Purpose
This policy outlines UCOL’s commitment to protecting personal information and ensuring compliance with the Privacy Act 2020. It supports transparency, accountability, and responsible data handling across all organisational activities.
Scope
This policy applies to all UCOL staff, contractors, and consultants. The Privacy Act 2020 governs the collection, use, storage, and disclosure of personal information relating to any identifiable individual.
Policy Statements
- UCOL adheres to the Privacy Act 2020, including its 13 Information Privacy Principles, in its day-to-day activities. A summary of these principles is included in this Policy.
- UCOL has established procedures and guidelines to manage requests for access to and correction of personal information.
- Staff personal files are retained for seven years following the end of employment.
- UCOL has a designated Privacy Officer.
Responsibility
UCOL has a Privacy Officer who is responsible for:
- Encouraging staff compliance with the Information Privacy Principles and the Act.
- Advising staff on privacy-related inquiries, complaints, and requests.
- Working with the Office of the Privacy Commissioner during investigations into complaints received in respect to the Act.
- Ensuring organisational compliance with privacy legislation.
- Coordinating staff training and awareness on privacy obligations.
Summary of the 13 Information Privacy Principles
Principle 1, Principle 2, Principle 3 and Principle govern the collection of personal information. This includes the reasons why personal information may be collected, where it may be collected from, and how it is collected.
Principle 5 governs the way personal information is stored. It is designed to protect personal information from unauthorised use or disclosure.
Principle 6 gives individuals the right to access information about themselves.
Principle 7 gives individuals the right to correct information about themselves.
Principle 8 and Principle 9, Principle 10 and Principle 11 place restrictions on how people and organisations can use or disclose personal information. These include ensuring information is accurate and up-to-date, and that it isn’t improperly disclosed.
Principle 12 sets rules around sending personal information to organisations or people outside New Zealand.
Principle 13 governs how “unique identifiers” – such as IRD numbers, bank client numbers, driver’s licence and passport numbers – can be used.
Further Information
Further information can be obtained on the Office of the Privacy Commissioner website:
Making a Privacy Request
Relevant Legislation
Privacy Act 2020
Privacy Act 2020 Codes of Practice
Official Information Act 1982