Waka Kotahi NZ Transport Agency deals with the personal information of a large number of people and engages with a wide range of people and organisations who may handle personal information on its behalf.
Managing personal information appropriately is important to us and to the people whose personal information we hold. As an organisation who handles personal information on our behalf, we expect that you will also manage personal information appropriately and that if any issues arise (such as unauthorised access to or disclosure of personal information, whether accidental or deliberate), you will work with us to resolve them.
Personal information is information about an identifiable individual. Any information which tells us something about a specific individual is personal information. The information does not need to name the individual, as long as they are identifiable in other ways, like through their home address.
Personal information is not limited to information about an individual’s private or family life. This can include information about an individual’s business or work activities. Personal information can range from sensitive and confidential information to information that is publicly available. At Waka Kotahi, we also generally treat motor vehicle registration plate numbers as personal information.
All organisations have obligations to comply with the Information Privacy Principles set out in the Privacy Act (the Act). The Act covers the life-cycle of personal information and requires all organisations to have a Privacy Officer to oversee their compliance with the Act and to investigate any privacy complaints they may receive.
If you’re working with us, you have responsibilities when handling our customers’ information. In particular, we expect you to have the following in place:
Privacy incidents can happen through complacency, inadequate security, poor procedures or by accident. Privacy incidents are often simple mistakes that only take a second to make but result in damage that can be serious and long-lasting. Proper incident management is critical, as it can help to minimise the harm to the individuals affected, your organisation, and Waka Kotahi.
We classify privacy incidents into two types:
A privacy breach is an incident where personal information is accessed by an unauthorised person, or is collected, used or disclosed without authorisation (for example, where personal information is used or disclosed for a different purpose to that for which it’s been collected, or a person not authorised to see that information accesses it. Failure to store personal information securely is also a privacy breach.
A near-miss is an incident that had the potential to become a privacy breach but was prevented before it could happen.
If you or any of your staff identify a privacy breach or near-miss resulting from your mis-management or mis-handling of personal information on Waka Kotahi’s behalf, you must immediately notify your Waka Kotahi contract or relationship manager. Together we will work to assess the incident and identify the best actions necessary to manage it appropriately and minimise the harm to the individual concerned.
The Office of the Privacy Commissioner has comprehensive guidance and training on its website for agencies and organisations that deal with personal information. Some useful links are provided below.
If you would like to talk to someone at Waka Kotahi, please get in touch with your contract or relationship manager.