APM WorkCare Privacy and Confidentiality Policy
Advanced Personnel Management (APM) is strongly committed to maintaining the privacy of personal information it collects as part of the services it offers. APM places great importance on protecting the privacy of its employees, valued clients, customers and other stakeholders.
This policy sets out how APM will comply with its obligations under the Privacy Act 1993 (NZ) (Act). Part 2 of the Act lists the 12 Information Privacy Principles, which regulate how APM may collect, store, use, transfer or disclose personal information, the duration for which personal information can be kept and how individuals may access and correct personal information held about them.
APM will ensure that all employees and sub-contractors are aware of, and understand, APM’s obligations and their own obligations under the Act and are provided with training to enable them to fulfil these obligations.
APM will also achieve this through maintaining internal policies and processes to prevent personal information being collected, used, stored, transferred or disclosed or disposed of improperly.
APM fully endorses and adheres to the Information Privacy Principles given below.
The purpose of this policy is to:
This policy relates to personal information collected through the course of APM’s business or by any other means and assumes that the information is acquired from a resident of New Zealand (NZ).
This policy applies to all APM (NZ) employees, contractors and third parties. Compliance with this policy is subject to internal and regulatory audit.
Disciplinary action may be taken against employees failing to comply with this policy.
For clarity, throughout this policy, where there is reference to a “person” or “individual” it is taken to include that person’s/individual’s duly appointed authorised representative (where appropriate).
APM has aligned its personal information privacy approach to the 12 information privacy principles of the Privacy Act 1993 (NZ) as summarised below.
Principle 1: Purpose of collection of personal information
Personal information must not be collected unless it is for a lawful purpose connected with a function or activity of the agency collecting the information and it is necessary to collect the information for that purpose.
Principle 2: Source of personal information
Personal information must be collected directly from the individual concerned unless allowed through exceptions to the Act
Principle 3: Collection of information
Reasonable steps are taken to disclose the collection of and purpose for the collection of personal information in a timely manner unless allowed through exceptions to the Act.
Principle 4: Manner of collection of personal information
Personal information must not be collected by unlawful means or via means that are unfair or intrude unreasonably on the personal affairs of the individual concerned.
Principle 5: Storage and security of personal information
An agency holding personal information must ensure that there are reasonable safeguards against loss, misuse or disclosure and everything reasonable is done to prevent unauthorised use or unauthorised disclosure of the information via third parties.
Principle 6: Access to personal information
Where personal information is held in a way that it can readily be retrieved, the individual concerned is entitled to obtain confirmation of whether the information is held and have access to information about them. An agency may refuse to disclose personal information for a range of reasons, as outlined in the Act.
Principle 7: Correction of personal information
Everyone is entitled to request the correction of their personal information and request that if it is not corrected, a statement is attached to the original information saying what correction was sought but not made.
Principle 8: Accuracy of personal information to be checked before use
An agency must not use or disclose personal information without taking reasonable steps to check it is accurate, complete, relevant, up-to-date and not misleading.
Principle 9: Personal information not to be kept for longer than necessary
An agency holding personal information must not keep it for longer than needed for the purpose for which the agency collected it.
Principle 10: Limits on use of personal information
Personal information obtained in connection with one purpose must not be used for another unless provided for within the Act.
Principle 11: Limits on disclosure of personal information
Personal information must not be disclosed unless the agency reasonably believes that the disclosure is in connection with, or directly related to, one of the purposes for which it was obtained or as identified within the Act.
Principle 12: Unique identifiers
Unique identifiers - such as IRD numbers, bank customer numbers, driver/s licence and passport numbers - must not be assigned to individuals unless this is necessary for the organisation concerned to carry out its functions efficiently. No-one is required to disclose their unique identifier unless it is for, or related to, one of the purposes for which the identifier was assigned.
The Privacy Act 1993 (NZ) gives the Privacy Commissioner the power to issue codes of practice that become part of the law. These codes may modify the operation of the Act for specific industries, agencies, activities or types of personal information. Codes often modify one or more of the information privacy principles to take account of special circumstances which affect a class of agencies (e.g. credit reporters) or a class of information (e.g. health information). The rules established by a code may be more stringent or less stringent than the principles they replace.
The Health Information Privacy Code applies rules to agencies in the health sector. When it comes to health information, the 12 rules of the code substitute for the 12 principles of the Privacy Act.
Detailed information about the Health Information Privacy Code can be found on the Office of the Privacy Commissioner’s website.
For the purpose of this policy, the following terms will have the following meanings, as defined by the Act:
Agency means any person or body of persons, whether corporate or unincorporate, and whether in the public sector or the private sector and, for the avoidance of doubt, includes a department
Individual means a natural person, other than a deceased natural person
Individual concerned, in relation to personal information, means the individual to whom the information relates
Personal Information means information about an identifiable individual
Unique identifier means an identifier
(a) that is assigned to an individual by an agency for the purposes of the operations of the agency; and
(b) that uniquely identifies that individual in relation to that agency but, for the avoidance of doubt, does not include an individual's name used to identify that individual
APM undertakes that the specific conditions contained in the Information Privacy Principles regarding the fair collection and use of personal information will be fully complied with.
Individuals concerned will be made aware that their personal information has been collected and the intended use of the information specified, either at the time of collection or at the earliest reasonable opportunity thereafter.
Personal information will be collected and used only to the extent that it is needed to facilitate the provision of a service by APM or to comply with legal requirements.
Retention of personal information will be evaluated and risk assessed to determine and meet operational and legal requirements, with the appropriate retention schedules applied to the information.
APM respects the privacy of individuals’ personal information and will take all reasonable steps to keep it strictly confidential. APM may disclose an individual’s personal information to members of the APM group of companies or our service providers, but will only do so where equivalent commitments of confidentiality are provided.
Otherwise, APM will only disclose personal information without the individual concerned’s consent if this is necessary to protect or enforce APM’s legal rights or interests or to defend any claims made against APM by any person; necessary to lessen a serious threat to a person's health or safety; or required by law.
Under no circumstances will APM sell or receive payment for licensing or disclosing personal information.
Appropriate technical and operational security measures to safeguard personal information will be in place.
APM staff will report any actual, near miss or suspected information privacy breach to senior management for investigation. Issues identified during the investigation of breaches will be relayed to those processing information, in compliance with APM’s Continuous Improvement Policy.
Any unauthorised use of APM email by staff, including sending of personal information to unauthorised persons, will be regarded as a breach of this policy. The use of personal email accounts to transmit personal information is strictly forbidden.
Information Privacy Awareness Training will be regularly provided to staff and contractors to keep them informed of changes to legislation and guidance regarding the collection, use, storage, disclosure and disposal of personal information.
APM staff will have access to personal information, only where it is required as part of their employment.
All individuals concerned have a right to access their own personal information. This policy provides a contact address for individuals concerned to use in the event that they wish to submit a Request for Access to Personal Information, make a comment or complaint about how APM is managing their information, or about APM’s handling of their request for information.
A Request for Access to Personal Information will be acknowledged to the individual making the request within three working days, with the final response and disclosure within 40 calendar days. A fee may be charged for this, at APM’s discretion, which will be no more than $10.
An individual’s personal information will not be disclosed to them until their identity has been sufficiently verified.
Third-party personal information will not be released by APM when responding to a Request for Access to Personal Information unless consent is specifically obtained, it is obliged to be released by law or it is necessary to take such action in the public interest.
APM will ensure that all personal information it collects, uses, stores or discloses is accurate, complete and up-to-date. An individual concerned has the right to contact APM to correct any personal information that the organisation holds about the individual.
If APM is aware that it holds personal information that (having regard to the purpose for which it was collected) is inaccurate, out of date, incomplete or irrelevant, it will take reasonable steps to correct that information.
This policy will be made available to all APM staff and contractors and stored within the APM intranet.
This policy will be communicated externally by publishing it on the APM New Zealand website.
This policy is to be reviewed as follows:
APM is committed to effectively managing risks through compliance with legislation, alignment with best practice and through a practical approach that carefully plans for and prioritises risks and balances the costs and benefits of action.
This policy will ensure:
If an individual wishes to gain access to personal information about them that is held by APM or wishes to make a request for the correction of personal information held by APM, they can put their request in writing to:
The Compliance Manager
PO Box 302501
If an individual considers that there has been a breach of this policy or the Privacy Act 1993 or scheduled principles, they are entitled to complain to APM.
All complaints are to be in writing and directed to:
The Compliance Manager
PO Box 302501
Or by telephoning: 0800 "WorkCare" (967522)
APM New Zealand’s senior management or delegate will investigate the complaint and attempt to resolve it within 20 business days after the written complaint is received. Where it is anticipated that this time-frame is not achievable, APM will contact the person making the complaint to provide an estimate of how long it will take to investigate and respond to the complaint.
If an individual considers that APM has not adequately dealt with a complaint, he or she may complain to the Office of the Privacy Commissioner on the below details:
Office of the Privacy Commissioner
PO Box 10-094
04 - 474 7590 (Wellington)
09 - 302 8680 (Auckland)