Privacy
He taonga tō kōrero, mā mātou e tiaki
Your information is a taonga, and we will fulfil our role as kaitiaki.
Your privacy is really important to us. On this page you’ll find our two key privacy policies and our approach to sharing data with StatsNZ’s IDI:
- The website privacy policy, which applies to personal information collected through this website.
- Our LinkPeople privacy and consent policy outlines how we protect the personal information of people who access our services or live in properties we manage.
LinkPeople Limited (we, us, our) uses this Privacy Policy to ensure that we handle personal information in accordance with the Privacy Act 2020 (the Act).
This policy does not limit or exclude any of your rights under the Act. More information on the Act is available on the Privacy Commissioner’s website.
In short, here are a few key privacy messages.
- We only collect personal information where this is necessary to carry out our functions.
- We may collect personal information about you either directly from you or from other people or agencies, and we may generate personal information about you when we carry out our functions.
- We store all our data (including your personal information) on a secure Microsoft Azure cloud platform and we use Microsoft Office 365 applications. We protect our data with all reasonable technical and process controls.
- You can ask us for a copy of your personal information at any time.
- We will only use and share personal information where necessary to carry out the functions for which we collected it, or if required by law.
Personal Information
Effectively engaging with people and providing our services requires us to collect and use some personal information. However, we only collect the personal information that you choose to give us, that your employer has provided to us, or that we require to adequately identify you. You can opt out of our communications activities, such as receiving our newsletter, at any time.
We collect information about you from:
- you, when you provide personal information about yourself to us, including via our website and any related service, through any contact with us, or when you use our services or products
- third parties authorised by you to provide personal information or who provide publicly available information
- a third party where this is allowed by law
If possible, we will collect personal information directly from you.
The information we may collect when you engage with us includes:
- your name
- your contact details, including your region, email address or phone number
- the content of your enquiry
We collect the following information about your use of our website (though please note we make no efforts to associate this with your identity unless you have signed up to our website):
- your IP address
- the search terms you used
- the pages, resources, and files you accessed on our website and the links you clicked on
- the date and time you visited the site
- the referring site (if any) through which you clicked to our website
- your operating system (such as Windows 10)
- the type of web browser you use (such as Mozilla Firefox)
- the type of device used for browsing

This data is anonymized.
Third party providers
We use some third-party providers to manage some of our engagement processes and services, such as newsletters, events registration, live chat and e-learning. Where we do this, any personal information you provide (such as your email address) may also be collected and stored by this provider and you should also check their privacy statements when using those services. We take steps to ensure that any providers we use protect any personal information they process for us.
We use the following third-party providers.
- Google Analytics (by Google LLC) – to collect web analytics
- MailChimp (by Rocket Science Group) – to deliver our privacy newsletters.
- Mailgun (by Mailgun Technologies Inc.) – to send our system-generated emails.
- Gravity Forms (by Rocketgenius Inc.) – to collect information via the website
- Cornerstone (by Cornerstone OnDemand Inc.) – for recruitment purposes
Links to social networking services
We use social networking services such as Twitter, Facebook, YouTube and LinkedIn to communicate with the public about our work. When you communicate with us using these services, the social networking service may collect your personal information for its own purposes.
These services may track your use of our website on those pages where their links are displayed. If you are logged into those services (including Facebook and any Google service) while using our site, their tracking will be associated with your profile with them.
These services have their own privacy statements which are independent of ours. They do not have any access to the personal information we hold on our systems.
Storage, retention, and security
We use third party providers to store and process our data.
We store most of the personal information we collect and generate electronically on Microsoft Azure cloud servers located in Australia, Digital Ocean servers in Singapore and Amazon Web Services servers. We also use Microsoft Office 365 for our email and other office productivity applications. While your information may be stored overseas, we only use providers that have comparable privacy safeguards to New Zealand.
We retain personal information in compliance with the requirements of the Public Records Act 2005.
Security
We take all reasonable steps to ensure any personal information we collect is protected against loss, unauthorised access and disclosure or any other misuse, including meeting the requirements prescribed by the New Zealand Government for the secure handling, storage and disposal of any protectively marked or security classified information.
We take reasonable steps to ensure that our third-party data processors can meet our privacy and security requirements.
What we do with your personal information
How we use it
We will only use the personal information you provide to us for the purposes of delivering the services you have requested (such as registering you for an event or applying for funding) or carrying out our lawful functions.
We may use your personal information to:
- verify your identity
- contact you about your request, query, registration or possible research or evaluation related to a workshop or event you participated in
- send you electronic or hard copy newsletters, resources, or information you have requested
- consider and respond to your enquiry
- improve our website and the delivery of our online services
- conduct internal statistical analysis and meet our reporting requirements
- protect and/or enforce our legal rights and interests, including defending any claim.
When we share it
We do not generally share your personal information with third parties other than third parties which are providing services to us. However, we may share your personal information if necessary to appropriately respond to your enquiry. We may share your personal information with a third party where the disclosure is authorised by you.
We may share personal information if required by law (for example to assist with the investigation of a criminal offence), to prevent or lessen a serious threat to the health and safety of a person or the public, for statistical purposes where you will not be identified, or for any other lawful purpose under the Act. If our staff are threatened or abused, we may refer this to the Police.
Your privacy rights and how to contact us
The Act gives you rights to request access to and correction of the personal information we hold about you. You can take steps to control the ways we use your information (such as opting out of receiving newsletters). You can also complain to us at any time if you think we have misused your personal information.
Contact us to exercise any of these rights, including the right to complain about our privacy practices.
Contact us requesting access to or correction of your personal information
You have the right to request a copy of the personal information we hold about you (whether we have collected it from you directly or from a third party). You also have the right to ask us to correct your information if you think it is wrong.
We will process your request as soon as possible, and no later than 20 working days after we receive it.
We will be as open as we can with you, but please note that your right to request personal information may be limited if it breaches another person’s right to privacy or is subject to overriding national security legislation.
We may occasionally need to withhold personal information under sections 27-29 of the Privacy Act, for example where the information requested is legally privileged. However, we will only ever withhold information where necessary.
You may request a correction of personal information that you consider is inaccurate. Where the correction requested is not able to be made or we dispute the accuracy of the correction, we will make a note on your personal information.
Opting out of certain uses of your information
You can opt out of receiving our newsletter or being included on any other subscription list or news feed by following the unsubscribe link at the end of the email or contacting us.
When you visit the LinkPeople Limited website it will attempt to set cookies on your browser. A cookie is a text file that a website transfers to your browser to remember specific information about your visit or visits. Some of these cookies may remain on your computer after you close your browser. Some of these cookies are from organisations we use to monitor website usage.
LinkPeople Limited does not use cookies to collect personal information about you, only about your browser session. The cookies make it easier for you to use the dynamic features of certain website pages.
You can configure your internet browser not to store cookies and set your browser to ask for your permission before it accepts a cookie.
Privacy breaches
All staff receive relevant information privacy training to minimise the risk of a privacy breach.
Personal information is only used for the purposes LinkPeople Limited has declared it will be used for. If it is disclosed outside of the purpose, any potential impact on individuals affected is assessed once the incident is discovered. If the impact is likely to cause serious harm, our Privacy Officer is notified so that an internal investigation can be carried out and an action plan implemented.
If a breach of privacy occurs that is likely to cause affected individuals serious harm (guidance on this is available through the Privacy Commissioner’s Notify Us tool on their website), the Privacy Officer will notify the Privacy Commissioner and any affected individuals unless an exemption under the Act applies.
Complaining about our privacy practices
We want to know if you have concerns about our privacy practices, whether these relate to the way we collect or share information about you or our decision on your access request. This allows us to try and put things right for you and helps us to identify and fix any problems with our systems or processes.
In the first instance, let us know about your concerns and we will try our best to resolve them. This could include escalating your concerns to a senior staff member to ensure we have made the right decision and fully considered your concerns.
Contact us
If we cannot resolve your concerns, then you have the right to complain to the Privacy Commissioner about our actions. In the first instance, please email or write to us at the following address, marking it for the attention of the Privacy Officer.
Contact LinkPeople Limited Privacy Officer
Please contact the LinkPeople Privacy Officer by writing to LinkPeople, PO Box 307, Hamilton, or email info@linkpeople.co.nz
Changes to the Privacy Policy
We may change this policy by uploading a revised policy onto the website. The change will apply from the date that we upload the revised policy.
Privacy Policy Version
New policy published
September 2025
1. Purpose and scope
To clearly guide LinkPeople staff about privacy of information and obtaining and maintaining informed consent for our tenants and the people we support. This includes consent to engage with LinkPeople services, collect information, share information, what to do if there is a privacy breach and the role of the privacy officer.
This policy complements other LinkPeople and Wise Group core policies. It should also be considered and implemented alongside relevant LinkPeople Promapp processes.
2. Overview
This policy covers:
- guiding philosophy
- principles
- definitions
- policy
- privacy officer
- privacy and confidentiality
- consent
- sharing information
- uncertainty over informed choice and consent
- consent is an ongoing process
- withdrawal/partial withdrawal of consent
- personal information requests
- responding to a request
- assessing a privacy request
- request for information about deceased persons
- correction or deletion of personal information
- release of information without consent
- providing information to funders
- use of paper-based notes and files
- use of electronic files
- access to information and records
- security and storage of records
- use of people’s information in internal correspondence
- use of people’s information in external correspondence
- use of de-identified data for research
- responding to a privacy breach
- retention of information
- reference documents.
3. Guiding philosophy
At LinkPeople, we are guided by the belief “Ko ngā tāngata te mea nui o te ao” (People are the most important thing in the world) inspired by the whakataukī “Hutia te rito o te harakeke”.
We acknowledge Te Tiriti o Waitangi as a founding document of Aotearoa and recognise Māori as the indigenous people of the land.
Embracing kaitiakitanga, we act as guardians of our communities, ensuring sustainable stewardship for present and future generations. Our foundation is built on manaakitanga, fostering an environment of hospitality, care and respect. We strive to demonstrate rangatiratanga, exercising leadership that empowers and uplifts whānau and our communities while respecting their autonomy and self-determination. Guided by whanaungatanga, we embrace diversity, promote equity, and ensure inclusion in our mahi to foster strong, meaningful relationships and create a sense of belonging where everyone feels valued.
Our purpose is to support people into healthy homes with the connections they need to thrive.
4. Principles
LinkPeople respects and upholds the privacy and confidentiality of every person we work with, and their families and whānau.
Obtaining informed consent and ensuring people know their rights are essential concepts in the delivery of our services.
LinkPeople is committed to protecting people’s data and information.
5. Definitions
Informed consent is an ongoing process involving an individual person being appropriately informed, willing, and able to agree to what is being suggested without feeling pressured to do so. We obtain consent to protect an individual’s right to be an active partner in determining what support they will receive. Consent must be freely given by a person who has the capacity or is competent to give consent.
Competent is having the necessary ability, knowledge, or skill to do something successfully.
Personal information is information that does, or could, identify someone (like their name, date of birth, NHI, phone number and address), and other information about health, housing, income, and employment when attached to a person’s name. The fact that a person is accessing LinkPeople services is also personal information.
Non-personal information is information that does not and cannot identify a person (like the region they live in, gender or religion). Non-personal information should still be treated as sensitive information because it could identify a person when combined with other data.
A privacy breach is:
- an action that results in accidental or unauthorised:
  - access to personal information
  - disclosure of personal information
  - alteration of personal information
  - loss, or destruction of personal information; or
- an action that prevents the agency accessing the information on a temporary or permanent basis (systems down, accidental deletion that can’t be undone, etc.).
Interference with privacy occurs if (amongst other things) an organisation takes any action that breaches any of the privacy principles.
A notifiable privacy breach is a breach where it is reasonable to believe that it has, or is likely to, result in serious harm. Notifiable breaches require the Privacy Commissioner to be notified (with some specific information), as well as the affected individuals (again following specific rules). The rules around notification include public notification in certain circumstances. The Privacy Commissioner can issue compliance notices (directions to sort it out in some manner) to an organisation in relation to the personal information they hold on a range of things including those things that constitute an interference with privacy, a breach, or a notifiable breach.
Serious harm. Some information is more sensitive than others and therefore more likely to cause people serious harm. Examples of serious harm include physical harm or intimidation, family violence, psychological or emotional harm, and financial/credit fraud.
In addition to a privacy breach, the Act also covers when a person’s privacy is considered interfered with.
6. Policy
6.1. Privacy Officer
Every business in New Zealand must have a Privacy Officer; for LinkPeople this is our Chief Executive. The Privacy Officer plays a vital role in liaising with the Privacy Commission on LinkPeople’s behalf.
The role of the Privacy Officer is to:
- be familiar with the privacy principles in the Privacy Act 2020, Health Information Privacy Code (HIPC) 2020 and any amendments.
- work to make sure LinkPeople complies with the Privacy Act 2020, HIPC 2020, and any amendments.
- deal with any complaints from the people LinkPeople supports about possible breaches of privacy, as per LinkPeople policy and process.
- deal with and respond promptly to requests for access to personal information, or correction of personal information; and
- act as LinkPeople’s liaison with the office of the Privacy Commissioner.
All requests from people we support or staff about their personal or health information and responses to these requests need to be reviewed and/or approved by the Privacy Officer, or a person delegated by the Privacy Officer.
Any suspected breaches of the Privacy Act 2020 need to be notified to the Privacy Officer who will review or delegate the review of these to a Regional Manager. Any reporting to the Privacy Commission will be completed or delegated by the Privacy Officer.
6.2. Privacy and confidentiality
Staff must always protect the privacy of people in accordance with the Privacy Act 2020 and the HIPC 2020, which applies to health information.
LinkPeople will only collect a person’s identifying information if it is necessary. If we can achieve the same purpose without identifying information, then LinkPeople will avoid collecting it.
LinkPeople will always try to collect information directly from the person the information is about, however some information may be given to LinkPeople by the agency referring people to our services. It is the responsibility of the referring agency, or referring person to ensure they have consent and to document they have consent to share information with LinkPeople for the purpose of the referral. Once a referral is received and accepted by LinkPeople this allows LinkPeople to communicate, receive and share information with the referrer and relevant parties in order to assess the referral. Once a referral has been accepted into the service then consent must be reviewed and updated with the person receiving services. (see also 6.3 Consent)
LinkPeople will keep a person’s involvement with LinkPeople confidential, unless required to disclose involvement through the referral or consenting process, as part of funded services, or legally required to disclose to a statutory agency and/or where there are serious concerns regarding a person’s safety and wellbeing.
Staff shall not divulge private and confidential information about an individual person to people outside of work or to colleagues who are not involved with delivering services to that person. Note that this includes divulging information online and over social media.
Staff shall notify their line manager as soon as possible following a potential privacy breach, who will then advise them of the actions to take and will notify the LinkPeople Privacy Officer. (See also 6.16).
6.3. Consent
It is important for LinkPeople to explain the service and people’s rights to each person we support (see the Preserve people’s rights policy for more information).
LinkPeople shall obtain informed consent to receive services from LinkPeople from the person, and this will be documented on the Privacy and Consent form.
In addition, the Privacy and Consent form is where we discuss and document the person’s preferences and consent for collecting and sharing information after the referral period. A new Privacy and Consent form must be completed and signed before collecting information or starting to deliver LinkPeople services. A copy of the signed form must be offered to the person we support, and a copy filed on Recordbase.
Staff shall always obtain additional express consent before taking or publishing photographs of people we support. This includes using images online and on social media platforms. Consent forms for this can be accessed from the LinkPeople Senior Communications and Engagement Advisor.
Informed consent is an ongoing process, and not a one-off, so staff must review consent with a person as often as necessary to ensure it is up-to-date and the person’s rights continue to be upheld.
The Privacy and Consent form must be reviewed a minimum of every twelve months.
Sharing Information
Best practice is to always check first with the person we support before sharing any information, even if there is a signed consent form in place.
When this is not practical then staff must check the Privacy and Consent form to confirm who consent has been given for LinkPeople to share information with.
The Privacy Act 2020 and HIPC 2020 do allow for some sharing of information between services for the purpose of providing care and support, however, there must be a clear purpose and reason for sharing and if there is not then it is not okay to share.
Uncertainty over informed choice and consent
LinkPeople believes that informed consent requires that a person:
- has received written and verbal information and is provided with opportunities to check their understanding of that information.
- absorbs and understands the information and can recall it later.
- understands the significance of making the choice or decision, for themselves and others.
- can communicate their understanding of the situation, the information given to them and reach a decision as a result.
- has considered the outcomes or consequences of the decision, in the context of the culture, values and beliefs of the person using LinkPeople’s services.
LinkPeople acknowledges that there may be times when it is not possible to ensure that informed choices are being made, or that the person using our services is giving informed consent because of:
- the mental health state of the person using our services (for example, the presence of active symptoms which may impede the ability to give informed consent)
- physical health issues
- cognitive impairment (for example, head injury, learning disability)
- the effects of intoxication or withdrawal from alcohol or other drugs
- emergency situations and serious safety concerns that do not allow a comprehensive information giving and consent process.
Where there are concerns about a person’s ability to give informed consent, these will be escalated to a manager immediately.
When informed choice and/or informed consent cannot be assumed to have occurred, LinkPeople will:
- attempt to inform the person using LinkPeople services about what is happening and why, in a way that increases the likelihood of the person using LinkPeople services, and/or their family/whānau understanding the events or actions taking place.
- inform the relevant line manager.
- make a plan to revisit informed choice and informed consent with the person using LinkPeople services, and/or their family/whānau at a later time. This will cover the events, actions and decisions made, so that information can be understood, and the implications considered.
- document in the person’s Recordbase file:
  - the ways in which staff attempted to give the person using our services and family/whānau all possible information relating to treatment options and support services available.
  - the actual information that was provided to the person using LinkPeople services, and family/whānau.
  - why staff have concerns about the ability of the person using LinkPeople services to make informed choices or give informed consent at the time.
Consent is an ongoing process
LinkPeople staff will ensure that whenever there is a change in circumstance, consent is re-evaluated in collaboration and agreement with the person.
LinkPeople acknowledges that it is not possible to get consent every time information is shared about a person we support but will review the written consents it holds (Privacy and Consent forms) regularly, and no less than every twelve months.
Withdrawal/partial withdrawal of consent
A person using LinkPeople services may withdraw their consent at any time, either verbally or in writing.
A person may withdraw consent to engagement with LinkPeople services or may withdraw consent for LinkPeople to share information with third parties.
Where the person withdraws consent to engage with our services, LinkPeople staff will work with the person to understand their reasoning as far as possible and will always maintain the person’s best interests. LinkPeople will also clearly document the withdrawal of consent in Recordbase, with the extent of withdrawal and reasons clearly detailed.
Where the person withdraws consent to share information with third parties, LinkPeople staff will work with the person to ascertain their specific concerns and address these on a case-by-case basis, with input from a line manager. In these situations, LinkPeople will also need to establish whether it is viable to continue to engage with a person in the absence of consent to share their information. This decision will be made on a case-by-case basis.
LinkPeople understands there are situations that require information sharing, even when a person has withdrawn consent to share their information.
6.4. Personal information requests
Any person can request a copy of the personal information LinkPeople holds about them.
A personal information request can be in any form, written or verbal, and does not need to mention the Privacy Act 2020.
Generally, requests should be made in writing to the Privacy Officer, so that a formal record can be retained, and the request responded to formally and within the timeframes specified by the Privacy Act 2020.
If a person we support verbally asks to see their personal information, LinkPeople staff have an obligation to support them with that request, including submitting the request to the Privacy Officer in writing.
Responding to the request
All personal information requests must be formally responded to within 20 working days of the written request, and ideally the response will be to facilitate access to the information. The requested information should be made available as soon as reasonably practical, and no longer than 20 working days from the date of the original request, unless there is a reason to not disclose as outlined in this policy or under the law. If there is a reason the information cannot be provided within 20 working days, the timeframe may be extended to a maximum of another 20 days; however, the person must be informed in writing as to why there has been an extension and when the information will be provided to the person.
Assessing the privacy request
The Privacy Officer will assign responsibility to the Regional Manager or Team Leader to assess the request and undertake the following prior to releasing any information:
- Consider Principle 6 – Access to personal information in the Privacy Act 2020 and also the principles of the HIPC.
- Verify the person requesting the information is who they say they are.
- Confirm the scope of the request.
- Consider whether any part of the request should be transferred to another agency.
- Check if there is any personal information about another person we support, a relative or a LinkPeople employee that needs to be protected.
- Check if there is any clinical or evaluative information that needs to be considered.
- Consider whether the information should be shared in a specific way and whether any support is required.
- Consider any safety concerns or risks.
Generally, LinkPeople will release the information they hold about a person, unless the release of that information may involve an unwarranted breach of someone else’s privacy or pose a serious threat to someone’s safety.
Once the review has been completed and the information is ready to be released, it is important to ensure the information is kept safe until handed over to the person; this includes any paper copies.
6.5. Requests for information about deceased persons
When a person supported by LinkPeople has passed away, we may receive requests from relatives or others to see the person’s file.
The Privacy Act 2020 generally does not apply to personal information about a deceased person. However, if it is health information about a deceased person, the HIPC 2020 applies. As an agency contracted to provide health services, all the information we hold about the people we support is considered health information (HIPC 4(1) and (2)).
The HIPC 2020 allows release of health information to a deceased person’s personal representative, or a person authorised by the deceased person’s personal representative (HIPC rule 11 1(a)(ii) and 2(a)(ii)).
Who is entitled to act as the deceased person’s personal representative?
If there is a valid will
The personal representative is the executor of the person’s will. Before providing information to a person’s executor, LinkPeople staff must sight a copy of the will naming the executor.
If there is no will
If the person died intestate (without a will) the personal representative must be appointed by the courts as an administrator. Generally, the closest ‘next of kin’ will be appointed, but this is not always the case. Before providing information to a person’s administrator, LinkPeople staff must sight and record a copy of the administration certificate issued by the courts naming the administrator.
If there is no personal representative
If the person’s estate is of low value, there may not be a personal representative as it is not required for the purposes of administering the estate. If this is the case, consider whether the information can be disclosed to another individual for one of the following reasons:
- Did the deceased authorise the information to be provided to the individual requesting the information?
- Would the disclosure of the information to the individual requesting the information be one of the purposes for which the information was obtained or directly related to one of the purposes in connection with which it was obtained?
- Is the information to be disclosed by a health care practitioner[1] to:
  - a person nominated by the deceased, or
  - to a caregiver, or
  - to a near relative of the deceased, and
  - in accordance with recognised professional practice, and
  - the disclosure is not contrary to the express request of the deceased?
Releasing the deceased’s information may help grieving whānau and close friends to understand what happened and come to terms with the death. Before releasing information to a person who is not the deceased person’s personal representative, LinkPeople staff must check that a personal representative does not exist. Other things to consider include:
- Who else was close to the deceased – this may be the person’s ‘next of kin’ or it may be some other person who held a particular role of trust with the person – and seek their perspective on the release of the information while being careful not to breach any privacy.
- What information has been requested and whether it would be appropriate to release only a part of the information.
Responding to a request for a deceased person’s information
Upon request from a deceased person’s personal representative, or a person authorised by the personal representative (or another individual for one of the reasons as outlined above), LinkPeople staff may provide information about a deceased person previously supported by LinkPeople. Before providing the information, staff must:
- confirm the identity of the person requesting the information and record evidence that the person is either:
  - The personal representative or a person approved by the personal representative to request the information, or
  - An individual to whom information can be released for one of the reasons outlined above (where no personal representative exists).
- consult their Regional Manager who will seek direction from the Privacy Officer. The Privacy Officer will make the final decision about whether to release the information requested.
Other things to consider in deciding whether to release the information include:
- Even when the legal representative consents to release of the deceased’s health information, consider whether there is any information that the deceased didn’t want, or you feel wouldn’t have wanted, disclosed. If you choose not to disclose certain information, you should advise the requestor that some information has been withheld and the general reasons for this.
- Consider the reason the person is requesting the information, including whether the person may wish to make a complaint about the care LinkPeople provided to the person.
- Consider whether it would be helpful to offer to meet with the person requesting the information to go through the notes with them and answer any questions they might have.
- Consider whether the disclosure would involve the unwarranted disclosure of information about another individual or of the deceased.
- Consider whether any other reasons exist to not disclose the information.
6.6. Correction or deletion of personal information
People we support have the right to request that information held about them is correct and, if it is not, they have the right to request that the information be deleted or changed.
All requests for changes should be made in writing to the Privacy Officer in accordance with 6.4 outlining the change required and the reason for the change request.
Such requests will be completed within the time limits specified above in 6.4.
The Privacy Officer will assess the request and make a final decision on the outcome, which may include a change to the person’s file, deletion of information or the addition of a note as to the request and the grounds on which it has been declined.
6.7. Release of information without consent
There are several pieces of legislation including but not limited to the Privacy Act 2020[2], the Family Violence Act 2018[3] and the Oranga Tamariki Act 1989[4] that allow, in some circumstances, for information to be shared without consent. For more information, please refer to the LinkPeople Abuse exploitation and neglect policy or talk with your line manager or the Privacy Officer.
Where staff are considering releasing information without consent, they should consult with their line manager and the LinkPeople Privacy Officer who will make the final decision prior to sharing any information.
6.8. Providing information to funders
LinkPeople is funded by various government agencies to provide our services. Under these contracts we are required to share information identifying the people we work with to our funders, for the purposes of reporting.
This information is shared via secure data transfer systems, on the basis that there is a clear purpose for the funder receiving the information, and that they will adequately protect it.
During the consent process we must be clear with people we support that their information will be shared with funders, so that we can deliver our services.
6.9. Use of paper-based notes and files
LinkPeople will appropriately and securely manage and dispose of documents and records containing personal information. We will not keep paper files or notes containing an individual person’s information beyond that which is necessary to transcribe or scan these into a client management system, or other secure system.
LinkPeople shall take extreme care when taking paper files or notes off-site and not do this unless necessary. In addition, staff should only print information containing identifiable information when necessary. Staff should print to a secure printer controlled by swipe card or pin number and not leave printing in the view of other staff.
6.10. Use of electronic files
LinkPeople, as part of the Wise Group, uses multifactor authorisation for staff to access its computer systems.
LinkPeople uses a client management system called Recordbase for our electronic client recordkeeping. Recordbase is password protected and only approved employees have access.
Occasionally it may be appropriate to keep a person’s file private so that only certain LinkPeople staff can access it (for example, where a person is a former or current staff member or a relative of a current employee). In these situations, care needs to be taken to balance this increased privacy with the person’s safety.
If a person’s file needs to be locked down, LinkPeople will have clear, documented justification and the regional management will approve the arrangement. The person concerned must also be made aware that certain people will still have access (normally the key worker, their line manager, a person with clinical oversight, the database administrator, and the LinkPeople Privacy Officer), and why.
6.11. Access to information and records
All staff (in frontline, leadership, and national office roles) should have direct access to the paper and electronic files that they require to carry out their work.
Managers will decide which records individual staff will have access to according to their role and the services they are involved in delivering or supporting.
Staff must not view any client file without a work-related reason to do so.
Staff must disclose to their team leader if they know or are related to someone accessing LinkPeople services.
6.12. Security and storage of records
All records should be stored electronically, and all paper versions appropriately and responsibly disposed of.
Wise Group IS systems are secure and can only be accessed with the appropriate permissions and by individual log-in. These layers of protection ensure data is only accessed and used where there is a legitimate reason to do so.
6.13. Use of people’s information in internal correspondence
When sending a person’s information to one another internally it is not necessary to remove identifiers from the information; however, it is important to ensure you only send the information that is required to the person/people who require it. Do not unnecessarily copy other staff members into emails who do not need to be made aware of the information within it.
LinkPeople staff will double check email addresses are correct prior to sending any information. This includes when a person’s information is to be scanned and emailed to other staff members.
6.14. Use of people’s information in external correspondence
LinkPeople staff are often required to send information outside of the organisation. When sending people’s information externally, all identifiers must be removed wherever possible. This may include but is not limited to:
- name
- address
- date of birth
- WINZ number
It is permissible to identify a person in an email to people directly involved in the provision of services to a person such as a Community Mental Health Nurse or Work and Income. However, in order to maintain privacy, it is recommended to keep any identifying information brief, for example ‘Rachel S’ rather than a full name. Staff who are unsure should consult with their line manager.
Excel spreadsheets that contain bulk data should not be shared without first being password protected.
6.15. Use of de-identified data for research
LinkPeople and the Wise Group may use people’s information for reporting, research, and service improvement purposes. In this instance, all personal information will be de-identified and aggregated with that of others. It will never be published in a form that identifies any individual. LinkPeople staff will ensure people are made aware of this and it will be clearly stated on the LinkPeople Privacy and Consent form.
6.16. Responding to a Privacy breach
If you become aware of any situation where you think someone’s privacy may have been breached or interfered with, even if you aren’t sure, you need to talk it over with your team leader as soon as possible. This will help minimise any harm caused to the affected people and the organisation.
Every privacy breach has a different level of risk and impact. This is why it is important that you discuss with your team leader or regional manager to evaluate and determine the best way to respond to the breach and who needs to be notified.
At LinkPeople it is our policy that all actual or potential privacy breaches or instances of interference with a person’s privacy are reported to the Privacy Officer.
If a privacy breach has occurred, and it is reasonable to believe it has caused or is likely to cause serious harm, LinkPeople will:
- notify the affected person/people as soon as possible after becoming aware of the breach.
- notify the Office of the Privacy Commissioner within 72 hours of becoming aware of the breach.
Questions to consider when deciding whether to notify the Office of the Privacy Commissioner are:
- How sensitive is the information?
- What have we done to reduce the harm of this privacy breach?
- Have we contained the privacy breach?
- Who has obtained or may obtain the personal information as a result of the breach (if known)?
If there is any uncertainty in answering these questions, LinkPeople should notify the Office of the Privacy Commissioner.
Use the online tool https://privacy.org.nz/privacy-for-agencies/privacy-breaches/notify-us/ to assess whether a breach needs to be reported.
The Privacy Officer will review what actions have been taken and the likelihood of harm arising and will recommend additional actions to be taken if required. The Privacy Officer will make the decision as to notifying the Privacy Commissioner and any affected individuals if required.
6.17. Retention of information
LinkPeople adheres to the following principles regarding the retention of information:
- Only retain data when there is a legitimate reason to.
- Only use data when there is a legitimate reason to.
- Once there is no longer a legitimate reason to hold the data, the data is deleted.
Legitimate reasons to retain data differ depending on the data being collected and retained, so the timeframes for retention will also differ, for example:
- Financial records must be retained for a minimum of seven years as per IRD requirements. https://www.ird.govt.nz/managing-my-tax/record-keeping.
- Staff/employee personnel files must be retained for a minimum of six years and payroll records a minimum of seven years post the termination of an individual’s employment. https://www.business.govt.nz/hiring-and-managing/managing-people-day-to-day/what-do-ineed-to-do-when-record-keeping/
- Customer records such as website sign ups, enquiries, newsletters, workshop registrations etc. should be kept either:
  - only for the purpose it was collected e.g. workshop registration must be archived post workshop attendance/evaluation completion.
  - whilst the person is a customer for long-term customers e.g. CRM, Marcomms list. When a customer terminates a relationship, customer records should be returned to the customer.
  - until the person unsubscribes to newsletters, marcomms etc. (an unsubscribe option must be included on all electronic correspondence)
- People we support (patient) records – The Health (Retention of Health Information) Regulations 1996 say that health agencies must keep any health records they hold for a patient for 10 years from the last time they provided services to that patient.
This is a minimum retention period; there is no defined maximum retention period. Given the vulnerability of the people we support, recent Royal Commissions of inquiry into abuse in state care including Lake Alice, and the electronic security safeguards of Recordbase, it is recommended that we securely archive and retain electronic records indefinitely.
7. Reference documents
External
- Privacy Act 2020
- Health Information Privacy Code 2020
- Family Violence Act 2018
- Oranga Tamariki Act 1989
- Data Protection and Use Policy 2019
- Health (Retention of Health Information) Regulations 1996
- Poster: ‘The 12 principles of the Privacy Act’
Internal
- LinkPeople Complaints policy
- LinkPeople Preserving People’s Rights policy
- LinkPeople Abuse, Exploitation, and Neglect policy
- LinkPeople ‘Addressing Concerns’ brochure
- Privacy Breach Guidance for all LinkPeople staff May 2023
- LinkPeople (and relevant Wise Group) Promapp processes:
  - LP – Privacy and Consent
  - LP – Responding to a personal information request
  - WG – Privacy Breach
Please talk with your manager if you have any questions about this policy.
[1] Registered Occupational Therapist, Nurse or Social Worker
[2] Information Privacy principle 11 (e) i-iv.
[3] Part 2 – Information sharing.
[4] Sections 66A and 66C.
To help improve services and learn what works best, data about you and the services you receive from LinkPeople may be shared with Stats NZ’s Integrated Data Infrastructure (IDI). This data will be de-identified (meaning your personal information will be removed) and linked with other datasets for research purposes. You will not be identifiable in any research or evaluation reports.
The goal of this is to improve outcomes for New Zealanders by understanding which services work, when, for whom, and at what cost.
The data we provide to the IDI
- Unique identifiers (e.g., NSN, NHI, SWN) for matching purposes only
- Personal information (e.g., name, date of birth, gender) for matching purposes (only if no unique identifier is available)
- Service start and end dates (when you began and finished receiving services)
- Housing start and end dates
- Service interaction details:
  - Date and time of interaction
  - Type of activity
  - Channel of activity (e.g., in person, by phone, online)
How we protect your data
All data shared with the IDI is strictly protected. The IDI uses strict rules and security measures to keep your information safe and confidential. The data is used only in a way that aggregates information at a group level—meaning your personal information is never monitored or tracked individually. For more information on how the IDI protects your data, visit Integrated Data Infrastructure | Stats NZ and Your information in the IDI | Stats NZ.
You have the right to request a copy of the information about you that we have provided to the IDI. If you believe that any of the data is incorrect, you can ask for it to be corrected.
To request access to your data or make corrections, please contact the LinkPeople Privacy Officer by writing to LinkPeople, PO Box 307, Hamilton, or email info@linkpeople.co.nz