Ghella Abergeldie Joint Venture (GAJV) provides the complex infrastructure needed to build the Central Interceptor. GAJV, also referred to as ‘Agency’ in this policy, collects, uses, stores, and potentially discloses personal information of any concerned individual in the workplace such as employees, applicants for employment, contractors, subcontractors, suppliers, client and visitors.
1. AGENCY RESPONSIBILITIES
GAJV will abide by its obligations under the Privacy Act 2020 (‘Act’) which includes responsibility for:
● Informing individuals concerned how GAJV will handle their personal information and for what purposes;
● Collecting personal information from the individual concerned only for a lawful purpose connected with
a function or an activity of the GAJV when the collection of the information is necessary for that purpose;
● Not using or disclosing personal information without taking any steps that are, in the circumstances,
reasonable to ensure that the information is accurate, up-to-date, complete, relevant and not
● Keeping personal information safe and secure from loss and/or unauthorised access, use, modification,
● Investigating potential interferences with or breaches of privacy rights; and
● Notifying the Privacy Commissioner and affected individuals as soon as practicable after becoming aware
of the occurrence of a notifiable privacy breach.
2. INDIVIDUAL RESPONSIBILITIES
Individuals are responsible for:
● Disclosing all relevant personal information about them as requested by the GAJV in line with the privacy
principles listed under the Act;
● Providing GAJV with up-to-date contact information;
● Ensuring the privacy of other employees, customers, clients, agents, contractors or any other person or
entity that has dealings with GAJV is protected and not breached;
● Immediately notifying GAJV of any involvement in or knowledge of any actual or potential interferences
with or breaches of privacy rights.
● Complying with all other obligations set out in this and related policies, and the employment agreement.
3. PROCESS REGARDING COLLECTION, USE, DISCLOSURE AND STORAGE OF INFORMATION
3.1 COLLECTION OF PERSONAL INFORMATION
1. GAJV will only collect personal information for lawful purpose/s in connection with the functions or activities related to the business and as far as is necessary for such purpose/s.
2. GAJV will collect personal information directly from the individual, and it will take reasonable steps to ensure that the individual is informed about the fact of the collection, its purpose, the intended recipients of the collected information, the agencies collecting/holding/using the personal information, the individual’s rights and/or any other relevant matters.
3.2 USE OF PERSONAL INFORMATION
1. GAJV may use collected personal information only for the purpose/s the information has been collected for or any other purposes authorised by the individual concerned.
2. However, GAJV may use the information for other purposes if it believes on reasonable grounds that the use of the information does not identify the individual concerned or is publicly available; or is necessary to avoid prejudice to the maintenance of the law by any public sector agency; or is necessary to prevent or lessen a serious threat to public health or public safety, or the life or health of the individual concerned or another individual; or in any other circumstances allowed by the Act or any other relevant law.
3. GAJV may use personal information from and/or about employees for any purpose that is directly or indirectly related to the employee’s employment unless agreed otherwise. This is inclusive of, without limitation, to verify an individual’s identity; to undertake employment checks in relation to an individual; to conduct any employment-related processes; and any other purposes authorised by the individual and/or the legislation.
4. GAJV will take reasonable steps to ensure that the used personal information is accurate, current,
complete, and not misleading.
3.3 DISCLOSURE OF PERSONAL INFORMATION
1. GAJV will not disclose personal information to any other person and/or agency, unless such disclosure accords with the purpose it has been collected for (or is directly related to such purpose), or the disclosure is authorised by the individual concerned or the information is publicly available, or the individual is not identified by the disclosure.
2. However, GAJV may also disclose the information if it is reasonable to believe that the disclosure is necessary for the purpose of facilitating the sale or other disposition of a business; or avoiding
prejudice to the maintenance of the law by any public sector agency or for the enforcement of a law that imposes a pecuniary penalty, or for the conduct of proceedings before any court or tribunal, or for enabling an intelligence and security agency to perform any of its functions, or for protecting of public revenue; or preventing or lessening a serious threat to public health or public
safety or the life or health of the individual concerned or another individual.
3. Where the disclosure of personal information is being made to a foreign person or entity, GAJV will
carry out necessary due diligence to ensure that it has reasonable grounds to believe that the foreign person or entity meets the criteria that any disclosure of personal information outside of New Zealand will be subject to privacy safeguards that are comparable to those under the Act.
4. GAJV will take reasonable steps to ensure that the disclosed personal information is accurate,
current, complete, and not misleading.
3.4 PROTECTING AND HOLDING PERSONAL INFORMATION
1. GAJV will take reasonable steps to protect personal information from loss, unauthorised access, use and/or disclosure, or any other misuse.
2. GAJV will not retain personal information for longer than is required for the purposes for which the
information has been collected or may be used. In general, however, personnel files will be kept for at least six (6) years (after the ending of the relationship) before it will be safely destroyed.
3. Personal information related to applications for employment with GAJV may be kept for up to one (1) year before it will be destroyed unless otherwise agreed between the parties to retain the information for an extended duration.
3.5 ACCESSING AND CORRECTING PERSONAL INFORMATION
1. Workplace participants and other individuals are entitled to request confirmation from GAJV
whether it holds personal information about them, and they may also request access to and/or correction of their personal information and GAJV will provide reasonable assistance.
2. Requests should be made in writing (email suffices) to the GAJV’s Privacy Officer and should provide evidence of the identity and authority of the requesting person, and details of the request (for example, any specific information that is requested to be accessed and/or provided).
3. GAJV may on a case-by-case basis charge reasonable costs to the requesting individual in relation to the provision of requested personal information, or a correction thereof, or
any assistance in the above respects. GAJV may request the payment of any such costs in advance of processing an individual’s request.
4. If GAJV does not hold the requested information, but believes that another agency holds the requested information, GAJV will ‘transfer’ the request to the other agency within ten (10) working
days after the day it receives the request, unless it has good reasons to believe that the individual does not wish the request to be transferred to such other agency. In either case, GAJV will inform the requesting individual.
5. Except for the event of a transfer, GAJV will respond to a request under this clause within twenty (20) working days after the day it receives the request.
6. With regard to a request for access to personal information, GAJV may refuse access to personal information in accordance with the Act, for example, where a refusal is necessary for the protection of an individual’s health or safety, or where the information is evaluative material or a trade secret.
3.6 NO PRIVACY EXPECTATIONS ABOUT USE OF COMPANY EQUIPMENT
1. GAJV may collect, use and disclose any personal information that has been stored on, or received/sent by any equipment that has been provided to employees, for any employment-related
purpose, or any other purpose related to the protection of GAJV’s legal rights and interests.
2. GAJV provided equipment includes, without limitation, telephones, computers/ laptops, tablets,
other devices, swipe cards, company vehicles, GPS trackers and data, work-email accounts, workphone data, etc. Any information held on such equipment and related data is generally not subject
to an employee’s privacy rights.
3.7 COMPLAINTS PROCESS AND INTERNAL REPORTING OF CONCERNS
1. Workplace participants must immediately inform GAJV’s Privacy Officer, of any involvement in or
knowledge of any (actual or potential) concerns with an individual’s privacy rights, so that GAJV can take steps to investigate, mitigate, and/or resolve such concerns or interferences.
2. Workplace participants are also strongly encouraged to raise any complaint in relation to an interference or breach of their own privacy rights with GAJV’s Privacy Officer. All workplace participants are entitled to seek independent advice and/or complain. More information on this
3. If it is not possible or practicable for workplace participants to inform the GAJV’s Privacy Officer, they must inform their manager or a member of Senior Leadership Team, if necessary.
4. The information provided to GAJV/its Privacy Officer should include all relevant details, i.e. what and when it happened, and who was involved (witnesses, etc.). GAJV may require such information to be provided in writing, and unless the protections of the Protected Disclosures Act 2000 may
apply, the informing itself and the provided information are not subject to confidentiality.
3.8 BREACH RESPONSE PROCESS AND NOTIFICATION
Upon receipt of a privacy-related concern, interference or complaint, GAJV will liaise with the relevant parties to investigate the matter in order to ascertain whether such concern, interference or complaint may be substantiated, and whether any further steps may be warranted.
1. GAJV may be required to notify the Privacy Commission and any affected individuals, and potentially the public, of particular privacy breaches (‘notifiable privacy breaches’).
2. A privacy breach that needs to be notified is any unauthorised or accidental access to, disclosure,
alteration, loss or destruction of personal information, or an action that prevents GAJV from accessing the information, which has caused or is likely to cause ‘serious harm’ to affected
3. In order to assess whether or not such privacy breach may have occurred, and whether the GAJV’s obligation to notify the Privacy Commission and any affected individuals is triggered, workplace participants must immediately inform the Privacy Officer. Failure of an employee to notify GAJV of any involvement in or knowledge of an actual or potential privacy breach, may constitute serious misconduct and may potentially result in disciplinary action up to and including termination of employment.
4. The assessment of whether a privacy breach may be notifiable rests exclusively with GAJV who will
consider the following factors as part of its assessment:
o Whether any action has been taken to reduce the risk of harm following the breach;
o Whether the personal information is sensitive in nature;
o The nature of the harm, if any, that may be caused to affected individuals;
o The entity that has obtained or may obtain information as a result of the breach (if known);
o Whether the personal information is protected by a security measure; and
o Any other relevant matter.
5. GAJV will notify the Privacy Commission as soon as practicable once aware of a breach.
6. GAJV will notify affected individuals as soon as practicable after being aware of a notifiable breach, unless it can decide not to notify or delay notification due to a belief that notification would likely:
o Endanger the safety of any person; or
o Prejudice the security or defence of New Zealand or the international relations of the Government of New Zealand; or
o Prejudice the maintenance of the law by any public sector agency, including the prevention, investigation, and detection of offences, and the right to a fair trial; or
o Reveal a trade secret.
3.9 PRIVACY OFFICER FUNCTIONS
7. GAJV has a Privacy Officers to assist with its obligations and functions under the Act.
8. The functions of the Privacy Officers are delegated to the incumbent of the positions of Human Resources Manager and Contract Specialist. GAJV may, at its sole discretion, delegate the functions
of the Privacy Officer to one or more other individuals within the company, or any external provider.
9. Requests for access to personal information, or correction thereof, or any complaints in respect of privacy matters, or information and/or concerns regarding actual or potential interferences with or breaches of privacy rights must be made to the Privacy Officers: email@example.com. Should this not be possible or practicable, requests/complaints should be made to the Human Resources
3.10 FURTHER INFORMATION
● Privacy Act 2020: http://www.legislation.govt.nz...
● Privacy Commissioner: https://www.privacy.org.nz/the...
This policy is communicated to our employees as part of our onboarding process and it is reviewed annually
during management system reviews.
This policy statement applies to all Central Interceptor workplaces and will be regularly reviewed in light of
development, including changes to legislation, our understanding of best practice and the organisational
structure of the GAJV team.
Issue Date: 01/12/2020