
Privacy Act 2020 Guidelines for Churches

ICB and the Diocesan Office

The Privacy Act 2020 took effect on 1 December 2020. The privacy principles remain the same but there are changes to the way these are enforced. Read on for a reminder of what is required at a local level.

Disclaimer:

We understand that the request to identify a Privacy Officer may cause concerns for some parishes or churches, especially smaller ones where individuals may feel stretched by their existing roles. However, the task of serving as a Privacy Officer is not expected to be onerous. Over the past few years, there have been no significant privacy breaches requiring resolution. The main focus is to ensure privacy matters are included as a standing agenda item on Vestry or Church Committee meetings, with the Registrar (currently Andrew Metcalfe) serving as the primary point of contact for any concerns that arise.

If designating a Privacy Officer feels challenging, please reach out to Andrew for assistance. We are open to exploring alternative solutions, particularly for smaller church groupings. For example, a representative nominated by the Local Churches AGM could serve as the Privacy Officer.

We encourage at least one person on your Vestry to complete the necessary training modules and to provide Andrew with the name of someone on your Vestry or Committee who is willing to be contacted regarding privacy-related matters.

What is the main message in this legislation?

The Act brings obligations on all of us with regard to collection, access to, and use of personal information. Key elements are:

  • if an organisation has a privacy breach that has caused serious harm to someone (or is likely to do so) it must notify the Office of the Privacy Commissioner

  • the Privacy Commissioner can now issue compliance notices if an organisation is not meeting its obligations under the Act.

What is meant by ‘harm’?

Harm can include:

  • loss, damage or disadvantage

  • loss of a benefit or right

  • emotional harm (significant humiliation or loss of dignity)


What should your church do?

The key step recommended by the Privacy Commissioner is to designate a privacy officer for your organisation, ministry unit, or parish. We suggest that a Parish Warden is the best person to take on this role, but it can be delegated to another person on your leadership group. 

The Privacy Act requires organisations to have at least one person who fulfils the role of privacy officer. The Registrar (Andrew Metcalfe) is the Privacy Officer for the wider Diocese of Dunedin.

What is the role of the privacy officer?

The privacy officer should be a responsible and practical person, familiar with the principles in the Privacy Act, who will work to make sure the organisation complies with the Act. The officer’s role will include:

  • being contacted about and responding to privacy breaches

  • raising awareness about privacy among staff, volunteers, and congregations  


How will the privacy officer respond to a breach?

There are four steps in responding to a breach:

  1. Contain: find out what has happened and take steps to prevent further harm

  2. Assess: make an assessment of the seriousness of the breach (for help go to www.privacy.org.nz/notify-us )

  3. Notify: if the privacy breach is serious, notify the Privacy Commissioner

  4. Prevent: when the breach has been resolved, take steps to prevent further breaches. 

Diocese of Dunedin: Our requirements

We are encouraging all local Privacy Officers to complete the on-line training provided by the Office of the Privacy Commissioner. More information on the training is available here: https://privacy.org.nz/tools/online-privacy-training-free/, see also below. 

We will be maintaining a record of all privacy breaches, whether notifiable or otherwise, for all faith communities of the Diocese of Dunedin, with these being reported to Diocesan Council. Please report all privacy breaches to the Privacy Officer (Andrew Metcalfe).

The Diocese of Dunedin is in the process of updating its Privacy Policy within the Handbook. Peter Mann House (the Diocesan Office) has created its own Privacy Statement. All Parishes should have a privacy policy or statement - you may formulate your own or amend this Privacy Statement Template (attached below) for your context.

If you manage any programmes and have staff, teams or volunteers who report to you, or clergy or anyone else who deals with any individual’s personal data, then please make sure they are aware of the above information and the privacy statement, and encourage them to look into the online training.

Privacy training

It is highly recommended that all key personnel complete introductory training in privacy matters. The Office of the Privacy Commissioner (OPC) has lots of training modules available on their website. These can be completed individually by creating a student profile and ‘enrolling’. Or your privacy officer can enrol and take a group through the modules together by sharing a screen on Zoom or casting to a shared screen, if that method of learning is preferred.

The three suggested introductory modules are:

  • Privacy Act 2020

  • Privacy ABC

  • Privacy breach reporting

The following handouts are available on the OPC website (and attached below) and can form part of this introductory training:


The privacy officer should also complete further training modules, so they have a full understanding of what is required. Other suggested modules include: Privacy 101, A guide to privacy impact assessments, Introduction to credit reporting, and Employment and privacy. 

Preventing privacy breaches

We suggest that your governing body/vestry runs a brainstorm session to discuss how to prevent privacy breaches through understanding how personal information is managed and used in your area. You may need to change and improve systems where you can identify potential breaches. Topics to consider include:

  • how personal information is secured

  • how to dispose of information and documents

  • employee browsing (internet)

  • how to prevent data breaches through email

  • how to keep your IT network secure.

Privacy breaches

If you have a privacy breach, use the Office of the Privacy Commissioner's (OPC's) NotifyUS tool first of all to a) ascertain if the breach is notifiable and b) work out the appropriate steps to take. Notifiable breaches must be reported to the OPC. You can also contact the OPC about how best to manage your breach, whether notifiable or not.

One of the responsibilities under the Act is to keep a breach register to track and manage all instances of privacy breaches, whether notifiable or not. If a privacy breach occurs, your privacy officer can advise management on appropriate actions to take and update the register. You should also inform the Diocesan Office's Privacy Officer (Andrew Metcalfe) about any breaches. Andrew is available to support you in your management of these.



Office of the Privacy Commissioner

All the resources above are based on information from the Office of the Privacy Commissioner website. You can also contact them directly with any questions. The Office of the Privacy Commissioner also has lots of helpful resources to help us navigate the requirements of the Privacy Act. Please refer to their website and especially the resources below:

Quick Tour of the Privacy Principles
Privacy Act Changes – available in Māori, Chinese, Samoan, Tongan and English.
Privacy Breach Brochure – available in Māori, Chinese, Samoan, Tongan and English.

Direct access to the e-Learning modules is at: https://elearning.privacy.org.nz/

Key contacts


Office of the Privacy Commissioner

  • Web: www.privacy.org.nz/notify-us

  • Email: notifyus@privacy.org.nz

  • Phone: 0800 803 909