Status
This policy was formally adopted by the PSA executive board at its November 2022 meeting. It replaces the 2011 Policy on the Management of Member Information. It is made pursuant to rule 43 of the PSA Rules and derives its status from and sits under the purpose and objects set out in part 1 of the PSA Rules.
Rationale
This new policy covers all uses of data and information. It reflects changes to legislation and practice since our previous policy was developed. The approach is to focus on principles and commitments as well as a risk and assurance process to ensure those principles are followed. The policy is part of a wider project ensuring that information and data is gathered, stored and used appropriately.
Purpose of policy
Data Principles
Data Stewardship
The use of data is crucial to modern organising. The PSA aims to be a good steward of data. This means when we collect data it is for a clear purpose, the data is high quality, it is stored securely in a way that it can be accessed efficiently when needed and kept only as long as needed.
Purpose of collection, storage and use of data
The PSA collects, stores and uses data in pursuit of its purpose: to build a union able to influence the political, economic, industrial and social environments in the interests of the membership of the PSA.

Effective, ethical data use is central to our ability to organise and bargain collectively, a right protected by International Labour Organisation Conventions 87 and 98 and recognised in the Employment Relations Act (2000).
Māori Data Sovereignty
Personal Information
Collecting Personal Information

The PSA collects personal information on members, service users, campaign supporters, staff, non-members and others in pursuit of our purpose.

Information is collected by the PSA when it is held by a staff member or member who holds a delegate role, or other formal role within the PSA, in the capacity of their roles within the PSA.

The PSA has an obligation to collect personal information in a fair way. This means we:

  • Recognise the principle that personal information about an individual should ordinarily be collected from that individual. Only collect personal information from third parties: with the person’s permission, if collecting information from the person directly is not really practicable, if it would undermine the purpose of collection, when provision of that information is provided for under statute, or under other legitimate exceptions outlined under principle 2 of the Privacy Act.
  • Take reasonable steps to ensure that personal information is accurate.

The PSA will, when practicable, provide a statement at the time the information is collected as to the purpose for which personal information is to be used, who will be able to access it, and how people may access and update their own personal information.

Before embarking on a project that collects personal information in new ways, the PSA shall complete a privacy impact assessment that identifies the sensitivity of the information involved and the risks around its use. If a privacy impact assessment identifies a project is high risk, then it may only proceed with the approval of the risk and assurance committee.

Internal Access to Personal Information
PSA staff have access to personal information the PSA holds in order to do their jobs and will only access the personal information necessary to do their jobs. PSA kuia, kaumatua, holders of elected roles and delegates may need access to personal information the PSA holds in order to fulfil their role and will only access the personal information necessary to fulfil their role. The PSA will ensure that the necessary policies, training, practices and resources are in place around internal access of data to protect the privacy rights of individuals and the integrity of their information.
Disclosure of Personal Information

The PSA will never sell personal information.

The PSA will usually only disclose individual information for the purpose the information is collected, or a directly related purpose, or with permission of the person concerned, or in a way that does not identify the individual. The PSA may need to disclose individual information to avoid endangering someone’s health or safety, or to uphold or enforce the law. The PSA will only disclose personal information in ways consistent with Principle 11 of the Privacy Act.

The PSA has identified two situations where it is necessary and therefore permitted for third parties to have access to substantial datasets that include personal information held by the PSA: employers and vendors and contractors.

The PSA may exchange datasets that include personal information with employers, for example:

  • to assist the PSA in the recruitment of new members,
  • to enable provisions under the Fair Pay Agreements Act and the Equal Pay Act,
  • application of the provisions in collective agreements.

The PSA will limit personal information shared with employers to the details necessary, for example names and payroll numbers.

The PSA may need to grant vendors and contractors access to substantial datasets that include personal information to complete work that cannot be undertaken internally. For example, those involved in building and maintaining our data systems, printers or travel agents. Such access will only be granted when it is necessary to complete the purpose for which the data was collected, or a closely related purpose. The PSA will only grant access to third party vendors and contractors if it is satisfied that the third parties will only access personal information if necessary to complete the work and that sufficient safeguards are in place to protect that information from misuse.

Third party access to substantial datasets that include personal information, beyond these two specified permitted examples and that required under statute, must be approved by the Secretariat and the Risk and Assurance committee.

Use of Personal Information
The PSA will only use personal information for the stated purpose it was originally collected for, unless the individual concerned authorised the new use, the information is otherwise publicly available and the new use is reasonable, the individual is not identifiable, or under other legitimate exceptions outlined under principle 10 of the Privacy Act.

Before embarking on a project that uses personal information in new ways, the PSA shall complete a privacy impact assessment. If a privacy impact assessment identifies a project is high risk it must be approved by the risk and assurance committee before proceeding.
Use of Personal Information
The PSA stores information under best practice security arrangements to provide safeguards that prevent loss, misuse or unauthorised disclosure. The PSA manages information in a manner that minimises the risk of unauthorised persons including staff or other individuals sighting the details.

The PSA will only work with organisations that store information outside of New Zealand if the information is subject to privacy safeguards, and provides people based in New Zealand with rights in respect to their data, that are at least equal to those in New Zealand. That means that any other organisation involved does business in New Zealand, or they are subject to privacy laws that provide comparable safeguards to our Privacy Act, or they are a participant in a binding scheme under the Privacy Act, or we are satisfied that the contractual obligations we have entered into will ensure comparable safeguards to the Privacy Act.
Disposal of Personal Information
The PSA will dispose of information when it is no longer required for the purpose it was collected. The PSA will follow best practice in the destruction of both physical and digital data.
Privacy Officers
The Secretariat appoints privacy officers to manage the privacy aspects of this policy, provide advice and training materials on privacy and related matters, and ensure that the PSA meets its obligations under the Privacy Act. Normally at least one privacy officer will be a member of the legal team and at least one privacy officer will have an operations and systems role.
Consultation and Engagement
The PSA recognises that member engagement and consultation is key to legitimate use of data within a membership-based organisation and that engagement and consultation with staff unions is key to legitimate use of data by an employer. The PSA’s privacy impact assessments will include considering if consultation with either group is required. The Risk and Assurance Committee may also recommend further consultation and engagement on any aspect of data and privacy that it has discussed.

When undertaking consultation around member data and privacy, the PSA will consider whether it is appropriate to consult samples of less engaged members and members with privacy expertise in addition to governance structures.
Individual’s right to access their personal information
Individuals have the right to access and correct information about themselves by making a request. If an individual requests a correction the PSA will either carry that request out or attach their statement of correction.
Management of privacy breaches
In the event of a privacy breach, the PSA response will be informed by the guidelines of the Office of the Privacy Commissioner. Currently these are summarised as undertaking four key steps: contain, assess, notify and prevent. The PSA will report breaches and near misses to the risk and assurance committee. If a breach has caused or is likely to cause someone serious harm the PSA will report the breach to the Office of the Privacy Commissioner.
Mitigation of risk
The PSA has a risk management plan that identifies risks around the management of personal information and has strategies in place to mitigate any problems arising out of those risks. This plan shall include the risks identified in privacy impact assessments. This risk management plan is reviewed annually and reported to the risk and assurance committee.
Risk and Audit Committee Approval and Reporting
The organisation will report to the Risk and Assurance committee annually on data and privacy. The report will include the risk mitigation plan, any privacy breaches, any guidelines published under this policy and an overview of privacy impact assessments. It will also include an in-depth discussion of one or more elements of this policy: how the PSA is meeting its obligations, developments since the last report, risks and mitigations, and any other pertinent matters. The elements that are reported on in-depth will be scheduled in a rotating order so that each element of this policy is reported on in time (though the Risk and Assurance Committee may ask for an update to be brought forward if necessary).

Reports on how the PSA is meeting its obligations under this policy shall be made available to members.

The Risk and Assurance committee may report any data and privacy question to the board. The Risk and Assurance committee shall report to the board on data and privacy on a schedule agreed between the two.
Publication of guidelines
The secretariat may, from time to time, issue guidelines on the application of this policy.

Purpose

The PSA gathers information from members to allow it to administer its membership so as to fulfil the purpose and objects of the union. That purpose is to build a union that is able to influence the industrial, economic, political and social environment in order to advance the interests of PSA members.

Privacy officer

The PSA has a privacy officer appointed by the Secretariat to manage policy, provide advice and training on privacy, and make sure that the PSA meets its obligations under the Privacy Act. The privacy officer will usually be a member of the legal team.

Gathering member information

The PSA has an obligation to collect information in a fair way.

This means we:

  • Gather the information required in order to administer a member’s membership in pursuit of the purpose of the PSA;
  • Collect information on members only from members unless exceptional circumstances apply;
  • Collect any information from delegates necessary to support them in that role;
  • Take all practicable steps to ensure that the information is accurate;
  • Provide members with a statement of the purpose for which the information will be used, and how they may access and update that information, at the time they provide it to the PSA.

Email newsletters

With many of our email newsletters, we now gather information to enable us to better communicate with members and keep members informed. We record when an email is opened and the links within the email that are clicked and when.

We have specifically designed our collection of this information so it is not linked on our systems to the email recipient and cannot be used to determine who clicked a link or opened an email. The collection of this tracking information is carried out directly by the PSA, not third parties.

Mitigating risk

The PSA's plan identifies the risks in managing member information and has strategies to mitigate any problems arising from those risks. This risk management plan is reviewed annually.
