This Privacy Policy provides information relating to how Citycare Property collects, stores, uses, discloses and disposes of personal information.

Individuals are entitled to:

  • request access to personal information that is held about them

  • request that the information held about them be corrected 

By providing personal information to us, you are accepting and consenting to the practices described in this Privacy Policy. If you do not agree with any of the terms of this Privacy Policy, please inform us and do not submit any further personal information to us. This policy does not limit or exclude any individual rights under the Act. If you wish to seek further information on the Act, see www.privacy.org.nz.

Personal information under the Privacy Act 2020 (the Act) means “information about an identifiable individual”.

Information and Privacy Principles

The Act establishes 13 information and privacy principles (IPPs) that cover the collection, use and disclosure of information relating to individuals by the Employer, as well as the access to and correction of that information by the individuals concerned.

The privacy principles are subject to certain restrictions imposed by the Act, and may be expressly overridden by provisions in other Acts.

A breach of the IPPs may amount to interference to privacy, which may be investigated by the Privacy Commissioner.

Complaints not settled by the Privacy Commissioner may fall to be determined by the Human Rights Review Tribunal.

The IPPs provided for by the Act are:

  1. Principle 1 – Purpose:  Information must be collected for a lawful purpose connected with the activity and functions of the Employer. The collection of the information must be necessary for that purpose.

  2. Principle 2 – Source:  Personal information must be collected directly from the individual concerned apart from in limited circumstances.

  3. Principle 3 – Collection:  When personal information is collected directly from an individual, the person collecting must ensure that the individual is aware of a number of matters, including the purpose for which it is collected, the intended recipient, the fact that the individual has a right to access to, and a right to request correction of, that information.

  4. Principle 4 – Manner of Collection:  Personal information may not be collected unlawfully, or in any way that is unfair in the circumstances or which intrudes unreasonably on personal privacy.

  5. Principle 5 – Storage and Security:  The Employer must ensure that it has reasonable safeguards for securing from loss, access, use, modification, disclosure or misuse of the information.

  6. Principle 6 – Access to Personal Information:  Any individual is entitled to confirmation from the Employer as to whether it holds personal information, and access to that information about them if it is readily retrievable.

  7. Principle 7 – Correction:  An individual is entitled to request correction of personal information about them held by the Employer.

  8. Principle 8 – Accuracy:  The Employer cannot use personal information without taking reasonable steps to ensure that the information is up to date, complete, relevant and not misleading.

  9. Principle 9 – Time Limit:  Personal information may not be kept longer than necessary for the purpose for which it may lawfully be used.

  10. Principle 10 – Limits on Use:  Personal information obtained for one purpose may not be used for another purpose subject to certain exceptions.

  11. Principle 11 – Limits on Disclosure:  The Employer must not disclose personal information to any person or agency, unless one of the following applies:

    1. there is a reasonable belief that disclosure is one of the purposes for which information has been obtained;

    2. disclosure is to or on behalf of the individual concerned;

    3. disclosure is necessary to enable the sale of the business;

    4. disclosure is necessary to prevent a serious or imminent threat to public health or safety;

    5. it has been authorised by the Privacy Commission;

    6. the information is publicly available;

    7. disclosure is necessary to avoid prejudice to the maintenance of law; and

    8. the information will not be used in a form which identifies the individual concerned; and

  12. Principle 12 – Cross-Border Disclosure: The Employer may disclose information to a foreign person or entity only under limited circumstances as outlined in the Act.

  13. Principle 13 – Unique Identifier:  The Employer may not assign a unique identifier to an individual unless this is necessary to enable it to carry out its functions effectively.  A “unique identifier” is a tag that does not use the individual’s name.

Purpose

This Privacy Policy sets out the principles which are used by Citycare Property to collect, store, use, disclose and dispose of personal information. Citycare Property’s Privacy Policy is provided to all staff and Board members. It is the responsibility of each staff and Board member to understand and apply this policy. It also applies to contractors engaged by Citycare Property. It is the responsibility of the Manager engaging the contractor to ensure they comply with all Citycare Property policies while working for Citycare Property.

Scope

Citycare Property collects, holds and uses personal information in order to perform our work and also as part of employing and engaging staff. Citycare Property is committed to ensuring that personal information is managed appropriately, and we strive to uphold good practice privacy standards in the collection, storage, use and disposal of personal information. 

Personal information at Citycare Property is subject to:

  • The Act and associated 13 IPPs that cover the collection, handling, storage and use of personal information 

  • The Official Information Act 1982 

  • The Public Records Act 2005 

What personal information is collected?

Citycare Property only collects personal information that is reasonably necessary to conduct the functions or activities of our business. The purpose for collecting the personal information will be clearly articulated before, at, or as soon as practicable after the collection. Generally, personal information will be used for dealing with your request, enquiry or employment-related matters.

Personal information collected will differ depending on the purpose of collection. For example, a resume may be required from candidates applying for a position; mailing address details for subscriptions to company newsletters; and emergency contact and tax file numbers for human resource management.

By sending emails, you will be providing us with certain personal information which may include your name and contact details. This information is collected by us for the purpose of dealing with your request. We may not be able to deal with your request without collecting this information from you.

When it is reasonable and practicable to do so and provided another exception in the IPPs does not apply, we will collect your personal information directly from you.

Citycare Property also collects personal information from recruitment service providers in seeking out prospective job applicants.

Information collected via our website

To ensure we are meeting the needs and requirements of our website users, and to develop our online services, we may collect aggregated information by using cookies. Cookies are unique identification numbers like tags that are placed on the browser of our website users. The cookies do not in themselves identify users personally but are linked back to a database record about them. We may use cookies to track use of our website, and to compile statistics on visits to the site in an aggregated form and log anonymous information such as:

  • the address of a user’s server;

  • a user’s top-level domain (such as .com or .nz);

  • the date and time of a user’s visit;

  • the pages a user accessed and downloaded;

  • the search engine a user used;

  • the type of browser that was used.

When a user visits our site, a cookie may be placed on their machine. Where a user has visited us before, the cookie may be read each time they re-visit the site. We do not use this technology to access any other personal information of a user in our records and a user cannot be personally identified from a cookie.

Our website host Plato Creative Design Limited also has access to our website and may from time to time need to access the site and data contained within it. Plato Creative Design Limited’s privacy policy can be found on platocreative.co.nz). We currently have Google Analytics, Facebook Pixel, and LinkedIn Pixel codes on our website.

How will Citycare Property use and disclose personal information?

Citycare Property will use personal information only for the purposes for which it is collected, except where legislation allows it to be used for other purposes. Citycare Property will, when using information, take reasonable steps to ensure it is complete, relevant, up to date and not misleading. 

Personal information will only be disclosed to unrelated third parties with your consent or where required by law, or for one of the purposes for which the information was obtained. We may disclose your personal information to:

  • our employees, related bodies corporate, contractors or service providers for the purposes of operating our business or website, fulfilling requests by you or to provide products and services to you;

  • suppliers and third parties with whom we have commercial relationships, for business, marketing and related purposes; and

  • other organisations for authorised purposes with your express consent.

Citycare Property may share personal information with related companies or with contractors performing services for Citycare Property. In these instances, we will use reasonable endeavours to ensure that these organisations comply with the IPPs.

How will Citycare Property store and manage your data?

Citycare Property will maintain all reasonable safeguards against the loss, misuse or inappropriate disclosure of personal information, and maintain processes to prevent unauthorised use or access to that information. In particular:

  • Citycare Property will keep physical documents secure, including circumstances where there is a business need to take them outside of Citycare Property premises, and no technical solution is applicable.

  • Citycare Property will keep electronic personal information secure by ensuring its data storage is protected from external sources, maintaining regular back up of data to secure storage and applying good practice for information security management.

  • Citycare Property may use cloud computing services to manage and store information. Where used, Citycare Property will take reasonable steps to protect the personal information we hold from misuse and loss, interference and from unauthorised access, modification or disclosure.

Citycare Property will securely de-identify or dispose of personal information when we have no further need to use it, or when we are required by law to do so.

Email Security

In accordance with our email policy, any emails you send will be automatically scanned which may result in your email or attachments being blocked. Our IT administrators may have access to your emails to authorise the content for security purposes only and not thereafter.

How can I access and correct information?

You may request access to personal information that we hold about you. Citycare Property will provide you with access to personal information in accordance with the Act and IPPs. There may be instances where we cannot grant you access to the personal information that we hold, for example, if it would interfere with the privacy of others or if would result in breach of confidentiality. If you are refused access to information, we will provide you with reasons for the refusal and inform you of any exceptions relied upon under the IPPs.

Citycare Property will take reasonable steps to make sure that the personal information we collect, use or disclose is accurate, complete and up to date. If you believe that the personal information we hold about you is inaccurate or out of date, please let us know and request us to amend it. We will consider your request, and if we are satisfied with your request, we will take reasonable steps to correct the information. If we do not agree that there are grounds for amendments, then we will follow the procedures set out in the IPPs.

Privacy incidents 

A privacy incident includes an actual privacy breach, a potential privacy breach, or a near miss.

A privacy breach occurs when there is an unauthorised or accidental access to, or disclosure, alteration, loss or destruction of personal information. A privacy breach can also include an action that prevents Citycare Property from accessing the information on either a temporary or permanent basis.

A potential privacy breach occurs where an IPP might have been breached, but it is not known if an actual breach occurred. 

A near miss is where an action could have resulted in a breach but ultimately the breach does not occur. 

All privacy incidents (actual and potential breaches or near misses) discovered by staff should be notified to their immediate manager. Managers are responsible for managing the response to the privacy incident. 

A Privacy Incident Reporting form should be completed as soon as possible. This will be provided to Citycare Property’s Privacy Officer who will advise further on the management of the privacy incident. This may include notifying the incident to the Office of the Privacy Commissioner where required under the Act or if notification is considered necessary in the interests of transparency. 

Requests and Complaints 

Where any member of staff becomes aware of a privacy complaint made by an individual to Citycare Property or to the Office of the Privacy Commissioner, Citycare Property’s relevant Privacy Officer should be notified.

Who to contact?

Citycare Property's Privacy Officer is Claire Bourne.

To contact Claire please email: claire.bourne@citycareproperty.co.nz