Privacy Policy
CONTENTS
- Purpose of policy
- Scope of policy
- Appointing a Privacy Officer
- Collecting, using, and disclosing information
- Storing information
- Unique identifiers
- Requests to access or correct information
- Disclosing information overseas
- Potential breaches of privacy
- Handling complaints
- Some practical privacy ‘do’s and ‘don’ts’
- Exemplar Privacy forms
- Authorisation to collect information form (Part 1)
- Privacy policy statement
- Authorisation to collect information form (Part 2)
- Privacy policy statement
- Additional Authority to Release Information
- Privacy policy statement
- Subscription/Donation form
- Privacy policy statement
- Appendices
______________________________________________________
Wellington Multiple Sclerosis privacy policy
1. Purpose of policy
The Wellington Multiple Sclerosis Society (the Society) is committed to maintaining best privacy practice by ensuring staff and volunteers are familiar with privacy rights, are diligent with clients’ information, and can respond to any privacy concerns effectively.
This policy guides staff and volunteers on how clients’ personal, health and financial information is to be managed by the Society. It also ensures our communication on privacy issues is consistent with our values of delivering services with understanding, collaboration, clarity, purpose, and trust.
We expect all Committee or Board members, staff, and volunteers to keep themselves up to date and engaged on their privacy obligations, confidentiality monitoring and reporting.
2. Scope of policy
This policy is based on the Privacy Act 2020 and the Health Information Privacy Code 2020 (Attachment 1).[1] In particular, this policy gives effect to the thirteen Health Information Privacy Rules from the Code.
This policy applies to the following types of information collected and held by the Society:
- Personal information: information about an identifiable individual. For example, this includes information such as a staff member’s or client’s name, address, date of birth, and contact information.
- Health information: information about the health, disability status, and health or disability services being provided to an identifiable individual. For example, this includes information such as when a person was diagnosed with multiple sclerosis, the symptoms they experience, and the medication and treatment they receive.
- Financial information: information about donors, their credit card or bank account details, and the amount of any donation.
This policy applies to information held by the Society regardless of whether it is recorded on paper or digitally.
3. Appointing a Privacy Officer
The Society will appoint a staff or Committee member to fulfil the role of Privacy Officer, as required by section 201 of the Privacy Act 2020. The duties of the Privacy Officer will be recorded in their position description.
The Privacy Officer is responsible for encouraging and fostering a culture that respects the privacy of clients. The Privacy Officer will meet with all new staff and volunteers as part of their induction and will ensure that they as well as all existing staff and volunteers know how to apply this policy.
The Privacy Officer is responsible for considering requests to access or correct information, acting where there is a potential privacy breach, and responding to complaints.
The Privacy Officer will prepare reports on the Society’s adherence to this policy to the Committee or Board on an agreed basis. The identity of the Privacy Officer(s) will be recorded in annual reports.
The Society will advise Multiple Sclerosis New Zealand of the Privacy Officer’s name and contact details to be held on a national MS register.
Training for the Privacy Officer
The Privacy Officer will complete the e-learning modules available from the Office of the Privacy Commissioner: https://privacy.org.nz/further-resources/online-privacy-training-free/ Board or Committee members, staff and volunteers are also encouraged to complete these modules.
4. Collecting, using, and disclosing information
The Society will only collect information that the organisation needs for a specific purpose.
Where possible, the Society will collect information directly from the person concerned. The Society will advise the person why their information is needed, who else will see the information and where it will be stored.
When collecting information about a person, the Society will gain written consent from that person to:
- hold and use the information, and
- ensure the information is accurate and appropriate to use, following full disclosure of the purposes for which the information is collected.
The Society will be respectful when collecting information. For instance, as far as possible, staff and volunteers will collect information in a private place where the client cannot be overheard by members of the public. The Society will also not mislead or be unnecessarily intrusive when collecting information.
The Society will only use information for the purposes for which it is collected or, in exceptional situations, for other reasons permitted under the Privacy Act 2020.
Most expected uses of personal and health information are explained in the Privacy Policy form provided to new clients. Should the Society identify an additional use for the information, such as for research in a particular study, it will seek written consent from the person concerned to use the information for that purpose.
Procedure for collecting information from a new client
1. When a new client joins, ask them to fill in the “Authorisation to Collect Personal Information” form.
2. Explain the privacy policy, including why we collect the information, how the Society will use it, and their right to access and request correction to their information.
3. Add the signed authorisation form to their file.
4. Provide the client with a copy of the signed authorisation form and Privacy Policy Statement.
Procedure for collecting information from donors
1. When a new donor wishes to donate, ask them to fill in the “Donation Form” and share the standard privacy policy statement.
2. Explain the privacy policy, including why we collect the personal and financial information and how the Society will use it.
3. Add the signed authorisation form to their file.
The standard privacy statement notes that information may be used for some generic fundraising or promotion. However, if the Society undertakes major promotional activities, such as photo shoots or filming, the Society will seek consent using the General filming/Photography Consent Form.
Procedure for collecting information for publicity
1. When filming or photographing a person for a specific promotional use, ask them to fill in the “General filming/Photography Consent Form”.
2. Explain how the photographs or film will be used.
3. Add the signed authorisation form to their file.
4. Provide the client with a copy of the signed authorisation form and Privacy Policy Statement.
5. Storing information
The Society will store securely any information it collects or creates. It will ensure the information can only be accessed by authorised staff and volunteers for purposes connected with the activities of the Society. For instance:
- financial information will only be accessible by those that deal with finances
- health information should only be accessible by those that provide health services
- if information is kept on computers, those computers will be password protected.
The Society will only hold information for as long as it is needed and will securely destroy information once it is no longer required. This may differ depending on the type of information. For instance:
- an individual’s health information will be kept for a minimum period of 10 years from the most recent date on which the Society provides services to that person.
- financial information will be kept for 7 years, consistent with the requirements of Inland Revenue.
Paper records will be destroyed using a shredder or secure document destruction. Electronic records will be deleted from all computers or servers on which they are stored.
Community-based services
The Society will ensure that while staff and volunteers are providing community-based health services they will keep any information collected safe. They will also only take with them information about a person that is needed to complete their work.
All staff and volunteers that provide community-based care are encouraged to read and consider the Privacy Commissioner’s ‘Health on the Road’ tips for keeping personal information safe.[2]
6. Unique identifiers
The Society will only assign a unique identifier to an individual if it is necessary to carry out its functions effectively. It will not assign a unique identifier that it knows is being used by another agency, but it may use such a unique identifier for the purposes of communicating with the agency that assigned it.
Note: The Society can collect and use National Health Index numbers assigned to clients for engaging with other health agencies.
7. Requests to access or correct information
Under the Privacy Act and Health Information Privacy Code, a person has the right to request access to their information.
There are limited grounds upon which the Society may refuse to permit a person to access their information. These include situations where:
- the provision of information would prejudice the maintenance of the law (including the prevention, investigation, and detection of offences)
- it would breach legal professional privilege
- the information is evaluative and was provided in confidence
- disclosure would lead to the unwarranted disclosure of the affairs of another person or endanger the safety of any individual.
If a decision is made by the Privacy Officer to refuse to correct information, the request must be attached to all available copies of the documents and / or information that the person asked to be corrected.
Procedure if there is a request to access or correct information
1. All requests to access or correct information will be referred to the Privacy Officer for consideration.
2. Requests to correct information will be considered positively and the Society will aim to respond to such requests as soon as possible.
3. If a decision is made by the Privacy Officer to refuse to correct information, the Privacy Officer will explain why this decision was made. The request to correct the information will be attached to all available copies of the documents and / or information that the person asked to be corrected.
8. Disclosing information overseas
The Society will only disclose information to an overseas agency if that agency has a similar level of protection to New Zealand, or the individual is fully informed and authorises the disclosure. If a disclosure to an overseas agency is likely to be outside the purpose for which the information was collected, the Society will seek additional authorisation from the individual concerned.
Note: Information stored on cloud software is not considered a disclosure under the Act.
9. Potential breaches of privacy
Inadvertent privacy breaches may happen despite good processes and best intentions. Where a potential breach is identified the Society understands the need to act quickly and transparently.
Procedure if a potential privacy breach may have occurred
1. If the Society becomes aware that a breach of privacy may have occurred, the Privacy Officer will be informed.
2. The Privacy Officer, together with any relevant staff member involved with the potential breach, will consider any steps that can be taken immediately to limit the potential breach or limit harm from the potential breach.
3. The Privacy Officer will also inform the President of the Society.
4. If the breach is serious and likely to be of high media interest the National Manager of MSNZ will also be advised as soon as possible.
5. The Privacy Officer will use the Privacy Commissioner’s online self-assessment tool, NotifyUs, as a guide to help determine whether a privacy breach is likely to cause serious harm: https://privacy.org.nz/privacy-for-agencies/privacy-breaches/notify-us/. Whether harm is “serious harm” depends on the unique circumstances of a privacy breach and requires an assessment on a breach-by-breach basis. Some questions to consider when assessing whether a breach is likely to cause serious harm will include:
   a. how sensitive is the information that is involved in the breach?
   b. who has obtained or may obtain the information?
   c. what types of harm may be caused to people affected by the breach?
   d. how likely is it that someone will be harmed because of this breach?
   e. what steps have been taken to reduce the risk of harm or further harm from this breach?
   f. are there security measures in place that protect the information from being accessed?
   g. is someone’s physical or psychological safety in immediate danger?
   h. is someone at risk of serious financial harm?
6. If a privacy breach is likely to cause serious harm, the Privacy Officer will notify the Privacy Commission and the affected person as soon as possible.
10. Handling complaints
The Privacy Officer will be responsible for dealing with any complaints alleging a breach of the Health Information Privacy Code or the Privacy Act. The Privacy Officer will facilitate the fair, simple, speedy, and efficient resolution of privacy breach complaints.
Procedure for handling complaints
1. If the Society receives a complaint related to this policy, it will be referred to the Privacy Officer.
2. The Privacy Officer will encourage the person to fill out a complaints form. This will help to ensure the Society has all the information it needs to respond.
3. The Privacy Officer will:
   a. inform the President of the Society of the complaint
   b. acknowledge the complaint in writing within 5 working days of receipt
   c. if the breach is serious and likely to be of high media interest the National Manager of MSNZ will also be advised as soon as possible
   d. inform the complainant of the relevant internal and external complaints procedures
   e. document the complaint and the actions taken to respond to it.
4. Within 10 working days of acknowledging the complaint, the Society will decide whether it accepts that the complaint is justified.
5. If the Society decides that more time is needed to investigate the complaint, it will:
   a. determine how much additional time is needed
   b. if that additional time is more than 20 working days, inform the complainant of that determination and of the reasons for it.
6. As soon as practicable after the Society decides to accept that a complaint is justified, the Privacy Officer will inform the complainant of:
   a. the reasons for the decision
   b. any actions the Society proposes to take
   c. the Society’s appeal procedure, as set out in its Constitution
   d. the right to complain to the Privacy Commissioner.
11. Some practical privacy ‘do’s and ‘don’ts’
- When collecting information, do so in a private place where the client cannot be overheard by members of the public.
- Turn computer screens away from any public areas so they are not visible to members of the public.
- Place computers and printers where they cannot be accessed by unauthorised personnel.
- If a client brings in a friend or support person, check whether the client is comfortable answering personal questions in front of that person.
- Do not leave documents with personal or health information unattended on a desk or in a vehicle. Lock away information when not in use.
- If information is kept on electronic devices, keep these devices password-protected, including USB sticks. When not in use, lock computers with a password.
- Update passwords regularly, particularly after staff changes or when there is a security concern.
- When working in the community, only take the information needed for the work. Where possible, load electronic versions of any required files onto a password-protected electronic device, rather than take paper files.
- When emailing large groups of individuals, use the BCC function to protect the identity of recipients.
- Ensure email newsletters enable people to unsubscribe.
Last updated: 11 March 2021
Exemplar Privacy forms
Authorisation to collect information form
(Part 1)
To be completed when a new client joins the Society or seeks services.
Personal and Health Information
Name: ………………………………………………………………………
Address: ………………………………………………………………………
...................................................................................................
Phone number: ……………………………...........................................................
Email: ……………………………………...........………………………....
Date of birth: ……………………......................................................................
Preferred means of contact: Phone / Email / Txt / Either
Are you a New Zealand citizen or Permanent Resident: Yes / No
Are you a Community Services Card holder: Yes / No
Ethnicity: ..……………...……………… Gender: ..……………...………………
Do you have MS? Yes / No Approximate date of diagnosis: ...........................……
If no, state condition: ......................................................................………………………………………………............
GP name: ……………………………… GP phone number: .............…………….....
GP address: ……………….………………………………………………………
Neurologist name: ..……………...………………………………………………………
Emergency Contact Name: ..……………...………………………………………………..
Emergency Number: ..……………...……………………………… Relation: ..……………...............................
I, ……………………………………………………, authorise the Society to collect, store and disclose personal and health information on my behalf, consistent with the Society’s privacy policy statement. Signed: ....………………………………………....... Date: ……………………
If unable to sign, please state the name of person signing on your behalf and their relationship to you:
Name: ……………………………………… Relation: …………………………………
This authorisation is made according to the Privacy Act 2020, Health Information Privacy Code 2020, and in line with the Society’s Privacy policy.
If you have any concerns or questions regarding this policy, please contact us at info@mswellington.org.nz or phone 04-388 8127
Privacy policy statement
Your privacy is precious, and we treat your information accordingly.
Why do we collect your information?
The Wellington Multiple Sclerosis Society (the Society) is a non-profit organisation formed to empower people with MS to lead their best lives: we do this by providing information, education and advocacy.
You do not have to provide us with any information, but we may not be able to fully engage with you if you do not.
How will we use your information?
We will use your information to provide services to assist you to manage your multiple sclerosis, to stay in touch and inform you about our activities, for fund raising purposes, and to advocate for improved services and well-being of people with multiple sclerosis. We only collect information that is necessary for these purposes.
There may be times where we need to disclose some of your information:
- to District Health Boards or other health agencies to enhance the support you receive
- to the Multiple Sclerosis Society of New Zealand to enable more effective national advocacy
- to support research into multiple sclerosis
- to provide funding organisations with statistical data as a proof of service delivery
- to process donations
- due to safety considerations.
How will we manage your information?
We take the security and accuracy of your personal and health information very seriously. For instance, we are required to hold your health information for 10 years. Once it is no longer required, we will destroy it in a secure manner.
Any information we collect may be stored on our behalf, such as by using cloud-based data storage. We will take reasonable steps to protect personal and health information that is held by us from unauthorised access, use, disclosure, alteration, or destruction.
What are your rights to access and correct your information?
You have the right to ask for a copy of any information that we hold about you and may ask for it to be corrected if you think it is inaccurate.
If you would like to ask for a copy of your information or to have it corrected—or if you consider we have breached the Privacy Act 2020 or Health Information Privacy Code 2020—please contact us at: info@mswellington.org.nz or phone 04-388 8127
Authorisation to collect information form
(Part 2)
Diagnosis (Circle): Suspected MS Clinically Definite MS
Relapsing MS Progressive MS
Not MS
Symptoms: ..................................................................................................................
Current EDSS Score: ..……………...………………………………………………………...............
Disease Modifying Treatment: …………………….......................................................................
Other Medications: …………………….......................................................................
Other health conditions: …………………………….......................................................................
Smoker: Yes / No / Vape
Exercise (circle): Never / Sometimes / Regularly
MS Diet: ...................................................................................................
In the last 12 months have you had an assessment by a/an (circle):
Physiotherapist: Yes / No Occupational Therapist: Yes / No
Additional Personal Information
Dependants (under 18): Yes / No Number:……………………
Animals living on the property? ……………………………………………………….
Government benefits: ..……………...…………………………………………………….
Total Mobility User (circle): Yes / No / N/A
Community Services Card (circle): Yes / No / N/A
Do you have a Carer (circle): Yes / No
If yes, carer’s name: ..……………...…………………………………………………….
If yes, carer’s contact: ..……………...…………………………………………………….
Are you currently working (circle)? Full Time / Part Time / Not currently working / Retired
Current profession: ……………………………………………………………………….
Current employer: ……………………………………………………………………….
Privacy policy statement
Your privacy is precious, and we treat your information accordingly.
Why do we collect your information?
The Wellington Multiple Sclerosis Society (the Society) is a non-profit organisation formed to empower people with MS to lead their best lives: we do this by providing information, education and advocacy.
You do not have to provide us with any information, but we may not be able to fully engage with you if you do not.
How will we use your information?
We will use your information to provide services to assist you to manage your multiple sclerosis, to stay in touch and inform you about our activities, for fund raising purposes, and to advocate for improved services and well-being of people with multiple sclerosis. We only collect information that is necessary for these purposes.
There may be times where we need to disclose some of your information:
- to District Health Boards or other health agencies to enhance the support you receive
- to the Multiple Sclerosis Society of New Zealand to enable more effective national advocacy
- to support research into multiple sclerosis
- to provide funding organisations with statistical data as a proof of service delivery
- to process donations
- due to safety considerations.
How will we manage your information?
We take the security and accuracy of your personal and health information very seriously. For instance, we are required to hold your health information for 10 years. Once it is no longer required, we will destroy it in a secure manner.
Any information we collect may be stored on our behalf, such as by using cloud-based data storage. We will take reasonable steps to protect personal and health information that is held by us from unauthorised access, use, disclosure, alteration, or destruction.
What are your rights to access and correct your information?
You have the right to ask for a copy of any information that we hold about you and may ask for it to be corrected if you think it is inaccurate.
If you would like to ask for a copy of your information or to have it corrected—or if you consider we have breached the Privacy Act 2020 or Health Information Privacy Code 2020—please contact us at: info@mswellington.org.nz or phone 04-388 8127
Additional Authority to Release Information
To be completed if a client agrees to information being used for a purpose not covered by the standard Privacy Policy Statement.
I authorise the Society to release, exchange and discuss my information for the purpose of: ...............................................................................................................................……………………………………………………
...............................................................................................................................…………………………………………………… ...............................................................................................................................…………………………………………………… ...............................................................................................................................…………………………………………………… ...............................................................................................................................…………………………………………………… ...............................................................................................................................…………………………………………………… ...............................................................................................................................……………………………………………………
Name: .....................................………………………………………...............................................………
Address: .....................................………………………………………...............................................………
.....................................………………………………………...............................................………
Phone number: .....................................………………………………………...............................................………
Email: .....................................………………………………………...............................................………
Signature: ........................................................................................... Date: ........................................
Contact Information
This authorisation is made according to the Privacy Act 2020, Health Information Privacy Code 2020, and in line with the Society’s Privacy policy.
If you have any concerns or questions regarding this policy, please contact us at: info@mswellington.org.nz or phone 04-388 8127
Privacy policy statement
Your privacy is precious, and we treat your information accordingly.
Why do we collect your information?
The Wellington Multiple Sclerosis Society (the Society) is a non-profit organisation formed to empower people with MS to lead their best lives: we do this by providing information, education and advocacy.
You do not have to provide us with any information, but we may not be able to fully engage with you if you do not.
How will we use your information?
We will use your information to provide services to assist you to manage your multiple sclerosis, to stay in touch and inform you about our activities, for fund raising purposes, and to advocate for improved services and well-being of people with multiple sclerosis. We only collect information that is necessary for these purposes.
There may be times where we need to disclose some of your information:
- to District Health Boards or other health agencies to enhance the support you receive
- to the Multiple Sclerosis Society of New Zealand to enable more effective national advocacy
- to support research into multiple sclerosis
- to provide funding organisations with statistical data as a proof of service delivery
- to process donations
- due to safety considerations.
How will we manage your information?
We take the security and accuracy of your personal and health information very seriously. For instance, we are required to hold your health information for 10 years. Once it is no longer required, we will destroy it in a secure manner.
Any information we collect may be stored on our behalf, such as by using cloud-based data storage. We will take reasonable steps to protect personal and health information that is held by us from unauthorised access, use, disclosure, alteration, or destruction.
What are your rights to access and correct your information?
You have the right to ask for a copy of any information that we hold about you and may ask for it to be corrected if you think it is inaccurate.
If you would like to ask for a copy of your information or to have it corrected—or if you consider we have breached the Privacy Act 2020 or Health Information Privacy Code 2020— please contact us at: info@mswellington.org.nz or phone 04-388 8127
Subscription/Donation form
The Wellington Multiple Sclerosis Society invites clients and all interested members of the public to become financial members by completing this form.
When making donations or payments you may provide us with personal information (including, without limitation, your name, email address, phone number, postal address, and credit card details). You agree that we may disclose your personal information for the purposes of processing and recording donations or payments.
If you wish to pay your subscription online via Internet Banking, please pay to:
Name of Account: [insert account details]
Account Number: [insert account details]
Reference: (your name) and Membership
Name: ……………………………………………………… Client, already receiving our service
Address: ………………………………………………… A Family Member
………………………………………………………………………... A supporter
……………………………………………………………………………..
Phone: …………………………………………………………………
Phone number: ………………………………………………………….
Email: ………………………………………………………………… (for receipt of the newsletters)
Annual Subscription Individual: [insert amount]
5 Year Membership: [insert amount]
Would you be interested in doing volunteer work for the Society? If so what would you be interested in doing?
………………………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………………………
Privacy policy statement
Your privacy is precious, and we treat your information accordingly.
Why do we collect your information?
The Wellington Multiple Sclerosis Society (the Society) is a non-profit organisation formed to empower people with MS to lead their best lives: we do this by providing information, education and advocacy.
You do not have to provide us with any information, but we may not be able to fully engage with you if you do not.
How will we use your information?
We will use your information to provide services to assist you to manage your multiple sclerosis, to stay in touch and inform you about our activities, for fund raising purposes, and to advocate for improved services and well-being of people with multiple sclerosis. We only collect information that is necessary for these purposes.
There may be times where we need to disclose some of your information:
- to District Health Boards or other health agencies to enhance the support you receive
- to the Multiple Sclerosis Society of New Zealand to enable more effective national advocacy
- to support research into multiple sclerosis
- to provide funding organisations with statistical data as a proof of service delivery
- to process donations
- due to safety considerations.
How will we manage your information?
We take the security and accuracy of your personal and health information very seriously. For instance, we are required to hold your health information for 10 years. Once it is no longer required, we will destroy it in a secure manner.
Any information we collect may be stored on our behalf, such as by using cloud-based data storage. We will take reasonable steps to protect personal and health information that is held by us from unauthorised access, use, disclosure, alteration, or destruction.
What are your rights to access and correct your information?
You have the right to ask for a copy of any information that we hold about you and may ask for it to be corrected if you think it is inaccurate.
If you would like to ask for a copy of your information or to have it corrected—or if you consider we have breached the Privacy Act 2020 or Health Information Privacy Code 2020— please contact us at: info@mswellington.org.nz or phone 04-388 8127
__________________________________________
Appendices
- Health Information Privacy Code 2020
- Health on the Road, How to keep health information safe while working in the community, Office of the Privacy Commissioner
[1] https://privacy.org.nz/privacy-act-2020/codes-of-practice/hipc2020/
[2] https://privacy.org.nz/assets/Uploads/3-Health-on-the-Road-Guidance-Publication-version-final-pdf-version-A498856.pdf