Privacy Policy

Pūtake | Purpose

  • The purpose of this policy is to ensure Toi Ohomai Institute of Technology (Toi Ohomai) complies fully with its obligations under the Privacy Act 2020 (the Act), including any applicable codes of practice issued by the Privacy Commissioner under the Act.
     
  • The purpose of the Act is to promote and protect individual privacy by:
    • providing a framework for protecting an individual’s right to privacy of personal information, including the right of an individual to access their personal information, while recognising that other rights and interests may at times also need to be taken into account; and
    • giving effect to internationally recognised privacy obligations and standards in relation to the privacy of personal information.
  • This policy should be read in conjunction with the Toi Ohomai Privacy Procedure.

Mō Wai Me Te Whānuitanga | Scope

This policy applies to:

  • all employees of Toi Ohomai, including contracted staff and consultants providing services for Toi Ohomai, and those on fixed-term contracts (collectively referred to as kaimahi in this policy); and
  • where appropriate, Governance, which extends to all those operating at a governance level, including Council members and members of Council committees.

Ngā Mātāpono | Policy Principles

  • All Kaimahi and governance must ensure that, when using or dealing with personal information relating to any individual, they comply fully with the Act, including the Information Privacy Principles within the Act (and as also referred to within the Appendix to this policy) and any applicable codes of practice issued by the Privacy Commissioner under the Act. Where Personal Information is being received or collected from outside of New Zealand, it should also be considered whether other privacy/data protection regimes.
  • Kaimahi who are responsible for contractors or consultants working for, or on behalf of, Toi Ohomai must ensure that the contractors or consultants understand and comply with their obligations under the Act and the requirements of this policy.
  • The Privacy Officer is the primary person responsible for engaging with the Privacy Commissioner in relation to privacy matters. This includes responding to compliance notices, cooperating with investigations or complaint proceedings and submitting a notice of any Notifiable Privacy Breach.
  • The Chief Executive or delegate will ensure that at all times Toi Ohomai has a duly appointed Privacy Officer. These roles will be the first point of contact for any questions and complaints in relation to privacy issues occurring within their respective areas of accountability. 
  • The Privacy Procedures contain procedural information, and the Data Breach Response Plan contains processes to be followed in the event of a data breach.

Ngā Haepapa | Responsibilities

Role Responsibilities 
Chief Executive or delegate
  • Ensures Toi Ohomai appoints a Privacy Officer.
Toi Ohomai Executive Leadership Team
  • Ensures procedures that support the operation of this policy within Toi Ohomai are reviewed periodically, remain fit for purpose and are compliant with legislation.
Privacy Officer
  • Ensures that personal information held by Toi Ohomai is held in accordance with the Act.
  • Encourages Toi Ohomai Kaimahi to comply with the Information Privacy Principles set out in the Act.
  • Ensures all within Toi Ohomai comply with this policy and the Act.
  • Deals with requests made to Toi Ohomai under the Act with assistance from the teams that hold the relevant personal information.
  • Acts as the point of contact for Toi Ohomai as a whole with the Privacy Commissioner, including responding to compliance notices and cooperating with investigations or complaint proceedings.
  • Upon being notified of a privacy breach, complies with the Data Breach Response Plan to determine whether or not the breach is a Notifiable Privacy Breach and, if so, notifies the Privacy Commissioner and any affected parties.
  • Engages with Privacy Leads when notified of high-risk privacy matters.
  • Ensures details of the Privacy Officer remain up to date on the Toi Ohomai website and Te Aka.
Toi Ohomai Kaimahi
  • Comply with this policy.
  • Promptly report any privacy breaches to the Privacy Officer in accordance with this policy.
  • Assist with requests made to Toi Ohomai under the Act, where required.
  • Promptly forward any compliance notices or other correspondence received from the Privacy Commissioner to the Privacy Officer.
  • If responsible for engaging contractors or consultants, ensure contractors and consultants understand their obligations under the Act and undertake to comply with this policy.

Ngā Tikanga | Definitions 

  Definitions
Kaimahi

All employees of Toi Ohomai, including contracted staff, consultants and secondees providing services for Toi Ohomai, and those on fixed term contracts.

Notifiable Privacy Breach

In accordance with section 112 of the Act, a notifiable privacy breach means a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so (taking into account the factors set out in section 113 of the Act).

The factors set out in section 113 of the Act are:

  • any action taken by the agency to reduce the risk of harm following the breach
  • whether the personal information is sensitive in nature
  • the nature of the harm that may be caused to affected individuals
  • the person or body that has obtained or may obtain personal information as a result of the breach (if known)
  • whether the personal information is protected by a security measure
  • any other relevant matters.

Governance

All those operating at a governance level, including Council members and members of Council advisory committees.

Personal Information

In accordance with the Act, personal information means information about an identifiable individual and includes information relating to a death that is maintained by the Registrar-General under the Births, Deaths, Marriages, and Relationships Registration Act 1995 or any former Act.

Privacy Officer

One or more individuals appointed in accordance with section 201 of the Act.