The Privacy Act 2020 applies to all agencies in NZ, which means it applies to The Navigators of New Zealand staff and volunteers. The Act is based on a set of principles about the collection, use and disclosure of personal information that is designed to protect individual's privacy. To find out more see the Privacy Principles on the Privacy Commissioner's website.
This Confidentiality Policy is part of helping The Navigators of NZ comply with its obligations under the Privacy Act. Complying with the Privacy Act is one way of protecting the significant trust placed in Navigator staff. Compliance reduces the risk of a privacy breach with the resulting negative impacts on any affected individuals and The Navigators of NZ. A privacy breach can cause significant harm to affected individuals. A privacy breach could result insignificant financial and reputational costs to The Navigators of NZ. In the event of a complaint the policies and processes of The Navigators of NZ would be scrutinised to determine whether its management of personal information complied with the principles in the Privacy Act.
This policy contains guidelines for how Navigator staff and volunteers (for simplicity both will be referred to as Navigators) use, retain, disclose and dispose of personal information about the people they meet with. Navigators may collect personal information when they meet with people for mentoring, bible study discussion etc. The policy does not apply to information gathered when Navigators staff are meeting with people in their personal capacity and not representing The Navigators of New Zealand.
Personal information is any information which tells us something about a specific individual. The information does not need to name the individual if they are identifiable in other ways e.g., their home address or specific facts about the person.
Principle 5 states that organisations must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse, or disclosure of personal information.
Sharing Personal Information
Love is patient, love is kind. It does not envy, it does not boast, it is not proud. It does not dishonour others, it is not self-seeking, it is not easily angered, it keeps no record of wrongs. Love does not delight in evil but rejoices with the truth. It always protects, always trusts, always hopes, always perseveres.
1 Corinthians 13:4-7 NIV
Navigators can share personal information with other Navigators if it is necessary to discuss the needs of individuals. Where possible, names should not be used to identify individual people. Navigators should apply the principles in 1 Corinthians 13:4-7, sharing only what is loving and honouring to protect others.
The following steps should be taken, in order of best to worst:
Consent to disclose personal information is not required in the following situations:
Use of Information Collected
It is important not to use information collected for one purpose for an unrelated purpose. An example that would be unacceptable would be sending fundraising requests to an individual using information collected during registration for attending a camp. A good rule of thumb is to think about whether it would be “creepy” to the recipient to be contacted about something using information provided for something else.
Newsletters and Prayer Letters
Navigators can share information about people they are helping if they do this in a way that does not disclose a person’s identity, or if they have received permission to share personal information. For names, pseudonyms or fake initials can be used instead of a person’s actual name. For example, “when I met with ‘L’ he agreed to pray together after sharing about his struggles with anxiety.”
If people are not identifiable in the image e.g. the image is of the back of a persons’ head or from far away, then you do not need permission to use an image. If the person is identifiable in the image, then you need permission to use the image. If you are unsure whether you need to ask for permission, ask for permission.
Permission not required
Here are some practical suggestions on how to obtain permission:
When in doubt ask for permission to use images.
Newsletters and Prayer Letters
Having good security over personal information you hold is essential to meeting Principle 5 of the Privacy Act. Therefore, all Navigators need to have strong passwords on any device storing personal information. Particular care needs to be taken with portable devices such as laptops or cell phones. Your work Microsoft account and any other website you use to store personal information should have a strong password.
Passwords on laptops should be passphrases, these are sentences you can easily remember, rather than a cryptic set of random characters. These are easier to remember and harder to crack. Your passphrase should not use separators like spaces or dashes between the words, because that gives a clue to where the words end. Each passphrase should have at least 4 words. There is no need to use symbols. Passphrases should not be based on personal information such as family names. Consider using a password manager (some, for example, Dashlane have effective free versions) to store passwords so that you can have unique and complex passwords for each application you use.
An example of a good passphrase is: "Godsolovedtheworld" (God so loved the world).
See this article if you want to know more: How to create a good password | CERT NZ.
Disposing of Personal Information
A key way to prevent a privacy breach is not to hold personal information. If you don’t hold personal information there is no risk of a privacy breach. A practical application of this is not collecting information unless it is necessary. A related discipline is to dispose of personal information that is no longer required.
Store required personal information in secure places. Once personal information is no longer needed destroy the personal information completely and safely digitally or physically (for example with a shredder or burnt). Examples of personal information no longer being required include registration information after a conference or mentoring notes after a mentoring relationship ends.
Confidentiality Agreement Template
I _____________________ agree that in this mentoring relationship my mentor___________________ can share information about me with other Navigator staff when necessary for my development. I can expect that my mentor will not share more information than is necessary.
Signed ____________________ Date___________________