Created: July 30, 2013 at 10:28 AM | Updated: September 1, 2020 | By Community Resource Kit
Non-digital information and records are vulnerable to slow destruction and to disaster. It's important to take active steps to protect your records from risk.
Some sources of damage are slow-acting or infrequent, but can still make information unusable. They include heat, humidity, light, computer security threats (viruses, malware, etc.), vermin (insects and rodents), damp and mould (which can adversely affect paper, disks, photos, slides and videos).
You can reduce these risks by keeping records in folders, covers or boxes in clean, dry surroundings. Keep them off the floor, and away from:
Some damage happens suddenly and unexpectedly. Examples include fire, flood, storm, earthquake, explosion, computer crash and power failure. Your group should have a disaster recovery plan for records.
You can help protect your records from being damaged in a disaster by:
Protecting private information about people is just as important as safeguarding other important business data. This includes contact details, employment agreements, personnel records, and payment information.
Some information, like client records and personal staff files, should not be accessible to everybody in the organisation. You can only collect personal information that is needed for business purposes, and you must not let it be leaked or misused, even accidentally. This also means doing whatever you reasonably can to protect any paper files or documents. How you safeguard personal information depends on the sorts of information you collect. The more sensitive the information, the more measures you will need to take to protect it.
The Privacy Act 1993 (and associated principles) governs the way organisations need to keep information private. It also gives a guide to sharing information with others. The Act is based on 12 privacy principles. These set out broad rules (together with limited exceptions) relating to the collection, storage, security, accuracy, use and disclosure of personal information, as well as an individual's rights to access and correct personal information.
The Privacy Act applies only to personal information about an identifiable individual. It does not apply to information about organisations, companies or other bodies. See more at https://privacy.org.nz.
Agencies - that is almost everyone holding personal information about others - have to comply with the Privacy Act. The Act's 12 information privacy principles model the way in which good organisations handle personal information.
The new Privacy Act 2020 will come into force on 1 December 2020. Find out more about the new Act here.
The following principles describe the key issues around privacy for organisations:
Together, these principles form a 'life-cycle' for personal information.
Organisations must first decide what information they need, and where and how they are going to get it. They then need to ensure they hold the information with appropriate protections and that they comply with any access or correction requests they receive.
Finally, personal information should be used and disclosed with care and kept securely, and in line with the purposes for which the information was collected.
Source: Privacy Commissioner - https://privacy.org.nz/privacy-for-agencies/your-obligations/
The Privacy Commission's website includes a number of tools to help your organisation meet its legal requirements and identify potential risks of collecting, using and handling personal information.
You can undertake a privacy impact assessment (PIA), which is particularly useful when you are looking at new proposals, new systems or system changes. Read more here: Privacy Impact Assessment Toolkit - https://privacy.org.nz/news-and-publications/guidance-resources/privacy-impact-assessment/
Another easy assessment can be found here: https://privacy.org.nz/privacy-for-agencies/getting-started/
The basics you need to think about are:
Organisations are responsible for a considerable amount of digital information, and therefore need to design, recommend or install systems which manage personal information in a privacy protective way.
You can find guidance on privacy obligations around technical developments on the Privacy Commissioner's website, including:
To ensure privacy of information: