Privacy

PRIVACY & CONFIDENTIALITY POLICY AND PROCEDURE

Policy

The purpose of this policy is to provide guidance to Employees, Volunteers (e.g., trustees, student placements), and/or Contractors on their obligations to maintain the Privacy and Confidentiality Principles for ALL personal information, as per the Privacy Act 2020.

The new Privacy Act 2020 controls how organisations such as Te Pā collect, use, disclose, store, provide access to, or correct personal information. As such, the organisation will ensure all personal information is kept confidential by use of a variety of robust security measures.

In addition to the Privacy Act 2020, any organisation within the Health Sector, or that is funded by the Ministry of Health (MoH), or a local District Health Board (DHB), must follow the requirements listed within the Health Information Privacy Code 2020.

This policy is to be read in conjunction with the Oranga Tamariki Act 1989 (latest version), Section 65A to Q – Information Sharing. The principles relating to Information Sharing under the Oranga Tamariki Act differ from those of the Privacy Act, where the wellbeing of Children and/or Young Persons at Risk overrides some of the principles contained within the Privacy Act.

The Privacy Act and the Health Information Privacy Code 2020 ensure Te Pā maintains its commitment to obtaining, using, disclosing, and storing personal information in a sensitive manner, secured in a format specific to how the information was initially received. This will be explained further within the procedural section of this policy.


Procedure

The procedures within this policy cover 7 categories, outlining the requirements of both the Privacy Act and the Health Information Privacy Code 2020:

1. Responsibilities (including those of the Privacy Officer)
2. Collection and use of Personal Information (adults, children, and young persons)
3. Disclosure and Sharing of Personal Information
4. Access and Correction of Personal Information
5. Storage and Security of Personal Information
6. Destruction of Personal Information
7. Breaches of Privacy and/or Confidentiality


1. Responsibilities

Everyone working at Te Pā has a responsibility to ensure all forms of personal information are kept private and confidential at all times.

Roles and responsibilities of a Privacy Officer:

a. To ensure Te Pā complies with requirements within the Information Privacy Principles (IPP) listed in the Privacy Act, and the Health Information Privacy Code 2020.
b. To assist the CEO in resolving complaints received by Te Pā, or the Privacy Commissioner’s Office, relating to breaches of privacy.
c. To handle any personal information requests received from Tangata, Employees, Volunteers, or Contractors.

The Privacy Officer must ensure all personnel at Te Pā understand the requirements associated with the Privacy Act and the Health Information Privacy Code, to prevent breaches from occurring. In some instances, an individual Employee may be solely liable for a potential breach or breaches of the Act.

All Employees, Volunteers (including Trustees, Student Placements), and Contractors of Te Pā must sign a Confidentiality Agreement prior to commencement of their roles.


2. Collection and Use of Personal Information

The collection and use of personal information must align with Part 3 of the Privacy Act. Information is collected only for the purpose for which it was obtained.

2.1 Who do we collect your personal information from?
a. From you personally, as part of your employment or engagement with Te Pā.
b. Through any contact you have with us (e.g., telephone, email, postal mail).
c. From third parties, where authorised, e.g., Police, Department of Corrections, or publicly available sources.

When collecting personal information, Te Pā must inform you of the reason.

d. For Employees – verbally during recruitment and included in the Individual Employment Agreement.
e. For Tangata – verbally via the Kaiārahi and in writing via the Referral form.

2.2 Collection of Health Information
a. Employees – medical certificates, accident reports, payroll or billing details, ACC payments.
b. Tangata – medical or treatment history, as part of service contracts or risk/needs assessment.

2.3 How is your personal information used?
a. To verify identity.
b. To undertake pre-employment checks or confirm contractor reputation.
c. To improve delivery of services.
d. To communicate electronically.
e. To respond to communications or complaints.
f. To conduct research or produce anonymous statistics.
g. To protect or enforce legal rights.
h. For any other purpose authorised by you.


3. Disclosure and Sharing of Personal Information

Instances of sharing or disclosing personal information occur:
a. During recruitment.
b. For Police vetting.
c. With training providers.
d. When tangata engage with services.
e. With other health providers or agencies.
f. With IT and data service providers.
g. When working with rangatahi or tamariki.
h. In alignment with Oranga Tamariki Act 1989.

Other agencies Te Pā may share with include:
i. NZ Transport Agency, Ministries, funders, or auditors.
j. Police, Corrections, Oranga Tamariki.
k. Any person authorised by you.
l. Overseas businesses supporting Te Pā (e.g., cloud storage).

3.1 Reasons for Te Pā to Refuse Access
a. If disclosure would involve unwarranted disclosure of another individual.
b. If disclosure poses a threat to health, safety, or life.
c. If disclosure could lead to serious harassment.
d. If disclosure involves employment suitability or evaluations.
e. If a tamariki or rangatahi discloses abuse or neglect.


4. Access and Correction of Personal Information

4.1 Access
a. Requests must be made in writing to the Privacy Officer.
b. Evidence of identity is required.
c. Representative requests must be verified.
d. Te Pā has 20 working days to respond.
e. If refused, reasons must be provided.

4.2 Correction
a. Simple corrections (e.g., change of contact details) can be made immediately.
b. Corrections can be requested when information is provided.
c. More complex corrections require written submission to the Privacy Officer.


5. Storage and Security of Personal Information

Personal information may be stored electronically or in hardcopy.

a. Te Pā takes reasonable steps to protect information from misuse, loss, or unauthorised access.
b. Information is stored in secure databases with restricted access and cloud backup.
c. Employees are given unique logins with restricted access.
d. Devices must be locked or shut down when unattended.
e. Hardcopy documents are stored securely in locked cabinets or scanned into secure drives.
f. Printers/photocopiers must be cleared daily, and sensitive material destroyed.

Note: Employees working remotely must maintain the same confidentiality and security.


6. Destruction of Personal Information

Personal information no longer required will be archived, deleted, or destroyed unless required by legislation.

  • Healthcare information retained for 10 years.
  • Financial information retained for 7 years.

a. Soft copy – archived with identifying details until permanent deletion.
b. Hard copy – stored securely until destruction is legally permitted.


7. Privacy Breaches

A breach is unauthorised or accidental access, disclosure, alteration, or loss of personal information. It may include cyber-attacks or malware.

Breaches can result in:
a. Physical harm or intimidation.
b. Financial fraud.
c. Family violence or emotional harm.

The Privacy Officer must be notified immediately of any breach. Breaches are taken seriously and may result in disciplinary action, termination, or criminal charges.

The Privacy Officer is currently the CEO of Te Pā.


Related Policies

  • Misconduct or Serious Misconduct Policy and Procedure
  • Copyright and Intellectual Property Policy and Procedure
  • Complaints and Official Inquiries Policy and Procedure
  • Interest (Conflicts) Policy and Procedure
  • Social Media Policy and Procedure
  • Media Policy and Procedure
  • Cyber Security Register

Supporting Documents/Forms/Legislation

  • Privacy Act 2020
  • Oranga Tamariki Act 1989 (1 July 2022)
  • Social Sector Accreditation Standards – Level 2
  • Confidentiality Agreement
  • Individual Employment Agreement
  • Tangata Service Referral and/or Enrolment Form
  • Tangata or Employee Consent Form

Te Whare o te Pā

Level 3
711 Mt Albert Rd
Royal Oak
Auckland 1023
PO Box 108-104
Newmarket
Auckland
1149
