NZBT Privacy Policy

  

New Zealand Business Tools Limited (NZBT) is committed to protecting your privacy in relation to your use of our products and services, and as such, fully complies with the New Zealand Privacy Act 2020. This Privacy Policy applies to our web site and governs all forms of personal information and related data collection and usage by us. Personal information is information or an opinion, that identifies an individual.

 

NZBT have adopted New Zealand’s Privacy Principles (NZPP’S) contained in the Privacy Act 2020. For ease of reference, the Principles are featured at the end of this Policy. NZBT ensures that all its staff members adhere to the NZPP’s to safeguard your Personal information.

 

NZBT have also adopted the EU General Data Protection Regulation (GDPR) guidelines covering data protection for all businesses transferring data to the European Union.

 

By using our website, or otherwise supplying your personal information to us, you consent to the data practices described in this Policy. This Privacy Policy also needs to be read in conjunction with our web site terms of use, as displayed on our website.

 

NZBT may review and update this Privacy Policy on occasion, (for example to reflect changes to the Privacy Act), any revision or update will be published on the NZBT web site.

 

This Policy does not seek to limit or exclude any of your rights as an individual under the Privacy Act 2020. If you wish to seek further information on the Act, see www.nzbt.co.nz/resources

 

 What is Personal Information and why do we collect it?

 

Personal information is information or an opinion that identifies an individual. Most of the Personal information that NZBT may collect about you, will be voluntarily provided by you, or your authorised representative, when you engage with us, to allow us to operate our wider operations and to deliver the products and services that you have requested.

 

Examples of Personal Information we collect may include;

 

  • Your name (including that of your authorised representative, if applicable),
  • Your contact details, including your addresses, email addresses, phone and facsimile numbers.
  • Content of a sensitive financial nature (primarily only in a Debt Recovery scenario).
  • Bank details or Credit Card information relating to the payment of services.
  • Publicly available information relating to you.
  • Any documents or other information that you provide to us as part of our provision of services.

 

This Personal Information can be captured in many ways including (interviews, correspondence, by telephone, by email, via our website www.nzbt.co.nz, from your website, from media and publications, from other publicly available sources, from cookies, and from third parties.

 

Disclosure of Personal Information

 

NZBT will only disclose your information as authorised by you, as required by law or where required for us to provide our services. NZBT will not, sell, rent or lease any client list or information to third parties.

 

Security of Personal Information

 

Your Personal Information is stored in a manner that reasonably protects it from misuse and loss from unauthorised access, modification or disclosure.

 

NZBT may hold your Personal Information in either an electronic or hard copy form.

 

Personal information collected in hard copy form may be subsequently converted to electronic form. Hard copy information that remains as such, will be securely stored at NZBT’s premises.

 

Personal information held or provided to us in electronic form is held on servers controlled by third parties under contractual arrangements with NZBT. NZBT uses physical security, password protection and other measures that ensure that Personal Information stored in electronic form is protected from misuse, interference and loss: and from unauthorised access, modification and disclosure. However, it is not possible for any organisation (including ours), to state that 100% security can be guaranteed.

 

Retention of Personal Information

 

When your Personal Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify your Personal Information. However, most of the Personal Information is or will be stored in client files (electronic or hard copy) which will be securely retained by us for a minimum of 7 years.

 

Access to your Personal Information

 

You have the right to request a copy of the Personal Information we hold about you and to update and/or correct it, subject to certain exceptions, if you think it is incorrect.

 

If you wish to access your Personal Information, please contact us in writing. NZBT will process your request as soon as possible, no later than 20 working days after we receive your request. New Zealand Business Tools will not charge any fee for your access request but may charge an administrative fee for providing a copy of your Personal Information.

 

In respect of a request for correction, if we think the correction is reasonable, justified and we are reasonably able to amend the Personal Information, we will make the correction.

 

In order to protect your Personal Information, we may require identification from you before releasing the requested information.

 

 Third Parties

 

Where reasonable and practicable to do so, we will collect your personal information only from you. However, in some circumstances we may be provided with information by third parties. In such a case we will take reasonable steps to ensure that you are made aware of the information provided to us by the third party.

 

Maintaining the Quality of your Personal Information

 

It is important to us that your Personal Information is up to date. We will take reasonable steps to make sure that your Personal Information is accurate, and complete, this may involve us contacting you directly.

 

Use of Cookies

 

The NZBT web site uses cookies. A cookie is a small element of data that our web site may send to your computer. A cookie is typically stored on your computer’s hard drive and permits our web site to recognise you when you return, to our web site. Our use of cookies helps us to provide you with a better experience during your use of our web site by allowing us to understand what areas of the site are of interest to you. You may configure your web browser to not accept cookies, although you may experience a loss of functionality as a result of this action.

 

Role of the Privacy Officer

 

NZBT have adhered to recommended guidelines from the Privacy Commissioner, and as such have appointed an internal Privacy Officer. As part of their role, the NZBT Privacy Officer needs to ensure that NZBT’s (the business) internal policies and procedures are fully compliant with requirements under the Privacy Act 2020, NZPP and GDPR. The NZBT Privacy Officer must ensure that all NZBT staff and associated contractors understand their commitments under the Privacy Act, NZPP’s and the GDPR.

 

The NZBT Privacy officer is the focal point for all privacy matters relating to NZBT business. This contact may be from NZBT Clients, NZBT staff or associated contractors, or the Privacy Commission / Commissioner.

 

The NZBT Privacy Officer is also responsible for ensuring this Privacy Policy is reviewed regularly and maintains NZBT’s compliance to the most up-to-date version of the Privacy Act, NZPP’s and the GDPR.

 

Privacy Policy Complaints and Enquiries

 

NZBT want to know if you have any concerns about our privacy practices, whether these relate to the way we collect or share information about you or our decision on your access request. If you do have any concerns at all, please contact our Privacy Officer and they will endeavour to resolve any issues. The NZBT Privacy Officer’s contact details are recorded below.

 

Privacy Officer

 Joseph Clapp

 Landline:   03 390 9090

 Email:        privacy@nzbt.co.nz     

 

 

 

Privacy Principles

 

Principle 1

 

Purpose of collection of personal information

 

(1) Personal information must not be collected by an agency unless—

 

(a) the information is collected for a lawful purpose connected with a function or an activity of the agency; and

 

(b) the collection of the information is necessary for that purpose.

 

(2) If the lawful purpose for which personal information about an individual is collected does not require the collection of an individual’s identifying information, the agency may not require the individual’s identifying information.

 

 

 

Principle 2

 

Source of personal information

 

(1) If an agency collects personal information, the information must be collected from the individual concerned.

 

(2) It is not necessary for an agency to comply with subclause (1) if the agency believes, on reasonable grounds,—

 

(a) that non-compliance would not prejudice the interests of the individual concerned; or

 

(b) that compliance would prejudice the purposes of the collection; or

 

(c) that the individual concerned authorises collection of the information from someone else; or

 

(d) that the information is publicly available information; or

 

(e) that non-compliance is necessary—

 

(i) to avoid prejudice to the maintenance of the law by any public sector agency, including prejudice to the prevention,
detection, investigation, prosecution, and punishment of offences; or

 

(ii) for the enforcement of a law that imposes a pecuniary penalty; or

 

(iii) for the protection of public revenue; or

 

(iv) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or

 

(v) to prevent or lessen a serious threat to the life or health of the individual concerned or any other individual; or

 

(f) that compliance is not reasonably practicable in the circumstances of the particular case; or

 

(g) that the information—

 

(i) will not be used in a form in which the individual con- cerned is identified; or

 

(ii) will be used for statistical or research purposes and will not be published in a form that could reasonably be expec- ted to identify the individual concerned.

 

 

 

     

     Principle 3

     

    Collection of information from subject

     

    (1) If an agency collects personal information from the individual concerned, the agency must take any steps that are, in the circumstances, reasonable to ensure that the individual concerned is aware of—

     

    (a) the fact that the information is being collected; and

     

    (b) the purpose for which the information is being collected; and

     

    (c) the intended recipients of the information; and

     

    (d) the name and address of—

     

    (i) the agency that is collecting the information; and

     

    (ii) the agency that will hold the information; and

     

    (e) if the collection of the information is authorised or required by or under law,—

     

    (i) the particular law by or under which the collection of the information is authorised or required; and

     

    (ii) whether the supply of the information by that individual is voluntary or mandatory; and

     

    (f) the consequences (if any) for that individual if all or any part of the requested information is not provided; and

     

    (g) the rights of access to, and correction of, information provided by the IPPs.

    (2) The steps referred to in subclause (1) must be taken before the information is collected or, if that is not practicable, as soon as practicable after the information is collected.

     

    (3) An agency is not required to take the steps referred to in subclause (1) in relation to the collection of information from an individual if the agency has taken those steps on a recent previous occasion in relation to the collection, from that individual, of the same information or informa- tion of the same kind.

     

    (4) It is not necessary for an agency to comply with subclause (1) if the agency believes, on reasonable grounds,—

     

    (a) that non-compliance would not prejudice the interests of the individual concerned; or

     

    (b) that non-compliance is necessary—

     

    (i) to avoid prejudice to the maintenance of the law by any public sector agency, including prejudice to the prevention, detection, investigation, prosecution, and punishment of offences; or

     

    (ii) for the enforcement of a law that imposes a pecuniary penalty; or

     

    (iii) for the protection of public revenue; or

     

    (iv) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or

     

    (c) that compliance would prejudice the purposes of the collection; or

     

    (d) that compliance is not reasonably practicable in the circum- stances of the particular case; or

     

    (e) that the information—

     

    (i) will not be used in a form in which the individual concerned is identified; or

     

    (ii) will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.

     

     

     

     

     

    Principle 4

     

    Manner of collection of personal information

     

    (a) by a lawful means; and

     

    (b) by a means that, in the circumstances of the case (particularly in circum- stances where personal information is being collected from children or young persons),—

    (i) is fair; and

     

    (ii) does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

     

     

     

     

    Principle 5

     

    Storage and security of personal information

     

    An agency that holds personal information must ensure—

    (a) that the information is protected, by such security safeguards as are reasonable in the circumstances to take, against—

    (i) loss; and

    (ii) access, use, modification, or disclosure that is not authorised by the agency; and

    (iii) other misuse; and

    (b) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.

     

       

      Principle 6

       

      Access to personal information

      (1) An individual is entitled to receive from an agency upon request—

      (a) confirmation of whether the agency holds any personal informa- tion about them; and

      (b) access to their personal information.

      (2) If an individual concerned is given access to personal information, the individual must be advised that, under IPP 7, the individual may request the correction of that information.

      (3) This IPP is subject to the provisions of Part 4.

       

       

      Principle 7

       

      Correction of personal information.

      (1) An individual whose personal information is held by an agency is entitled to request the agency to correct the information.

      (2) An agency that holds personal information must, on request or on its own initiative, take such steps (if any) that are reasonable in the circumstances to ensure that, having regard to the purposes for which the information may lawfully be used, the information is accurate, up to date, complete, and not misleading.

      (3) When requesting the correction of personal information, or at any later time, an individual is entitled to—

      (a) provide the agency with a statement of the correction sought to the information (a statement of correction); and

      (b) request the agency to attach the statement of correction to the information if the agency does not make the correction sought.

      (4) If an agency that holds personal information is not willing to correct the information as requested and has been provided with a statement of correction, the agency must take such steps (if any) that are reasonable in the circumstances to ensure that the statement of correction is attached to the information in a manner that ensures that it will always be read with the information.

      (5) If an agency corrects personal information or attaches a statement of correction to personal information, that agency must, so far as is reasonably practicable, inform every other person to whom the agency has disclosed the information.

      (6) Subclauses (1) to (4) are subject to the provisions of Part 4.

       

         

        Principle 8

         

        Accuracy etc, of personal information to be checked before use

        An agency that holds personal information must not use or disclose that information without taking any steps that are, in the circumstances, reasonable to ensure that the information is accurate, up to date, complete, relevant, and not misleading.

         

         

         

        Principle 9

        Agency not to keep personal information for longer than neccesary

         

        An agency that holds personal information must not keep that information for longer than is required for the purposes for which the information may lawfully be used.

         

         

        Principle 10

         

        Limits on use of personal information

        (1) An agency that holds personal information that was obtained in connection with one purpose may not use the information for any other purpose unless the agency believes, on reasonable grounds,—

        (a) that the purpose for which the information is to be used is directly related to the purpose in connection with which the information was obtained; or

        (b) that the information—

        (i) is to be used in a form in which the individual concerned is not identified; or

        (ii) is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or

        (c) that the use of the information for that other purpose is authorised by the individual concerned; or

        (d) that the source of the information is a publicly available publication and that, in the circumstances of the case, it would not be unfair or unreasonable to use the information; or

        (e) that the use of the information for that other purpose is necessary—

        (i) to avoid prejudice to the maintenance of the law by any public sector agency, including prejudice to the prevention, detection, investigation, prosecution, and punishment of offences; or

        (ii) for the enforcement of a law that imposes a pecuniary penalty; or

        (iii) for the protection of public revenue; or

        (iv) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or

        (f) that the use of the information for that other purpose is necessary to prevent or lessen a serious threat to—

        (i) public health or public safety; or(ii) the life or health of the individual concerned or another individual.

        (2) In addition to the uses authorised by subclause (1), an intelligence and security agency that holds personal information that was obtained in connection with one purpose may use the information for any other purpose (a secondary purpose) if the agency believes on reasonable grounds that the use of the information for the secondary purpose is necessary to enable the agency to perform any of its functions.

         

           

          Principle 11

           

          Limits on disclosure of personal information

          (1) An agency that holds personal information must not disclose the information to any other agency or to any person unless the agency believes, on reasonable grounds,—

          (a) that the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained; or

          (b) that the disclosure is to the individual concerned; or

          (c) that the disclosure is authorised by the individual concerned; or

          (d) that the source of the information is a publicly available publication and that, in the circumstances of the case, it would not be unfair or unreasonable to disclose the information; or

          (e) that the disclosure of the information is necessary—

          (i) to avoid prejudice to the maintenance of the law by any public sector agency, including prejudice to the prevention, detection, investigation, prosecution, and punishment of offences; or

          (ii) for the enforcement of a law that imposes a pecuniary penalty; or

          (iii) for the protection of public revenue; or

          (iv) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or

          (f) that the disclosure of the information is necessary to prevent or lessen a serious threat to—

          (i) public health or public safety; or

          (ii) the life or health of the individual concerned or another individual; or

          (g) that the disclosure of the information is necessary to enable an intelligence and security agency to perform any of its functions; or

          (h) that the information—

          (i) is to be used in a form in which the individual concerned is not identified; or

          (ii)  is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or

          (i)    that the disclosure of the information is necessary to facilitate the sale or other disposition of a business as a going concern.

          (2) This IPP is subject to IPP 12.

           

           

          Principle 12

           

          Disclosure of personal information outside New Zealand

          (1) An agency (A) may disclose personal information to a foreign person or entity (B) in reliance on IPP 11(1)(a), (c), (e), (f), (h), or (i) only if—

          (a) the individual concerned authorises the disclosure to B after being expressly informed by A that B may not be required to protect the information in a way that, overall, provides comparable safeguards to those in this Act; or

          (b) B is carrying on business in New Zealand and, in relation to the information, A believes on reasonable grounds that B is subject to this Act; or

          (c) A believes on reasonable grounds that B is subject to privacy laws that, overall, provide comparable safeguards to those in this Act; or

          (d) A believes on reasonable grounds that B is a participant in a prescribed binding scheme; or

          (e) A believes on reasonable grounds that B is subject to privacy laws of a prescribed country; or

          (f) A otherwise believes on reasonable grounds that B is required to protect the information in a way that, overall, provides comparable safeguards to those in this Act (for example, pursuant to an agreement entered into between A and B).

          (2) However, subclause (1) does not apply if the personal information is to be disclosed to B in reliance on IPP 11(1)(e) or (f) and it is not reason- ably practicable in the circumstances for A to comply with the require- ments of subclause (1).

          (3) In this IPP,—prescribed binding scheme means a binding scheme specified in regulations made under section 213prescribed country means a country specified in regulations made under section 214.

           

            Principle 13

            Unique identifiers

            (1) An agency (A) may assign a unique identifier to an individual for use in its operations only if that identifier is necessary to enable A to carry out 1 or more of its functions efficiently.

            (2) A may not assign to an individual a unique identifier that, to A’s knowledge, is the same unique identifier as has been assigned to that individual by another agency (B), unless—

            (a) A and B are associated persons within the meaning of subpart YB of the Income Tax Act 2007; or

            (b) the unique identifier is to be used by A for statistical or research purposes and no other purpose.

            (3) To avoid doubt, A does not assign a unique identifier to an individual under subclause (1) by simply recording a unique identifier assigned to the individual by B for the sole purpose of communicating with B about the individual.

            (4) A must take any steps that are, in the circumstances, reasonable to ensure that—

            (a) a unique identifier is assigned only to an individual whose identity is clearly established; and

            (b) the risk of misuse of a unique identifier by any person is minimised (for example, by showing truncated account numbers on receipts or in correspondence).

            (5) An agency may not require an individual to disclose any unique identifier assigned to that individual unless the disclosure is for one of the purposes in connection with which that unique identifier was assigned or is for a purpose that is directly related to one of those purposes.