Waka Kotahi NZ Transport Agency deals with the personal information of a large number of people and engages with a wide range of people and organisations who may handle personal information on its behalf.
Managing personal information appropriately is important to us and to the people whose personal information we hold. As an organisation who handles personal information on our behalf, we expect that you will also manage personal information appropriately and that if any issues arise (such as unauthorised access to or disclosure of personal information, whether accidental or deliberate), you will work with us to resolve them.
Personal information is information about an identifiable individual. Any information which tells us something about a specific individual is personal information. The information does not need to name the individual, as long as they are identifiable in other ways, like through their home address.
Personal information is not limited to information about an individual’s private or family life. This can include information about an individual’s business or work activities. Personal information can range from sensitive and confidential information to information that is publicly available. At Waka Kotahi, we also generally treat motor vehicle registration plate numbers as personal information.
All organisations have obligations to comply with the Information Privacy Principles set out in the Privacy Act (the Act). The Act covers the life-cycle of personal information and requires all organisations to have a Privacy Officer to oversee their compliance with the Act and to investigate any privacy complaints they may receive.
If you’re working with us, you have responsibilities when handling our customers’ information. In particular, unless your contract with us expressly states otherwise, we expect you to:
We expect you to have the following in place:
Privacy incidents can happen through complacency, inadequate security, poor procedures or by accident. Privacy incidents are often simple mistakes that only take a second to make but result in damage that can be serious and long-lasting. Proper incident management is critical, as it can help to minimise the harm to the individuals affected, your organisation, and Waka Kotahi.
We classify privacy incidents into two types:
A privacy breach is an incident where personal information is accessed by an unauthorised person, or is collected, used or disclosed without authorisation, for example, where personal information is used or disclosed for a different purpose to that for which it’s been collected, or a person not authorised to see that information accesses it. Failure to store personal information securely is also a privacy breach.
A near-miss is an incident that had the potential to become a privacy breach but was prevented before it could happen.
If you or any of your staff identify or suspect the existence of a privacy breach or near-miss involving personal information collected or processed on behalf of Waka Kotahi, you must as soon as practicable, notify your Waka Kotahi contract or relationship manager. Unless otherwise required by law, we will take responsibility for notifying affected individuals and the Privacy Commissioner, but you must provide all reasonable co-operation to assist us in securing or recovering the personal information and conducting an investigation into the cause of the privacy incident.
The terms of this privacy guide are in addition to those in your contract with us. If there is a conflict between any particular terms in this guide and those in your contract, the terms of your contract will take priority.
The Office of the Privacy Commissioner has comprehensive guidance and training on its website for agencies and organisations that deal with personal information. Some useful links are provided below.
If you would like to talk to someone at Waka Kotahi, please get in touch with your contract or relationship manager.