-
Audience and Scope
-
Purpose
-
Compliance
-
Definitions
-
Policy Principles
-
Responsibilities
-
Appendices
-
Privacy Procedure
-
Data Breach Response Plan
-
Information Privacy Principles
-
The relevant Otago Polytechnic policies, procedures and guidelines and the New Zealand Institute of Skills and Technology (NZIST) policies, procedures and guidelines as per the Otago Polytechnic Transitioning (Grandparenting) From NZIST Policy.
Audience and Scope
Purpose
Compliance
Definitions
Policy Principles
Responsibilities
Appendices
Privacy Procedure
Data Breach Response Plan
Information Privacy Principles
1.1. Otago Polytechnic policies and procedures are guided by and give effect to Te Tiriti ō Waitangi and honour our obligations as a Tiriti partner.
1.2. This is a policy of Otago Polytechnic and applies to:
a) all employees of Otago Polytechnic, including contracted staff, and consultants providing services for Otago Polytechnic, and those on fixed-term contracts (collectively referred to as kaimahi in this policy); and
b) where appropriate, Council, which extends to all those operating at a governance level, including Council members and members of Council’s advisory committees.
Contact Details
1.3. The name and contact details for the Privacy Officer will be notified on Otago Polytechnic’s website and staff intranet, Tūhuno.
2.The following definitions that apply to this policy:
Council: All those operating at a governance level, including Council members and members of Council’s advisory committees.
Information Privacy Principles (IPP): The information privacy principles prescribed in section 22 of the Act, as also set out in the Appendix to this policy.
Kaimahi: All employees of Otago Polytechnic, including contracted staff and consultants providing services for Otago Polytechnic, and those on fixed-term contracts.
Notifiable Privacy Breach: In accordance with section 112 of the Act, a notifiable privacy breach means a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so (taking into account the factors set out in section 113 of the Act).
a) The factors set out in section 113 of the Act are:
any action taken by the agency to reduce the risk of harm following the breach
whether the personal information is sensitive in nature
the nature of the harm that may be caused to affected individuals
the person or body that has obtained or may obtain personal information, as a result of the breach (if known) whether the personal information is protected by a security measure and
any other relevant matters.
Personal Information: In accordance with the Act, personal information means information about an identifiable individual and includes information relating to a death that is maintained by the Registrar-General under the Births, Deaths, Marriages, and Relationships Registration Act 1995 or any former Act.
For the avoidance of doubt, personal information includes (without limitation) the following types of information: name, age, contact details, images, course of study, Inland Revenue Department (IRD) number and banking details.
Privacy Officer: Otago Polytechnic kaimahi appointed in accordance with section 201 of the Act.
3.1. The purpose of this policy is to ensure Otago Polytechnic complies fully with its obligations under the Privacy Act 2020 (the Act), including any applicable codes of practice issued by the Privacy Commissioner under the Act. It is intended to provide high level guidance when using the privacy procedures.
3.2. The purpose of the Act is to promote and protect individual privacy by:
a) providing a framework for protecting an individual’s right to privacy of personal information, including the right of an individual to access their personal information, while recognising that other rights and interests may at times also need to be taken in to account; and
b) giving effect to internationally recognised privacy obligations and standards in relation to the privacy of personal information.
3.3. This policy should be read in conjunction with the Privacy Procedure and the Data Breach Response Plan (refer to Appendix 2).
4.1. All kaimahi and Council must ensure that, when using or dealing with personal information relating to any individual, they comply fully with the Act, including the Information Privacy Principles (IPP) within the Act (and as also referred to within the Appendix to this policy) and any applicable codes of practice issued by the Privacy Commissioner under the Act. Where personal information is being received or collected from outside of New Zealand, it should also be considered whether other privacy/data protection regimes apply.
4.2. Kaimahi who are responsible for contractors or consultants working for, or on behalf of Otago Polytechnic, must ensure that the contractors or consultants understand and undertake to comply with their obligations under the Act and the requirements of this policy.
4.3. The Otago Polytechnic Privacy Officer is the primary person responsible for engaging with the Privacy Commissioner in relation to privacy matters. This includes responding to compliance notices, cooperating with investigations or complaint proceedings and submitting a notice of any Notifiable Privacy Breach.
4.4. The Chief Executive will ensure that at all times Otago Polytechnic has a duly appointed Privacy Officer. The Privacy Officer will be the first point of contact for any questions and complaints in relation to privacy issues occurring within the organisation.
4.5. The Privacy Procedures (refer to Appendix 1) contain procedural information, and the Data Breach Response Plan contains processes to be followed in the event of a data breach.
6. Roles and responsibilities that apply to this policy:
Chief Executive:
Kaimahi:
Comply with this policy.
Promptly reports any privacy breaches to the Privacy Officer in accordance with this policy.
Assists with requests made to the Provider under the Act, where required.
Promptly forwards any compliance notices or other correspondence received from the Privacy Commissioner to the Privacy Officer.
If responsible for engaging contractors or consultants, ensures contractors and consultants understand their obligations under the Act and undertake to comply with this policy.
Privacy Officer:
Ensures that personal information held by Otago Polytechnic is held in accordance with the Act.
Encourages Kaimahi to comply with the Information Privacy Principles set out in the Act.
Ensures all within Otago Polytechnic comply with this policy and the Act.
Ensures procedures that support the operation of this policy are reviewed periodically, remain fit for purpose and are compliant with legislation
Deals with requests made to Otago Polytechnic under the Act with assistance from the teams that hold the relevant personal information.
Acts as the point of contact for Otago Polytechnic with the Privacy Commissioner, including responding to compliance notices and cooperating with investigations or complaint proceedings.
Upon being notified of a privacy breach, complies with the Data Breach Response Plan to determine whether or not the breach is a Notifiable Privacy Breach and, if so, notifies the Privacy Commissioner and any affected parties.
Ensures details of the Privacy Officer remains up to date on Otago Polytechnic’s website and staff intranet, Tūhono.
Appendix 1. Privacy Procedure (click to download)
Appendix 2. Data Breach Response Plan (click to download)
Appendix 3. Information Privacy Principles (IPP) (click to download)
John Gallaher (Chairperson)
Otago Polytechnic Council
Date 18 December 2025