Purpose and Application
This policy applies to individuals and entities that share information with the firm including clients, suppliers, employees, and any other business contacts including users of our website www.heskethhenry.co.nz. The use of the term “you” in this policy refers to any or all of these individuals, entities or employees, contractors, owners and directors of entities as may be relevant.
The Privacy Act contains a set of privacy principles which broadly follows many international privacy and data protection laws including OECD Guidelines. The principles apply to any information about an identifiable living individual. There may be instances in which we process the personal data of individuals who are located within the European Union. Accordingly, there may be instances where the European Union’s General Data Protection Regulation applies.
This policy relates to Hesketh Henry’s collection and handling of personal information that is covered by the Privacy Act. It is not intended to cover categories of information or situations that are not covered by the Privacy Act.
Collection of Personal Information
Personal information is information about an identifiable individual.
Hesketh Henry collects and holds personal information from clients, potential clients, suppliers, employees and prospective employees, contractors and other individuals. We collect and hold this information when it is necessary for business purposes and/or to meet our legal obligations including (but not limited to) in relation to our Anti Money Laundering and Countering Financing of Terrorism obligations.
The main types of personal information Hesketh Henry collects and holds relate to the contact details and organisational roles of our clients, suppliers and other business contacts. Typically, this information includes names, addresses, telephone numbers, e-mail addresses and job titles. In the course of providing professional services to our clients, we may collect and hold more detailed personal information (for instance financial details if we are asked to handle client funds). In the case of employees or prospective employees, we may collect information such as qualifications, IRD numbers, bank details, employment history, education, testimonials or references.
We collect most information directly from individuals when we deal with them. The personal information we collect may be provided in forms filled out by individuals, in face to face meetings, email messages and telephone conversations, through registration and attendance at seminars, on business cards, and from publicly available information.
We also collect information from third parties (for example, when seeking an employment reference from a previous employer) or when we use third parties to analyse website traffic.
Because of the nature of our business, it is generally impracticable for us to deal with individuals on an anonymous basis or through the use of a pseudonym, although sometimes this is possible (for example, when seeking staff or client feedback generally).
Use of Personal Information
The main purposes for which we collect, hold, use and disclose personal information are:
- to provide our services;
- to engage with courts, tribunals and regulatory authorities;
- to respond to an individual’s request;
- to communicate with you/maintain contact with clients;
- to keep clients and other contacts informed of the services we offer and industry developments that may be of interest to them, and to notify them of service offerings, seminars and other events we are holding;
- for general management and reporting purposes, such as invoicing and account management;
- to engage third parties on your behalf;
- for recruitment purposes;
- for purposes related to the employment of our personnel and providing internal services to our staff;
- to comply with our legal obligations (including meeting our Anti Money Laundering and Countering Financing of Terrorism obligations); and
- other purposes related to our business.
If you choose not to provide us with personal information, we may be unable to do such things.
We may collect, hold and use personal information about individuals to market our services, including by email. We may also share your information with third party email marketing providers to assist us in delivering email marketing material to you.
Individuals always have the opportunity to elect not to receive further marketing information from us by writing to the Privacy Officer at email@example.com. Alternatively, if we have contacted you by email, you may use the ‘unsubscribe’ function in that email to notify us that you do not want to receive further marketing information from us by email.
If you are a client, we may assign a unique identifier to you in the form of a ‘client number’. This is for identification, file management, time recording and invoicing purposes.
If we collect, hold, use or disclose personal information in ways other than as stated in this policy, we will ensure we do so pursuant to the requirements of the Privacy Act.
Please note that our Terms of Engagement also apply when we provide our services to you. These may be found at the foot of each page of our website.
Disclosure of Personal Information
Hesketh Henry does not routinely disclose personal information to third parties unless:
- use or disclosure is permitted by this policy;
- we believe it is necessary to provide you with a product or service which you have requested (or, in the case of a partner, employee or contractor of Hesketh Henry, it is necessary for maintaining or related to your role at Hesketh Henry) for example with arbitrators, legal counsel, the Court, document management services and associated platforms, experts, insurers, process servers and regulators;
- to protect the rights, property or personal safety of any member of the public or a customer of Hesketh Henry or the interests of Hesketh Henry;
- some or all of the assets or operations of Hesketh Henry are or may be transferred to another party as part of the sale of some or all of Hesketh Henry’s business;
- you give your consent; or
- such disclosure is otherwise required or permitted by law, regulation, rule or professional standard.
We may also share non-personal, de-identified and aggregated information for research or promotional purposes. Except as set out in this policy, we do not sell to or trade personal information with third parties.
Hesketh Henry uses a range of service providers to help maximise the quality and efficiency of our services and business operations (including internal business requirements, such as recruitment and human capital requirements). This means that individuals and organisations outside of Hesketh Henry will sometimes have access to personal information held by Hesketh Henry and may collect or use it from or on behalf of Hesketh Henry. This may include, but is not limited to, independent contractors and consultants, travel service providers, mail houses, off-site security storage providers, information technology providers, event managers, credit managers and debt collecting agencies. We require our service providers to adhere to our privacy guidelines and not to keep, use or disclose personal information we provide to them for any unauthorised purposes.
Storage of Information in Cloud Systems
Hesketh Henry may store personal information within services provided by offshore cloud service providers. Currently, Hesketh Henry only utilises the services of cloud service providers who are able to provide a guarantee that information remains within a specific geographic location within the cloud service provider’s infrastructure. Hesketh Henry utilises cloud services from cloud service providers who have met the data sovereignty and data privacy framework stipulated by the New Zealand Government.
Privacy on our Websites and Applications
This policy also applies to any personal information we collect via our websites, including heskethhenry.co.nz, and applications. In addition to personal information you provide to us directly (such as where you make a request or complete a registration form), Hesketh Henry may also collect personal information from you via its applications and websites.
In order to properly manage our websites and applications, we may log certain statistics about the users of the facilities, for example the users’ domains and browser types. None of this information specifically identifies an individual and it is used solely to ensure that our websites and applications present the best possible navigational experience for users.
We may share your personal information with a variety of third party service providers to assist us with client insight analytics including through Google Analytics. Personal information will only be shared with an agency outside New Zealand if we are confident that the receiving agency is subject to similar safeguards to those in the Privacy Act.
If you have registered an account with us, you will be identified by a user name and password when you log into our website or applications. The information we collect about use of our websites may be used for measuring use and performance and in assisting to resolve any technical difficulties.
Retention of Information
In relation to visitors to our website, we will retain relevant personal information for at least 12 months from the date of our last interaction with you and in compliance with any other obligations under New Zealand privacy legislation and, where applicable, under the European Union General Data Protection Regulation. We may also keep your personal information longer if we are required to do so under our Professional Rules of Conduct or professional indemnity obligations.
In relation to personal information we have processed as part of providing our services to you as a client, we will retain that personal information for at least six years from the date of our last interaction with you as a client and otherwise in compliance with New Zealand privacy legislation or, if applicable, the European Union General Data Protection Regulations. We may also keep your personal information longer if we are required to do so under our Professional Rules of Conduct or professional indemnity obligations. Please also refer to our Terms of Engagement which are located at the foot of each page of our website.
Confidentiality and Security
We take keeping the personal information you have provided to us secure very seriously and will therefore take reasonable precautions to protect that information from loss, misuse or alteration. We have implemented security policies, rules and technical measures to protect the personal information that we have under our control from any such loss, misuse or alteration.
Access to Personal Information
We will provide access to personal information upon request by an individual, except in the limited circumstances in which it is permitted for us to withhold this information (for instance, where granting access would infringe another person’s privacy).
When you make a request to access personal information, we will require you to provide some form of identification (such as a driver’s licence or passport) so we can verify that you are the person to whom the information relates.
If at any time you want to know what personal information we hold about you, you may contact us via email: Privacy Officer at firstname.lastname@example.org.
A privacy breach occurs when there is unauthorised access, use, disclosure or collection of personal information. In this context, “unauthorised” means the activity has occurred in contravention of the Privacy Act.
A privacy breach may be the result of human error (such as accidentally emailing personal information to an unintended recipient), system error, or an external source (such as a cyber-attack).
Responding to a Privacy Breach
There are four key steps in responding to a privacy breach:
(a) Containment;
(b) Risk assessment;
(c) Notification; and
(d) Prevention.
Steps (a) – (c) should be utilised either at the same time or in quick succession. Step (d) is to ensure long term strategies are in place.
Step One: Containment
Once a breach is discovered, we will move to immediately contain it. Depending on the circumstances, this may include measures such as:
- attempting to retrieve lost information;
- disabling a breached system;
- revoking or changing computer access codes;
- fixing weaknesses in our physical or electronic security.
To better contain the breach, it may be necessary to appoint an individual within Hesketh Henry to conduct an internal investigation and make recommendations. A more thorough investigation can be conducted at a later stage if necessary. In addition, a team of people with an appropriate level of expertise (e.g. IT analysts or risk advisors) will be assembled, if required, to manage the situation.
Our Privacy Officer will be notified of the breach and will consider whether any other internal or external parties should be made aware.
The Police or other external agencies may need to be notified where the breach appears to involve criminal activity. Where this is the case, careful efforts will be made to preserve evidence where possible.
Step Two: Risk Assessment
The Privacy Officer will determine the scope of the breach and the risks associated with it, by considering the following factors:
- The type of personal information involved: the more sensitive the data, the higher the risk of harm to the people affected. Other considerations include whether the data is encrypted, anonymised or otherwise inaccessible and how the information may be used for fraudulent or harmful means.
- The cause and extent of the breach: where possible the cause of the breach should be determined. Factors to consider include whether the cause is systemic or is an isolated incident, how many people have been affected, the risk of the lost/stolen information being circulated further and whether steps can be taken to mitigate the harm.
- The potential harm resulting from the breach: this should be considered from the perspective of the parties affected. Types of harm include but are not limited to identity theft, financial loss, loss of business/employment opportunities and humiliation or loss of dignity.
- Who is in possession of the information: information in the hands of persons with malicious or unknown intentions presents a greater risk than information held by someone in a trusted position from whom it is expected to be returned.
Step Three: Notification
In accordance with our obligations under the Privacy Act, if a breach occurs and has caused or is likely to cause anyone serious harm, we will notify the Privacy Commissioner and all affected persons as soon as we are practically able. As a guideline, we aim to make these notifications no later than 72 hours after we are aware of a notifiable privacy breach unless it is not possible to do so.
When a notification must be made
Notification is mandatory if “serious harm” has occurred or is likely to occur as a result of the breach. This will be assessed on a case-by-case basis to determine whether notification is necessary. A key consideration is whether affected individuals need to be notified in order to mitigate the harm resulting from the breach (eg. to reset a password or put a hold on credit card transactions). In some circumstances the affected individuals may not be able to mitigate the harm themselves, but the breach is so serious as to nevertheless require notification.
In considering whether a privacy breach is likely to cause “serious harm” we will consider:
- any action already taken to reduce the risk of harm following the breach;
- whether the personal information is sensitive in nature;
- the nature of the harm that may be caused to affected individuals;
- the person or body that has obtained or may obtain personal information as a result of the breach (if known);
- whether the personal information is protected by a security measure; and
- any other relevant matters.
The notification process:
If you are affected by a privacy breach, we will notify you directly unless doing so could cause further harm, is disproportionate in expense, or we do not have your contact information. Where this is the case, we will notify you indirectly (e.g. through our website, posted notices or the media).
We will include the following information in our notification to you:
- information about the incident such as what occurred and when;
- a description of the personal information compromised;
- the steps taken by us to control and mitigate the breach;
- what we are able to offer in order to help you deal with the effects of the breach;
- what steps you can take to protect yourself;
- our contact information for enquiries and complaints;
- offers of support where necessary;
- whether we have notified the Privacy Commissioner; and
- the contact information of the Privacy Commissioner should you wish to be in contact.
In addition to notifying individuals affected by the breach, the following organisations will be notified by us if we deem it necessary:
- professional or regulatory bodies;
- financial institutions;
- third parties who the breach may affect; and
- internal business units.
Step Four: Prevention
Following a breach, we will investigate the cause of the breach and determine whether a prevention plan is required. If a prevention plan is required the following may be included:
- a security audit of both physical and technical security;
- review of policies and procedures;
- review of employee training processes; and/or
- review of any service delivery partners involved in the breach.
Corrections and Concerns
We endeavour to ensure that the personal information we hold is accurate, complete and up to date. If your personal information is not correct, you have the right to correct it. If you believe that information we hold about you is incorrect or out of date, or if you have concerns about how we are handling your personal information, please contact us and we will try to resolve those concerns.
If you wish to have your personal information deleted or transferred to a third party, please let us know and we will take reasonable steps to delete or transfer it (unless we need to keep it for legal, auditing or internal risk management reasons).
You may withdraw any consent that you may have granted to us previously in relation to any processing of your personal information in circumstances where your consent was necessary.
Effect of Policy