The Privacy Act 2020 sets out a series of principles which relate to and promote:
the collection, use, and disclosure of information about individuals; and
providing individuals with access to information about them held by an organisation.
The Act gives the Privacy Commissioner the power to issue codes of practice which may modify the effect or operation of the Act in respect of particular sectors, industries, occupations, or activities.
Under the Act, individuals have a right to request access to personal information about them held by an organisation, and to seek corrections to that information if the individual considers it to be incorrect.
Capital Risk Solutions Limited undertakes to recognise and observe the information principles set out in the Privacy Act.
Complying with the principals gives employees and others confidence that their personal information is properly safeguarded.
Before Capital Risk Solutions Limited discloses any personal information overseas, the overseas entity will need to provide evidence of similar levels of privacy protection that have the same legal protection as it would in New Zealand.
In the course of its business activities, Capital Risk Solutions Limited collects, stores, uses, and discloses personal information about employees and others. It may do this in order to comply with legislative requirements and the needs of government and official agencies; or to manage its business and operations, or for internal administration and internal reporting purposes.
Capital Risk Solutions Limited undertakes that it will endeavour at all times to collect, store, use, and disclose personal information in accordance with the principles set out in the Privacy Act and only to the extent necessary for the efficient and effective conduct of its business.
Capital Risk Solutions Limited will keep its needs for personal information under constant review, and will change its information collection, storage, usage, and disclosure processes and methods whenever appropriate.
If Capital Risk Solutions Limited believes “serious harm” has been caused to affected individuals, it is mandatory to report the breach as defined by the reporting regime.
For the purposes of the Privacy Act and this policy:
Capital Risk Solutions Limited is an agency.
Personal information is information about an identifiable natural person, whether that individual is an employee, independent contractor, other worker, agent, consultant, or a person who is otherwise associated with Capital Risk Solutions Limited.
Personal information may be in any form. It may be a document (see below), but not necessarily. It includes any information that Capital Risk Solutions Limited has about an identifiable individual, even when that information is held only in the mind of a person who represents the organisation.
A document may take any form, including written or printed material; information that is recorded or stored electronically; books, maps, plans, graphs, or drawings; and photographs, films, negatives, tapes, or other devices used to store and reproduce images.
Evaluative or opinion material is material in any form that has been compiled solely for the purpose of determining the suitability, eligibility, or qualifications of the individual to whom the material relates for employment or appointment, for promotion or continuance in employment or office, for removal from employment or office, or for the awarding, continuing, modifying or cancelling of contracts, awards, scholarships, honours, or other benefits.
Employees and Others are any persons employed by Capital Risk Solutions Limited or are clients, customers and any other worker of Capital Risk Solutions Limited
Any personal information held by an officer or manager or employee of Capital Risk Solutions Limited and held in that capacity, is deemed to be information held by the organisation itself.
IMPLEMENTATION AND PROCEDURES
Authority to deal with personal information
In return for the assurance that Capital Risk Solutions Limited will observe the information privacy principles set out in the Privacy Act, employees and other persons are presumed to authorise at the time of their engagement the collection, storage, use, and disclosure of personal information.
A statement to this effect will be given to each intending employee or other persons for signature or approval before the engagement is confirmed.
Capital Risk Solutions Limited is required to provide specific personal information about employees and others to various government agencies (e.g. Inland Revenue, Ministry of Social Development, Accident Compensation Corporation) and to other organisations (e.g. KiwiSaver scheme managers). It is assumed that employees and others authorise the disclosure of this information.
Capital Risk Solutions Limited may provide your client information to companies as required to arrange insurances. This may include insurers or service providers which may provide us with additional support in connection with our provision of services
ACCESS TO INFORMATION
Employees and other persons may request access to any personal information about them which Capital Risk Solutions Limited might have.
Requests for access to personal information may be made directly to the person or department where the information is believed to be held. Alternatively, requests may be made to the Managing Director.
The person who receives a request for access to personal information must respond without undue delay. In most cases, the individual making the request will be able to inspect the information in the form in which it is held or stored and, where appropriate and if requested, be provided with a printed or electronic copy.
The person who receives a request for access to personal information may consider that the request raises issues that need further consideration. The request must then be referred to the Managing Director for a decision. That decision must be made and communicated to the individual concerned within 20 days of the date on which the request for access was received.
REFUSING ACCESS TO PERSONAL INFORMATION
In limited circumstances, a request for access to personal information from an employee may be declined. A decision to decline a request must be discussed with and approved by the Managing Director.
A request for access may be declined if the information concerned is evaluative or opinion material.
A request for access may be declined if disclosure of the information concerned would:
lead to the unwarranted disclosure of the affairs of another person
breach a promise to a person who supplied evaluative material that the information or the identity of the person who supplied it or both would be held in confidence
be likely to prejudice the physical or mental health of the individual concerned
be contrary to the interests of an individual under the age of 16
breach legal professional privilege.
A request for access may be declined, with the approval of the Managing Director, if:
the request is frivolous or vexatious
the information requested is trivial
the information requested is not readily retrievable
the information requested does not exist or cannot be found, and there is no reason to believe that the information is held by another agency.
If a request for access to personal information is declined, the individual who made the request must be given, in writing, the reason or reasons for the refusal. An explanation of the reason or reasons should be given if requested. The person who made the request must be told that the refusal may be reviewed by the Privacy Commissioner or an Ombudsman
CORRECTING PERSONAL INFORMATION
An individual or representative of a company who is a client, who believes that any personal information about them is not accurate may ask for the information to be corrected.
The request for a correction should be made in writing and specify the change or changes that the individual or representative wishes to have made. The request should be made directly to the person who holds the information or to the Managing Director.
If warranted, the requested correction will be made.
If correction is considered to be unnecessary or unwarranted, the individual must be advised accordingly. The individual or representative may then ask for the requested correction to be attached to the information concerned, so that it is visible whenever others have access to the information.
PROCEDURE FOR MAKING COMPLAINTS OF INTERFERENCE WITH PRIVACY
Employees and others may complain to Capital Risk Solutions Limited that there has been interference with their privacy, and that this has caused them loss or damage, adversely affected their rights or interests, or resulted in significant humiliation, loss of dignity or injury to their feelings.
As an alternative, under the Privacy Act, complaints may be made to the Privacy Commissioner or an Ombudsman.
Employees and others who wish to complain that there has been interference with their privacy should first approach the person responsible for the alleged breach.
If that is not possible or appropriate, or the outcome of the approach does not satisfy the complainant, the complaint should be made again to the Managing Director. The complaint may be made in person or in writing.
Capital Risk Solutions Limited aims to investigate and resolve any complaint speedily and informally if possible.
Employees and others who wish to make a formal complaint that there has been interference with their privacy should set out in writing the details and circumstances of the alleged interference and deliver it to the Managing Director.
The Managing Director will investigate the complaint as quickly as possible. The complainant, who may have the support or assistance of a representative or other person(s) chosen by the employee, will have the opportunity to contribute to the investigation.
The investigation will aim to achieve speedy resolution or satisfaction of the complaint. If that is not possible, and the complaint is upheld by the investigation, the matter may become the subject for training, counselling or disciplinary action.
The complaint and the outcome of the investigation are to be recorded and included on the employee’s personal file or in the Clients file.