The Association regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal with, to this end, the Association will adhere to the Principles of Data Protection, as detailed in the Privacy Act 1993.
The Association will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.
Data may only be collected for a lawful purpose connected with, and necessary for, a function or activity of the Association.
Where data is collected it must be collected directly from the individual concerned unless the information is publicly available or for another reason authorised by the Privacy Act 1993.
The person providing their personal information to the Association will be advised about the purpose for collection and how the information will be used, who the information will be disclosed to and held by, their right to access their personal information and to ask to have that information corrected, and the consequences of not providing the information. The Association will publish a privacy statement which makes this disclosure on its website, at any ticket sales venue, on any survey forms or competition entry forms where data may be collected.
When collecting data, the Association will ensure that the Individual/Service User:
- a) Clearly understands why the information is needed
- b) Understands what it will be used for and what the consequences are should the Individual/Service User decide not to give consent to processing
- c) As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed
- d) Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress
- e) Has received sufficient information on why their data is needed and how it will be used
Information and records relating to service users will be stored securely and will only be accessible to authorised staff and volunteers and will be protected by appropriate security measures. Those security measures include limits on access to electronic databases where personal information is stored and “password protection” where appropriate.
Information will be stored for only as long as it is needed or required and will be disposed of securely by the Association.
It is the Association’s responsibility to ensure all personal, association and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party or otherwise disposed of.
Use and Disclosure of Personal Information
Personal information will only be used by the Association for the purposes for which is was collected and before using personal information the Association will take steps to ensure that the information is accurate, up to date and complete.
The Association may share data with other agencies such as the local authority, funding bodies, show partners and other voluntary agencies and this purpose will be disclosed to the individual concerned at the time of providing the personal information.
The Individual/Service User will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows the Association to disclose data (including sensitive data) without the data subject’s consent.
- to avoid prejudicing the maintenance of the law;
- for the conduct of proceedings before a court or tribunal; or
- to protect the public health, public safety, or the life or health of a person.
Other than as set out above, personal information will not be used for a purpose other than one for which it collected or disclosed to anyone other than the person to whom the information relates, unless the Association is required to do so by law or if the information is in a form in which the individual it relates to is not identified.
Data access and accuracy
All Individuals/Service Users have the right to access the information the Association holds about them except on limited grounds set out in the Privacy Act (including where disclosure would prejudice the maintenance s of the law, where the information is evaluative and was provided in confidence, and where disclosure would lead to the unwarranted disclosure of the affairs of another person or endanger the safety of any individual). The Association will also take reasonable steps ensure that this information is kept up to date by asking data subjects whether there have been any changes.
If a person believes their personal information is inaccurate then they may request that the material be corrected by the Association. If a decision is made not to correct the information, then the person’s requirements must be attached to all available copies of the information.
Where the Association receives a request for access to or correction of personal information it will be referred to the Privacy Officer and the Association will endeavour to respond to such requests as soon as possible, and within the 20 working days required by the Privacy Act. The requester will be advised of any extension of time required to respond to the request.
Once a request has been considered, the requester will be advised of any information is to be withheld and provid the reasons for withholding any information.
Action where there is a Potential Privacy Breach
Inadvertent privacy breaches may happen despite good processes.
Where a potential breach is identified it is important to act quickly and openly. As soon as a breach is detected, Association staff and volunteers are required to advise the Privacy Officer. The Privacy Officer will work with staff to address any privacy concerns, following the Privacy Commissioner’s guidelines for dealing with privacy breaches.
Training, Supervision and Procedures
In addition, the Association will ensure that:
- It has a Privacy Officer (as per Section 23 of the Privacy Act) with specific responsibility for ensuring compliance with Data Protection
- Everyone processing personal information understands that they are contractually responsible for following good data protection practice
- Everyone processing personal information is appropriately trained to do so
- Everyone processing personal information is appropriately supervised
- Anybody wanting to make enquiries about handling personal information knows what to do
- It deals promptly and courteously with any enquiries about handling personal information
- It describes clearly how it handles personal information
- It will regularly review and audit the ways it holds, manages, and uses personal information
- It regularly assesses and evaluates its methods and performance in relation to handling personal information
- All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them
The Show Association databases have value to us. They are collected either directly (i.e. surveys or newsletter sign-up), or indirectly (by contractor(s) i.e. for the school day out programme on our behalf). While the information in some cases is publicly available (i.e. the list of schools in the area) the collation of this information, the recording of contacts, and the rapport that is developed is highly valuable to our organisation.
Where the information is publicly available, the sharing of the full database is restricted only to those who are looking to support the Waikato A&P Show. The sharing of the full database may require an exchange in agreed value, either by contra or monetary items.
Where the information is not publicly available (i.e. best contact person, notes, and personal information that is gathered through the relationships) the full database is NOT to be shared. However, an introduction email to both parties is acceptable, or sharing of a person’s contact information allowed only when prior consent has been obtained.
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Privacy Act 1993.
In case of any queries or questions in relation to this policy, please contact The Waikato Agricultural & Pastoral Association Privacy Officer: firstname.lastname@example.org
Glossary of Terms
Data Controller – The person who (either alone or with others) decides what personal information the Waikato Agricultural & Pastoral Association will hold and how it will be held or used.
Data Protection Law in the Privacy Act 1993 – The NZ legislation that provides a framework for responsible behaviour by those using personal information.
Privacy Officer – The person(s) responsible within the organisation that ensure the Waikato Agricultural & Pastoral Association follows its data protection policy and complies with the Data Protection Law in the Privacy Act 1993.
Individual/Service User – The person/s or organisation whose personal information is being held or processed by the Waikato Agricultural & Pastoral Association for example: a client/customer, an employee or supporter, or stakeholder/partner.
Explicit consent – is a freely given, specific and informed agreement by an Individual/Service User in the processing of personal information about her/him. Explicit consent is needed for processing sensitive data.
Privacy Commissioner – The NZ Privacy Commissioner responsible for implementing and overseeing the Data Protection Law in the Privacy Act 1993.
Processing – means collecting, amending, handling, storing or disclosing personal information.
Personal Information – Information about living individuals that enables them to be identified – e.g. name and address. It does not apply to information about organisations, companies and agencies but applies to named persons, such as individual volunteers or employees within The Waikato Winter Show Association.
Sensitive data – refers to data about:
- Racial or ethnic origin
- Political affiliations
- Religion or similar beliefs
- Trade union membership
- Physical or mental health
- Criminal record or proceedings