Horizons Regional Council’s privacy policy sets out how we collect, use, protect and share personal information. It incorporates the requirements set out in the Privacy Act 1993. The Privacy Act is supervised by the New Zealand Privacy Commissioner.

The privacy of personal information is important to us, so we will not provide your information to any third parties except:

  • to comply with any legislative obligations
  • where third parties provide you with services on our behalf or assist with delivery of our services
  • to anyone authorised by you to receive it



1. Purpose of this Policy

To outline the basic principles and guidelines for the collecting, recording and handling of personal and official information and requests for information. This policy does not cover how we treat Rate Payer/Customer information, except where a staff member is a Rate Payer (see section 3.8 of this policy).

2. General Statements

The way Horizons Regional Council (the Council) handles its information is subject to statutory responsibilities under the Privacy Act 1993, and the Local Government Official Information and Local Government Official Information and Meetings Act (LGOIMA) 1987 and any subsequent amendments to both these acts. This means that those who have information recorded about them, and who request information, have legal rights that must be respected. The Privacy Act relates to personal information, meaning information about an identifiable individual. The LGOIMA relates to all information the Council holds. The LGOIMA is the local government equivalent of the Official Information Act. It operates on the principle that all official information should be released unless there is a good reason to withhold it. The Act also defines the reasons that may be used to withhold information. The Council is accountable for its actions through complaint procedures, as well as through the courts. An individual may lodge a complaint under the Privacy Act with the Privacy Commissioner; and may lodge a complaint under the LGOIMA with the Ombudsman. The Council’s statutory obligations are complex and cannot be accurately summarised in this policy, to ensure it covers all foreseeable circumstances. Therefore, this policy operates at two levels:
1. For normal day-to-day situations the policy contains general principles, which when followed will provide assurance that actions meet requirements.
2. When unusual or complex situations arise, the answer will not be found in this policy, however other explanatory information may be used, such as that found on the Privacy Commissioner website (http://privacy.org.nz), and legislation must be consulted when necessary. When unsure of the legal requirements, the appropriate action to take is to seek assistance from the Privacy Officer (see section 3 of this policy). The Council can charge actual and reasonable costs for making information available. Details on the charges are published in the current Long Term or Annual Plans under the ‘Other Administrative Charges’ section.

3. Policy

3.1 Privacy Officer
The current Horizons Privacy Officer is the People & Capability Manager or their nominee. The Privacy Officer role is to assist Council and staff in managing personal information, especially where a request for information is received, or a complaint is made about Council’s actions or procedures. The Privacy Officer is familiar with the requirements of legislation and also has access to recent legal decisions and case notes. The Privacy Officer is able to give advice to cover most circumstances. Another source of advice, in appropriate cases, is the Office of the Privacy Commissioner. The Privacy Commissioner’s toll free hotline number is 0800 803 909 and the official Privacy Commission website.

3.2 Information Privacy Principles
There are twelve principles from the Privacy Act 1993 which govern how we must treat personal information. These principles are shown in Appendix 1.

3.3 Responsibility for Managing Personal Information All staff dealing with personal information are responsible to see that the provisions of the Privacy Act are met. The summarised principles in Appendix 1 are for guidance only. They do not cover all possible eventualities and cannot be used as a substitute for the legislation as the means of resolving individual cases. The application of the law is constantly being tested and shaped. If, in particular circumstances, you consider that it is necessary to do something that breaches the principles, or that the principles cannot apply, then you should seek advice from the Privacy Officer.

3.4 Requests for information File RAI 5 05 in the Horizons library, is used for requests for official information, i.e. for a specific piece or pieces of information. These requests are covered by the LGOIMA. Requests for information will also be found on subject files, if they have been answered routinely. If, however, any request for information has been declined (whether it refers to the LGOIMA or not) then it should be filed on RAI 5 05. File RAI 5 04 is used for requests for general information, such as those made by students seeking information for their projects. Both Principle 6 of the Privacy Act and S.23 of the LGOIMA cover the right of access by individuals to personal information about themselves. Therefore, it is possible for a request for such information to be made under either Act. Requests for personal information about another person are covered by the LGOIMA. Note, however, that one of the reasons that may be used under that Act for withholding information (unless outweighed by other considerations in the public interest), is “to protect the privacy of natural persons including deceased natural persons”.

3.5 Key points for handling a request for information

  • If the request is appropriate then action it.
  • If personal information is not readily retrievable, it need not be disclosed.
  • A request can be declined if good reason exists for withholding the information; or, if the request is frivolous or vexatious, or if the information requested is trivial.
  • If the request is to be declined, then it is important to be clear about which Act applies, and the reasons for declining the request. Both the decision and the reasons for it are liable to be reviewed. Ensure that documentation is filed on RAI 5 05.
  • If the request is approved, make a judgement whether documentation needs to be filed on RAI 5 05. Straightforward requests do not need to be recorded.
  • If the information is personal information, or is about an organisation, then prior to processing the request the person handling the request must satisfy themselves of the requester’s identity and, that that person is authorised to have access to the information.
  • If information requested does exist but there are practical difficulties in providing it, then this is not a reason to refuse the request. An estimate of the charges necessary under the Council’s charging policy should be provided, and if the information is still wanted, it should be supplied. If appropriate, payment in advance or a deposit may be sought.
  • Requests for information should be processed without delay. The legislation recognises 20 working days as a maximum response time unless urgency is requested. If this will be exceeded in any individual case the Privacy Officer must be informed before the 20 days has elapsed.
  • If a request for information is declined, there are requirements on the form of the decision. The decision must be in writing, must confirm the information exists if it does exist, must state the reasons for declining to release the information, and must state the individual’s right to review of the decision by the Privacy Commissioner (for personal information) or the Ombudsman (for official information).
  • When a complainant in a pollution incident requests confidentiality to protect their privacy, then their identity is to be kept confidential.
  • A common form of request is about the performance of a particular staff member from a prospective employer. It is important to check the identity of the person requesting the information, and that they are authorised to receive the information by the former employee in writing. Factual matters such as confirming the person’s title and length of service can be given. Documents such as personal appraisals are private and should only be given directly to the individual concerned. Questions such as “Do you consider (x) to be trustworthy?” are seeking your opinion, not official information, and the answer you give is over to you.
3.6 Collecting staff information
Information such as staff names, birth dates, addresses, and phone numbers are personal information. Some of the Privacy Act principles (see Appendix 1) apply to the Council’s collection and use of personal information. The specific principles which apply to the collection of staff information are:
  • Principle 1: Purpose of collection of personal information – the information must be collected for a necessary and lawful purpose connected with the function or activity of the council.
  • Principle 3: Collection of information from subject – when information is collected directly from the individuals concerned, the Council must take reasonable steps to ensure the individual is aware of the fact of collection, the purpose of collection, and the intended recipients of the information.
  • Principle 5: Storage and security of personal information - the Council has an obligation to protect personal information against unauthorised disclosure.
  • Principle 11: Limits on the disclosure of personal information - information gathered for one purpose may not be used for any other purpose, unless that purpose meets one of a set of conditions listed in the Act.
3.7 Purpose of collecting and recording personal staff information
Personal information such as staff names, birth dates, addresses, and phone numbers needs to be held by the Council for communication with the individual. This could be work-related matters, or for individual matters such as details of employment. There is also the possible need to call on any individual staff member to assist the Council to carry out its responsibilities in an emergency.

For individual matters the only staff who need to hold the individual’s contact details are the supervisor (if applicable), the individual’s manager, and the People & Capability Manager or their nominee.

For work related matters the number of staff who may need to contact any individual is much greater, and also more variable. Due to the nature of their position, a number of staff receive full or partial reimbursement of their telephone rental. These staff, by accepting the reimbursement, are deemed to have agreed to have their address and telephone number made available to all staff (and in many cases this is also available to the public). Where staff have indicated that they do not wish their address and phone number to be freely available, under the Privacy Act this wish must be respected.

3.8 Method of collecting and holding staff addresses and phone numbers
The People & Capability team will collect and hold personal staff information including names, dates of birth, addresses, and phone numbers on a confidential file. Other types of information collected include next of kin contact details, bank account details, and tax details. These will be obtained during initial appointment process, which will include a declaration of the reasons for collection; and the policy covering it will be made clear to staff at the time. The policy will be outlined at induction as required, and be part of the induction process.

All personal staff information obtained as above will be recorded in the ‘CHRIS 21’ Information system. Only the People & Capability staff have access to this system. Permission is sought from all staff during the initial appointment process as to whether they do or do not wish their home address and home phone number to appear on the staff address list. The current staff address list is held in the ‘IRIS” information system. This system will contain the names of all staff, plus addresses and phone numbers for all staff except those individuals who have asked for their addresses and phone numbers to remain private. This may mean that an individual’s manager or supervisor may not know the phone number of some of their staff. They may obtain this information either directly from the individual or from the People & Capability Manager. To clarify, the ‘IRIS’ information system holds contact details for all Council contacts, including Rate Payer information. This may mean that a staff member who has not given permission for their home address and phone number to be available on the staff address list (i.e. in ‘IRIS’), may have this information noted on their rate payer record in ‘IRIS’. The requirements regarding the collection and privacy of Rate Payer information is defined in the Local Government (Rating) Act 2002 and Privacy Act 1993, specifically Part 7.

A master list of all staff names, addresses and phone numbers will be prepared by the People & Capability Manager, or their nominee; who will issue the full list only to the designated Emergency Management Co-ordinators, Response Managers, and the Regional Controllers, with a note that it is personal information to be used for emergency management purposes only. The People & Capability Manager, or their nominee is responsible for updating the lists and reissuing them from time to time; and should be advised of any changes. Old lists should be destroyed.

3.9 Rules of Disclosure for information on the staff lists
The officers holding staff information, including names, addresses, birth dates, and phone numbers must not release the information to anyone unless they are satisfied that this is necessary for the purpose for which it was collected. In the event of a request for a staff member’s address or phone number being made which cannot be verified, (which would include any request from an outside source) the appropriate action is to take the contact details from the caller, and for the People & Capability Manager, or their nominee, to pass the message on to the staff member concerned.

4. Review Date
This policy may be reviewed from time to time by Horizons at its sole discretion, and in any event will be reviewed biennially. To be clear however, this Policy remains valid and in force, irrespective of whether the review date has passed. Horizons will notify employees of any changes made; and may, at its sole discretion, consult employees prior to making any such changes.
 

Appendix 1: Privacy Principles as described in the Privacy Act 1993
 
Principle Quotes from Act Description
1 Purpose of collection of personal information The collection must be for a lawful purpose and be necessary for that purpose.
2 Source of personal information Personal information shall be collected directly from the individual concerned (except as per the Act).
3 Collection of information from subject When personal information is collected directly from the individual concerned, Council must take reasonable steps to ensure individuals are aware the information is being collected and what it will be used for.
4 Manner of collection of personal information Personal information shall not be collected by unlawful means or by means that are unfair or intrude to an unreasonable extent on the personal affairs of the individual.
5 Storage and security of personal information Council is accountable for holding personal information secure against loss or unauthorised disclosure.
6 Access to personal information Individuals are entitled access to personal information. When given access, the individual shall be advised that under Principle 7 they may request correction of that information.
7 Correction of personal information Individuals may request correction of personal information, and may request there be attached to the information a statement of the correction sought but not made.
8 Accuracy, etc., of personal information to be checked before use Council must take reasonable steps to ensure information is accurate.
9 Agency not to keep personal information for longer than necessary Council must take action to destroy personal information no longer required.
10 Limits on use of personal information Information collected for one purpose shall not be used for another purpose (except as per the Act).
11 Limits on disclosure of personal information Personal information shall not be disclosed (except as per the Act).
12 Unique identifiers Unique identifiers shall not be used (except as per the Act). (Unique identifiers are numbers assigned to individuals, such as the IRD number).