent for
Timbertank Enterprises Limited collecting your personal information
which may include:
(a) IP address, browser, email client type and other similar
details;
(b) Tracking website usage and traffic; and
(c) Reports are available to Timbertank Enterprises Limited when
Timbertank Enterprises Limited sends an email to the client, so
Timbertank Enterprises Limited may collect and review that
information
Our website incorporates privacy controls which affect how we will
process your personal data. By using the privacy control, you can
advise us if you would like to receive direct marketing
communications. You can access the privacy controls via [URL].
Timbertank Enterprises Limited also regularly conducts internal
risk management reviews to ensure that its infrastructure (to the
best of its knowledge) is secure and any identifiable risks have
been mitigated as much as they can be in the normal course of
business.
5. Procedures and responding to potential breaches of
Privacy
In accordance with the Act Timbertank Enterprises Limited is aware
of its responsibilities to notify its clients in the event of a
potential data breach that may cause serious harm to clients.
Further, in the event the client is located in the EU, Timbertank
Enterprises Limited acknowledges that any potential data breaches
will be safeguarded by the provisions of the GDPR.
Timbertank Enterprises Limited will collect and process personal
information in the normal course of business. This personal
information may be collected and processed (but is not limited to)
by any of the following methods;
1/ Credit applications forms
2/ Work authorisation forms, quote forms or any other business
documentation
3/ Publically available databases that hold information
4/ Websites that detail information such as Sensis, Facebook,
Google etc
5/ By verbally asking you for information as part of normal
business practices
Where relevant to data processing as per the GDPR, and in
particular where Timbertank Enterprises Limited uses new
technologies, and takes into account the nature, scope, context and
purposes of processing and considers that the data processing is
likely to result in a high risk to the rights and freedoms of
natural persons, the Privacy Officer shall, prior to the processing
of personal information, carry out an assessment of impact of the
envisaged processing operations on the protection impact
assessment. The data protection assessment will be required in
instances whereby:
(a) a systematic and extensive evaluation of personal aspects
relating to natural persons which is based on automated processing,
including profiling, and on which decisions are based that produce
legal effects concerning the natural person or similarly
significantly affect the natural person;
(b) processing on a large scale of special categories of data
referred to in Article 9(1) of the GDPR, or of personal data
relating to criminal convictions and offences referred to in
Article 10 of the GDPR; or
(c) a systematic monitoring of a publicly accessible area on a
large scale.
The assessment shall be carried out in accordance with Article
35 (7) of the GDPR and carry out reviews of such data protection
impact assessments when there is any change of the risk associated
with the processing of personal information.
As a client of Timbertank Enterprises Limited and agreeing to
Timbertank Enterprises Limited's Terms and Conditions of Trade,
which comprises of Timbertank Enterprises Limited's privacy
statement you hereby agree and consent to the provisions of this
Privacy Policy Manual, including but not limited to the collection,
processing, use and disclosure of your personal information. In the
event that you do not wish to agree or consent to any of the above
use, processing collection and disclosure, then Timbertank
Enterprises Limited warrants that any request by you to withdraw
your consent or agreement shall be deemed as confirmation by you to
cease any and/or all collection use, processing and disclosure of
your personal information. You may make a Request to withdraw your
consent at anytime by telephone and/or by e-mail to the following
contact details;
The Privacy Officer
Timbertank Enterprises Limited
83 Ridge Toad
TUAKAU 2694
administration@timbertanks.co.nz
0800 222 428
Timbertank Enterprises Limited will ensure that any Information
that is to be obtained from you is done so using Timbertank
Enterprises Limited's prescribed forms which;
Authorise Timbertank Enterprises Limited:
1/ To collect personal information; and
2/ Inform the individual what personal information is being
collected; and
3/ Inform the individual why (the purpose) the personal
information is being collected; and
4/ Inform the individual why & when personal information will
be disclosed to 3rd parties.
It is the responsibility of Timbertank Enterprises Limited to
ensure that any personal information obtained is as accurate and up
to date as possible and information is only collected by lawful
means in accordance with the Act and relevantly, in accordance with
the GDPR.
6. Purposes For Which Information Is Collected, Held, Used And
Disclosed
Disclosure to Third Parties
Timbertank Enterprises Limited will not pass on your personal
information to third parties without first obtaining your
consent.
In accordance with the Act, and relevantly the GDPR, Personal
Information can only be used by Timbertank Enterprises Limited for
the following purposes:
1/ Access a credit reporter's database for the following
purposes:
a) To assess your application for a credit account; or
b) To assess your ongoing credit facility; or
c) To notify a credit reporter of a default by you; or
d) To update your details listed on a credit reporter's database;
or
2/ Check trade references noted on the prescribed form for the
following purposes:
a) To assess your application for a credit account; or
b) To assess your ongoing credit facility; or
c) To notify a default.
3/ Market Timbertank Enterprises Limited's products and
services.
4/ Any other day to day business purposes such as complying with
IRD requirements, managing accounting returns or legal matters.
Relationship with Credit Reporter - In the event that
notification of a default has been reported to a Credit Reporter
and your credit file has been updated (including any changes to the
balance outstanding or contact details), then the Credit Reporter
shall be notified as soon as practical of any such changes.
Timbertank Enterprises Limited will only gather information for
its particular purpose (primary purpose). In accordance with the
Act, and relevantly the GDPR Timbertank Enterprises Limited will
not disclose this information for any other purpose unless this has
been agreed to by both parties.
7. How An Individual May Access Personal Information Held, And
How They May Seek Correction Of Such Information
You shall have the right to request from Timbertank Enterprises
Limited a copy of all the information about you that is retained by
Timbertank Enterprises Limited. You also have the right to request
(by telephone and/or by e-mail) that Timbertank Enterprises Limited
correct any information that is incorrect, outdated or
inaccurate.
Any requests to receive your personal information or to correct
personal information should be directed to the following contact
details;
The Privacy Officer
Timbertank Enterprises Limited
83 Ridge Toad
TUAKAU 2694
administration@timbertanks.co.nz
0800 222 428
Timbertank Enterprises Limited will destroy personal information
upon your request (by telephone and/or by e-mail) or when the
personal information is no longer required. The exception to this
is if the personal information is required in order to fulfil the
purpose of Timbertank Enterprises Limited or is required to be
maintained and/or stored in accordance with the law
8. How An Individual May Complain About A Breach Of The NZPP, And
How The Complaint Will Be Dealt With
You can make a complaint to Timbertank Enterprises Limited's
internal dispute resolution team ('IDR') regarding an interference
with and/or misuse of your personal information by contacting
Timbertank Enterprises Limited via telephone or e-mail.
Any complaints should be directed to the following contact
details in the first instance;
The Privacy Officer
Timbertank Enterprises Limited
83 Ridge Toad
TUAKAU 2694
administration@timbertanks.co.nz
0800 222 428
In your communication you should detail to Timbertank
Enterprises Limited the nature of your complaint and how you would
like Timbertank Enterprises Limited to rectify your complaint.
We will respond to that complaint within 7 days of receipt and
will take all reasonable steps to make a decision as to the
complaint within 30 days of receipt of the complaint.
We will disclose information in relation to the complaint to any
relevant credit provider and or CRB that holds the personal
information the subject of the complaint.
In the event that you are not satisfied with the resolution
provided, then you can make a complaint to the Privacy Commissioner
at http://www.privacy.org.nz/comply/comptop.html.
9. Will Personal Information Be Disclosed To Overseas
Recipients
Timbertank Enterprises Limited does not disclose information about
the client to third party overseas recipients unless the client has
provided its consent. Timbertank Enterprises Limited will notify
you if circumstances change regarding overseas disclosure and will
comply with the Act and the GDPR in all respects.
Unless otherwise agreed, Timbertank Enterprises Limited agrees
not to disclose any personal information about the client for the
purpose of direct marketing. You have the right to request (by
telephone and/or by e-mail) that Timbertank Enterprises Limited
does not disclose any personal information about you for the
purpose of direct marketing.
10. Availability Of This Privacy Policy Manual
This Privacy Policy manual is available to all clients of
Timbertank Enterprises Limited. It will be made available (where
applicable) on Timbertank Enterprises Limited's website.
This manual will also be available upon request at Timbertank
Enterprises Limited's business premises and is available to be sent
to you if required.
If you require a copy of this Privacy Policy please make a
request utilising the following contact information in the first
instance:
The Privacy Officer
Timbertank Enterprises Limited
83 Ridge Toad
TUAKAU 2694
administration@timbertanks.co.nz
0800 222 428
11. Privacy Officer (Responsibilities)
Timbertank Enterprises Limited has appointed an internal Privacy
Officer to manage its privacy matters. The name of this officer is
available by making contact with Timbertank Enterprises Limited.
The privacy officers duties include (but are not limited to) the
following:
The Privacy Officer needs to be familiar with the NZPP's.
Educational material is available from the office of the Privacy
Commissioner which explains what Timbertank Enterprises Limited
needs to know in order to comply with the Privacy Act.
If a person complains to the Privacy Commissioner that
Timbertank Enterprises Limited has breached their privacy, the
Privacy Commissioner may contact the Privacy Officer to discuss the
complaint, and to see whether there is any means of settling the
matter. The Privacy Officer shall provide whatever assistance is
necessary. The Privacy Officer may be asked to provide background
information or identify the staff members who can do so.
Complaints
In the event that a complaint about privacy issues is received the
Privacy Officer will:
1/ Take ownership of the complaint and ensure that it is dealt
with in a timely manner.
2/ Acknowledge receipt of the complaint within 24 hours and advise
the complainant of their rights.
3/ Fully investigate the complaint.
4/ Respond, with findings, to the complainant within 30 days of
receipt.
5/ Keep a record of all complaints received for ongoing review of
policies and procedures.
In the event that a complaint about privacy issues is received
via a credit reporter the Privacy Officer will:
1/ Take ownership of the complaint and ensure that it is dealt
with in a timely manner.
2/ Acknowledge receipt of the complaint to the credit reporter
within 24 hours (see attached Appendix A).
3/ Fully investigate the complaint.
4/ Respond, with findings, to the credit reporter within 7 days of
receipt.
5/ Keep a record of all complaints received for ongoing review of
policies and procedures.
Other
The Privacy Officer shall ensure that Timbertank Enterprises
Limited's documentation complies with the Privacy Act and Credit
Reporting Privacy Code at all times.
APPENDIX A - SUMMARY OF RIGHTS
(Rules 6 and 7 and clause 8)
A Summary of Your Rights Under the Credit Reporting Privacy Code
2004
The Credit Reporting Privacy Code 2004 is issued under the
Privacy Act 1993. It promotes fairness, accuracy, and privacy in
the practice of credit reporting. Credit reporters gather and sell
information about you such as a failure to pay your bills or if you
have been made bankrupt. You can find the complete text of the Code
at http://www.privacy.org.nz and the Privacy Act at
http://www.legislation.govt.nz/browse_vw.asp?content-set=pal_localprivate.
The Code, together with the Act, gives you specific rights, many of
which are summarised below.
Limited information can be reported about you.
A credit reporter can only collect certain classes of information,
set out in the Code, for its credit reporting database. A credit
reporter will generally report information for no longer than 5 - 7
years: the actual retention periods are required to be displayed on
each credit reporter's website.
Only certain people can access your file for certain
purposes.
The Code limits the people who can gain access to your credit
information. These will usually be credit providers who are
considering your application for credit, but in some strictly
defined situations the information may be available to prospective
landlords, employers or insurers, to debt collectors, to those
involved in court proceedings and to certain public sector
agencies.
Your consent is required in most situations.
Most credit checks can only take place with your authorisation.
This applies to access by credit providers, prospective landlords
and prospective employers. Your authorisation may not be required
for access by certain public sector agencies, those involved in
court proceedings and debt collectors. The credit reporter is
required to log each access that is made to your information and
will normally disclose this information to you on request.
You can find out what is held about you.
You are entitled to request a copy of the credit information held
about you by a credit reporter. You can ask for just the
information contained in your credit report or for all the
information held about you (which may include additional
information, such as a more complete list of those who have
accessed your report). If you want the information quickly (within
5 working days) you may be required to pay a reasonable charge, but
otherwise no charge may be made. A credit reporter must take
precautions to check the identity of anyone making a personal
access request. This may involve asking you for certain
identification details, although these cannot be added to the
credit reporter's database without your authorisation.
You can dispute inaccurate information with the credit
reporter.
Credit reporters must take reasonable steps to ensure the accuracy
of the information they hold and must act promptly to correct any
errors they become aware of. If you tell a credit reporter that
your report contains an inaccuracy, the credit reporter must take
steps to correct it. This will usually involve checking the
information you provide with the source, such as a creditor who
submitted a default. While the checking process is under way, the
credit reporter must flag your credit report to show that the item
has been disputed. The credit reporter must, as soon as reasonably
practicable, decide whether to make the correction you have
requested or to confirm the accuracy of the information. If the
credit reporter needs longer than 20 working days to make a
decision it must notify you of the extension and the reasons for
it. If the requested correction is not made you must be told the
reason and you may ask to have a statement of the correction sought
but not made, attached to the relevant information. This statement
will be included with future reports. If a correction is made or a
correction statement is added, the credit reporter must inform
anyone who has recently received your credit report of the change.
They must tell you what they have done and provide you with a copy
of the amended report. A credit report describes your credit
history, not simply your current debts. Information about a
bankruptcy that has been discharged or a default that has
subsequently been paid in full can continue to be reported,
provided it is updated to reflect the later developments, as it
remains an accurate statement of those historical events.
You have the right to make a complaint.
Each credit reporter must maintain an internal complaints
procedure and have a designated person to facilitate the fair,
simple, speedy and efficient resolution of complaints. If you
believe a credit reporter has breached the Code you should first
approach them directly. If your complaint is not resolved you may
complain to the Privacy Commissioner who has statutory powers to
investigate the matter. Some cases that cannot be settled can be
taken to the Human Rights Review Tribunal for final determination.
Other civil law remedies may also be available including defamation
and negligence.
Contact addresses.
Timbertank Enterprises Limited
83 Ridge Toad
TUAKAU 2694
Ph 0800 222 428
Office of the Privacy Commissioner
PO Box 10094, The Terrace
WELLINGTON 6143
Fax (04) 474 7595
Warning: This is only a generalised summary. In the event of a
discrepancy between this summary and a provision of the code or
Act, the code or Act prevails.
APPENDIX B - INFORMATION PRIVACY PRINCIPLES
NOTE
In some cases agencies are authorised or required by other
legislation to collect, use, retain, or make available, personal
information, and in most cases where an agency collects, uses,
retains or makes available personal information in accordance with
such legislation this will not amount to a breach of the Privacy
Act. (section 7 of the Privacy Act 1993).
PRINCIPLE 1
Purpose of collection of personal information
Personal information shall not be collected by any agency
unless-
(a) The information is collected for a lawful purpose connected
with a function or activity of the agency; and
(b) The collection of the information is necessary for that
purpose.
PRINCIPLE 2
Source of personal information
(1) Where an agency collects personal information, the agency
shall collect the information directly from the individual
concerned.
(2) It is not necessary for an agency to comply with sub clause
(1) of this principle if the agency believes, on reasonable
grounds,-
(a) That the information is publicly available information;
or
(b) That the individual concerned authorises collection of the
information from someone else; or
(c) That non-compliance would not prejudice the interests of the
individual concerned; or
(d) That non-compliance is necessary --
(i) To avoid prejudice to the maintenance of the law by any public
sector agency, including the prevention, detection, investigation,
prosecution, and punishment of offences; or
(ii) For the enforcement of a law imposing a pecuniary penalty;
or
(iii) For the protection of the public revenue; or
(iv) For the conduct of proceedings before any court or Tribunal
(being proceedings that have been commenced or are reasonably in
contemplation); or
(e) That compliance would prejudice the purposes of the
collection; or
(f) That compliance is not reasonably practicable in the
circumstances of the particular case: or
(g) That the information-
(i) Will not be used in a form in which the individual concerned
is identified; or
(ii) Will be used for statistical or research purposes and will
not be published in a form that could reasonably be expected to
identify the individual concerned; or
(h) That the collection of the information is in accordance with
an authority granted under section 54 of this Act.
PRINCIPLE 3
Collection of information from subject
(1) Where an agency collects personal information directly from
the individual concerned, the agency shall take such steps (if any)
as are, in the circumstances, reasonable to ensure that the
individual concerned is aware of -
(a) The fact that the information is being collected; and
(b) The purpose for which the information is being collected;
and
(c) The intended recipients of the information; and
(d) The name and address of -
(i) The agency that is collecting the information; and
(ii) The agency that will hold the information; and
(e) If the collection of the information is authorised or required
by or under law -
(i) The particular law by or under which the collection of the
information is so authorised or required; and
(ii) Whether or not the supply of the information by that
individual is voluntary or mandatory; and
(f) The consequences (if any) for that individual if all or any
part of the requested information is not provided; and
(g) The rights of access to, and correction of, personal
information provided by these principles.
(2) The steps referred to in sub clause (1) of this principle
shall be taken before the information is collected or, if that is
not practicable, as soon as practicable after the information is
collected.
(3) An agency is not required to take the steps referred to in sub
clause (1) of this principle in relation to the collection of
information from an individual if that agency has taken those steps
in relation to the collection, from that individual, of the same
information or information of the same kind, on a recent previous
occasion.
(4) It is not necessary for an agency to comply with sub clause
(1) of this principle if the agency believes, on reasonable grounds
-
(a) That non-compliance is authorised by the individual concerned;
or
(b) That non-compliance would not prejudice the interests of the
individual concerned; or
(c) That non-compliance is necessary -
(i) To avoid prejudice to the maintenance of the law by any public
sector agency, including the prevention, detection, investigation,
prosecution, and punishment -of offences; or
(ii) For the enforcement of a law imposing a pecuniary penalty;
or
(iii) For the protection of the public revenue; or
(iv) For the conduct of proceedings before any court or Tribunal
being proceedings that have been commenced or are reasonably in
contemplation); or
(d) That compliance would prejudice the purposes of the
collection; or
(e) That compliance is not reasonably practicable in the
circumstances of the particular case; or
(f) That the information -
(i) Will not be used in a form in which the individual concerned
is identified; or
(ii) Will be used for statistical or research purposes and will
not be published in a form that could reasonably be expected to
identify the individual concerned.
PRINCIPLE 4
Manner of collection of personal information
Personal information shall not be collected by an agency-
(a) By unlawful means; or
(b) By means that, in the circumstances of the case, -
(i) Are unfair; or
(ii) Intrude to an unreasonable extent upon the personal affairs
of the individual concerned.
PRINCIPLE 5
Storage and security of personal information
An agency that holds personal information shall ensure -
(a) That the information is protected, by such security safeguards
as it is reasonable in the circumstances to take, against -
(i) Loss; and
(ii) Access, use, modification or disclosure, except with the
authority of the agency that holds the information; and
(iii) Other misuse; and
(b) That if it is necessary for the information to be given to a
person in connection with the provision of a service to the agency,
everything reasonably within the power of the agency is done to
prevent unauthorised use or unauthorised disclosure of the
information.
PRINCIPLE 6
Access to personal information
(1) Where an agency holds personal information in such a way that
it can be readily be retrieved, the individual concerned shall be
entitled -
(a) To obtain from the agency confirmation of whether or not the
agency holds such personal information; and
(b) To have access to that information.
(2) Where, in accordance with sub clause (1)(b) of this principle,
an individual is given access to personal information, the
individual shall be advised that, under principle 7, the individual
may request the correction of that information.
(3) The application of this principle is subject to the provisions
of Parts IV and V of this Act.
PRINCIPLE 7
Correction of personal information
(1) Where an agency holds personal information, the individual
concerned shall be entitled
(a) To request correction of the information; and
(b) To request that there be attached to the information a
statement of the correction sought but not made.
(2) An agency that holds personal information shall, if so
requested by the individual concerned or on its own initiative,
take such steps (if any) to correct that information as are, in the
circumstances, reasonable to ensure that, having regard to the
purposes for which the information may lawfully be used, the
information is accurate, up to date, complete, and not
misleading.
(3) Where an agency that holds personal information is not willing
to correct that information in accordance with a request by the
individual concerned, the agency shall, if so requested by the
individual concerned, take such steps (if any) as are reasonable in
the circumstances to attach to the information, in such a manner
that it will always be read with the information, any statement
provided by that individual of the correction sought.
(4) Where the agency has taken steps under sub clause (2) or sub
clause (3) of this principle, the agency shall, if reasonably
practicable, inform each person or body or agency to whom the
personal information has been disclosed of these steps.
(5) Where an agency receives a request made pursuant to sub clause
(1) of this principle, the agency shall inform the individual
concerned of the action taken as a result of the request.
PRINCIPLE 8
Accuracy, etc., of personal information to be checked before
use
An agency that holds information shall not use that information
without taking such steps (if any) as are, in the circumstances,
reasonable to ensure that, having regard to the purpose for which
the information is proposed to be used, the information is
accurate, up to date, complete, relevant, and not misleading.
PRINCIPLE 9
Agency not to keep personal information for longer than
necessary
An agency that holds personal information shall not keep that
information for longer than is required for the purposes for which
the information may lawfully be used.
PRINCIPLE 10
Limits on use of personal information
An agency that holds personal information that was obtained in
connection with one purpose shall not use the information for any
other purpose unless the agency believes, on reasonable
grounds:-
(a) That the source of the information is a publicly available
publication; or
(b) That the use of the information for that other purpose is
authorised by the individual concerned; or
(c) That non-compliance is necessary -
(i) To avoid prejudice to the maintenance of the law by any public
sector agency, including the prevention, detection, investigation,
prosecution, and punishment of offences; or
(ii) For the enforcement of a law imposing a pecuniary penalty;
or
(iii) For the protection of the public revenue; or
(iv) For the conduct of proceedings before any Court or Tribunal
(being proceedings that have been commenced or are reasonably in
contemplation); or
(d) That the use of the information for that other purpose is
necessary to prevent or lessen a serious and imminent threat
to-
(i) Public health or public safety; or
(ii) The life or health of the individual concerned or another
individual; or
(e) That the purpose for which the information is used directly
related to the purpose in connection with which the information was
obtained; or
(f) That the information-
(i) Is used in a form in which the individual concerned is not
identified; or
(ii) Is used for statistical or research purposes and will not be
published in a form that could reasonably be expected to identify
the individual concerned or;
(g) That the use of the information is in accordance with an
authority granted under section 54 of this Act.
PRINCIPLE 11
Limits on disclosure of personal information
An agency that holds personal information shall not disclose the
information to a person or body or agency unless the agency
believes, on reasonable grounds -
(a) That the disclosure of the information is one of the purposes
in connection with which the information was obtained or is
directly related to the purposes in connection with which the
information was obtained; or
(b) That the source of the information is a publicly available
publication; or
(c) That the disclosure is to the individual concerned; or
(d) That the disclosure is authorised by the individual concerned;
or
(e) That non-compliance is necessary -
(i) To avoid prejudice to the maintenance of the law by any public
sector agency, including the prevention, investigation,
prosecution, and punishment of offences; or
(ii) For the enforcement of the law imposing a pecuniary penalty;
or
(iii) For the protection of the public revenue; or
(iv) For the conduct of proceedings before any court or Tribunal
(being proceedings that have been commenced or are reasonably in
contemplation); or
(f) That the disclosure of the information is necessary to prevent
or lessen a serious and imminent threat to-
(i) Public health or public safety; or
(ii) The life or health of the individual concerned or another
individual; or
(g) That the disclosure of the information is necessary to
facilitate the sale or other disposition of a business as a going
concern; or
(h) That the information -
(i) Is to be used in a form in which the individual concerned is
not identified; or
(ii) Is to be used for statistical or research purposes and will
not be published in a form that could reasonably be expected to
identify the individual concerned; or
(i) That the disclosure of the information is in accordance with
an authority granted under section 54 of this Act.
PRINCIPLE 12
Unique identifiers
(1) An agency shall not assign a unique identifier to an
individual unless the assignment of that identifier is necessary to
enable the agency to carry out any one or more of its functions
efficiently.
(2) An agency shall not assign to an individual a unique
identifier that, to that agency's knowledge, has been assigned to
that individual by another agency, unless those two agencies are
associated persons within the meaning of section 8 of the Income
Tax Act 1976.
(3) An agency that assigns unique identifiers to individuals shall
take all reasonable steps to ensure that unique identifiers are
assigned only to individuals whose identity is clearly
established.
(4) An agency shall not require an individual to disclose any
unique identifier assigned to that individual unless the disclosure
is for one of the purposes in connection with which that unique
identifier was assigned or for a purpose that is directly related
to one of the of those purposes.