Personal Information
Personal Information is only collected from individuals for a defined business purpose. The Privacy Act 2020 guides the collection, use, disclosure, storage and access to personal information by Priority One for both employees and clients. The Office Manager is appointed as a dedicated Privacy Officer.
Employees
Personal Information is collected by Priority One with permission from employees when they formalise their employment agreement. This is documented in the following documents:
- The Employment Agreement
- IRD Form
- KiwiSaver Forms
- Emergency Contact Details form
- Criminal conviction check
The physical documents are stored in a locked filing cabinet at Priority One’s premises and an electronic copy is maintained on the online Priority One BambooHR system. This information is used to formalise the employee’s employment agreement and to complete payroll and is not released to any third party.
Clients - Business
Personal Information including name, organisation, job title, email, phone and business address is collected by Priority One with permission from the client for the following purposes:
- To subscribe to the Priority One newsletters
- To become a Priority One Business Member
- When involved in a Priority One project
The personal information is entered into the Priority One database and saved securely to Priority One’s Microsoft 365 cloud storage and HubSpot CRM system. The contact and account details supplied by clients are not shared by Priority One unless published publicly (such as on the client’s business website or business card).
Ara Rau Clients
Personal information including name, date of birth, ethnicity and qualifications is collected by Ara Rau with permission from the client for the purpose of reporting to the Ministry of Social Development. The clients are informed of who will have access to their information at the time it is supplied.
The hard copy of the personal information is stored in a locked filing cabinet and saved electronically to the Priority One Microsoft 365 cloud storage.
The personal information is shared by Ara Rau only with the Ministry of Social Development, and names are replaced with numbers so that the individual cannot be identified.
PRIVACY BREACH
In the event of a privacy breach, as defined by the Privacy Act 2020, of any personal information held by Priority One, the following steps are to be followed:
- Contain the breach by trying to get the lost information back, disabling the breached system if appropriate and changing computer access codes. Consider whether to inform insurers, auditors, legal advisors or police (if a theft is involved).
- Assess the impact of the breach by considering the type of personal information concerned, the cause and extent of the breach, potential harm that could arise from the breach and who now holds the information.
- Notify the person whose personal information has been disclosed to allow them to protect themselves. A breach that can cause serious harm is a Notifiable Breach and must be reported to the Privacy Commissioner within 72 hours of the breach.
- Prevent future breaches by investigating the cause and circumstances of the breach and reviewing any policies and procedures.