If you run a charity, it will be an organisation that operates with a charitable purpose. Therefore, it is likely you are handling personal information, such as that of donors or volunteers. It is important that you take care to protect any personal information you take in. Furthermore, you must let people know when you collect their data. A good way to communicate this is in a privacy policy. This article will explain whether a charity privacy policy is what you need to comply with New Zealand privacy laws.
Who Does New Zealand Privacy Law Apply To?
The Privacy Act is New Zealand’s primary law that governs privacy protection. Any company that deals with personal information must comply with this law. Personal information is any data you can use to identify a living individual, such as:
- names;
- images;
- email addresses;
- geolocation information; or
- IP addresses.
Such information does not need to be sensitive or confidential to qualify as personal information. However, it is essential to remember that personal information rules only apply to living individuals. Therefore, this privacy law does not protect non-living legal entities such as:
- companies;
- incorporated societies; or
- charitable trusts.
Is My Charity an Agency?
The law classifies any organisation that deals with personal information as an ‘agency’. This is regardless of whether they are in the public or private sphere. As such, if your charity deals with personal data you qualify as an agency. As a result, you must comply with privacy law. Examples of personal data your charity may deal with includes:
- the financial details of donors;
- your donors’ names;
- volunteer details;
- files of the people your charity employs;
- references to individuals in meeting minutes;
- correspondence with your charity containing identifying information;
- personal member files;
- the names and contact details of the people you help; or
- the contact details and names of your board members.
Your Privacy Obligations as a Charity
People expect charities to be trustworthy, and you can face devastating reputational losses if you break that trust. Therefore, you need to ensure you have appropriate privacy procedures within your charity. Firstly, you should have a privacy officer in charge of privacy issues. Furthermore, if a privacy breach occurs and is likely to cause harm, you must inform the Privacy Commission and any impacted people.
In particular, you need to:
- legally collect personal data directly from the source;
- adequately protect and secure any personal information you hold;
- allow people to access and correct their personal data;
- only use correct and up to date data;
- use and keep data only for as long as needed;
- only disclose personal information where needed;
- avoid unauthorised disclosure or use of personal data you handle;
- comply with overseas disclosure conditions;
- handle unique identifiers (such as drivers licence numbers) with due care; and
- let people know how you use their personal data.
Does My Charity Need a Privacy Policy?
As a part of your privacy obligations, you must let people know you are collecting their personal data. You must also let them know your intentions. A privacy policy is a good place to communicate this.
If your charity only deals with small amounts of personal information, a privacy statement may be enough. Indeed, a privacy statement is usually a few paragraphs that summarise what personal data you collect and use. However, it is important you ensure you provide all details of what personal information you handle in this policy. If you deal with large amounts of personal or sensitive information, you may need a more detailed privacy policy.
What Should My Privacy Policy Include?
Your privacy policy should detail what people agree to when they give you their personal information. You must provide a full list of the personal data you collect from people. This is regardless of whether interactions occur in person or through your website. You should include information relating to:
- why you collect certain kinds of personal data;
- any laws that may apply;
- who has access to a person’s data;
- whether people can choose not to give you their data;
- what happens if they don’t give you personal data;
- an individual’s right to access and correct their data; and
- your contact details for privacy concerns.
Key Takeaways
If your charity handles personal information, you need to ensure you meet legal privacy obligations. One of those obligations is to inform individuals you collect their personal data and why. You can display this information in a privacy policy. This can be helpful if you deal with lots of personal or sensitive data. If you would like more information or help with your charity’s privacy policy, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.
Frequently Asked Questions
To be a legally recognised and registered charity, you need to register with Charities Services. This means you need to have an identifiable charitable purpose that benefits the community and the wider public.
If your charity deals with any personal information, you need to comply with New Zealand privacy law sets with that personal information. Personal information is anything that can identify a living person.
If your charity handles lots of personal information, you need to tell individuals that you do so. You can provide a comprehensive explanation of how you deal with personal information in a privacy policy.
We appreciate your feedback – your submission has been successfully received.
