
Purpose

The purpose of this document is to provide a framework for Harbour Sport in dealing with confidentiality and privacy considerations in relation to the Privacy Act 2020, the Official Information Act and the Public Records Act 2005.

Policy

Harbour Sport collects and administers a range of information for a variety of purposes. Some of this information is restricted in its circulation for commercial, privacy, or ethical reasons.

Harbour Sport will place the minimum of restrictions on the information it holds, but will ensure that such restrictions as are considered necessary are observed by its staff and volunteers. Harbour Sport will ensure security of data with regard to access to the computer network and authorization.

Collecting personal information
When someone participates in Harbour Sport programmes and courses, we may collect personal information such as name, contact details and health information.

Using personal information
Generally, personal information is used for activities and operations: to respond to and process requests for information about training programmes; to enrol in a programme; to administer and manage programmes and courses, including recording details of progress and results achieved; to notify of any changes or updates to our programmes and courses; or to complete a programme. Information may also be used for a business or professional relationship Harbour Sport has, if someone applies for employment with us, to consider an application to amend records to remove or update personal information, or for other everyday business purposes that involve use of personal information.

Harbour Sport adheres to the following Privacy principles
At the core of the Privacy Act 2020 are the Information Privacy Principles which set out rules, and exceptions to those rules.

Principle 1: You may only collect personal information, which is information about a particular individual, for a lawful purpose.

Principle 2: You must collect personal information directly from the individual concerned.

Principle 3: You must ensure that the individual is aware of the purpose for which the personal information is collected, the intended recipients, and the fact that the individual has a right of access to, and a right to request correction of, that information.

Principle 4: You must not collect personal information unlawfully or unfairly, or in a way which encroaches unreasonably upon personal privacy.

Principle 5: You must ensure that there are reasonable security safeguards to protect personal information against loss and unauthorised access, use, modification, or disclosure.

Principle 6: Any individual is entitled to confirmation from you of whether you hold personal information, and to have access to that information if it is readily retrievable.

Principle 7: An individual is entitled to request correction of personal information. You may refuse to correct the information, but if you do so, you must, if requested, attach a statement to the information noting that a correction has been sought but not made. You must notify the individual of steps taken to do this.

Principle 8: You cannot use personal information without taking reasonable steps to ensure that the information is up to date, complete, relevant, and not misleading.

Principle 9: Personal information may not be kept longer than necessary for the purposes for which it may lawfully be used.

Principle 10: Personal information obtained for one purpose may not be used for another purpose.

Principle 11: You must not disclose personal information to any body or agency without the consent of the person whom it is about.

Principle 12: Unique identifiers: you may not assign a unique identifier to an individual unless this is necessary to enable your agency to carry out its functions efficiently. A “unique identifier” is a tag which may identify a particular person but does not use the individual’s name.

Storing and disclosing your personal information

Harbour Sport will only store and disclose personal information as per the privacy principles. Harbour Sport commits to maintaining all reasonable safeguards against the loss, misuse or inappropriate disclosure of personal information, and maintaining processes to prevent unauthorised use or access to that information. Harbour Sport will keep physical documents secure when there is a business need to take them outside of Harbour Sport premises, and no technical solution is applicable. Harbour Sport will keep electronic personal information secure by ensuring its data storage is protected from external sources, maintaining regular backup of data to secure storage and applying good practice for information security management. Harbour Sport may use cloud computing; where it is used, Harbour Sport will ensure that cloud computing solutions meet all applicable government security requirements.

Responsibilities

Harbour Sport’s CEO is responsible for the implementation of this policy.

Harbour Sport’s CEO is responsible for reviewing this policy as and when the need arises.

All employees are responsible for observing confidentiality procedures in their workplace.

Restrictions

Harbour Sport will place restrictions on the information it holds when the information:

·        is commercial in confidence;

·        concerns the privacy of its staff, volunteers, clients or customers;

·        requires protection to safeguard the intellectual property of the organisation.

Staff dealing with restricted material will be instructed in the recognition of material falling under these headings.

Identification

Any information on which restrictions have been placed shall be as far as possible clearly identified on the document or file. Where categories of information, rather than individual documents, are restricted this restriction will be conveyed to staff and volunteers dealing with this information.

Dealing with requests for personal information
If an individual requests that an employer provide personal information that the employer holds about that individual, the employer is required (within 20 working days after the request) to decide whether the request is to be granted and what costs (if any) will be imposed, and to inform the individual accordingly.

If a large amount of information is sought, the employer must inform the individual:

·         If an extension of time is required; and

·         Of the reason for the extension.

Refusals to provide personal information may be given where an exception exists, or where the information is “evaluative material”.

“Evaluative material” is information compiled solely for the purpose of determining the suitability, eligibility, or qualifications of the individual to whom the material relates:

·         For employment or for appointment to office;

·         For promotion in employment or office or for continuance in employment or office; or

·         For removal from employment or office.

Privacy incidents
A privacy incident includes a privacy breach or a near miss. A privacy breach occurs when there is an unauthorised access, collection, use or disclosure of personal information. A near miss is where an action could have resulted in a breach but ultimately the breach does not occur. All privacy incidents (actual or near misses) discovered by staff should be notified to their immediate manager. Team Leaders and the Chief Executive are responsible for managing the response to the privacy incident in accordance with Harbour Sport’s Privacy Incident Guidelines. Harbour Sport’s Privacy Incident Reporting form should be completed as soon as possible. This will be provided to Harbour Sport’s Privacy Officer who will advise further on the management of the privacy incident.

Complaints procedure
Any person may complain firstly to the Chief Executive and, if not satisfied, may complain to the Privacy Commission if there has been an interference with the privacy of an individual, in that there has been a refusal, or breach of the correct procedure, for:

·         Access to personal information

·         Correction of personal information

·         A breach of the Information Privacy Principles

·         A breach of a code of practice; or

·         Non-compliance with the controls on information matching.

This only applies where the action has:

·         Caused loss, detriment, damage, or injury, or may do so;

·         Adversely affected rights, benefits, privileges, obligations, or interests, or may do so; or

·         Resulted in significant humiliation, loss of dignity, or injury to feelings, or may do so.