Privacy Policy for Midlands Sexual Assault Support Services Charitable Trust
Intent
We collect and manage a range of personal information. We treat it respectfully and carefully, and are open with people about why we collect it, how it is held and stored, what we do with it and rights of access.
We comply with regulatory standards and only release and share information in accordance with our policies and the law. Wherever possible, we forewarn and seek consent from people about when their information may have to be disclosed.
Definitions
"Personal information" is defined in section 7 of the Privacy Act 2020. It entails information about an identifiable person, including but not limited to:
names, contact details, date of birth, photographs
demographic, academic, employment, financial, and health information
opinions about a person, not just factual content
online identifiers such as IP address, device IDs, or location data
any information (in paper or electronic form, including emails, recordings, notes, or verbal communications), where there is a reasonable chance a person could be identified—directly or indirectly—even if no name is attached.
"Health information" - includes any information about a person’s health, medical history, disabilities (past or present), and any services received, collected before, during, or incidental to the provision of health or disability support services (see clause 4(1) of the Health Information Privacy Code for more).
"Privacy Officer"- the General Manager or their delegate who supports our compliance with privacy law and policies, and acts as a liaison with the Office of the Privacy Commissioner. See here for the statutory role.
Responsibilities
Management will:
act as or delegate the responsibilities of "Privacy Officer" to kaimahi
monitor and manage our information management system
monitor and manage our privacy and data breach risks with appropriate safeguards
manage privacy and data breach incidents.
The Privacy Officer(s) will:
monitor the organisation's compliance with this policy and the Privacy Act 2020
assist with privacy-related training
liaise with the Office of the Privacy Commissioner as necessary
support kaimahi when dealing with privacy-related issues.
Kaimahi and volunteers will comply with this policy.
Requirements
When and how we collect personal information
Personal information will only be collected when necessary for service provision and business purposes.
Information will be collected in a way that is sensitive to a person’s culture, age, abilities, level of understanding and circumstances.
People will be asked to consent to the collection and use of their personal information and for this purpose, will be informed, at the time of collecting their personal information, of:
The reasons for collecting it
When their information might be disclosed
Who will have access to it
Their right to request access to it
What information MSASS will hold about them
How their personal information will be used and kept secure
If MSASS collects personal information about a person from someone else or through other indirect means, we will take reasonable and prompt steps to make sure that person is aware of the matters listed above, unless an exception applies under IPP 3A of the Privacy Act 2020 or, for health information, Rule 3A of the Health Information Privacy Code 2020, including where:
the person was previously advised and agreed to the collection (eg the person who directly collected it advised they would provide it to us)
the person has authorised collection from another source
notification would prejudice the person’s interests or the purpose of collection
notification would prejudice the maintenance or enforcement of the law, protection of public revenue, or court or tribunal proceedings, or
the information will not be used in an identifiable form or only used for research or statistical purposes and will not be published in an identifiable form.
Reasonableness
What is reasonable in notifying a person will depend on the circumstances, including the sensitivity of the personal information collected indirectly and the practicality of contacting them. The more sensitive the information, the greater the steps MSASS will take to notify the person.
Source of personal information
If non-identifying information would achieve the same purpose as personal information, non-identifying information will be collected and used instead.
Where possible, personal information will be collected directly from the person concerned or their representative. When personal information is collected from a third party or via an AI tool, reasonable steps will be taken to check accuracy (eg check with the person whose information it is; check the reliability of the AI tool for that purpose).
However, if personal information is collected from third parties for evaluative purposes (eg referee checks) it will not be checked for accuracy.
Use of Personal Information
Personal information will only be used or shared for the purposes for which it was collected or as allowed by law (HIPC Rule 10; IPP 10 Privacy Act).
Staff should be "risk-aware" when using people's personal information.
Privacy risks should be identified and resolved, or if unable to be resolved, discussed with management, before personal information is used.
As a general rule, information collected for one purpose cannot be re-purposed. Staff/kaimahi must seek approval from the Privacy Officer/management before using personal information for purposes that are not directly related to the reason(s) for collecting the information.
Personal information will only be shared with overseas organisations and people if the same or better privacy protections apply to the receipt and use of the information in that country as in this country. Unless specifically authorised by MSASS, personal information will not be input to AI tools.
Right to Withdraw Consent
A person has the right to withdraw their consent for sharing their personal information at any time.
Once consent is withdrawn, MSASS will stop any further sharing unless required by law.
The withdrawal will be documented, and relevant parties notified.
Accuracy
Reasonable steps will be taken to ensure that the information we hold or use is accurate, up-to-date, relevant, and not misleading.
A person may request that personal information/health information we hold is corrected.
If the correction is agreed, it will be documented in the file notes. A printed copy of the change will be given to any other party who holds the notes that require correction.
A refusal to correct will be documented in the relevant file with reasons. At the person's request, the proposed correction will be placed on their file (ie without the correction made). MSASS will ensure that the proposal can be read with the file information and others to whom the information has been disclosed are informed of the proposed correction.
Before using AI or other tools, we will check for accuracy given known risks including:
whether there is a risk of bias in the AI tool (eg if the tool's outputs are based solely on training data generated overseas)
how reliable and accurate the tool is known to be when used in the way we intend
that the personal information generated or collected by MSASS through AI will be able to be corrected (on request by a person or at our initiative).
Access to personal information
A person may request access to their own or their child's personal information. Unless there is good reason to refuse, we will facilitate access as follows:
enable access within 20 working days of receiving the request for access
remove information about another person on their file beforehand (under the oversight of management/their delegate)
encourage the person to have support while viewing their record (ie for sensitive information)
inform the person of their right to seek a correction to their personal information.
A parent/guardian's request to access their child's personal information may be declined if the child is under 16 years and we reasonably believe that parental access to their health information would not be in the young person's interests after considering:
the young person's views on access
the nature of the personal information to be accessed
the parent's reasons for wanting access
the importance of privacy to the wellbeing of the young person/rangatahi.
If access is denied, the parent/guardian will be informed of our reasons and their right to complain to the Privacy Commissioner.
People will be informed in writing about who will access their personal information.
Recordkeeping
A record will be kept of:
how MSASS notifies people about the collection of their personal information
any decision to rely on a legal exception to the obligation to notify people about the indirect collection of their personal information and the grounds for decision
any request for access and of the date when received
a copy of the information accessed
authorisation to access (if given by a relevant person)
the reasons for delay or refusal (if applicable)
safeguards implemented to action the request
other steps taken for the request (eg in relation to parental access).
Privacy Officer
We have a Privacy Officer to support our compliance with the law and policies and to support our interactions with the Office of the Privacy Commissioner (eg about privacy breaches, complaints, etc.).
AI and Personal Information
MSASS will take a cautious approach to using AI and be guided by advice from the Office of the Privacy Commissioner about responsible use under the Privacy Act 2020.
Compliance
Social Sector Accreditation Standards - Levels 1 & 2 Client services and programmes 5.0; Governance and management structure and systems 6-6.3
Social Sector Accreditation Standards - Levels 3 & 4, Governance and management structure and systems 2.0
Ngā Paerewa NZS 8134:2021 Criteria 2.5, 1.4