Just Life Group Limited (“Just Life”) complies with the New Zealand Privacy Act 2020 (the Act) when dealing with personal information. Personal information is defined as information about an identifiable individual (a natural person).
This policy sets out how we will collect, use, store, disclose and protect our customers’ personal information.
This policy does not limit or exclude any of your rights under the Act. If you wish to seek further information on the Act, see www.privacy.org.nz.
Collection of Information
We collect personal information about you from:
you, when you provide that personal information to us, including via the website and any related service, through any registration or subscription process, through any contact with us (e.g. telephone call or email), or when you buy or use our services and products
- third parties where you have authorised this or the information is publicly available (for example, a credit check through Equifax or Centrix).
If possible, we will collect personal information from you directly.
We use information:
- To verify your identity ( we may ask you for your D.O.B. or your last payment amount)
- To provide services and products to our customers;
- To undertake credit checks;
- To invoice and collect money that is owed to us, including authorising and processing credit card transactions and direct debit transactions;
- To respond to communications from our customers;
- To carry out market, product and customer analysis
- To protect and/or enforce our legal rights and interests, including defending any claim.
- Any other purposes as authorised under the Privacy Act 2020.
We may disclose information to:
- Any business that supports our services and products, including any person that hosts or maintains any IT systems. Such a business may be located outside of New Zealand. This may mean personal information is held outside New Zealand;
- A credit check company for the purpose of credit checking a current or potential new customer;
- A debt collection agency where an account remains unpaid;
- A person who can require us to supply personal information (e.g. a regulatory authority);
- Any person authorised by the Privacy Act or any other law (e.g. a law enforcement agency);
- Any person authorised by the customer of whom the personal information is being disclosed.
Credit card security
We work diligently to protect the security of your personal information, including credit card information. Your credit card details do not get processed or transmitted through or via Hometech web site; all transactions are processed through a secure payment service provider. Hometech uses Windcave to provide this service. Windcave hosts and manages the payment page. All transaction sessions are stored and processed in encrypted strings. Your credit card details are not held by Hometech and cannot be accessed by Hometech staff.
Storage and Security of Personal Information
We store personal information collected from our customer’s and we will take all reasonable steps to keep the personal information safe from loss, unauthorised activity or any misuse.
However, we cannot guarantee that all personal information cannot be accessed by an unauthorised person (for example, a hacker) or that unauthorised disclosure will not occur.
The following steps are taken by Just Life to help keep information secure:
- Policies and procedures are in place. Employees are aware of the policies and procedures and follow them. Where a policy or procedure has not been followed, feedback and corrective action is undertaken;
- Access to physical documents is appropriately restricted to the relevant employees;
- Access to personal information is limited to those employees with a demonstrable need. Digital footprints can be tracked if required;
- Information, including physical documents, are only disposed of securely;
- Software is kept regularly updated to ensure that known vulnerabilities are addressed promptly;
- Backups are performed regularly and kept securely.
Accessing and Correcting your Personal Information
Subject to certain grounds for refusal set out in the Act, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates.
While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
If you post your personal information on the website’s, social media sites, chat rooms, you acknowledge and agree that the information you post is publicly available.
A privacy breach occurs when an organisation or agency does not comply with one or more of the Information Privacy Principles set out in section 6 of the Privacy Act 2020. A breach of a privacy principle can occur without causing serious harm to an individual.
If a suspected breach of privacy has occurred, Just Life will follow the ‘Notify Us’ guidelines and assessment we based tool, as provided by the Privacy Commissioner:
Step 1: Contain the breach and make a first assessment
Step 2: Evaluate the risks
Step 3: Notify affected people if necessary
Step 4: Prevent a repeat
Step 1: Contain the breach and make a first assessment
- Contain the breach. Depending on the type of breach, stop the unauthorised practice, try and get back the records, consider disabling the system that was breached, cancel or change the computer access codes and try to fix any weaknesses in the physical or electronic security.
- Our Privacy Officer will be appointed to lead the initial investigation.
- Determine whether a team needs to be put together. It may be people in and outside the business, depending on the expertise required.
- Communicate with those who need to know. Consider whether Marsh Insurance needs to be informed, as well as the auditors. If the breach is due to criminal activity, inform the Police.
Just Life will assess the seriousness of a privacy breach by using the NotifyUs tool; a resource tool from the Privacy Commissioner.
Step Three: Notify affected people as identified by NotifyUs tool
- If the assessment from NotifyUs identifies the breach as Notifiable then we will notify the Privacy Commissioner;
- And those individuals affected.
- It is always best to notify affected individuals directly – by phone, letter, email or in person. Indirect notification should only occur where direct notification could cause further harm, is prohibitively costly or the contact information is not known.
Breach notifications should generally contain the following information:
- Information about the incident, including when it happened;
- A description of the personal information that has been disclosed and what has not been disclosed;
- What the company is doing to control or reduce the harm;
- What it is doing to help people and what steps they can take to protect themselves;
- Contact information for enquiries or complaints;
- Whether the company has notified the Office of the Privacy Commissioner;
- Contact information for the Privacy Commissioner.
Consider whether any of these third parties need to be notified:
- Credit card companies, financial institutions or credit reporting agencies;
- Third party contractors;
- The Board;
- Union or other employee representatives.
Step Four: Prevent a repeat
Following a breach, the company shall investigate the cause of the breach and make changes to their prevention plan and how it is being applied. The amount of effort should reflect the significance of the breach and whether it happened as a result of a systematic problem or an isolated event. It could include:
- A security audit of both physical and technical security;
- A review of policies and procedures;
- A review of employee training procedures.
- A review of any service delivery partners caught up in the breach.