When a client uses our services, they are trusting Rod Schubert Financial Advice Limited (“RSFA”) with their personal and financial information. We understand this is a big responsibility and we work hard to protect their information as per the Privacy Act 2020.
A key aspect of our business is obtaining and storing client information and other types of data. We ensure all providers of services always meet New Zealand privacy laws.
We must also ensure that personal client information is held in a safe and secure way and disposed of securely when we have finished with it and/or are no longer required to hold it.
We follow the thirteen principles of the Privacy Act 2020 when collecting, using and storing clients’ personal information:
Principle 1 |
Personal information must only be collected when:
|
Principle 2 |
Personal information must usually be collected from the person the information is about. But sometimes it is all right to collect information from other people instead – for instance, when:
|
Principle 3 |
When we collect personal information from the person the information is about, we must take reasonable steps to make sure that person knows things like:
Sometimes there are good reasons for not letting a person know about the collection, for example, if it would undermine the purpose of the collection, or it’s just not possible to inform the person. |
Principle 4 | Personal information must not be collected by unlawful means or by means that are unfair or unreasonably intrusive in the circumstances. |
Principle 5 | It’s impossible to stop all mistakes. But we must ensure that there are reasonable safeguards in place to prevent loss, misuse, or disclosure of personal information. |
Principle 6 |
People are entitled to receive from RSFA upon request
There are situations where we can refuse to give access to information because doing so would
RSFA has a legal duty to respond to requests for access to information or correction of information within 20 working days of receiving the request. |
Principle 7 |
|
Principle 8 | Before we use or disclose personal information, we must take reasonable steps to check that information is accurate, complete, relevant, up to date and not misleading. |
Principle 9 | We must not keep information for longer than is necessary for the purposes for which the information may be lawfully used. |
Principle 10 | We must use personal information only for the purpose for which it has been collected. Other uses are occasionally permitted (for example because this is necessary to enforce the law, or the use is directly related to the purpose for which the agency got the information). |
Principle 11 |
We can only disclose personal information in limited circumstances, such as where another law requires us to disclose the information. We can also disclose information if we reasonably believe that:
|
Principle 12 | Where disclosure of personal information happens outside of New Zealand (i.e. where the third-party provider is based overseas), we must confirm that the provider meets the New Zealand privacy and data laws before entering into a business relationship with them. If they do not meet our criteria, we cannot allow them to hold our data. |
Principle 13 | RSFA cannot use the unique identifier given to a person by another business. For example, some businesses or agencies give people a ‘unique identifier’ instead of using their name (e.g. a driver’s license number, a student ID number, an IRD number, etc.). People are not required to disclose their unique identifier unless this is one of the purposes for which the unique identifier was set up or is directly related to those purposes. |
RSFA has appointed the Compliance Officer, Rod Schubert, as the company Privacy Officer. The Privacy Officer must have a general understanding of the Act and can deal with privacy issues when they arise. Any breaches or ‘near misses’ should be reported to the Privacy Officer as soon as possible.
Privacy breaches are a reality for any business that holds personal information. Businesses and organisations can inadvertently release personal information through employee complacency, inadequate security measures, poor procedures or by accident. If a privacy breach happens, it must be carefully managed and resolved.
RSFA must report any serious privacy breaches to the Office of the Privacy Commissioner. A serious breach is one that poses a risk of harm (e.g. leaked personal information is published online or used to facilitate identity theft). Where a serious breach occurs, we must also notify the people whose information was affected.
Breach notifications to the Office of the Privacy Commissioner can be made by email, telephone or by using their online enquiry form: https://www.privacy.org.nz/privacy-for-agencies/privacy-breaches/
RSFA collects personal information from:
→ Employees / Prospective Employees
→ Contractors
→ Authorised bodies
→ Outsource providers
→ Clients and prospective clients
There are four key steps in dealing with a privacy breach:
For further information about the four steps, see https://www.privacy.org.nz/privacy-for-agencies/privacy-breaches/responding-to-privacy-breaches/
If we are unsure if a breach is notifiable, we can refer to the Privacy Commissioner’s website: https://www.privacy.org.nz/privacy-for-agencies/privacy-breaches/notify-us/