Privacy Policy

Introduction

When a client uses our services, they are trusting Rod Schubert Financial Advice Limited (“RSFA”) with their personal and financial information. We understand this is a big responsibility and we work hard to protect their information as per the Privacy Act 2020.

Policy Statement

A key aspect of our business is obtaining and storing client information and other types of data. We ensure all providers of services always meets the New Zealand privacy laws.

We must also ensure that personal client information is held in a safe and secure way and disposed of securely when we have finished with it and/or are no longer required to hold it.

We follow The Privacy Act 2020 thirteen principles when collecting, using and storing client’s personal information:

Principle 1	Personal information must only be collected when: the collection is for a lawful purpose, connected with what RSFA and; necessary deemed to collect the information for that purpose.
Principle 2	Personal information must usually be collected from the person the information is about. But sometimes it is all right to collect information from other people instead – for instance, when: getting it from the person concerned would undermine the purpose of the collection it’s necessary so a public sector body can uphold or enforce the law the person concerned authorises collection from someone else.
Principle 3	When we collect personal information from the person the information is about, it must take reasonable steps to make sure that person knows things like: why the information is being collected who will get the information? whether the person has to give the information or whether this is voluntary what will happen if the information isn’t provided their rights of access to and correction of information Sometimes there are good reasons for not letting a person know about the collection, for example, if it would undermine the purpose of the collection, or it’s just not possible to inform the person.
Principle 4	Personal information must not be collected by unlawful means or by means that are unfair or unreasonably intrusive in the circumstances.
Principle 5	It’s impossible to stop all mistakes. But we must ensure that there are reasonable safeguards in place to prevent loss, misuse, or disclosure of personal information.
Principle 6	People are entitled to receive from RSFA upon request confirmation of whether RSFA holds any personal information about them: and Access to their personal information If a person is given access to personal information, they must be advised that under principle 7 they may request the correction of that information There are situations where we can refuse to give access to information because doing so would Endanger a person’s safety Prevent detection and investigation of criminal offences Involve an unwarranted breach of someone else’s privacy. RSFA has a legal duty to respond to requests for access to information or correction of information within 20 working days of receiving the request.
Principle 7	People have a right to ask us to correct information about themselves, if they think it is wrong. RSFA must on request take reasonable steps to ensure the information is accurate, up to date, complete and not misleading When people are requesting the correction of personal information, they are entitled to provide a statement of correction and request it is added to file RSFA must take all reasonable and practical steps to inform every other person that information has been disclosed to that there has been a change.
Principle 8	Before we use or discloses personal information, we must take reasonable steps to check that information is accurate, complete, relevant, up to date and not misleading.
Principle 9	We must not keep information for longer than is necessary for the purposes for which the information may be lawfully used.
Principle 10	We must use personal information only for the purpose for which it has been collected. Other uses are occasionally permitted (for example because this is necessary to enforce the law, or the use is directly related to the purpose for which the agency got the information).
Principle 11	We can only disclose personal information in limited circumstances, such as where another law requires us to disclose the information. We can also disclose information if we reasonably believe that: disclosure is one of the purposes for which we got the information disclosure is necessary to uphold or enforce the law disclosure is necessary for court proceedings the person concerned authorised the disclosure the information is going to be used in a form that does not identify the person concerned.
Principle 12	Where disclosure of personal information happens outside of New Zealand (i.e. where the third-party provider is based overseas), we must confirm that the provider meets the New Zealand privacy and data laws before entering into a business relationship with the. If they do now meet our criteria, we cannot allow them to hold our data.
Principle 13	RSFA cannot use the unique identifier given to a person by another business. For example, some businesses or agencies give people a ‘unique identifier’ instead of using their name (e.g. a driver’s license number, a student ID number, a IRD number, etc.). People are not required to disclose their unique identifier unless this Is one of the purposes for which the unique identifier was set up or is directly related to those purposes.

Privacy Officer

RSFA has appointed the Compliance Officer, Rod Schubert, as the company Privacy Officer. The Privacy Officer must have a general understanding of the Act and can deal with privacy issues when they arise. Any breaches or ‘near misses’ should be reported to the Privacy Officer as soon as possible.

Privacy Breaches

Privacy breaches are a reality for any business that holds personal information. Businesses and organisations can inadvertently release personal information through employee complacency, inadequate security measures, poor procedures or by accident. If a privacy breach happens, it must be carefully managed and resolved.

RSFA must report any serious privacy breaches to the Office of the Privacy Commissioner. A serious breach is one that poses a risk of harm (e.g. leaked personal information is published online or used to facilitate identity theft). Where a serious breach occurs, we must also notify the people whose information was affected.

Breach notifications to the Office of the Privacy Commissioner can be made by email, telephone or byusing their online enquiry form: https://www.privacy.org.nz/privacy-for-agencies/privacy- breaches/

Key Processes

RSFA collects personal information from,

→ Employees / Prospective Employees

→ Contractors,

→ Authorised bodies

→ Outsource providers

→ Clients and prospective clients

We will only collect information that is directly relevant to our business relationship with our
The primary source of information will be from the client directly. Where we use other sources, we must inform the client of those sources before proceeding.
We will not share, sell or trade personal information to any other company or person. We may contact clients from time to time for relationship management purposes or to advise of other
We will use all reasonable endeavours to ensure that personal information is kept secure and
Only authorised staff will have access to personal
We only keep personal information for as long as it is necessary (refer record Keeping policy).
Client information is safely disposed
We ensure that our IT network is secure
We take all reasonable steps to ensure information is protected when working
If we are considering engaging an overseas – based service provider (e.g. cloud storage services), we must ensure that the provider meets all New Zealand privacy
Any request for access to information must be referred to the Privacy / Compliance Officer.
We record breaches on the Breaches

Breach Process

These are four key steps in dealing with a privacy breach:

Contain
– Once you discover a privacy breach, contain it immediately and find out what went wrong
Assess
– Assessing the risks of the privacy breach will help figure out our next steps
Notify
– We will be open and transparent with people about how we are handling their personal information
Prevent
– The most effective way to prevent future breaches is through our security plan for all personal information

Further information about the four steps, follow https://www.privacy.org.nz/privacy-for-agencies/privacy-breaches/responding-to-privacy-breaches/

If we are unsure if a breach is notifiable, we can refer to the commission’s website https://www.privacy.org.nz/privacy-foragencies/privacy-breaches/notify-us/

Real advice, in really easy to understand terms