Openness and transparency are important to us. The Privacy Act 2020 requires us to tell you certain things about the personal information we need to carry out our functions. This is where we explain our privacy practices and why you can trust us to handle your information.
In this Privacy Statement we explain what personal information we collect and how we use or share it. We also explain about the way we store and protect personal information and your rights to access and correct it.
In short, here are a few key privacy messages to note:
- We only collect personal information where this is necessary to carry out our functions
- We may collect personal information about you either directly from you or from other people or agencies, and we may generate personal information about you when we carry out our functions
- We store some of our data (including your personal information) on secure Microsoft Azure, Amazon Web Services (AWS) cloud platforms, in secure data centres, and on secure servers in our premises. We protect our data with all reasonable technical and process controls
- You can ask us for a copy of your personal information at any time. We will be as open as we can with you but must also ensure we meet our confidentiality obligations we have with other people
- We will only use and share personal information where necessary to carry out the functions for which we collected it, or if required by law.
If you cannot find the information you need, or you have concerns about the way we are managing your personal information, then please contact us at any time.
We may update this privacy statement from time to time, for example to reflect changes to the Privacy Act, so feel free to check in again occasionally to see what might have changed. This statement was last updated in December 2020
Storage and security
We use third party providers to store and process our data.
We store most of the personal information we collect and generate electronically on secure servers in data centres in New Zealand, in our premises and in Microsoft Azure and AWS cloud servers located in overseas jurisdictions these arrangements offer comparable privacy protections to New Zealand through local legislation and/or our contractual arrangements. This means that the personal information we hold may be transferred to, or accessed from, countries other than New Zealand.
We retain personal information in compliance with the requirements of the Public Records Act 2005.
We take all reasonable steps to ensure the personal information we collect is protected against loss, unauthorised access and disclosure or any other misuse, including meeting the requirements prescribed by the New Zealand government for the secure handling, storage and disposal of any protectively marked or security classified information.
We ensure that our third party data processors can meet our privacy and security requirements by undertaking Privacy Impact Assessments on systems where personal information may be collected, used or stored. We are satisfied, for example, that Microsoft has adequate security and privacy safeguards in place to protect information it holds on our behalf.