Version 1/2001 as at March 2001
1.1 This Policy sets out how North Shore RDA (NSRDA) uses and protects any personal information that it may store/collect in relation to any individual (including, but not limited to, employees, contractors, volunteers, patients, families of patients, and supporters) and sets privacy standards within the workplace.
1.2 The NSRDA is committed to ensuring that privacy is protected in accordance with the requirements of the Privacy Act 2020 (hereinafter referred to as The Act) and any amending or substituting legislation.
1.3 For the purposes of The Act, NSRDA is considered to be the Primary Agency, and remains the sole authorised holder of that personal information. [See section 11(2) and 11(5) of The Act.]
2.1 Personal information: information about an identifiable individual.
Personal information can be information obtained directly from an individual, but also publicly available information and authorised collection from a third party (i.e. a referee).
2.2 Privacy breach: any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, transferred information, or any action that prevents an individual from accessing transferred information on either a temporary or permanent basis.
2.3 Recording means any information recorded or stored by means of any tape-recorder, computer, or other device; and any material subsequently derived from information so recorded or stored: any photograph, film, negative, tape, or other device in which one (1) or more visual images are embodied so as to be capable (with or without the aid of some other equipment) of being reproduced.
2.4 Privacy Officer: NSRDA will maintain the responsibility for monitoring and ensuring compliance with the Privacy Act 2020, [and any amending or substituting legislation.] As of December 2020, the Privacy Officer is Philippa Nicholls.
3 Personal Information:
3.1 NSRDA will only collect personal information from individuals as far as reasonably necessary for lawful purposes connected with its functions or activities.
3.2 The terms and conditions of an individual’s employment/engagement contract with NSRDA, including remuneration, shall remain confidential between NSRDA and the individual and are not permitted to be disclosed by an individual without the written consent of both parties.
3.3 Where possible (and with the exception of conducting reference checks), personal information will be collected directly from the individual concerned.
3.4 All personal information held will be protected by reasonable security safeguards against loss, unauthorised access, use, modification or disclosure and other misuse.
3.5 Individuals may ask NSRDA for access to any/all of their personal information held by them. [See section 40 of The Act]
3.6 Any requests to correct personal information, as specified in 3.5 above, held by NSRDA should be made to the Privacy Officer. [See section 59 of The Act]
4 Covert recordings:
4.1 So as to protect all individuals from unwarranted intrusion into their privacy, and protect their right to privacy, recordings (whether video or audio) are prohibited in NSRDA's workplace or at any work-related event. The prohibition on covert recording includes (but is not limited to) employee and/or employer and/or volunteer conversations/meetings/riding sessions (regardless of their nature i.e. whether disciplinary or not).
4.2 If an individual wishes to make a recording in the workplace, including recording a conversation/meeting/riding session, the individual must expressly ask all parties to the conversation/activity if it is permitted to record the activity prior to recording.
4.3 If this is agreed to, the other party(s) must be provided with a copy of the recording. If a transcript is made it will be provided to the other party(s).
4.4 Any such documents relating to this agreement and copies of the recording must be provided to the NSRDA Privacy Officer.
4.5 Where an employee or volunteer or any other person records in breach of this Policy, or records where consent is not provided or consent to record is withdrawn, NSRDA may commence a disciplinary process with that employee or volunteer on the basis that the employee may have breached this Policy and/or may have breached their trust and confidence and/or good faith obligations. Covert recordings made by employees may also amount to serious misconduct, warranting disciplinary action up to and including summary dismissal.
5 Mandatory reporting of privacy breach:
5.1 If NSRDA experiences a privacy breach that has or is likely to cause anyone serious harm (whether intentional or not), NSRDA shall notify:
a. The Office of the Privacy Commissioner; and
b. Any affected persons,
Both to be actioned no later than 20 working days after such a breach.
5.2 Employees must notify the Privacy Officer of any potential or actual privacy breach as soon as possible. The Privacy Officer shall then determine if the breach has or is likely to cause anyone serious harm, and if the Office of the Privacy Commissioner must be notified. [See section 70 of The Act]
6 Cross border disclosures:
6.1 The NSRDA may share information for the purpose of storage or safekeeping. If an entity holds information as an agent for NSRDA, it is only for the purpose of safe custody or processing. The holding entity has no authority to manage, use or release that information. [See section 11(1) of The Act]
6.2 Where NSRDA intends to disclose an individual’s personal information to an overseas or any other entity, NSRDA will ensure that the entity is subject to privacy safeguards comparable to those under the Privacy Act 2020.
6.3 If this is not possible, NSRDA will inform the individual concerned that their information may not be adequately protected, and the individual must expressly authorise the disclosure.
7 Disciplinary consequences:
7.1 NSRDA will take any breach of this Policy very seriously. Disciplinary action up to and including dismissal may result should an employee breach any provision of this Policy.
8.1 NSRDA may vary or amend this Policy from time to time, in conjunction with the provisions of the Privacy Act 2020 and any amending or substituting legislation.
8.2 In any event the policy will be reviewed every 12 months.