Under the Privacy Act 2020, ākonga and kaimahi have the right to ask for their personal information that OP holds. 

Ākonga can request their information by referring to the Privacy and Personal Information section of the Student Rights & Responsibilities guide.

Kaimahi can make a request for information by emailing the Information Management team at Inforequests@op.ac.nz.

OP will respond to your request within 20 days.  In limited circumstances this timeframe can be extended but if this is the case you will be informed why and when the information will be provided.

OP can withhold information from you in limited circumstances, but you will be informed why.

If you think the information is wrong, you can ask for a correction.  If OP declines the correction, you will be informed why, and you can attach a statement of correction to your records.

What is a Privacy Breach?
A privacy breach occurs when a person's personal information is lost, stolen, accessed without consent or an organisation may be prevented from accessing information they hold. Workplace gossip can also be a platform where privacy breaches can happen.

Common examples include:

• theft of documents or devices
• computer hacks
• employee browsing
• emails being sent to the wrong recipient

What is a near miss?

This is an event that had or has the potential to be a privacy breach but didn’t breach anyone’s privacy. This can occur in all of the same ways that a full breach can. It is important to notify the privacy officer if you believe there has been a serious near miss as this could be a potentially recurring risk that needs to be looked at and mitigated.

Harm

A loss or misuse of personal information can cause people harm and damage the organisation's reputation.

If the breach has caused, or may cause serious harm, the Otago Polytechnic Privacy Officer will need to notify the Privacy Commissioner.

'Harm' can include:

• loss, damage, or disadvantage
• loss of a benefit or right
• emotional harm, such as significant humiliation or loss of dignity

Non-notification could see the organisation subjected to fines of up to $10,000.

What to do in the event of a privacy breach?

If you believe there has been a privacy breach or a near miss then you should contact the Privacy Officer - Euan Kyle euan.kyle@op.ac.nz, as soon as possible.

Under the Privacy Act 2020, kaimahi and ākonga have the right to ask for the personal information that Otago Polytechnic holds about them. 

Disclosure of Personal Information

​​​​​​​Any disclosure of personal information must be strictly in accordance with the purposes for which it was collected and be limited to only what is permitted to be disclosed. 

Kaimahi must not disclose any personal information relating to any ākonga or OP colleague, to any person or agency (other than authorised members of OP).  This includes parents, partners and employers of the ākonga or kaimahi unless:

1. They are required to by law
2. Have written consent of the learner or kaimahi concerned

Kaimahi and ākonga must not divulge personal information when using social media.

When a kaimahi receives a request for personal information they must consult with their Formal Leader. The Formal Leader will consult with the Otago Polytechnic Privacy Officer if they are unsure whether to disclose that information.

Access to Personal Information

1. Access to student management system learner records
Kaimahi may access learner's personal information only if it is necessary for their employment responsibilities.
No person may remove a learner file from where it is held unless required to by law or have written approval from their Formal Leader.

2. Access to kaimahi files
Each kaimahi has the right to access their own file. Kaimahi can request permission to access their personal file by emailing PeopleandCulture@op.ac.nz or their P&C Business Partner.
Kaimahi may request a copy of any document or extract from their file or ask for it to be corrected if they think it is wrong by emailing PeopleandCulture@op.ac.nz or their P&C Business Partner.
Kaimahi must not remove or alter any information from their file.

Maintaining Personal Information

Otago Polytechnic kaimahi must ensure that their name and personal contact details provided to OP are correct and current. You must notify OP when any changes occur, either directly to an administration colleague or by emailing PeopleandCulture@op.ac.nz

Other than correction to current name and contact details, colleagues may at any time request corrections to their personal information by contacting PeopleandCulture@op.ac.nz  

CCTV Images

CCTV is used on all OP campuses to provide protection and improve safety for individuals and prevent crime.
All reasonable steps will be taken to check CCTV images are accurate, complete, relevant and not misleading before they are used.
Images collected with CCTV cameras will only be used or disclosed for the original purpose they were collected.
Images collected using CCTV will not be disclosed publicly without the consent of the individual(s) shown in the footage or after consultation with the Police

For more information refer to Otago Polytechnic CCTV Policy

What information can I share about my learners to other parties?

You may only share information about a learner if: 

• the learner has provided their written consent to do so
• they are a dual enrolment AND they are under 18 years old - you can share information about attendance and progress with the school and parents/guardians
• they are part of the Work Skills programmes
• you have been required to by law

Is information about a student's disability automatically communicated to their lecturers?

When a learner discloses information about their disability on their enrolment form, this information is only disclosed to Disability Services. It is up to the learner if they choose to disclose this information with their lecturers. 

Can I share information about a learner's Individual Support Plan?

If a learner has an Individual Support Plan to support their success in the classroom, the information on the learner's Support Plan may only be shared with others who are directly involved in supporting the learner if the learner consents to it being shared.

Class Recordings

Ensure all learners are aware the class will be recorded prior to recording - for online classes they may want to turn off their camera.
Shortly after recording is stopped, the recording automatically appears in Teams and a notification is sent to those involved in the meeting. Please see our documentation on Accessing recordings for more information.

Class Registers

When marking a class register do so in a manner that other people in the room cannot see your monitor to ensure that our learners' attendance information is kept confidential.

Entering Results and Handing back Assessments

Learner results must be kept confidential at all times.  When entering results in EBS ensure no one else is able to see your screen as you are doing it.  Hand back marked assessments to learners in a way that ensures their privacy is being kept.

Otago Polytechnic has implemented a Privacy Impact Assessment (PIA) process. A PIA is a tool that we use to identify and mitigate privacy risks within new processes, systems and products. 

If you are introducing a new system, tool or process to the Polytech and you know it will involve the collection, use or storage of personal information then you should engage with the PIA process. To do this simply send an email to inforequests@op.ac.nz to discuss the next steps.

The process is straightforward and involves filling out an initial questionnaire and then a quick follow up meeting to discuss the project. Once we have gathered the information a report is written identifying any privacy concerns and what will need to be done to mitigate those risks.

Emails

More than ¼ of all privacy breaches reported to the Privacy Commissioner since the Privacy Act 2020 came into force were the result of email errors. Here are some tips to help reduce privacy breaches when emailing:

• Check the list of recipients
• Check you’ve attached the correct attachments or where possible use links instead of attachments as you can always remove access at a later date if there was a mistake
• For mass emails, include individual emails in the ‘Bcc’ section rather than ‘Cc’ field where possible
• Think about who needs to see your response to an email:
  • All recipients of the email - then use Reply All
  • Just the person who sent the email - use Reply
• Always think about the information already contained in previous emails when you add people to an existing email chain and whether they should have access to that information

Security and Confidentiality

Only talk or share personal information with colleagues on a need-to-know basis, don’t discuss/gossip about people with friends/family, or colleagues.

Maintain good physical security procedures – locking cabinets, don’t leave work laptops unattended, be careful when leaving documents in cars or on shared printers.

Printing/Copying Confidential Material

As our printers on all campuses are shared and used by multiple people, when copying or printing confidential information be sure to wait until it is copied/printed so no one else can read the material or accidentally pick it up off the tray with their printing.

If you have released your confidential print job from the queue at the printer and the printer is not working for some reason, check the paper feed and refill. If it is still not working, contact Service Desk at servicedesk@op.ac.nz or phone 0800 765 948.

Kaimahi can access the free Online Privacy Courses from the Office of the Privacy Commissioner:
https://tuhono.op.ac.nz/hub/news/item/7198

The Privacy 101 and Privacy ABC modules cover key concepts and are highly recommended for all kaimahi to complete.  

For more information about privacy, refer to the Policy and Procedures, or contact the Privacy Officer at inforequests@op.ac.nz.