The Dunedin City Council respects and protects the privacy of all people we deal with and who provide us with information. This policy sets out our approach to the privacy of personal information and is based on the principles expressed through the Privacy Act 1993.
Collection and Use of Personal Information
The DCC will only collect information from you that you volunteer. This information is required for lawful purposes used in the functioning of the Council. We will hold your personal information in accordance with the requirements set out in the Privacy Act 1993. In particular:
- Your personal information will only be used for the purposes for which it is collected.
- It will be retained only for as long as is necessary to fulfil the purposes for which the information was collected (including any time that we are required by law to retain such information).
- We will not release your personal information to any third party except where required to, permitted to, by law, and where you have authorised us to do so or where disclosure is connected to the purpose for which the information was collected.
- Information we collect will not be used in ways that you have not consented to.
For more detailed information about the Privacy Act you can refer to the Privacy Commissioner's Guide to the Privacy Act 1993. If you are concerned that the Council may have breached the Privacy Act or if you are not sure of our obligations, you can contact the Privacy Commissioner as follows:
- Privacy Hotline: 0800 803 909.
- Privacy Commission website (link to external website, new window)
How Dunedin City Council Uses Your Information
The DCC may use your information:
- To provide you with personalised content, services or facilities – including those our Council Controlled Organisations provide;
- To process and respond to inquiries;
- For the purposes for which you provided the information.
- To comply with relevant laws and regulations.
- For any specific purpose that we notify you of at the time your personal information is collected.
Storage of Personal Information
We have strict security procedures covering the storage of your information in order to prevent unauthorised access and to comply with the terms of the Privacy Act 1993.
We do not sell, trade or rent your personal information to others. All data is stored behind corporate firewalls and only specific employees can access your personal data. The DCC has in place measures to protect against the loss, misuse and alteration of your personal information. Our servers are protected by reasonable physical and electronic security measures.
This means that sometimes we may ask you for proof of identity or for other personal information before we can process your enquiry further.
DCC Website and Cookies
You may browse and access information contained on our website without providing personal information. This website stores cookies on your computer. These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media.
Security of web-based personal information
A secure method using SSL (secure socket layer) encryption is used when customers use for services such as e-shop.
Links to Third Parties
The website may contain links to other websites operated by third parties. The DCC takes no responsibility for the privacy practices of third parties. You should consult the privacy policies of each linked website to determine the policy that each third party adheres to.
This website may record information about user behaviour. This data cannot be used to identify individuals or any personal information. Any information collected will be used to improve your website experience and will not include any information that identifies you.
Access and editing personal information
At any stage, you have the right to access and correct or update your personal information or to request not to receive communications from us. This can be done by contacting us by email email@example.com or by phone on 03 477 4000. It is your responsibility to ensure that personal information provided to us is accurate.
Official Information Act and LGOIMA Requests
All enquiries about or formal requests for information in terms of the Local Government Official Information and Meetings Act 1987, or the Privacy Act 1993 should be in writing to:
Information requests, Governance Manager, Dunedin City Council, PO Box 5045, Moray Place, Dunedin 9058 or email: firstname.lastname@example.org.
General Data Protection Rules (GDPR)
If you are in the European Union, you have additional rights in relation to your personal data under the European Union General Data Protection Regulation (in effect on 25 May 2018). Under the GDPR you have the right to:
- Withdraw consent. You have the right to notify the DCC that you no longer want us to process or use your personal data. You can do that by contacting DCC on 03 477 4000 or email@example.com
- Right to data portability. You have the right to obtain a copy of any personal data stored and processed by DCC and you may direct DCC to transfer your personal data to another controller via csv format.
- Right to erasure/Right to be forgotten. You have the right to request that any of your personal data is deleted from our records. Please note that while we can delete your personal data from our current records, data may be stored in DCC inactive and archived records and will be deleted in accordance with DCC's document management policies. In some cases, your personal data may continue to be stored in archived records of transactions or activities where DCC is required by law to retain such records.
- Right to restriction of processing. You may request that DCC restrict the processing of your personal data. This may affect your ability to use or navigate some of our customer services.
Further information and complaints
For further information about this Privacy Statement or if you think that we have breached our obligations, you may make a complaint to our Privacy Officer by writing to firstname.lastname@example.org
- Dunedin City Council – Privacy Officer
- PO Box 5045, Moray Place, Dunedin 9058, New Zealand.
- Phone: 03 477 4000 Fax: 03 474 3366
- Email: email@example.com
- You can also call the Privacy Commissioner's privacy hotline: 0800 803 909.
General Data Protection Regulation (GDPR)
What is the GDPR regulation?
The European Union's (EU) General Data Protection Regulation (GDPR) came into force on 25 May 2018. It is a law passed by the European Parliament.
The GDPR aims to protect the personal data of individuals based in the EU. The GDPR applies to businesses located within the EU, and to all businesses (wherever they may be located) that collect, use and store personal data from individuals based in countries of the EU.
What is personal data?
The GDPR defines 'personal data' as any information relating to an identified or identifiable natural person. It includes information that by itself or when matched with another piece of information can identify an individual.
If the data used, collected or stored cannot identify an individual – the GDPR will not apply.
Who does it apply to?
Businesses who supply goods or services to individuals in the EU need to comply with the GDPR.
What rights does it give people?
Under the NZ Privacy Act, an individual has the right to know why their information is being collected, used and stored, and the right to request a copy of their information and to correct it.
However, the GDPR provides individuals in the EU with additional rights, namely the right to:
- erasure of their personal data;
- data portability; and
- object to the processing of their personal data.
A person can ask a business to erase their personal data in certain situations, such as where:
- the business no longer requires the personal data;
- the person withdraws consent to the processing of their data; or
- there was wrongful collection of the personal data.
Gives a person the right to ask for their personal data to be held by the business in a structured, commonly used and machine-readable format. It also gives a person the right to transmit their personal data to another business without any hindrance from the business they originally provided their data to.
Objecting to the Processing of Your Data
A person can object, at any time, object to the processing of their personal data.
This is unlike the NZ Privacy Act, which requires that businesses must only take reasonable steps to destroy or de-identify personal information that they no longer need for a specific purpose.
Business Tip: Automatically store personal information in a format that is easy to extract and provide to a customer upon request. Set up automatic notifications where customers can let you know if they wish to withdraw their consent, and establish business workflows to manage the actions to be taken.
Under the NZ Privacy Act, an individual must consent to the collection of their personal information. The consent can be either express or implied.
In NZ, filling in a web form may pass as implied consent to the collection of personal information, even if the form does not explicitly state that data will be collected, and the individual has not given their consent to this collection.
In contrast, the GDPR requires businesses to clearly demonstrate that a person is given appropriate information about the data to be collected, and has given their consent to this collection.
What do I do if someone tells me they want to EXERCISE their rights?
You can check with your manager, a member of the legal team or the Council's Privacy Officer (Jennifer Lapham) if you would like assistance to work through whether we need to act on their request or what is required to give effect to their request.
Data Breach Notifications
The GDPR provides an individual with the following rights:
- To be informed
- Of access
- To rectification
- To erasure
- To restrict processing
- To data portability
- To object, and
- Rights in relation to automated decision making and profiling
The GDPR provides a definite time frame for notifying authorities of a breach of an individual’s rights under this regulation. Where there has been a breach, the business must without delay and not later than 72 hours notify:
- the relevant supervisory authority in the country of the affected EU resident; and
- the individual.
What should I do if someone complains that the Council has breached their rights?
Ask them how you can put things right, and check with your manager, a member of the legal team or the Privacy Officer if they ask us to take steps.
Always offer them the opportunity to make a written complaint if they wish and provide them with the email address of Council’s Privacy Officer - firstname.lastname@example.org
This general GDPR guide will not apply to every situation. You should seek further legal advice by logging a job in LawVu Legal Advice Request Form (link to external website, new window) if:
- You are unsure whether the GDPR applies to the individual.
- Someone has alleged that their rights under the GDPR have been breached.
Still didn't find what you were looking for?