The Archdiocese of Wellington (Archdiocese) is committed to promoting and protecting the privacy of all individuals associated with its entities and Staff Members, Visitors, Donors and Contractors, and any others. The policy seeks compliance with the Privacy Act 2020 and the Information Privacy Principles. The Act describes how we may collect, use and store personal information and the requirements around breaches. The Office of the Privacy Commissioner is empowered by the Act to administer, monitor and enforce compliance. Among the many functions of the Privacy Commissioner’s Office is that of investigating any alleged breaches of, and non-compliance with, the Act.
The Archdiocese has a Privacy Officer who understands the data collection and storage requirements of each entity and oversees requests for personal information. The Catholic Bishops Conference Securities Limited (CBCSL) and the New Zealand Catholic Bishops Conference (NZCBC) also have a National Privacy Officer, who provides advice to the Privacy Officers and liaises with the Privacy Commissioner if there are any breaches and/or investigations.
The purpose of this Policy is to give us guidelines on:
- how we collect and store personal information
- what personal information we collect
- how we use and disclose personal information about individuals
- how individuals may access personal information relating to them that is held by the Archdiocese of Wellington or its entity
- how personal information is disposed of
- how to address complaints of breaches of privacy
- how we respond to the requirements of the Privacy Commissioner
It is important that staff understand the Archdiocese’s information management, privacy and confidentiality guidelines.
This Policy covers those Archdiocesan entities and Staff Members of the Archdiocese who work in the Archdiocesan Catholic Centre in Wellington, other diocesan centres (including parishes in the greater Wellington region), from home or in another location listed in the Staff Members’ Employment Agreement.
The Privacy Act 2020 is primarily concerned with the protection of personal information and good information handling practices.
Entities are responsible for ensuring these guidelines are met through their processes and/or procedures. The following guidelines apply these principles:
Guidelines for collecting, using, accessing, correcting and storing personal information
(The number in brackets [ ] after each guideline refers to the relevant information privacy principle.)
- When we collect personal information about an individual, we make known the purpose of collecting it, who will have access to it, and whether it is compulsory or optional information. We advise that individuals have the right to request access to, and correction of, their personal information.
- We only collect personal information:
  - for purposes connected with the function or activity of the entity, and only when it is necessary to have this information
  - directly from the person concerned, or, if a minor, their parent or guardian, unless it is publicly available from elsewhere, or the person’s interests are not prejudiced when we collect the information from elsewhere
  - in a transparent and respectful manner. [1,3,4]
- We have reasonable safeguards in place to protect personal information from loss, unauthorised access, use, or disclosure. These safeguards include the use of individual logins for computers, and lockable filing cabinets. Any sensitive information should have extra layers of security (i.e., only certain members within the organisation will have a password to access the electronic file). We may also require volunteers and third-party contractors to sign confidentiality agreements.
- If an individual wants access to information we hold about them, we provide it (unless there are good reasons for withholding it). Individuals may request correction of this information or, when not corrected, that a record of the request is attached to the information. [6,7]. Personal information may only be withheld in accordance with sections 49
- We take reasonable steps to make sure personal information is correct, up to date, relevant and not misleading.
- We only keep information for as long as it is needed, and for the purposes for which it may be lawfully used.
- Information is only used for the purposes for which it was obtained except in certain circumstances (for example, for statistical purposes where the person’s identity is not disclosed).
- We safeguard people’s information and we do not release that information to third parties unless we are allowed, or required, to release information by law. This covers disclosure to persons other than those able to legitimately access material about others (such as a guardian of a minor).
- As a general rule, information about any person is not given to a third party without the person’s knowledge, unless:
  - the information is already publicly available
  - it is being passed on in connection with a purpose for which it was obtained
  - the right to privacy is over-ridden by other legislation or court order
  - it is necessary for the protection of individual or public health and safety.
- In certain circumstances, we may disclose personal information to a foreign partner in reliance on IPP 11. We will only do this if we believe on reasonable grounds that our foreign partner is subject to comparable safeguards to those in the Privacy Act 2020.
- From time to time, we may need to assign unique identifiers for operational reasons.
Guidelines for Legal Holds: preserving records during litigation or investigations
When litigation, an audit, or investigation occurs or is reasonably anticipated, a written notice (referred to as a “Litigation Hold Notice” or “Legal Hold”) will be issued to appropriate staff. All records, whether official records, information copies, working documents, or transitory records, potentially relevant to the matter must be retained until the Litigation Hold is terminated. The Litigation Hold will remain in place until litigation is no longer reasonably contemplated or cannot proceed (i.e., the limitation period for bringing a claim has expired). The effect of this notice is to freeze or suspend the destruction or alteration of records, electronically stored information, and other materials identified in the notice.
Where appropriate, we may need to advise third parties to retain documents once a Litigation Hold Notice has been issued.
The Motu Proprio by Pope Francis, Vos Estis Lux Mundi, Article 2, §2 also provides for data protection in relation to complaints of sexual abuse matters.
Records relevant to the matter may not be destroyed – even if the retention period in the relevant Retention and Records Disposal Schedules has expired or expires during the Litigation Hold – until the action is resolved and a notice terminating the Hold has been issued. There are serious legal consequences for individuals who destroy or alter records under a Litigation Hold, or who know of a pending issue and do not halt destruction.
Guidelines for privacy breaches
Privacy breaches are the loss of personal information to a third party that has no right to that information. If a privacy breach is identified, the first step is to report it to your entity manager and privacy officer, who should then report it to the ADW Privacy Officer.
The Privacy Officer will work through four steps:
- Contain the breach and make a first assessment
- Evaluate the breach
- Notify affected people if necessary
- Prevent the breach from happening again
If a privacy breach has caused (or is likely to cause) serious harm, the Privacy Officer will need to notify the Office of the Privacy Commissioner and affected individuals as soon as possible (ideally, no later than 72 hours). Breaches can be reported using the ‘NotifyUs’ Platform on the Privacy Commissioner’s website. Under the Privacy Act 2020, it is a criminal offence to fail to inform the Privacy Commissioner when there has been a notifiable privacy breach.
The threshold for a notifiable breach is ‘serious harm’. This can be assessed by considering, for example, the sensitivity of the information lost, actions taken to reduce the risk of harm, the nature of the harm that could arise, and any other relevant matters.
Guidelines for compliance notices
Under the Privacy Act 2020, the Privacy Commissioner will be able to direct agencies to provide individuals access to their personal information. The Privacy Officer is responsible for liaising with the Privacy Commissioner and any relevant entity should a compliance notice be received.
Guidelines for websites
The websites of all the Archdiocese of Wellington entities must be compliant with the Privacy Act 2020. The following guideline is provided as a template to inform website visitors about their privacy rights:
If you access our website, we may collect additional personal information about you in the form of your IP address and domain name.