Privacy Policy

Purpose

This Privacy Policy explains the terms under which personal data is shared with Habitat for Humanity NZ, how that data is used and your rights with respect to understanding and modifying how it will be collected and used.

 

Rationale/issues

The European Union has enacted the General Data Protection Regulations (GDPR) and these have been adopted by HFHI, who has required their adoption by Area Offices and National Offices, for application to personal data collected in relation to the Global Village programme.

The NZ Privacy Act 1993 has been repealed and replaced with the Privacy Act 2020. This brings it into closer alignment with GDPR provisions.

GDPR provisions are considered to be a proxy for Best Practice in the field of Privacy provisions.

This Policy has been formulated to be fully compliant with the requirements of the NZ Privacy Act 2020 for all programmes and concurrently fully compliant with GDPR for the Global Village programme and almost fully compliant for Habitat NZ’s other programmes with exceptions as specifically identified. This has been done to simplify electronic systems and reduce complexity of operating two systems, one for NZ operations and one for Global Village.

This policy has been written in plain English, Question and Answer format so as to be easily understood by the Data Processors (usually Habitat staff) and the Data Subjects (individuals who already have or may provide personal data to Habitat).

Definitions

Habitat: Means Habitat for Humanity New Zealand Limited and each of its Affiliates.

Personal Data: Includes any information or image that relates directly to, and can be identified as being associated, either directly or indirectly with a named individual person.

Sensitive Personal Data: Includes health, dietary, medication, biometric, religious associated, sexual identification, political viewpoints or affiliation information in relation to a named individual person.

Privacy Breach: A Privacy Breach occurs when personal information is accessed, disclosed, altered or destroyed in an unauthorised manner or where personal information is lost or becomes unavailable because of some sort of action.

Notifiable Privacy Breach: Where a Privacy Breach occurs in such a manner that it could have a serious impact on any affected individual or business. In such a case, there is a mandatory requirement to notify the Privacy Commissioner.

Urgent Disclosures: A provision under the Privacy Act 2020 that allows cross-border disclosure of personal information when it is necessary to maintain public health or safety, to prevent a serious threat to life or health or for the maintenance of the law.

 

Guidelines / Policy statements

(a) How does this Privacy Policy apply to you?

This Privacy Policy applies to the personal data you provide to Habitat, including but not limited to, when you:

– Make a donation

– Register for an event

– Sign up for a Newsletter

– Otherwise provide information via the Habitat website or via phone, email, social media, texting, mobile applications, at a special event, face-to-face or in response to a solicitation

We will only collect personal data that we have a need to know in order acknowledge or process a donation or make the necessary arrangements to satisfy your enquiry and/or participation in a Habitat event.

Before we request your personal data, we will advise you what the data is being collected for, how it will be used and ask you to confirm your agreement to these conditions by indicating in the “Tick box” or by signing a statement as appropriate.

You may give Full Consent or Limited Consent. Full Consent enables Habitat to use the data for all the stated purposes and can keep you updated with progress reports, Habitat news and new opportunities. Limited Consent restricts the use of the data to only the primary purpose it was collected for and the data will be deleted after the primary purpose has been completed and there is no remaining functional and legitimate reason for retention of the data.

(b) Why do we hold and process personal data?

Habitat may request from you, or you may volunteer to provide, your contact information, including your name, mailing address, phone number(s), social media handles and email address(es). We hold and process supporters’ personal data for a number of reasons including:

– To keep a record of donations made and actions taken by our supporters and our communications with them

– To comply with any statutory obligations

– To send our supporters marketing information about our projects, fundraising activities and appeals where we have consent or are otherwise permitted to do so

– To fulfil contractual obligations entered into with supporters

– To support volunteers , such as during build or fundraising events

– To support community-based fundraising and campaigning

– To ensure we do not send unwanted information to supporters or members of the public who have informed us they do not wish to be contacted

– To manage supporters’ accounts and provide customer service

– To offer sweepstakes, contests, giveaways or other promotions

– To enforce the website terms of service

– To perform other functions as described at the time Habitat for Humanity collects the information

– To allow urgent disclosures to be made

If you make a donation or otherwise provide us with your information, Habitat for Humanity may contact you from time to time about opportunities to make additional donations or to provide you with information about upcoming programmes.

(c) When will we send you personalized marketing communications?

Habitat may contact you for marketing purposes eg to keep you up to date on our work or to let you know how you can support that work, only where we have your consent or we are otherwise allowed to do so because of your prior engagement with Habitat, as explained further below (see (c) 5“Our reliance on your prior support”)

We will make it easy for you to tell us if you would like to receive marketing communications from us and hear more about our work, and the ways in which you would like to receive this information. We will not send you marketing material if you tell us that you do not wish to receive it. Instructions for how to do so are below (see (j) “How to control what we send you or update your personal information”)

Duration: In respect of the Global Village programme only, where you give us consent to send marketing information, Habitat will presume that your full consent will last for 24 months unless you have chosen the limited consent option. After this time, in order for us to update you, Habitat will seek your refreshed consent. You can update or withdraw your consent at any time. If you have chosen limited consent, your data will be deleted as soon as it is no longer needed.

Habitat will presume a longer period of consent in several situations:

– Where you have committed to making a regular donation. In this situation, unless you withdraw your consent, we will treat consent as ongoing unless you cancel your donation, at which point your consent will be assumed to expire 24 months after the date of your last donation.

– Where you have notified us that you will be leaving a legacy to Habitat.

– Where your name is associated with any financial transactions, that information is required by statute to be retained within our accounting system for 7 years.

– Where your name is associated with any Health and Safety incident, that information is required by statute to be retained within our systems for 10 years

– Our reliance on your prior support: You may also receive marketing material from Habitat if you have previously made a donation to Habitat or agreed to receive newsletters. However, we will not rely on your prior consent if you have opted out of receiving emails, newsletters or other marketing material in your communications with Habitat.

(d) How and when do we obtain information about you?

Habitat may obtain your personal data in the following circumstances:

– When you give it to Habitat when you make a donation, payment, sign up for one of our events or when you make an application for one of the housing programmes we offer.

– When you give it to Habitat indirectly. Sometimes your personal data is collected by an organisation acting on Habitat’s behalf such as a professional fundraising agency. In such cases, the agency is working on our behalf and we are the “data controller” responsible for security and proper processing of your data.

– When you access Habitat’s sponsored social media sites including Facebook, WhatsApp, Twitter or LinkdIn you make personal data available depending upon your settings or the privacy policies of these social media and messaging services.

– When information is publicly available such as in a newspaper or other media coverage and open postings on social media sites. Habitat will not seek such publicly available information on an ongoing basis without consent.

– When we use cookies. Cookies are used to help you interact with our Website and they help us understand the effectiveness of our communications strategies. You can manage the use of cookies in respect of your computer. For more information on cookies, visit www.aboutcookies.com

The Habitat website may contain hyperlinks to websites owned by other organisations. These third-party websites have their own policies on privacy and cookies. Habitat cannot accept responsibility for the privacy practices of such third-party websites.

If you are a child or young person, Habitat will consider the way it collects your personal information to ensure our actions are fair in the circumstances.

(e) What personal information might Habitat collect?

Habitat will only collect personal data about you that is relevant to the type of transaction or project you have engaged in with us. For example, if you have made a donation we may need your name, contact details and bank account details to allow for the proper processing of the donation. Age, travel restrictions, personal building-related skills, health, next-of-kin and passport information will be required if you wish to join an international team.

All personal data is stored on a restricted access system and is only available to staff on a need-to-know basis.

Sensitive personal data. We do not collect your “sensitive personal data”, such as health or dietary information, unless there is a clear reason for doing so. For example, we will have a need to understand any health limitations and also medications being used if you wish to join a Global Village international build project.

Information similar to credit card details will not be stored in house as per Payment card industry data security standards.

All sensitive personal data is stored on a password-protected system to which only a limited number of relevant staff have access. It is deleted when it is no longer needed and is available for you to see and review it should you wish to do so.

(f) How will Habitat use your personal data?

We will advise you when we request your personal data the reasons we wish to collect the data. These reasons could include any one or more of the following or other specified reason:

– For administrative reasons relating to your communications with us and ours with you.

– To confirm and recognize donations made to us

– In relation to correspondence you have entered into with us

– In relation to any statutory obligations we must comply with

– To assist in the event of an emergency that involves you

– For internal record keeping so as to keep a record of your relationship with us

– To implement any instructions you have given us with regard to withdrawing consent to send marketing information

– To use IP addresses to identify location of users and to block disruptive use and analyse geographic spread

– For marketing and fundraising purposes

– To analyse and improve the activities and content offered by the Habitat website to provide you with the most user-friendly navigation experience

(g) What about personal data we provide to other Habitat organisations?

We may share your information with another Habitat Organisation overseas, such as in connection with your participation in a Global Village Build or to enable a National Organisation of a country in which you have expressed an interest, to update you about its programmes and marketing materials.

Before we will share your personal data with another organisation, Habitat requires that the organisation receiving the data maintains security controls that will ensure that your data is securely stored and accessible only by appropriately trained personnel who have a legitimate need to know. In cases where the organisation is overseas, the Privacy Act 2020 provides rules an organisation must follow whenever personal data is sent “across Borders”. Habitat NZ is required by its International parent organisation to comply with the European Union Privacy requirements. These already meet the NZ Privacy Act requirements.

Habitat understands that emails do not have inbuilt security that is sufficiently robust to ensure a high level of data privacy. We therefore discourage you from sending personal data by email and we always provide either on-line forms that can ensure secured data transmission or downloadable forms that you can print off, complete and post to us.

(h) Will we share your information outside the Habitat network?

Facebook and Social Media sites: We may use your email address and phone number to match to your Facebook or other social media account in order to show you Habitat content while you use those services. We only do this where you have consented to receiving marketing emails, either by opting in (where you reside within the European Economic area) or by not opting out (where you reside elsewhere). We may also use your email address and phone number to link to Facebook or other social media sites in order to identify other users of these sites whom we believe would be interested in Habitat.

You can prevent this use of your data by either updating your consent preferences directly with us at Habitat or via the social media sites.

There may also be occasions when Habitat needs to share your personal data with service providers to enable them to deliver their service. An example is when Global Village teams are being organized and a Travel Agent or airline needs to know specific personal information in order to carry out ticketing processes.

We will also comply with requests from third parties where disclosure is required by law or where that disclosure is permitted by law and for a justified reason.

Under some circumstances and in situations involving children, we may share information with third parties as provided for under the Family Violence Act 2018 and recent amendments to the Oranga Tamariki Act 1989 that require that agencies providing Children’s Services consider sharing information upon request from a specified group of other providers of children’s services. Such consideration will take into account:

– Whether the requesting agency is authorized to receive such information and

– Whether the information is being requested for an approved reason and

– Whether the best interests and safety of the child are being served by the information release

In addition, care will be taken to:

– Ensure that information provided is up to date and accurate

– Ensure that sufficient information is given, including background or related information to help achieve the desired outcome, but

– To ensure that information given does not include anything that is not relevant to the purpose for which it was requested and wherever possible, we will seek permission from persons to whom information being considered for release, relates.

(i) How long will Habitat keep your personal information?

We will hold your personal information on our systems only for as long as we have a need for that information or until you withdraw your consent. Personal Information you provide in connection with our Global Village programme will be presumed to expire after 24 months. In some circumstances, we may be required to hold your information beyond these times in order to comply with our legal and regulatory obligations.

If you request that we stop sending you marketing materials, we will keep a record of your contact details and the detail of your request to enable us to comply with your wishes.

Legacy income is vital to the running of the charity. In the event of a legacy contribution, we may keep personal information provided to us indefinitely, in order to carry out legacy administration and communicate effectively with the families of people who have left us legacies.

Some information is required by law or by our external auditors to be retained for specified periods of time and for specified purposes. That information will generally be held on our Accounting system and will not be available for purposes other than what has been specified.

(j) How to control what we send you and update your personal information.

The accuracy of your information is important to us. We want to ensure that we are able to communicate with you in ways that you are happy with and to provide information that is of interest to you.

If you wish to change how we communicate with you, or update the information we hold, then please contact us:

to amend your contact details or preferences for any type of communication, email us: [email protected] including the details of the changes you want.

to stop receiving newsletters and marketing materials either click on the “Unsubscribe” link of a newsletter you have received or email us: [email protected] including your specific request.

In responding to a request to not receive marketing information, we will take all reasonable efforts to meet the following service:

– Emailed communications: 48 hours from receipt of email

– Mailed communications: 28 days from receipt of “do not mail” request. This period is longer than for other channels because of longer production times for mailing campaigns. Mostly, we would expect the change to be made much more quickly.

Under the terms of the General Data Protection Regulations and of NZ Privacy Law, you have the right to request a copy of the personal information we hold about you, to have any inaccuracies corrected and to have personal information deleted from our system. If you wish to request action under the provisions of this clause, please make a formalized request known as a Subject Access Request (SAR). A SAR form is available on our Website. In line with standard guidelines for these requests, we will require you to prove your identity with two pieces of approved identification. We will respond to such requests within 30 days of receipt. Please send any SAR requests, or questions or complaints about our Privacy Policy to: Data Privacy Officer, Habitat for Humanity NZ, PO Box 112 387, Ellerslie, Auckland 1642.

(k) How Habitat keeps your data safe.

We ensure that there are appropriate technical controls in place to protect your personal details. For example, our online forms that ask for personal information are stored on networks that are password-protected, are accessible only on a need-to-know basis and are routinely monitored.

All sensitive personal data is stored on a secure database, to which only a limited number of relevant staff have access. This data is deleted when it is no longer needed by us and is never shared with third parties. It is also available to you at any point should you wish to see it.

Within Habitat, we undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers or contractors.

Where we share your data with a Habitat National Organisation, your information remains secure because the National Organisation is required by Habitat for Humanity International to have similar data protection measures in place as described in this policy.

We may use external companies to collect or possess personal data on our behalf. We do comprehensive checks on these companies before we work with them and in our legal agreements we clearly set out our requirements regarding how they manage the personal data to which they have access.

(l) Privacy Breach

The Privacy Act recognises that there is a possibility of personal data held by organisations being disclosed, altered, lost or destroyed either unauthorized or accidentally (Confidentiality Breach). The Act also refers to an availability breach where personal information cannot be accessed possibly because of a technical issue or a denial-of-service attack (Availability Breach).

Where any such a breach occurs and it has or could have a serious impact on any affected individual or business it becomes mandatory for the details of the breach to be notified to the Privacy Commissioner.

If Habitat discovers any such breach that may have an impact on you, it will:

– Notify you of the breach;

– Investigate how the breach occurred and implement urgent measures to minimize any impact on you and to prevent a recurrence;

– Notify the Privacy Commissioner of the details of the breach and;

– Comply with any additional countermeasures required by the Privacy Commission.

(m) Use of unique identifiers

Habitat will not assign a unique identifier to your personal data.

In a situation where Habitat needs to request you provide a unique identifier provided by a third party (eg National Health Index number) Habitat will take steps to ensure that this data is not misused. Habitat will not require you to provide such a unique identifier unless it is necessary.

(n) Changes to this Privacy Policy

This privacy policy may be updated from time to time.

You may wish to check the policy each time you submit personal information.

If you do not agree with any changes that have been made, please do not continue using the Habitat website to submit personal information to Habitat.

If material changes are made to the Privacy Policy, we will notify you by placing a prominent notice on the website.