Privacy Policy | The Salvation Army

You are here

Privacy Policy

Privacy Principles and Responsibilities

The Salvation Army (TSA) is committed to promoting and protecting individual privacy in relation to the collection, storage, use, access to, correction, and disclosure of personal information, in accordance with the Privacy Act 2020.

The protection of personal privacy is integral to The Salvation Army in fulfilling its role as an employer and providing good client service, and it is the responsibility of all staff who hold or work with personal information about staff and clients.

Personal Information

Information (no matter how it is stored) is personal information if the individual can be identified from that information. The information does not need to name the individual, as long as they are identifiable in other ways, such as their home address. The format can include notes, emails, recordings, photos and scans (soft and hard copy).

Principle 1: Purpose for Collection of personal information

Organisations must only collect personal information if it is for a lawful purpose connected with their functions or activities, and the information is necessary for that purpose.

Principle 2: Source of personal information

Personal information should be collected directly from the person it is about. The best source of information about a person is usually the person themselves. Collecting information from the person concerned means they know what is going on and have some control over their information.

It won’t always be possible to collect information directly from the person concerned, so organisations can collect it from other people in certain situations. For instance:

  • if the person concerned authorises collection from someone else
  • if it’s necessary to uphold or enforce the law
  • if the information is collected from a publicly available source
  • if collecting information from the person directly would undermine the purpose of collection.

Principle 3: What to tell an individual

Organisations should be open about why they are collecting personal information and what they will do with it.

When an organisation collects personal information, it must take reasonable steps to make sure that the person knows:

  • why it’s being collected
  • who will receive it?
  • whether giving it is compulsory or voluntary
  • what will happen if the information isn’t provided.

Sometimes there may be good reasons for not letting a person know about the collection – for example, if it would undermine the purpose of the collection, or it’s just not possible to tell the person.

Principle 4: Manner of Collection of personal information

Personal information must not be collected by unlawful, unfair or unreasonably intrusive means. When an organisation collects information about a person, it has to do so in a way that is fair and legal.

What is fair depends a lot on the circumstances. Threatening, coercive, or misleading behaviour is likely to be considered unfair. If you break a law when collecting information, then you have collected information unlawfully.

What is reasonable also depends on the circumstances, such as the purpose for collection, the degree to which the collection intrudes on privacy, and the time and place it was collected. 

You need to take particular care when collecting information from children and young people. It may not be fair to collect information from children in the same manner as you would from an adult.

Principle 5: Storage and Security

Organisations must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse, or disclosure of personal information.

Principle 6: Access to personal information

People have a right to ask for access to their own personal information.

Generally, an organisation must provide access to the personal information it holds about someone if the person in question asks to see it.

People can only ask for information about themselves. The Privacy Act does not allow you to request information about another person unless you are acting on that person’s behalf and have written permission.

Principle 7: Correction of personal information

Principle 7 states that a person has a right to ask an organisation or business to correct information about them if they think it is wrong.

If an organisation does not agree that the information needs correcting, an individual can ask that an agency attach a statement of correction to its records, and, if reasonable, the agency should do so.

Principle 8: Accuracy of personal information

An organisation must check before using or disclosing personal information that it is accurate, up to date, complete, relevant, and not misleading.

Principle 9: Retention of personal information

An organisation should not keep personal information for longer than it is required for the purpose it may lawfully be used.

Principle 10: Limits on use of personal information

organisations can generally only use personal information for the purpose it was collected, and there are limits on using personal information for different purposes.

Sometimes other uses will be allowed, such as if the new use is directly related to the original purpose, or if the person in question gives their permission for their information to be used in a different way.

Principle 11: Disclosure of personal information

An organisation may generally only disclose personal information for the purpose for which it was originally collected or obtained. Sometimes other reasons for disclosure are allowed, such as disclosure for a directly related purpose, or if the person in question gives their permission for the disclosure.

For instance, an organisation may disclose personal information when:

  • disclosure is one of the purposes for which the organisation got the information
  • the person concerned authorises the disclosure
  • the information is to be used in a way that does not identify the person concerned
  • disclosure is necessary to avoid endangering someone’s health or safety
  • disclosure is necessary to uphold or enforce the law.

Principle 12: Cross-border disclosure

Principle 12 sets rules around sending personal information to organisations or people outside New Zealand (cross-border disclosure).

A business or organisation may only disclose personal information to another organisation outside New Zealand if the receiving organisation:

  • is subject to the Privacy Act because they do business in New Zealand
  • is subject to privacy laws that provide comparable safeguards to the Privacy Act
  • agrees to adequately protect the information, e.g. by using model contract clauses.
  • is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government.

If none of the above criteria apply, a business or organisation may only make a cross-border disclosure with the permission of the person concerned. The person must be expressly informed that their information may not be given the same protection as provided by the New Zealand Privacy Act.

Principle 13: Unique Identifiers

An organisation can only use unique identifiers when it is necessary and cannot assign a unique identifier to a person if that unique identifier has already been given to that person by another organisation.

Organisations must take reasonable steps to protect unique identifiers from misuse. 

Unique identifiers are individual numbers, references, or other forms of identification allocated to people by organisations, such as driver’s licence numbers, passport numbers, or IRD numbers. 


The Salvation Army acknowledges and accepts the principles and responsibilities embodied in the Privacy Act 2020, and, in relation to its provision of health care services (for example, but not limited to, Addictions and Homecare Services), the Health Information Privacy Code 2020 and the Health (Retention of Health Information) Regulations 2020. (For more information regarding these services, refer to the Addictions and Homecare Privacy Policies, which are tailored to those respective services.)
The Salvation Army policy and procedures for responding to requests for personal information, dealing with complaints under the Privacy Act, and managing breaches of privacy are to be found in The Salvation Army Human Resources Manual.