Privacy Policy

Winsborough Confidentiality and Privacy Policy


‘Health Information Privacy Code’ refers to the Health Information Privacy Code 2020 effective from 1 December 2020.

‘Health Information’ has the definition provided in clause 4.1 of the Health Information Privacy Code. In the context of Winsborough’s activities, this is health information about an identifiable individual, including personal information collected in relation to delivering health services as defined in the Code.

‘Information Privacy Principles’ are the privacy principles, rules and guidelines Winsborough adheres to when processing personal information, and as provided within the Privacy Act 2020.

‘OPC’ is the Office of the Privacy Commissioner.

‘Privacy Act’ refers to the Privacy Act 2020 effective from 1 December 2020.

‘Personal Information’ is any information which tells us something about a specific individual. The information does not need to name the individual, as long as they are identifiable in other ways, like through their home address. Personal information includes, but is not limited to, health information as defined above.

‘Privacy Breach’ is an event where personal information is inappropriately disclosed, used, altered, lost, or accessed. Loss includes either the destruction of information or the temporary inability to access information.

‘Winsborough’ or ‘we’ refers to Winsborough.

‘Winsborough’s Privacy Officer’ is the person responsible for all privacy related matters across Winsborough on behalf of the leadership team, monitoring compliance, acting as the contact for the Office of the Privacy Commissioner for breach notification, complaints and other enquiries, and ensuring Winsborough complies with the provisions of the Privacy Act.

‘Winsborough Users’ are Directors, employees, associates and contractors of Winsborough, as well as any third parties who process personal information on behalf of Winsborough.



Winsborough considers the protection of privacy to be of utmost importance and this Privacy Policy (“Policy”) is an essential part of ensuring Winsborough promotes an individual’s confidence that their personal information is protected and will be treated properly.

Managing this information is important to Winsborough in building trust and confidence with individuals, as well as our clients when we process personal information on their behalf. It is also an essential element in maintaining compliance with the requirements of the Privacy Act and Health Information Privacy Code.

The purpose of this policy is to provide a privacy framework, including how Winsborough will collect, store, use, disclose and dispose of personal information (the “Information Privacy Principles”).



Winsborough complies with the New Zealand Privacy Act 2020, Health Information Privacy Code 2020, and any other privacy and data protection laws where applicable.

This policy applies to all Directors, employees, and contractors of Winsborough, as well as any third parties who process personal information on behalf of Winsborough (collectively known as “Winsborough Users”).

This policy covers all personal information regardless of whether it relates to:

  • Clients
  • Employees
  • Contractors
  • Associates
  • Members of the public.

Winsborough may collect personal information including but not limited to:

  • Contact information, including names, email addresses (work or private), phone and fax numbers, and postal addresses
  • Identification details, for example IRD, driver licence, passport, visa/work permit status, credit card and account details
  • Employment/human resource records and documentation
  • Information, including health information, in the course of providing services
  • Information pertinent to 360 reviews, in which case personal information will be collected about an individual by others
  • Information relating to the organisation of, invitation to and/or hosting of a conference, seminar or similar Winsborough event


Collecting Personal Information

We will only collect the minimum personal information necessary for business purposes. We will not collect information where it is not necessary. Any optional information is clearly highlighted, and individuals do not need to provide this information to utilise the service.

We will endeavour to collect personal information:

  • Directly from the individual it is about
  • In a way that is fair in the circumstances
  • In a way that does not intrude to an unreasonable extent on the personal affairs of the individual whose information is being collected.

We will take reasonable steps to inform individuals about what information we are collecting, why and key details about how we will treat it (in the form of a “Privacy Notice”) prior to most acts of collection if the reasons for collection sit outside of those covered in this Policy. The privacy notice will include the consequence for not providing the personal information and information about the individual’s rights to access and correct their personal information.

By engaging/continuing to engage with Winsborough having had the opportunity to read this Policy you are consenting to provide Winsborough with your personal information and for it to collect, use, hold, or retain said information in connection with the lawful purpose for which it was collected under the Privacy Act 2020.

Where we are processing information on behalf of a client, the client is responsible for determining the appropriateness of any collection, including the provision of a primary privacy notice.

Storage and Retention of Personal Information

Winsborough’s users must take all reasonable steps to protect personal information from loss, unauthorised access, modification, disclosure, or misuse.

We will store personal information for as long as it is required and will dispose of it when it is no longer needed, including in accordance with any relevant policy introduced or amended from time to time.

Access to Personal Information

Individuals have the right to access information about themselves. A request can come from a client, an employee, or any other individual. They do not need to cite that it is an access request for it to be an appropriate request. Any request for personal information must be notified to Winsborough’s Privacy Officer as soon as it is received. Winsborough’s Privacy Officer can guide the request and advise you on appropriate withholding grounds if they apply in accordance with the Privacy Act Access and Correction Request Process.

As a general principle, unless there are valid reasons why we would not disclose that information in accordance with the Privacy Act 2020, we will provide access to personal information we hold about any individual if they request that information.

Where we are processing personal information on behalf of a client, we must direct the request to that client so they can determine how they will respond.

All employee personal information requests should also be notified to privacy@winsborough.co.nz. If you want to access your own personal information you should make the request to your manager.

All requests for access must normally be responded to within 20 working days unless they are extended by Winsborough’s Privacy Officer.

Correction of Personal Information

Individuals also have the right to correct personal information about themselves. These requests can be of simple facts (for example, an address) or more complex issues (such as a file note saying a client was aggressive). In any instance we need to consider the request to correct the information and take appropriate action.

If we do not agree that the information is incorrect, we do not need to correct it, but we must clearly note the individual’s view that the information is incorrect prominently next to the contentious information.

Where we are processing personal information on behalf of a client, we must direct the request to that client so they can determine how they will respond.

All correction requests must be made in accordance with the Privacy Act Access and Correction Request Process.

Use and Disclosure of Personal Information

We will not use personal information without first considering whether it is reasonably accurate, up-to-date, and complete.

We will only use personal information where it is lawful to do so. Primarily this will be where we are using personal information for the reason it was initially collected, including processing it in accordance with a client agreement.

We will not use an individual’s personal information for training or for system testing purposes.

We will not disclose personal information unless we have a reasonable basis for believing doing so is lawful. This will usually be where the disclosure is for the purpose the information was collected or because it is authorised by the individual. Other exceptions apply and if you are uncertain, you should discuss these with Winsborough’s Privacy Officer.

We will not disclose personal information overseas unless it is protected by equivalent safeguards to those in New Zealand. For guidance on any overseas disclosure of personal information you should consult with Winsborough’s Privacy Officer.

Winsborough may collect and use personal information in connection with, but not limited to, all of the following lawful purposes:

  • Creating, modifying, or maintaining any Winsborough product or service
  • Developing relationships with clients, sending clients information about specialist products or services, or receiving inquisitorial requests from clients toward Winsborough products or services
  • Seeking feedback on Winsborough products or services
  • Obtaining and maintaining proper employment records in order to comply with legislative requirements and for Winsborough’s own lawful use, such as wage, time, leave and health and safety records


We have clear, consistent processes for reporting, managing, and escalating privacy incidents. For any suspected privacy breach, we immediately follow the Privacy Breach Process.

A privacy breach is when personal information is either inappropriately disclosed, altered, lost, or accessed. Loss includes either the destruction of information or the temporary inability to access information.

Winsborough people must report any suspected privacy breach to the Privacy Officer. Winsborough’s Privacy Officer will confirm whether there has been a privacy breach, and if they believe it may have caused or could cause serious harm.

All privacy breaches or suspected privacy breaches must be recorded in a central privacy breach log.



Where we contract with a third party to outsource the processing of personal information, Winsborough will take appropriate steps to ensure that the personal information is protected by equivalent safeguards to when it is managed by us.

Agreements will require the contracted party to meet our privacy requirements, for example:

  • Notify us of any privacy breach
  • Notify us of any Privacy Act access or correction requests
  • Maintain appropriate security safeguards
  • Only retain information for a specified period
  • Not sub-contract the processing to a lower standard than is agreed in the contract.

The Third-Party Assessment Policy details how we assess and manage third parties from a privacy perspective.



Where Winsborough holds or processes personal information on behalf of its clients, we must ensure that personal information is processed and protected in accordance with the client’s agreement.

Clients are responsible for notifying the Office of the Privacy Commissioner and individuals affected if a privacy breach is ‘notifiable’ and for responding to an individual’s Privacy Act access or correction request. It is vital we inform clients as soon as practically possible of breaches, individuals’ requests, or other privacy related matters.

All client agreements should include the following privacy requirements at minimum:

  • Notifying the client of any privacy breaches
  • Transfer of Privacy Act access or correction requests
  • Maintain appropriate security safeguards
  • Only retain information for a specified period, which can be purpose based rather than duration based.

The Privacy Officer is responsible for communicating privacy related matters to clients unless otherwise agreed or stated in the client agreement.



When Winsborough people become aware of a complaint about privacy or the management of personal information they must immediately notify Winsborough’s Privacy Officer.



If Winsborough is considering a new process, policy, product, service, or system that changes how we collect, use, store, disclose or dispose of personal information we will consider the privacy impacts and associated risks.

To initiate this, the relevant team member should contact Winsborough’s Privacy Officer outlining the proposal and any anticipated risks. Winsborough’s Privacy Officer may ask that you undertake a Privacy Impact Assessment.

If a Privacy Impact Assessment is required, it must be signed off by the relevant business owner and Winsborough’s Privacy Officer before the process, policy or system is brought into effect.



We ensure all employees and contractors undertake training at appropriate intervals on privacy risk areas specific to their business area, as well as broader privacy best practices.



We commit to retaining up to date privacy processes. Our business processes relating to the collection, access, correction, use, disclosure, storage and disposal of personal information will be regularly reviewed, at least annually.



The Board is committed to managing personal information by:

  • Setting clear expectations regarding privacy and protection of personal information, and communicating them to the leadership team
  • Holding the leadership team accountable for meeting those expectations
  • Ensuring that effective privacy risk management is fully embedded within Winsborough’s overall risk management activities
  • Employing high-quality monitoring and information management practices.

Winsborough’s Privacy Officer, on behalf of the leadership team, is accountable for:

  • Promoting privacy and proactively assessing and managing privacy risk within Winsborough
  • Monitoring compliance
  • Assisting with access and correction requests
  • Monitoring and advising on Privacy Impact Assessments
  • Being the point of contact for the Office of the Privacy Commissioner for breach notification, complaints, and other enquiries
  • Handling privacy breaches or any complaints raised about privacy
  • Ensuring that Winsborough complies with the provisions of the Privacy Act
  • Ensuring employees are aware of and recognise the importance of their role in privacy, and are compliant with the Privacy Policy and the Privacy Act
  • Ensuring new employee induction includes privacy training.

Winsborough Users have individual responsibility to:

  • Maintain best practice privacy behaviours
  • Report all privacy breaches and near misses to the Privacy Officer
  • Promote privacy at work
  • Comply with all privacy policies and guidelines
  • Actively participate in privacy training
  • Identify and report privacy risks. 


Our privacy policies and guidelines have been established to comply with the Privacy Act 2020. The monitoring and oversight of privacy follows a three lines of defence model to provide assurance that privacy risks are being managed effectively under different situations:

  • The first line of defence is formed by managers and employees responsible for identifying and managing risks as part of their duties.
  • The second line of defence is formed by privacy and internal governance policies, frameworks, tools, and techniques to embed privacy in our business.
  • The third line of defence is formed by internal and external audits ensuring that the first two lines of defence are operating effectively as well as identifying opportunities for improvement.

Non-compliance with the terms of this policy by employees may result in disciplinary action up to and including dismissal.



Any privacy related concerns or requests for information should be directed to Winsborough’s Privacy Officer at privacy@winsborough.co.nz


This Privacy Policy has been approved by the Board of Directors of Winsborough on 23 February 2023.



Privacy Officer
Email: privacy@winsborough.co.nz
Telephone: 0800 222 061

Level 3, The Formery
87 Albert Street,

PO BOX 106-112
Auckland 1010