Keeping information safe and private
Created: July 30, 2013 at 10:28 AM | Updated: March 8, 2022 | By Community Resource Kit
Protecting private information about people is just as important as safeguarding other important business data. This includes contact details, employment agreements, personnel records, and payment information.
Some information, like client records and personal staff files should not be accessible to everybody in the organisation. You can only collect personal information that is needed for business purposes, and you must not let it be leaked or misused — even accidentally. It also means doing whatever you reasonably can to protect any paper files or documents. How you safeguard personal information depends on the sorts of information you collect. The more sensitive the information, the more measures you will need to take to protect it.
Privacy Acts 1993 and 2020
The Privacy Act 1993 (and associated principles) governed the way organisations need to keep information private. It also gave a guide to sharing information with others. The Act was based on 12 privacy principles. These set out broad rules (together with limited exceptions) relating to the collection, storage, security, accuracy, use and disclosure of personal information, as well as an individual's rights to access and correct personal information.
The Privacy Act applies only to personal information about an identifiable individual. It does not apply to information about organisations, companies or other bodies. See more at https://privacy.org.nz.
Agencies - that is almost everyone holding personal information about others - have to comply with the Privacy Act. The Act's information privacy principles model the way in which good organisations handle personal information.
The new Privacy Act 2020 came into force on 1 December 2020. Find out more about the 2020 Act here.
The 2020 Act addresses the protection of personal information in the digital age, enhancing the principles and protection of the 1993 Act.
New protections in the Privacy Act 2020 include:
- coverage of information sent overseas - overseas companies that collect information in New Zealand are required to comply with NZ Privacy Laws.
- new rules covering disclosure of privacy breaches - people affected by breaches and the Privacy Commissioner must be notified.
- the Privacy Commissioner now has greater powers to:
- order an organisation to give a person their personal information and
- issue a compliance notice if an organisation fails to comply with the Privacy Act.
Information Privacy Principles
The following principles from the Privacy Act 1993 describe the key issues around privacy for organisations:
- Only collect personal information if you really need it.
- Get it straight from the people concerned where possible.
- Tell them what you're going to do with it.
- Collect it legally and fairly.
- Take care of it once you've got it.
- People can see their personal information if they want to.
- They can correct it if it's wrong.
- Make sure personal information is correct before you use it.
- Get rid of it when you're done with it.
- Use it for the purpose you got it.
- Only disclose it if you have a good reason.
- Only assign unique identifiers where permitted.
Some of these privacy principles have been updated in the 2020 Act:
- if unique IDs/customer numbers are used, the organisation must protect this information.
- the collection of information from young people must be 'fair and reasonable'.
Together, these principles form a 'life-cycle' for personal information.
Organisations must first decide what information they need, and where and how they are going to get it. They then need to ensure they hold the information with appropriate protections and that they comply with any access or correction requests they receive.
Finally, personal information should be used and disclosed with care and kept securely, and in line with the purposes for which the information was collected.
Source: Privacy Commissioner - https://privacy.org.nz/privacy-for-agencies/your-obligations/
The Privacy Commission's website includes a number of tools to help your organisation meet its legal requirements and identify potential risks of collecting, using and handling personal information.
You can undertake a privacy impact assessment (PIA), particularly useful when you are looking at new proposals or systems or system changes. Read more here: Privacy Impact Assessment Toolkit - https://privacy.org.nz/news-and-publications/guidance-resources/privacy-impact-assessment/
Find more information here: https://privacy.org.nz/privacy-for-agencies/privacy-resources-for-agencies/
The basics you need to think about are:
- the purpose
- what responsibilities you have when you are handling personal information
- how you will collect personal information fairly
- can you justify your use of personal information?
- how long will you keep personal information for?
- how will you dispose of personal information appropriately?
Technology and digital guidance
Organisations are responsible for a considerable amount of digital information, and therefore need to design, recommend or install systems which manage personal information in a privacy protective way.
You can find guidance on privacy obligations around technical developments on the Privacy Commissioner's website, including:
- app development - describing your obligations when gathering personal information through mobile apps, in particular the following key points:
- Integrating privacy starts on day one - make a plan and spot the risks.
- Be open and transparent about your privacy practices - when a user makes decisions - to download your app, update it, or share personal information - be there with the right information.
- Collect and keep only what your app needs to function, and secure it - "Nice to know" doesn't mean "need to know".
- Obtain meaningful consent despite the small screen challenge - spend time working out how to make privacy understandable with the tools you have.
- Timing of user notice and consent is critical - providing information in real time is as important as being up front in advance.
- how to deal with a data breach. The four key steps in dealing with a data breach are:
- Contain the breach and make a first assessment
- Evaluate the risks
- Notify affected people if necessary, along with the Privacy Commissioner
- Prevent a repeat
- using the cloud - evaluate your needs and work out which cloud services will work for you, considering your risk level and responsibilities. You are still responsible for any information you put in the cloud. See this article about cloud computing.
- use of data and analytics - Stats NZ and the Privacy Commissioner have jointly developed six key principles (pdf version here) to support safe and effective data analytics:
- deliver clear public benefit
- ensure data is fit for purpose
- focus on people
- maintain transparency
- understand the limitations and
- retain human oversight
Information privacy checklist
To ensure privacy of information:
- have a procedure that identifies records that are sensitive and make sure authorised staff know they are sensitive
- have a clear desk policy for sensitive records put records away promptly
- be aware of physical security and lock records away when not in use
- take care when disposing of confidential records they should be shredded or disposed of securely (an option for larger organisations)
- develop a confidentiality policy
- do not leave records where an unauthorised person can read them or steal them
- keep records in their covers, folders or boxes
- do not take records home
- make a note of who took them if records are taken from where they are normally kept, including, when they were taken, and when returned
- protect sensitive computer-based information with passwords, and
- do not keep personal information longer than required either by law or for the purpose for which it was obtained.
Non-digital information and records are vulnerable from slow destruction and from disaster. It's important to take active steps to protect your records from risk.
Avoiding gradual destruction
Some sources of damage are slow-acting or infrequent, but can still make information unusable. They include heat, humidity, light, computer security threats (viruses, malware, etc.) vermin (insects and rodents), damp and mould (which can adversely affect paper, disks, photos, slides and videos).
You can reduce these risks by keeping records in folders, covers or boxes in clean, dry surroundings. Keep them off the floor, and away from:
- cleaning supplies and other chemicals
- heaters and open flames
- water, heating and sewerage pipes.
- have fire extinguishers, smoke detectors and/or a sprinkler system in the records area
- keep your computer safe and your information secure - always back-up your data. Secure cloud storage is a cost-effective way of securing your data.
- keep records in secure storage in a safe if necessary.
Protecting against disaster
Some damage happens suddenly and unexpectedly. Examples include fire, flood, storm, earthquake, explosion, computer crash and power failure. Your group should have a disaster recovery plan for records.
Disaster protection checklist
You can help protect your records from being damaged in a disaster by:
- duplicating information and keeping hard copies
- by having backups of your computer records
- keeping important originals (e.g. leases, bonds etc.) at the bank, with the lawyer, or in a fireproof safe
- keeping copies of important records away from your office (e.g. creditor lists, insurance documentation etc)
- knowing where to find experts who can help in the event of disaster. There are experts in this field, called conservators, and most computer firms have expertise in recovering computer records.
Previous page: Organising your filing system
Next topic: Introduction to raising funds
Contents of the Community Resource Kit