When a client uses our services, they are trusting Rod Schubert Financial Advice Limited (“RSFA”) with their personal and financial information. We understand this is a big responsibility and we work hard to protect their information as per the Privacy Act 2020.
A key aspect of our business is obtaining and storing client information and other types of data. We ensure that all providers of services always meet New Zealand privacy laws.
We must also ensure that personal client information is held in a safe and secure way and disposed of securely when we have finished with it and/or are no longer required to hold it.
We follow the thirteen principles of the Privacy Act 2020 when collecting, using and storing clients’ personal information:
|Personal information must only be collected when:
|Principle 2||Personal information must usually be collected from the person the information is about. But sometimes it is all right to collect information from other people instead
– for instance, when:
|Principle 3||When we collect personal information from the person the information is about, we must take reasonable steps to make sure that person knows things like:
Sometimes there are good reasons for not letting a person know about the collection, for example, if it would undermine the purpose of the collection, or it’s just not possible to inform the person.
|Principle 4||Personal information must not be collected by unlawful means or by means that are unfair or unreasonably intrusive in the circumstances.|
|Principle 5||It’s impossible to stop all mistakes. But we must ensure that there are reasonable safeguards in place to prevent loss, misuse, or disclosure of personal information.|
|Principle 6||People are entitled to receive from RSFA upon request
There are situations where we can refuse to give access to information because doing so would
RSFA has a legal duty to respond to requests for access to information or correction of information within 20 working days of receiving the request.
|Principle 8||Before we use or disclose personal information, we must take reasonable steps to check that information is accurate, complete, relevant, up to date and not misleading.|
|Principle 9||We must not keep information for longer than is necessary for the purposes for which the information may be lawfully used.|
|Principle 10||We must use personal information only for the purpose for which it has been collected. Other uses are occasionally permitted (for example because this is necessary to enforce the law, or the use is directly related to the purpose for which the agency got the information).|
|Principle 11||We can only disclose personal information in limited circumstances, such as where another law requires us to disclose the information. We can also disclose information if we reasonably believe that:
|Principle 12||Where disclosure of personal information happens outside of New Zealand (i.e. where the third-party provider is based overseas), we must confirm that the provider meets the New Zealand privacy and data laws before entering into a business relationship with them. If they do not meet our criteria, we cannot allow them to hold our data.|
|Principle 13||RSFA cannot use the unique identifier given to a person by another business. For example, some businesses or agencies give people a ‘unique identifier’ instead of using their name (e.g. a driver’s license number, a student ID number, an IRD number, etc.). People are not required to disclose their unique identifier unless this is one of the purposes for which the unique identifier was set up or is directly related to those purposes.|
RSFA has appointed the Compliance Officer, Rod Schubert, as the company Privacy Officer. The Privacy Officer must have a general understanding of the Act and can deal with privacy issues when they arise. Any breaches or ‘near misses’ should be reported to the Privacy Officer as soon as possible.
Privacy breaches are a reality for any business that holds personal information. Businesses and organisations can inadvertently release personal information through employee complacency, inadequate security measures, poor procedures or by accident. If a privacy breach happens, it must be carefully managed and resolved.
RSFA must report any serious privacy breaches to the Office of the Privacy Commissioner. A serious breach is one that poses a risk of harm (e.g. leaked personal information is published online or used to facilitate identity theft). Where a serious breach occurs, we must also notify the people whose information was affected.
Breach notifications to the Office of the Privacy Commissioner can be made by email, telephone or by using their online enquiry form: https://www.privacy.org.nz/privacy-for-agencies/privacy-breaches/
FSA collects personal information from:
→ Employees / Prospective Employees
→ Authorised bodies
→ Outsource providers
→ Clients and prospective clients
- We will only collect information that is directly relevant to our business relationship with our
- The primary source of information will be from the client directly. Where we use other sources, we must inform the client of those sources before proceeding.
- We will not share, sell or trade personal information to any other company or person. We may contact clients from time to time for relationship management purposes or to advise of other
- We will use all reasonable endeavours to ensure that personal information is kept secure and
- Only authorised staff will have access to personal
- We only keep personal information for as long as it is necessary (refer to the Record Keeping policy).
- Client information is safely disposed
- We ensure that our IT network is
- We take all reasonable steps to ensure information is protected when working
- If we are considering engaging an overseas-based service provider (e.g. cloud storage services), we must ensure that the provider meets all New Zealand privacy
- Any request for access to information must be referred to the Privacy / Compliance Officer.
- We record breaches on the Breaches
There are four key steps in dealing with a privacy breach:
– Once you discover a privacy breach, contain it immediately and find out what went wrong
– Assessing the risks of the privacy breach will help figure out our next steps
– We will be open and transparent with people about how we are handling their personal information
– The most effective way to prevent future breaches is through our security plan for all personal information
For further information about the four steps, see https://www.privacy.org.nz/privacy-for-agencies/privacy-breaches/responding-to-privacy-breaches/
If we are unsure whether a breach is notifiable, we can refer to the commission’s website: https://www.privacy.org.nz/privacy-for-agencies/privacy-breaches/notify-us/