If you run a charity in New Zealand, you need to be careful if you deal with personal information and other kinds of confidential data. Many organisations are moving their operating systems online, and this raises concerns around your data security. More technology means more convenience but also more risk. Therefore, you need to prioritise data protection when that data is sensitive or high-risk. That way, you can reassure your donors and members of the public that the information you hold of theirs is secure. Additionally, data protection is important for complying with your obligations under privacy law. So, this article will explain what you need to know about data protection if you run a charity in New Zealand.
Privacy Law and Data Protection
If you deal with personal information, then the Privacy Act applies to your organisation, whether that information is digital or not. To clarify, personal information is any data that can identify a person. Therefore, the Privacy Act aims to protect the privacy rights of every individual in New Zealand by imposing obligations on those that handle their personal data.
Following that, your charity will likely deal with all kinds of personal information, such as the:
- donor’s financial information;
- volunteer details;
- donor’s names and addresses;
- employee details;
- names and contact details of board members;
- meeting minutes that mention people by name;
- reports or surveys of the general public;
- tracking of cookies from your website; and
- identifying details of charity members or the people you help.
Your Obligations
One of your obligations is to protect the personal data you hold with security measures appropriate to:
- where you store it;
- the kind of information it is; and
- information sensitivity.
Therefore, when you store personal data online, you need efficient data protection measures. These play out both in what security you have and your charity’s practices that reduce the risk of:
- a data breach; or
- other unauthorised disclosure.
Mishandling data protection could lead to losing your reputation as a trustworthy charity organisation and legal penalties under privacy regulation.
Continue reading this article below the formReview What Data is Necessary
Under the Privacy Act, you can only collect and use data that is necessary for a legitimate purpose. You need to have this purpose in mind before you collect any personal data, and tell people that is why you are collecting their information. Once you have used that data for its intended purpose, you should dispose of it securely.
If you limit the personal data your charity collects, there is less to protect and lose in a data breach. Regularly review the personal data your organisation holds so that you are not retaining anything unnecessarily.
Determine What Security Measures Work for You
When you store your charity’s data online, it is important that you implement robust and effective cybersecurity measures. If you do not have skills or experience in this area, consider getting the help of an IT expert to ensure your security is enough to protect the important data you hold.
An example of a good data protection measure is encryption. You should engage an encryption service for any personal data that you:
- collect over an internet connection;
- share over email; or
- store in a database.
Sharing Data
You may wish to share the data that your charity holds with another organisation, such as if you want to recommend a volunteer for their excellent work. Or, you may give them information about your donors if the other party wants to reach a larger audience.
However, you cannot share any personal data unless you have met the necessary requirements. You need to confirm that:
- you have the consent of the relevant individual it is about;
- disclosure was one of the reasons you collected it;
- a law or court requires it; or
- you cannot identify who the information is about.
When you share this information, you also need assurances from the other party that they will handle it securely and comply with privacy law. Otherwise, this poses a risk to your charity’s personal data and undermines your data protection.
Key Takeaways
When your charity deals with personal data, such as donor information or volunteer details, you need to adequately protect that data, both for legal and reputational reasons. Therefore, make sure you receive assurances from anyone you share data with that they will not undermine the protection measures you have in place. Additionally, implement appropriate cybersecurity measures, such as strong passwords and encryption.
If you would like more information or help with your charity’s data protection, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.
Frequently Asked Questions
An agency is the legal name of any business or organisation that handles personal information. If your organisation in the charity sector deals with personal data of this kind, you are an agency that must comply with the Privacy Act.
When you collect personal information, you must tell the individual you are collecting it from who you will share it with. You cannot share information with a new third party without consent from the original individual.
We appreciate your feedback – your submission has been successfully received.
