1. Purpose
This policy outlines how Ngā Taonga Sound & Vision protects the privacy of its employees, its email subscribers, and its database of stakeholders. All personal information will be handled in accordance with privacy-related legislation.
2. Scope and Interpretation
This policy applies to all employees across all departments, whether permanent, temporary, casual, or voluntary. It also applies to contractors. Its focus is on personal information and the protection of individuals’ privacy. The Ngā Taonga Sound & Vision Privacy Policy will be published on the website, and hard copies will be available on-site.
3. The Privacy Act (1993)
The Privacy Act underpins this privacy policy. Accordingly, Ngā Taonga Sound & Vision will:
- only collect personal information for lawful and necessary functions
- collect information directly from the individuals concerned, wherever possible
- ensure that the individuals are aware of why it is being collected and how it will be used
- protect the information against loss, or unauthorised modification / use / disclosure
- confirm to an individual that their information is being held and allow that individual to access his / her own information or to request correction of the information
- not retain personal information for longer than is necessary
- only disclose information in accordance with any authority granted under the Act
4. Privacy Officer
The Manager of Business Support (privacyofficer@ngataonga.org.nz) has the role of Privacy Officer within the organisation and handles any queries, complaints or breaches related to privacy.
5. Employees’ Private Information
Personnel paper records are held in locked cabinets in the HR office. Electronic personnel records are stored with appropriate access controls on the central records server. The Senior HR Advisor manages the security of the personal information of employees. This information is only accessed through HR staff, or directly by the Leadership Team or Executive in times of emergency.
Some documents must be routinely destroyed in order to respect the rights of individuals and comply with privacy laws, for example, the personal information contained in unsuccessful job applications. The Retention and Disposal Schedules, based on Archives NZ Disposal Authorities, cover the security of private information in detail.
Employee pay, tax, and leave records may be destroyed after 7 years. The personnel files of the Chief Executive and Leadership Team will be retained as public archives. Other employees’ files may be destroyed after seven years. However, summaries of employment history will be retained. Ex-employees’ files are stored off-site in a locked room at the Map Depot in Taranaki St, Wellington.
6. Stakeholders’ Private Information
6.1 Members of the public may browse the Ngā Taonga Sound & Vision website without providing any personal information. When they voluntarily provide such details, e.g. through email feedback, registering for services and online forms, their information will only be viewable by site administrators and nominated Ngā Taonga Sound & Vision employees who need it for the purpose it was collected. In addition it may be viewed by the contractors who provide website administration services. Personal information will not be disclosed to third parties without permission. Personal information will never be sold.
6.2 All payment information is transmitted via third party payment providers (GiveALittle and Eventfinder) and is only accessible by authorised persons with special access to such systems. After a transaction, credit card information will not be stored on Ngā Taonga Sound & Vision’s servers.
6.3 Ngā Taonga Sound & Vision may only send promotional emails to those subscribers who have consented to receive them. The "unsubscribe" option will be clear and conspicuous for recipients and their request will be actioned immediately.
6.4 The Ngā Taonga Sound & Vision website has been designed to automatically collect statistical information about visits to the site. This includes the server address, top-level domain name, date and time of visit, pages viewed, and type of browser used. This does not include personal information about individual users. Site statistics allow Ngā Taonga Sound & Vision to monitor use and performance of the website, and therefore provide a better service to users.
6.5 Ngā Taonga Sound & Vision photographers frequently take photographs, video and audio recordings at events presented by the archive, and share these on our website and social media channels. We will make best endeavours to let people know they are being recorded at the time, but if members of the public object to an image of themselves appearing online, they should contact website@ngataonga.org.nz and include a link to the image in question. Ngā Taonga Sound & Vision will respond within three working days, in line with our Take-Down Notice and External Complaints Procedure.
6.6 Depositors’ personal details, contact information, next of kin, or the circumstances of their deposits with Ngā Taonga Sound & Vision, may not be disclosed to a third party without the depositor’s permission and the approval of the Collection Development Manager.
7. Portable Devices and Data
Employees must take precautions with portable storage devices including all laptops, phones, smart phones, tablets, "watches," USB sticks etc. Private data which is uploaded and moved around, for example depositor contact details, the provenance of material items, or job applicants’ details, is at risk of unauthorised access by third parties. Managers’ approval must be sought before private information is stored on portable devices. Managers must also advise and follow up on the subsequent deletion of this information.
8. Data Breaches
A data breach is unauthorised or accidental access to or disclosure of personal information, e.g. lost or stolen laptops or papers containing personal information. A "near miss" is a potential data breach that does not result in unauthorised access to or disclosure of personal information. All data breaches and "near misses" are to be logged and reported to a relevant Manager and also the Privacy Officer.
8.1 In the event of a data breach, Ngā Taonga Sound & Vision will immediately try to contain it, e.g. stop the unauthorised practice, attempt to retrieve the records, change the computer access codes or try to fix any weaknesses in physical or electronic security. The more sensitive the information, e.g. health information, driver license numbers, and credit card details, the higher the risk of harm.
8.2 Ngā Taonga Sound & Vision will need to assess the risk and determine whether harm could result from the breach and whether affected individuals need to be notified. If notification is deemed necessary, it will be made by phone, letter, email or in person rather than posted publicly.
If the breach is particularly serious, the Office of the Privacy Commissioner will be notified.
8.3 A "near miss" is regarded as equally important as a data breach. Near misses will be documented and reported.
8.4 Unauthorised access by employees to private files, paper or electronic, or attempts to circumvent any security measures would be a breach of this policy and Ngā Taonga Sound & Vision’s Code of Conduct and may constitute serious misconduct, resulting in possible disciplinary action.
9. Related Documents
Official Information Act 1982
Privacy Act 1993
Ngā Taonga Sound & Vision Records Security Principles 2013-06
Ngā Taonga Sound & Vision Internet Use Policy 2013-07
External Complaints Procedure 2016