
Privacy Act 2020 Guidelines for Churches

ICB and the Diocesan Office —

The Privacy Act 2020 took effect on 1 December 2020. The privacy principles remain the same but there are changes to the way these are enforced. Read on for a reminder of what is required at a local level.

Disclaimer: Bishop Steve writes:

I have heard that the request to identify a Privacy Officer caused concerns for some places, especially smaller parishes or churches where people feel stretched and unable to take on any more roles. In talking to Andrew Metcalfe, he has indicated that this is not an onerous task (over the past few years we have not heard of any significant breaches that have had to be dealt with): what is important is to have it as a standing agenda item on your Vestry or Church Committee, with the Registrar (Andrew Metcalfe) being the main point of contact with any concerns that may arise. Andrew does need someone that he can talk to if anything is reported to the Diocesan Office, hence the request for a name.
If this feels "too hard", please let Andrew know and we will look at what we can do in your case. There may also be some ways we can explore handling this for smaller church groupings e.g. have a person that the Local Churches AGM nominates as their Privacy Officer.
I would encourage at least one person on your vestry to do the training modules and to let Andrew have the name of someone on your Vestry or Committee who is willing to be contacted on any privacy related matters. 

What is the main message in this legislation?

The Act brings obligations on all of us with regard to collection, access to, and use of personal information. Key elements are:

  • if an organisation has a privacy breach that has caused serious harm to someone (or is likely to do so), it must notify the Office of the Privacy Commissioner
  • the Privacy Commissioner can now issue compliance notices if an organisation is not meeting its obligations under the Act.

What is meant by ‘harm’?

Harm can include:

  • loss, damage or disadvantage
  • loss of a benefit or right
  • emotional harm (significant humiliation or loss of dignity)


What should your church do?

The key step recommended by the Privacy Commissioner is to designate a privacy officer for your organisation, ministry unit, or parish. We suggest that a Parish Warden is the best person to take on this role, but it can be delegated to another person on your leadership group. 

The Privacy Act requires organisations to have at least one person who fulfils the role of privacy officer. The Registrar (Andrew Metcalfe) is the Privacy Officer for the wider Diocese of Dunedin.

What is the role of the privacy officer?

The privacy officer should be a responsible and practical person, familiar with the principles in the Privacy Act, who will work to make sure the organisation complies with the Act. The officer’s role will include:

  • being contacted about and responding to privacy breaches
  • raising awareness about privacy among staff, volunteers, and congregations  


How will the privacy officer respond to a breach?

There are four steps in responding to a breach:

  1. Contain: find out what has happened and take steps to prevent further harm
  2. Assess: make an assessment of the seriousness of the breach (for help go to www.privacy.org.nz/notify-us)
  3. Notify: if the privacy breach is serious, notify the Privacy Commissioner
  4. Prevent: when the breach has been resolved, take steps to prevent further breaches. 

Diocese of Dunedin: Our requirements

We are encouraging all local Privacy Officers to complete the on-line training provided by the Office of the Privacy Commissioner. More information on the training is available here: https://privacy.org.nz/tools/online-privacy-training-free/, see also below. 

We will be maintaining a record of all privacy breaches, whether notifiable or otherwise, for all faith communities of the Diocese of Dunedin, with these being reported to Diocesan Council. Please report all privacy breaches to the Privacy Officer (Andrew Metcalfe).

The Diocese of Dunedin is in the process of updating its Privacy Policy within the Handbook. Peter Mann House (the Diocesan Office) has created its own Privacy Statement. All Parishes should have a privacy policy or statement - you may formulate your own or amend this Privacy Statement Template (attached below) for your context.

If you manage any programmes and have staff, teams or volunteers who report to you, or clergy or anyone else who deals with any individual’s personal data, then please make sure they are aware of the above information and the privacy statement, and encourage them to look into the online training.

Privacy training

It is highly recommended that all key personnel complete introductory training in privacy matters. The Office of the Privacy Commissioner (OPC) has lots of training modules available on their website. These can be completed individually by creating a student profile and ‘enrolling’. Or your privacy officer can enrol and take a group through the modules together by sharing a screen on Zoom or casting to a shared screen, if that method of learning is preferred.

The three suggested introductory modules are:

  • Privacy Act 2020
  • Privacy ABC
  • Privacy breach reporting

The following handouts are available on the OPC website (and attached below) and can form part of this introductory training:


The privacy officer should also complete further training modules, so they have a full understanding of what is required. Other suggested modules include: Privacy 101, A guide to privacy impact assessments, Introduction to credit reporting, and Employment and privacy. 

Preventing privacy breaches

We suggest that your governing body/vestry runs a brainstorm session to discuss how to prevent privacy breaches through understanding how personal information is managed and used in your area. You may need to change and improve systems where you can identify potential breaches. Topics to consider include:

  • how personal information is secured
  • how to dispose of information and documents
  • employee browsing (internet)
  • how to prevent data breaches through email
  • how to keep your IT network secure.

Privacy breaches

If you have a privacy breach, use the Office of the Privacy Commissioner's (OPC's) NotifyUS tool first of all to a) ascertain if the breach is notifiable and b) work out the appropriate steps to take. Notifiable breaches must be reported to the OPC. You can also contact the OPC about how best to manage your breach, whether notifiable or not.

One of the responsibilities under the Act is to keep a breach register to track and manage all instances of privacy breaches, whether notifiable or not. If a privacy breach occurs, your privacy officer can advise management on appropriate actions to take and update the register. You should also inform the Diocesan Office's Privacy Officer (Andrew Metcalfe) about any breaches. Andrew is available to support you in your management of these.



Office of the Privacy Commissioner

All the resources above are based on information from the Office of the Privacy Commissioner website. You can also contact them directly with any questions. The Office of the Privacy Commissioner also has lots of helpful resources to help us navigate the requirements of the Privacy Act. Please refer to their website and especially the resources below:

  • Quick Tour of the Privacy Principles
  • Privacy Act Changes – available in Māori, Chinese, Samoan, Tongan and English.
  • Privacy Breach Brochure – available in Māori, Chinese, Samoan, Tongan and English.

Direct access to the e-Learning modules is at: https://elearning.privacy.org.nz/

Key contacts


Office of the Privacy Commissioner

  • Web: www.privacy.org.nz/notify-us
  • Email: notifyus@privacy.org.nz
  • Phone: 0800 803 909