‘TradeWindow’ or ‘we’
refers to TradeWindow Limited, its subsidiaries and affiliates
are Directors, employees and contractors of TradeWindow, as well as any third parties who process personal information on behalf of TradeWindow.
‘Information Privacy Principles’
are the privacy principles, rules and guidelines TradeWindow adheres to when processing personal information.
Office of the Privacy Commissioner.
refers to the Privacy Act 2020 effective from 1 December 2020.
is any information which tells us something about a specific individual. The information does not need to name the individual, as long as they are identifiable in other ways, like through their home address.
is an event where personal information is either inappropriately: disclosed, altered, lost, or accessed. Loss includes either the destruction of information or the temporary inability to access information.
‘TradeWindow’s Privacy Officer’
is the person responsible for all privacy related matters across TradeWindow on behalf of the leadership team, monitoring compliance, acting as the contact for the Office of the Privacy Commissioner for breach notification, complaints and other enquiries and to ensure TradeWindow complies with the provisions of the Privacy Act.
The purpose of this policy is to provide a privacy framework, including how TradeWindow will collect, store, use, disclose and dispose of personal information (the “Information Privacy Principles”).
TradeWindow complies with the New Zealand Privacy Act 2020 and any other privacy and data protection laws where applicable.
This policy applies to all Directors, employees and contractors of TradeWindow, as well as any third parties who process personal information on behalf of TradeWindow (collectively known as “TradeWindow Users”).
This policy covers all personal information regardless of whether it relates to:
- Members of the public.
3. INFORMATION PRIVACY PRINCIPLES
3.1 Collecting Personal Information
We will only collect the minimum personal information necessary for our business purposes. We will not collect information where it is not necessary.
We will endeavour to collect personal information:
- Directly from the individual it is about.
- In a way that is fair in the circumstances.
- In a way that does not intrude to an unreasonable extent on the personal affairs of the individual whose information is being collected.
We will take reasonable steps to inform individuals about what information we are collecting, why, and key details about how we will treat it (in the form of a “Privacy Notice”) prior to collection. The Privacy Notice will include the consequence of not providing the personal information and information about the individual’s rights to access and correct personal information.
3.2 Storage and Retention of Personal Information
TradeWindow’s users must take all reasonable steps to protect personal information from loss, unauthorised access, disclosure, or misuse.
We will not store personal information for longer than is necessary for a lawful or business purpose and will dispose of it when it is no longer needed. Information should be maintained consistently in accordance with our
3.3 Access to Personal Information
Individuals have the right to access information about themselves. A request can come from a customer, an employee, or any other individual. They do not need to cite the Privacy Act for it to be an appropriate request. Any request for personal information must be notified to TradeWindow’s Privacy Officer as soon as it is received. TradeWindow’s Privacy Officer can guide the request and advise you on appropriate withholding grounds if they apply in accordance with the
As a general principle, unless there are valid reasons why we would not disclose that information, we will provide access to personal information we hold about any individual if they request that information.
All employee personal information requests should also be notified to the Human Resources Manager by email at email@example.com. If you want to access your own personal information, you should make the request to your manager or to the Human Resources Manager at firstname.lastname@example.org.
All requests for access must normally be completed within 20 working days unless they are extended by TradeWindow’s Privacy Officer.
3.4 Correction of Personal Information
Individuals also have the right to correct personal information about themselves. These requests can be of simple facts (for example, an address) or more complex issues (such as a file note saying a customer was aggressive). In any instance we need to consider the request to correct the information and take appropriate action. If we do not agree that the information is incorrect, we do not need to correct it, but we must clearly note the individual’s view that the information is incorrect prominently next to the contentious information.
All correction requests must be made in accordance with the
3.5 Use and Disclosure of Personal Information
We will not use personal information without first considering whether it is reasonably accurate, up-to-date, and complete.
We will only use personal information where it is lawful to do so. Primarily this will be where we are using personal information for the reason it was initially collected.
We will not use an individual’s personal information for training or for system testing purposes.
We will not disclose personal information unless we have a reasonable basis for believing doing so is lawful. This will usually be where the disclosure is for the purpose the information was collected or because it is authorised by the individual. Other exceptions apply and if you are uncertain you should discuss these with TradeWindow’s Privacy Officer.
We will not disclose personal information overseas unless it is protected by safeguards equivalent to those in New Zealand. For guidance on any overseas disclosure of personal information you should consult with TradeWindow’s Privacy Officer.
4. PRIVACY BREACHES
We have clear, consistent processes for reporting, managing and escalating privacy incidents. For any suspected privacy breach, you must immediately follow the Privacy Breach Process.
A privacy breach is when personal information is either inappropriately: disclosed, altered, lost, or accessed. Loss includes either the destruction of information or the temporary inability to access information.
You must report any suspected privacy breach to the Privacy Officer. TradeWindow’s Privacy Officer will confirm whether there has been a privacy breach, and whether they believe it may have caused or could cause serious harm.
All privacy breaches or suspected privacy breaches must be recorded in a central privacy breach log.
5. THIRD PARTIES
Where we contract with a third party to outsource the processing of personal information, you must ensure that the personal information is protected by equivalent safeguards to when it was managed by us.
Agreements must require the contracted party to meet our privacy requirements, for example:
- Notify us of any privacy breach.
- Notify us of any Privacy Act access or correction requests made by an individual.
- Maintain security safeguards.
- Only retain information for a specified period.
- Not sub-contract the processing to a lower standard than is agreed in the contract.
The details how we assess and manage third parties from a privacy perspective.
6. CUSTOMER MANAGEMENT
Where we are acting as a third party or service provider for a customer, it is still the customer’s responsibility to ensure personal information is protected by equivalent safeguards to when it is managed by themselves. Therefore, where TradeWindow holds or processes personal information on behalf of its customers, we must ensure that personal information is protected in accordance with the customer’s agreement.
Customers are also responsible for the likes of notifying the Office of the Privacy Commissioner and individuals affected in the event the privacy breach is ‘notifiable’, and responding to an individual’s Privacy Act access or correction request. It is vital we inform customers as soon as practically possible of breaches, individuals’ requests, or other privacy related matters.
All customer agreements should include the following privacy requirements at minimum:
- Notifying the customer of any privacy breaches involving personal information.
- Transfer of Privacy Act access or correction requests.
- Maintain security safeguards.
- Only retain information for a specified period.
The Privacy Officer is responsible for communicating privacy related matters to customers unless otherwise agreed or stated in the customer agreement.
Where you become aware of a complaint about privacy or the management of personal information you must immediately notify TradeWindow’s Privacy Officer in accordance with the
8. PRIVACY IMPACT ASSESSMENTS
If you are considering a new process, policy, product, service, or system that changes how we collect, use, store, disclose or dispose of personal information you must consider the privacy impacts and risk.
To initiate this, you should contact TradeWindow’s Privacy Officer outlining the proposal and any anticipated risks. TradeWindow’s Privacy Officer may ask that you undertake a Privacy Impact Assessment.
If a Privacy Impact Assessment is required, it must be signed off by the relevant business owner and TradeWindow’s Privacy Officer before the process, policy or system is brought into effect.
9. TRAINING AND EDUCATION
We will train those employees and contractors working with personal information, and ensure that all employees undertake regular training on privacy risk areas specific to their business area, as well as broader privacy best practices.
10. PROCESS REVIEW
We commit to retaining up-to-date privacy processes. Our business processes relating to the collection, access and correction, use and disclosure, storage and disposal of personal information will be regularly reviewed, at least annually.
11. ACCOUNTABILITIES AND RESPONSIBILITIES
The Board is committed to managing personal information by:
- Setting clear expectations regarding privacy and protection of personal information, and communicating them to the leadership team.
- Holding the leadership team accountable for meeting those expectations.
- Ensuring that effective privacy risk management is fully embedded within TradeWindow’s overall risk management activities.
- Employing high-quality monitoring and information management practices.
TradeWindow’s Privacy Officer, on behalf of the leadership team, is accountable for:
- Promoting privacy and proactively assessing and managing privacy risk within TradeWindow.
- Monitoring compliance and assisting with access and correction requests.
- Monitoring and advising on Privacy Impact Assessments.
- Being the point of contact for the Office of the Privacy Commissioner for breach notification, complaints and other enquiries.
- Being responsible for privacy breaches or any complaints raised about privacy.
- Ensuring that TradeWindow complies with the provisions of the Privacy Act.
- Ensuring that new employee induction includes privacy training.
TradeWindow Users have individual responsibility to:
- Maintain best practice privacy behaviours.
- Report all privacy breaches and near misses to the Privacy Officer.
- Promote privacy at work.
- Comply with all privacy policies and guidelines.
- Actively participate in privacy training.
- Identify privacy risks.
12. MONITORING AND GOVERNANCE
Our privacy policies and guidelines have been established to comply with the Privacy Act 2020. The monitoring and oversight of privacy follows a three lines of defence model to provide assurance that privacy risks are being managed effectively under different situations:
- The first line of defence is formed by managers and employees responsible for identifying and managing risks as part of their duties.
- The second line of defence is formed by privacy and internal governance policies, frameworks, tools and techniques to support privacy to be maintained.
- The third line of defence is formed by internal and external audits ensuring that the first two lines of defence are operating effectively and identifying opportunities for improvement.
Non-compliance with the terms of this policy may result in disciplinary action or dismissal.
Any privacy related concerns or requests for information should be initially directed to your manager.
Where required you can also contact TradeWindow’s Privacy Officer at email@example.com.
16. REVIEW OF POLICY
TradeWindow’s Privacy Officer is responsible for maintaining this policy.
This policy is reviewed annually and is approved by the Board.
Date of this Policy:
25 November 2020
Next Review of this Policy:
25 November 2023