The Salvation Army (TSA) is committed to promoting and protecting individual privacy in relation to the collection, storage, use, access to, correction, and disclosure of personal information, in accordance with the Privacy Act 2020.
The protection of personal privacy is integral to The Salvation Army in fulfilling its role as an employer and providing good client service, and it is the responsibility of all staff who hold or work with personal information about staff and clients.
Information (no matter how it is stored) is personal information if the individual can be identified from that information. The information does not need to name the individual, as long as they are identifiable in other ways, such as their home address. The format can include notes, emails, recordings, photos and scans (soft and hard copy).
Principle 1: Purpose for Collection of personal information
Organisations must only collect personal information if it is for a lawful purpose connected with their functions or activities, and the information is necessary for that purpose.
Principle 2: Source of personal information
Personal information should be collected directly from the person it is about. The best source of information about a person is usually the person themselves. Collecting information from the person concerned means they know what is going on and have some control over their information.
It won’t always be possible to collect information directly from the person concerned, so organisations can collect it from other people in certain situations. For instance:
Principle 3: What to tell an individual
Organisations should be open about why they are collecting personal information and what they will do with it.
When an organisation collects personal information, it must take reasonable steps to make sure that the person knows:
Sometimes there may be good reasons for not letting a person know about the collection – for example, if it would undermine the purpose of the collection, or it’s just not possible to tell the person.
Principle 4: Manner of Collection of personal information
Personal information must not be collected by unlawful, unfair or unreasonably intrusive means. When an organisation collects information about a person, it has to do so in a way that is fair and legal.
What is fair depends a lot on the circumstances. Threatening, coercive, or misleading behaviour is likely to be considered unfair. If you break a law when collecting information, then you have collected information unlawfully.
What is reasonable also depends on the circumstances, such as the purpose for collection, the degree to which the collection intrudes on privacy, and the time and place it was collected.
You need to take particular care when collecting information from children and young people. It may not be fair to collect information from children in the same manner as you would from an adult.
Principle 5: Storage and Security
Organisations must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse, or disclosure of personal information.
Principle 6: Access to personal information
People have a right to ask for access to their own personal information.
Generally, an organisation must provide access to the personal information it holds about someone if the person in question asks to see it.
People can only ask for information about themselves. The Privacy Act does not allow you to request information about another person unless you are acting on that person’s behalf and have written permission.
Principle 7: Correction of personal information
Principle 7 states that a person has a right to ask an organisation or business to correct information about them if they think it is wrong.
If an organisation does not agree that the information needs correcting, an individual can ask that an agency attach a statement of correction to its records, and, if reasonable, the agency should do so.
Principle 8: Accuracy of personal information
An organisation must check before using or disclosing personal information that it is accurate, up to date, complete, relevant, and not misleading.
Principle 9: Retention of personal information
An organisation should not keep personal information for longer than it is required for the purpose it may lawfully be used.
Principle 10: Limits on use of personal information
organisations can generally only use personal information for the purpose it was collected, and there are limits on using personal information for different purposes.
Sometimes other uses will be allowed, such as if the new use is directly related to the original purpose, or if the person in question gives their permission for their information to be used in a different way.
Principle 11: Disclosure of personal information
An organisation may generally only disclose personal information for the purpose for which it was originally collected or obtained. Sometimes other reasons for disclosure are allowed, such as disclosure for a directly related purpose, or if the person in question gives their permission for the disclosure.
For instance, an organisation may disclose personal information when:
Principle 12: Cross-border disclosure
Principle 12 sets rules around sending personal information to organisations or people outside New Zealand (cross-border disclosure).
A business or organisation may only disclose personal information to another organisation outside New Zealand if the receiving organisation:
If none of the above criteria apply, a business or organisation may only make a cross-border disclosure with the permission of the person concerned. The person must be expressly informed that their information may not be given the same protection as provided by the New Zealand Privacy Act.
Principle 13: Unique Identifiers
An organisation can only use unique identifiers when it is necessary and cannot assign a unique identifier to a person if that unique identifier has already been given to that person by another organisation.
Organisations must take reasonable steps to protect unique identifiers from misuse.
Unique identifiers are individual numbers, references, or other forms of identification allocated to people by organisations, such as driver’s licence numbers, passport numbers, or IRD numbers.
The Salvation Army acknowledges and accepts the principles and responsibilities embodied in the Privacy Act 2020, and, in relation to its provision of health care services (for example, but not limited to, Addictions and Homecare Services), the Health Information Privacy Code 2020 and the Health (Retention of Health Information) Regulations 2020. (For more information regarding these services, refer to the Addictions and Homecare Privacy Policies, which are tailored to those respective services.)
The Salvation Army policy and procedures for responding to requests for personal information, dealing with complaints under the Privacy Act, and managing breaches of privacy are to be found in The Salvation Army Human Resources Manual.