Privacy Policy

1.0 INTRODUCTION

In its everyday business operations Digital Arena Limited makes use of a variety of data about identifiable individuals, including data about:

  • Current, past and prospective employees
  • Customers
  • Users of its websites
  • Other stakeholders

In collecting and using this data, the organisation is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it. The purpose of this policy is to set out the relevant legislation and to describe the steps Digital Arena Limited is taking to ensure that it complies with it. This control applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Digital Arena Limited systems.

2.0 PRIVACY AND PERSONAL DATA PROTECTION POLICY

2.1.1 THE PRIVACY ACT 2020

The Privacy Act 2020 provides the rules in New Zealand for protecting personal information and puts responsibilities on agencies and organisations about how they must do that. It is Digital Arena Limited’s policy to ensure that our compliance with The Privacy Act 2020 and other relevant legislation is always clear and demonstrable.

2.1.2 DEFINITIONS

The privacy and information rules in the Privacy Act apply only to information about identifiable individual people (but not people who are now dead). The Act calls this “personal information”, using the word “personal” to indicate that it’s information about any individual person, not that it’s particularly private or sensitive information. The Act doesn’t apply to information about organisations – like companies, incorporated societies or charitable trusts.

2.1.3 PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA

There are several fundamental principles upon which The Privacy Act 2020 is based.

PRINCIPLE 1: Purpose for collection of personal information - organisations must only collect personal information if it is for a lawful purpose connected with their functions or activities, and the information is necessary for that purpose.

PRINCIPLE 2: Sources of personal information - personal information should be collected directly from the person it is about. The best source of information about a person is usually the person themselves. Collecting information from the person concerned means they know what is going on and have some control over their information.

PRINCIPLE 3: What to tell an individual - organisations should be open about why they are collecting personal information and what they will do with it. When an organisation collects personal information, it must take reasonable steps to make sure that the person knows: why it is being collected; who will receive it; whether giving it is compulsory or voluntary; what will happen if the information isn't provided.

PRINCIPLE 4: Manner of collection of personal information - personal information must not be collected by unlawful, unfair or unreasonably intrusive means. When an organisation collects information about a person, it must do so in a way that is fair and legal.

PRINCIPLE 5: Storage and security of personal information - organisations must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information.

PRINCIPLE 6: Access to personal information - people have a right to ask for access to their own personal information. An organisation must provide access to the personal information it holds about someone if the person in question asks to see it. Information cannot be requested about another person, unless you are acting on that person's behalf and have written permission.

PRINCIPLE 7: Correction of personal information - a person has a right to ask an organisation or business to correct information about them if they think it is wrong.

PRINCIPLE 8: Accuracy of personal information - an organisation must check before using or disclosing personal information that it is accurate, up to date, complete, relevant and not misleading.

PRINCIPLE 9: Retention of personal information - an organisation should not keep personal information for longer than it is required for the purpose it may lawfully be used.

PRINCIPLE 10: Use of personal information - organisations can generally only use personal information for the purpose it was collected. Sometimes other uses will be allowed, such as if the new use is directly related to the original purpose, or if the person in question gives their permission for their information to be used in a different way.

PRINCIPLE 11: Disclosure of personal information - an organisation may only disclose personal information in limited circumstances e.g. disclosure is one of the purposes for which the organisation got the information; the person concerned authorises the disclosure; the information is to be used in a way that does not identify the person concerned; disclosure is necessary to avoid endangering someone's health or safety; disclosure is necessary to uphold or enforce the law.

PRINCIPLE 12: Cross-border disclosure - A business or organisation may only disclose personal information to another organisation outside New Zealand if the receiving organisation: is subject to the Privacy Act because they do business in New Zealand; is subject to privacy laws that provide comparable safeguards to the Privacy Act; agrees to adequately protect the information; is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government. If none of these apply, cross-border disclosure requires permission of the person concerned. The person must be informed that their information may not be given the same protection as provided by the New Zealand Privacy Act.

2.1.4 BREACH NOTIFICATION

A privacy breach occurs when an organisation or individual either intentionally or accidentally:

  • Provides unauthorised or accidental access to someone's personal information.
  • Discloses, alters, loses or destroys someone's personal information.

A privacy breach also occurs when someone is unable to access their personal information due to, for example, their account being hacked.

  • Under the Privacy Act 2020, if Digital Arena Limited has a privacy breach that either has caused or is likely to cause anyone serious harm, Digital Arena Limited must notify the Privacy Commissioner and any affected people as soon as practically able.
  • As a guide, our expectation is that a breach notification should be made no later than 72 hours after agencies are aware of a notifiable privacy breach.
  • Breaches must be reported to the Data Protection Officer immediately.
  • Breaches can be reported online via the Privacy Commissioner website.

2.1.5 ADDRESSING COMPLIANCE TO THE PRIVACY ACT 2020

The following actions are undertaken to ensure that Digital Arena Limited always complies with the accountability principle of The Privacy Act 2020:

  • The legal basis for processing personal data is clear and unambiguous.
  • All staff involved in handling personal data understand their responsibilities for following good data protection practice.
  • Training in data protection has been provided to all staff.
  • Rules regarding consent are followed.
  • Regular reviews of procedures involving personal data are carried out.