GVI LOGISTICS LIMITED - PRIVACY POLICY

1. POLICY APPLICATION

1.1               This privacy policy sets out how GVI Logistics Limited (“GVI”) will collect, use, disclose and protect the Personal Information of relevant Individuals.

1.2               The purpose of this document is to provide a foundation of best practices to ensure compliance with the provisions of the Privacy Act 2020 (“The Act”) and the New Zealand Privacy Principles.

 

2. INTERPRETATION

2.1               Terms and definitions (for example, “evaluative material”, “information privacy principles”, “foreign person or entity”, “serious harm” etc.) referred to in this policy shall have the same meaning and interpretation as those referred to in the Act.

2.2               “Individuals” refers to any of the following persons:

2.2.1             Job applicants;

2.2.2             Staff;

2.2.3             Volunteers;

2.2.4             Contractors;

2.2.5             People receiving a service from GVI;

2.2.6             Students on placement;

2.2.7             Board members;

2.2.8             Persons on work experience; and

2.2.9             Other people who meet with GVI;

2.3               “Notifiable Privacy Breach” is any unauthorised or accidental access to, disclosure, alteration, loss or destruction of personal information, or an action that prevents GVI from accessing Personal Information on either a temporary or permanent basis, which has caused or is likely to cause ‘serious harm’ to affected Individuals.

2.4               “Personal Information” means any information held about an identifiable person that is of a personal nature that could be used to identify that person. See the types of information collected in section 4.

2.5               “Site” means https://www.gvi.co.nz, https://tracking.gvi.co.nz or https://mci.gvi.co.nz.

2.6               “Third Parties” means any person or organisation other than GVI or an agent of GVI.

 

3. RESPONSIBILITIES AND ACCOUNTABILITIES

3.1               All GVI’s workers are responsible for compliance with this document. GVI has appointed a Privacy Officer to assist with compliance.

3.2               The Privacy Officer is responsible for:

3.2.1             Encouraging compliance with the information privacy principles;

3.2.2             Ensuring policies comply with relevant legislation;

3.2.3             Managing requests for personal information made under the Privacy Act; and

3.2.4             Working with the Privacy Commissioner in relation to any investigations or complaints.

3.3               Senior managers and Team leaders are responsible for:

3.3.1             Ensuring adherence to policy, procedures, and guidelines; and

3.3.2             Being familiar with the information privacy principles.

3.4               Workers are responsible for:

3.4.1             Being familiar with the information privacy principles;

3.4.2             Immediately notifying the Privacy Officer of any involvement in or knowledge of any actual or potential interferences with or breaches of privacy rights;

3.4.3             Complying with all other obligations set out in the Act, this policy, the applicable employment agreement, and/or any other relevant policies; and

3.4.4             Completing the Privacy Act 2020 e-learning modules.

 

4. PERSONAL INFORMATION

4.1               GVI will only collect and access information it needs to know about. It will not unnecessarily intrude on the privacy of Individuals.

4.2               GVI may collect Personal Information including but not limited to:

4.2.1             Full name and any alias or previous names;

4.2.2             Contact details (including address, telephone, and email address/es);

4.2.3             Date of birth;

4.2.4             Personal hobbies and interests;

4.2.5             Employment;

4.2.6             Professional skills; 

4.2.7             Disability information (to provide appropriate facilities and equal opportunity access;

4.2.8             Health information;

4.2.9             Emergency contacts;

4.2.10          Criminal Conviction check;

4.2.11          Gender; and

4.2.12          Qualifications.

4.3               When visitors visit the Site, GVI makes use of software and services through its Site to collect general information about the device accessing the Site (“Device Information”). Device information will not include any information which personally identifies any person. Collecting Device Information contributes towards GVI functions and website services. Device Information includes, but is not limited to:

4.3.1             Internet address of the browser;

4.3.2             Web browser;

4.3.3             Cookies installed on the browsing device;

4.3.4             Internet server address;

4.3.5             Domain name;

4.3.6             IP address;

4.3.7             Date, time, and duration of visit to the Site;

4.3.8             Pages accessed and documents downloaded;

4.3.9             Websites or search terms referred the visitor to the Site;

4.3.10          Information about how visitors interact with the Site;

4.3.11          Previous site the user visited;

4.3.12          Type of web browser software used; and

4.3.13          Cookies.

 

5. HOW PERSONAL INFORMATION IS USED

5.1               GVI may use Personal Information to;

5.1.1             Carry out GVI’s functions and activities;

5.1.2             Conduct day to day business activities;

5.1.3             Provide and market its services;

5.1.4             Ensure compliance with health and safety obligations;

5.1.5             Character suitability assessment;

5.1.6             Improve GVI’s operations;

5.1.7             Respond to communications;

5.1.8             Administer and maintain information technology services and facilities for GVI; or

5.1.9             Protect and/or enforce legal rights and interests;

5.1.10          For any other purpose authorised by the Individual or the Act;

5.1.11          For internal business and administrative purposes; and

5.1.12          To meet its legal obligations and to provide specific personal information to various government agencies (e.g., Inland Revenue, Ministry of Social Development, Accident Compensation Corporation) and to other organisations (e.g., Kiwisaver Scheme managers).

5.2               GVI also uses third party web analytic services on its Site, like Google Analytics (collectively referred to as “Analytics Services”). Analytics Service providers use technologies such as cookies, web server logs and web beacons to analyse how visitors use a website. GVI only uses the information it receives from Analytics Services to improve its Site. Analytics Services only collect IP address assigned to any Site visitor on the date they visit the Site. How Google uses Personal Information can be found here: https://www.google.com/intl/en/policies/privacy/. Anyone can opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.

5.3               GVI will only use Personal Information collected for the above purposes and will only retain Personal Information for as long as it is required to fulfil the above purposes or as otherwise required by law.

5.4               GVI may use Personal Information for other purposes if it believes on reasonable grounds the disclosure of Personal information:

5.4.1             Does not identify the relevant Individual concerned;

5.4.2             Is permissible as the Personal Information was obtained from a publicly available publication;

5.4.3             Is necessary to avoid prejudice to the maintenance of the law by any public sector agency, including prejudice to the prevention, detection, investigation, prosecution, and punishment of offences, or for the enforcement of a law that imposes a pecuniary penalty, or for the protection of public revenue, or for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation);

5.4.4             Is necessary to prevent or lessen a serious threat to public health or public safety, or the life or health of the Individual concerned or another; or

5.4.5             In any other circumstances allowed by the Act or any other relevant law.

 

6. SECURITY OF PERSONAL INFORMATION

6.1               GVI will take reasonable steps to protect Personal Information it collects from misuse, loss, unauthorised access, unauthorised modification, or unauthorised disclosure. Personal Information can be stored in electronic form, which is protected from unauthorised access.

6.2               Personal information in hard-copy form may also be stored in a secure place at GVI’s premises.

 

7. DISCLOSURE OF PERSONAL INFORMATION

7.1               GVI will take reasonable steps to ensure that Personal Information is not disclosed to Third Parties except in appropriate circumstances.

7.2               Circumstances where Personal Information can be disclosed include:

7.2.1             If its permissible to disclose the information under the Act;

7.2.2             When it is allowable under this Privacy Policy

7.2.3             Where the GVI is required or authorised by law or where it has a public duty to do so, for example, but not limited to, lawful disclosure to IRD; or

7.2.4             The relevant Individual has expressly consented to the disclosure or the disclosure can be reasonably inferred from the circumstances.

7.3               Individuals with access to the Personal Information of others cannot disclose that information unless the circumstances set out in section 7.2 apply. If in doubt, Individuals should not disclose Personal Information without first speaking to the privacy officer.

7.4               Where disclosure is being made to a foreign person or entity, GVI will carry out the due diligence necessary to ensure it has reasonable grounds to believe that the foreign person or entity meets at least one Information Privacy Principle 12 criterion.

7.5               If disclosure to a foreign person or entity will not meet an Information Privacy Principle 12 criterion, GVI can make a cross-border disclosure only with the permission of the Individual concerned. Individuals must be expressly informed that their information may not be afforded the same protection as provided by the Act.

 

8. AUTHORISATION BY INDIVIDUALS

8.1               Authorisation given by Individuals to collect or disclose their information to Third Parties should be obtained and noted. Further authorisation is not required if Personal Information is used only for the purposes stated for its collection and use at the time consent is given.

8.2               If a matter arises that will necessitate using collected information for purposes not previously authorised and/or agreed to, then new consent is required. This should be informed consent. Individuals must be aware of all the intended uses/disclosures for the personal information and that there is no obligation to give such consent.

 

9. PERSONAL INFORMATION ACCURACY

9.1               GVI will take reasonable steps to ensure Personal Information is accurate, complete, and up to date whenever it is collected, used, or disclosed.

9.2               Individuals can request a correction of their Personal Information (other than Evaluative Material and other material that is subject to an exception under the Information Privacy Principles).

9.3               Individuals should contact the Privacy Officer as soon as practicable if they need to update their Personal Information or if they believe the Personal Information GVI holds is inaccurate, incomplete, or out of date.

9.4               If correction is considered unnecessary or unwarranted, the Individual will be advised. The Individual may then ask for the requested correction to be attached to the information concerned, so that it is visible whenever others have access to the information.

 

10. ACCESS TO PERSONAL INFORMATION

10.1           Individuals can ask GVI at any time what Personal Information it holds about themselves and GVI will provide access in accordance with the requirements in the Act. Individuals can do this by emailing privacy@gvi.co.nz. Please advise GVI by email of any changes to Personal Information as required

10.2           GVI will respond to access requests as soon as practicable but no later than 20 working days. GVI will contact the requester and advise if more time is required and the reasons for such a delay.

10.3           If the requester making such a request is not satisfied with the time taken to provide the information, they are advised of their right to complain to the Office of the Privacy Commissioner.

10.4           The requester is required to provide reasons if their request is made with urgency.

10.5           GVI may withhold access to Personal Information pursuant to the Act if allowing access would:

10.5.1          Endanger the safety of any person;

10.5.2          Create a serious threat to public health or public safety;

10.5.3          Create a significant likelihood of serious harassment of another person;

10.5.4          Would cause significant distress to the victim of an offence;

10.5.5          Involve the unwarranted disclosure of the affairs of another person;

10.5.6          Breach a promise to a person who supplied evaluative material that the information or the identity of the person who supplied it or both would be held in confidence;

10.5.7          Be likely to prejudice the physical or mental health of the individual concerned; and

10.5.8          Be contrary to the interests of an individual under the age of 16.

10.6           Access may also be withheld if:

10.6.1          The request is frivolous or vexatious, or where the information requested is trivial;

10.6.2          The information requested is not readily retrievable;

10.6.3          The information requested does not exist or cannot be found; or

10.6.4          The information requested does not exist or cannot be found, and there is no reason to believe the information is held by another agency.

10.7           Evaluative material may be withheld if disclosure would breach an express or implied promise of confidentiality to the person who supplied the material.

10.8           GVI will notify the relevant person of the basis for any denial of access to Personal Information. An explanation of the reason should be given if requested.

10.9           The requester must be told the refusal may be reviewed by the Privacy Commissioner or an Ombudsman.

 

11. COSTS

11.1           GVI reserves discretion to charge reasonable costs to the requesting Individual in relation to the provision of requested Personal Information, or a correction thereof, or any assistance in the above respects. GVI will notify the requesting Individual of any such charges before processing the request.

11.2           GVI may request the payment of any such costs in advance of processing an Individual’s request.

 

12. PRIVACY COMPLAINTS AND BREACHES

12.1           An Individual should contact the Privacy Officer if they wish to access or change their personal information, or to lodge a complaint about a possible breach of privacy or has any query on how personal information is collected or handled. Requests or complaints provided to the Privacy Officer should include all relevant details (what, when, who, witness statements, etc).

12.2           The Privacy Officer will investigate and take all appropriate actions as required by the Act and this policy.

12.3           Unless the protections of the Protected Disclosures Act 2000 apply or the information is explicitly given in confidence, the informing itself and the provided information are not subject to confidentiality.

12.4           The complaint and the outcome of the investigation are to be recorded and included on the Individual’s personal file.

12.5           Internal reporting of privacy-related complaints is encouraged in the first instance as this will usually facilitate a quicker and less stressful resolution. Nevertheless, Individuals are entitled to seek independent advice and/or complain to the Privacy Commission. Privacy Commission advice and complaint procedures can be made via its website at https://privacy.org.nz/your-rights/making-a-complaint/.

12.6           GVI may be required to notify the Privacy Commission and any affected Individuals, and potentially the public, of a Notifiable Privacy Breach.

12.7           Individuals must immediately inform the Privacy Officer of any involvement in or knowledge of an actual or potential privacy breach, as per section 3.4.2 of this policy. The failure of an employee to make such notification may constitute serious misconduct and potentially result in disciplinary action up to and including termination of employment.

12.8           GVI, through its Privacy Officer, will assess if a breach is a Notifiable Privacy Breach. The following factors will be considered during an assessment:

12.8.1          Whether any action has been taken to reduce the risk of harm following the breach;

12.8.2          Whether the personal information is sensitive in nature;

12.8.3          The nature of the harm, if any, that may be caused to affected individuals;

12.8.4          The person or body that has obtained or may obtain personal information as a result of the breach (if known);

12.8.5          Whether the personal information is protected by a security measure; and

12.8.6          Any other relevant factor.

12.9           If a Notifiable Privacy Breach is assessed to have occurred, GVI may elect not to notify affected people if it has a genuine belief that notification would likely:

12.9.1          Endanger the safety of any person;

12.9.2          Prejudice the security or defence of New Zealand or the international relations of the Government of New Zealand;

12.9.3          Prejudice the maintenance of the law by any public sector agency, including the prevention, investigation, and detection of offences, and the right to a fair trial; or

12.9.4           Reveal a trade secret.

 

13. PRIVACY OFFICER

13.1           Kate Newcombe is the designated Privacy Officer. In the first instance, the Privacy Officer should be consulted if any Individual is unsure about their obligations or entitlements. The contact details of the Privacy Officer are listed below so that questions or complaints can be directed to them.

13.1.1          Mobile – +64 21 277 1711;

13.1.2          Email – privacy@gvi.co.nz

 

14. POLICY APPROVAL DATE

14.1           GVI has approved this policy on 08/12/2021

14.2           GVI may revise its privacy policy from time to time. If GVI updates this Privacy Policy, the revised copy will be uploaded on its Site. The version number below is the most recent copy of our Privacy Policy.