Privacy Policy
1.0 Purpose
The purpose of this PFRA Privacy Policy is to describe how the PFRA maintains the privacy of individuals in accordance with the Privacy Act 2020 (the Act) and the Information Privacy Principles under the Act.
2.0 Scope of this Policy
This Policy applies when the PFRA collects, stores, uses, or discloses the personal information of any individual.
3.0 Types of personal information collected
- Personal information means information about an identifiable individual
- The PFRA will only collect personal information if that information is necessary for the purposes of the PFRA's functions and activities.
- Types of personal information the PFRA might collect include:
- An individual's
- name, address, and contact details;
- educational background, training records, job title, employment history, and areas of expertise;
- remuneration, benefits, and bank details;
- performance history, performance appraisals, misconduct complaints; and
- Information relating to fundraising activities.
- Information relating to complaints and the PFRA’s Code of Conduct.
- Information that is required for the accreditation of PFRA members.
- Records of correspondence between an individual and the PFRA.
- Other personal information provided by the individual to the PFRA.
- Any other information that is necessary to facilitate the purposes of the PFRA’s functions and activities.
- An individual's
4.0 Methods of collection of personal information
- The PFRA will collect personal information directly from the
individual concerned. Some personal information may also be collected
from other sources, such as:
- PFRA members;
- Third party service providers;
- Publicly available sources; and
- Other sources authorised by an individual (such as referees during recruitment).
- If an individual refuses to provide their personal information, or if the PFRA is otherwise unable to collect an individual's personal information, the PFRA may not be able to carry out its functions or discharge its obligations to that individual. In such circumstances, the PFRA will inform the individual of the consequences of not being provided with the personal information.
5.0 Purposes of collection of personal information
- The PFRA collects personal information for a variety of purposes connected with its functions and activities. The PFRA will only use personal information for the purposes for which it was collected (or directly related purposes), or for any other purposes authorised by the individual concerned, or as required by law.
- Purposes of collection include:
- Verifying the identity of individuals;
- Assessing the suitability of applicants during recruitment;
- Administering the SAL scheme;
- Administering payroll;
- Fulfilling the legal and regulatory obligations of the PFRA;
- Purposes connected to the general management of the PFRA; and
- Any other purpose authorised by the individual.
- Before using personal information, the PFRA will take reasonable steps to ensure the information is accurate, up to date, complete, relevant, and not misleading.
6.0 Disclosure of personal information
- The PFRA may disclose personal information where disclosure is
one of the purposes for which it was collected (or a directly related
purpose), or to the individual concerned or to a third party if the
individual has authorised that disclosure, or as required by law.
- The PFRA may disclose personal information to:
- Legal and regulatory authorities (such as the Inland Revenue Department);
- Third-party professional providers (such as accountants, auditors, and lawyers); and
- Third-party providers of products and services to the PFRA (such as pay-roll providers, SAL, KiwiSaver providers, IT system suppliers, information management providers).
- The recipients of disclosed personal information may be located outside of New Zealand. Some of the countries to which personal information is disclosed may not have privacy laws that provide comparable safeguards to those in the Act. In these cases, the PFRA will either:
- Take steps to ensure that the recipient of any personal information protects the personal information in a way that provides comparable safeguards to those in the Act, or otherwise complies with the Act; or
- Obtain the authorisation of the individual concerned to the disclosure, after informing the individual that their personal information may not be protected by the recipient with comparable safeguards to those in the Act.
- Before disclosing personal information, the PFRA will take reasonable steps to ensure the information is accurate, up to date, complete, relevant, and not misleading.
7.0 Storage of personal information
- The PFRA will take steps to ensure personal information is protected by reasonable security safeguards against unauthorised use, modification or disclosure, or loss, or misuse.
- The PFRA will not keep personal information for longer than is required for the purposed of which it was collected.
8.0 Notifiable privacy breaches
- A privacy breach occurs when personal information held by the PFRA is accessed, disclosed, altered, lost, or destroyed without authority or by accident. A privacy breach also occurs when the PFRA is prevented from accessing personal information that the PFRA should have access to.
- If a privacy breach occurs and the PFRA believes this has caused, or is likely to cause, serious harm to any information, the PFRA will notify the affected individual(s) as soon as possible. There are certain circumstances under the Act where notification may be delayed or not required.
- If a notifiable privacy occurs, the PFRA will also notify the Privacy Commissioner as required by the Act.
9.0 Access and correction
- Individuals have a right to access to their personal information and to request that any inaccuracies are corrected. Individuals may request access to or correction of their personal information by submitting their request in writing to the PFRA. The PFRA will consider the request and will respond as soon as reasonably practicable by not later than 20 working days from the date the request is received.
- Individuals have a right, at any time, to provide the PFRA with a statement of the correction sought and to request the PFRA attach that statement to their personal information (if the correction sought is not made). If the correction sought is not made, the PFRA will take reasonable steps to attach that statement to the individual’s personal information so that it is always read with the personal information.
- The individual may need to pay an administrative fee to cover the PFRA’s costs associated with allowing the individual to access or correct their personal information.
- There are certain circumstances where the PFRA may not be required or permitted to allow an individual to access or correct their personal information. In some situations, the PFRA may grant access to part, but not all, of the personal information requested. The PFRA will inform the individual of the reasons for refusing their request for access (or part of their request for access) or correction.
10.0 Complaints
- Individuals who have concerns or complaints about the privacy of their personal information should contact the National Manager of the PFRA.
- Individuals may also complain to the Privacy Commissioner if they believe an action of the PFRA may be an interference with their privacy.
11.0 Changes to this policy
The PFRA may vary, replace, withdraw or not apply this policy at its absolute discretion. This policy does not form part of any employment agreements between the PFRA and its employees.