PŪ MANAAKI KAHURANGI 

NEW ZEALAND CONSERVATORS OF CULTURAL MATERIALs


PRIVACY POLICY



Last updated: April 28, 2020

Introduction

This privacy policy applies to the New Zealand Conservators of Cultural Materials, hereafter referred to as NZCCM. The policy is committed to the protection of the privacy of individuals in compliance with good practice, the New Zealand Privacy Act 1993 (hereafter referred to as the Act) and related data protection and privacy legislation in New Zealand. The NZCCM is also committed to any international privacy regulations that may relate to its members such as the General Data Protection Regulation (GDPR).

NZCCM relies on the use of personal data to provide services to our members, to achieve our core objectives and to ensure the public can access qualified and competent conservation professionals. To this end, NZCCM processes personal data from members, contractors, members of the public and representatives from other organisations.


Scope and Purpose

This policy sets out how we collect, use, store and disclose your personal data to ensure we comply with our obligations.

This policy applies to NZCCM data subjects. Data Subjects include all living individuals about whom NZCCM holds personal data; for instance, a volunteer or a member. A data subject need not be a NZ national or resident. All data subjects have legal rights in relation to their personal data.

This policy has been approved by NZCCM’s Executive Committee. It may be amended as needed to reflect any changes in legislation, regulatory guidance or internal policy decisions.

Processing of data is any activity that involves use of personal data, whether by automated or other means. It includes but is not limited to:

    • collecting, storing, retrieving, disclosing, disseminating, and erasing.


Reason for Data Collection

NZCCM collects personal data for legitimate purposes as a membership organisation for professional conservators. This includes advancing knowledge, practice and standards for the conservation of heritage through publications and conferences. Details of some of these activities are outlined in this section.

Data for Legal Obligations

  • NZCCM will use your information to comply with any legal obligations and to establish or exercise or defend our legal rights as a membership organisation for conservators.


Data for Membership

      • NZCCM collects data in order to provide services to our paying members. Personal details are required to deliver membership benefits, including NZCCM’s newsletter, and regular email bulletins, sent to the member’s registered email address. Phone numbers are required to resolve routine membership issues such as returned post or email bounce backs.
      • NZCCM collects data to assess the professional skills of applicants who apply to become members of the organisation. This includes but us not limited to; your employment context, professional specialism, employment history, educational background, examples of previous work, and details on supporting individuals. These details are required to enable an assessment to be made to determine whether the applicant has reached the membership level applied for within NZCCM’s member structure.
      • To ensure the NZCCM retains sufficient documentation to address questions of feedback, or to respond to a potential challenge of the outcome of a Full Member assessment or other dispute, these details are retained on file for 7 years from expiry of membership.
      • For membership application assessments, the lifetime of the consent will not extend beyond the processing timeframes required to assess the application.
      • NZCCM collects personal data to administrate our membership rates. Members applying for the affiliate or student rates are required to provide proof of their status. Supporting evidence could include but is not limited to confirmation from your academic program on business letterhead certifying your status.
      • As applicants apply to become members and are under no obligation to do so, the basis for collection and processing of membership data is consent. If consent were to be withdrawn by a data subject, the subject’s application for membership would be invalidated. In accordance with retention guidelines, this consent is then stored on file for 7 years from expiry of membership.


Data for Public Access and Contact

      • NZCCM processes data to enable members of the public to contact and commission the services of professional conservators through our directory – but only where members have requested for their details to be provided in this way. In this case, details provided by the NZCCM include but are not limited to; names, email address, and details of accreditation or other memberships, provided as part of a searchable public directory.
      • As details are provided beyond what is published in accordance with the legitimate interest of the organisation, and only at the discretion of the member who requested the listing, the basis for the processing of this data is consent.
      • If consent for the provision of a directory listing were to be withdrawn by a member, the member’s directory listing would be removed.


Data for Financial Purposes

      • NZCCM collects data in order to collect annual subscription fees, conference fees and course fees as well as data to reimburse members for expenses incurred during their work on behalf of the organisation. This includes names, address, bank details to facilitate expenses payments, and evidence of personal activities such as receipts for train travel, sustenance and hotel stays needed to verify any expense claim.
      • NZCCM sometimes collect personal data to facilitate payment of external contractors and sole traders, who use their home contact details to administrate their business. These details are then used to raise and pay invoices submitted both by NZCCM and by the contractor.
      • As financial documents, these data are retained on file for seven years in compliance with auditing guidelines. As it is in the legitimate interests of the NZCCM to receive funds and to reimburse the expenses of members and volunteers, the basis for the collection and processing of this personal data is consent.


Data for Fundraising and Marketing

  • NZCCM collects data of non-members to enable the pursuit of fundraising and marketing objectives. This includes names, addresses and email addresses of people the NZCCM might wish to influence, from whom the NZCCM might wish to obtain feedback, or invite to an event. The NZCCM only sends this information where it has been requested by non-members, and so the basis for collecting and processing this data is consent.
  • Consent for the processing of personal data related to communication with non-members for the purposes of fundraising and marketing will be documented in explicit written correspondence at the time they agree to receive free communications from NZCCM. In a technical sense, these contacts will be managed via NZCCM’s existing file management system, where the date of consent will also be stored.
  • NZCCM will occasionally use or work with contracted data or payment processers, such as WordPress or Paypal. Data processors are contractually obligated to comply with NZCCM’s Data Protection Policy, and to provide data showing how they comply.



Data Retention

NZCCM will not collect more personal data than is necessary for the purpose, nor will it retain data for longer than necessary. This means that the personal data that we hold should be destroyed or erased from our systems when it is no longer needed. If you believe the NZCCM is holding out-of-date or inaccurate personal data, please contact the Secretary NZCCM.

To ensure the NZCCM is always able to confirm the past or present membership status of an individual, and to facilitate the resumption of past membership, details are retained on file for a period of seven years after last contact. After seven years, further information regarding membership will be retained as statistics only (list of names) with no additional personal contact information retained.


Your Data and Transparency

Subject Access Rights and Fair Processing of Information

You have a right to know the following regarding the data we collect about you:

  • type of information that we are collecting
  • who is holding your information in the NZCCM and their contact details
  • rationale why we collect the information and what we intend to do with it
  • the legitimate interest or legal basis for collecting the data
  • the statutory or contractual obligation to provide the data and
  • the consequences if the data is not provided
  • the period for which the data is stored
  • who we will share that data with

You have the right to request a copy of any personal data that NZCCM hold about you, as detailed above (known as subject access rights). There will be no charge for fulfilling this request. If you make the request request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by you. Those wishing to lodge such a request should do so by writing by email to the NZCCM Secretary at secretary.nzccm@gmail.com. Information must be provided within one month of receipt of the request, though we must first ensure we are satisfied as to the identity of the person making the request for the data.

You have the right to object to the processing of personal data where this processing is based on Legitimate Interests. The NZCCM will inform individuals of their right to object at the first points of communication, and in this published Privacy Policy.

You have the right to have personal data rectified if it is inaccurate or incomplete. In cases where the NZCCM has provided data to third parties, the NZCCM will inform them of the rectification, unless this is impossible or would involve disproportionate effort. You have the right to request that NZCCM restricts the processing of your data in certain circumstances (for example, if you say your data is inaccurate, the processing will be restricted while we check the accuracy of the data).

Individuals wishing to update their personal details should do so in writing by email to the NZCCM Secretary at secretarynzccm@gmail.com. The NZCCM will normally amend relevant records within 14 days of receipt of the request.

You have the right to have personal data erased and to prevent processing in specific circumstances; although this request may be refused, if the personal data in question is processed:

    • to exercise the right of freedom of expression and information.
    • to comply with a legal obligation for the performance of a task in the public interest or in the exercise of official authority.
    • to exercise or defend legal claims.

Individuals wishing to lodge such requests should do so in writing by email to the NZCCM Secretary at secretarynzccm@gmail.com. The NZCCM will acknowledge to such requests within 14 days of receipt, and normally respond within one month.


Security and Your Data

NZCCM has a responsibility to ensure that appropriate organisational measures are in place to prevent the unlawful processing of personal data and to protect against accidental disclosure, loss or destruction of data.

Access to personal data processed and stored by the NZCCM is restricted to specific members of the Executive Committee responsible for processing the data.

All external providers are contractually obligated to act in accordance with NZCCM’s Privacy Policy as a condition of their engagement, and the contract with them is compliant with the requirements of the Act and the GDPM. Compliance is reviewed annually as part of the broader organisational annual reporting cycle.

NZCCM has a responsibility to ensure that appropriate technical measures are in place to prevent the unlawful processing of personal data and to protect against accidental disclosure, loss or destruction of data.

NZCCM’s Executive Committee membership communication is password protected and stored on a cloud based secure server and backed up.

No further access to NZCCM’s membership records is permitted.


Notification and Reporting to OPC

There is no obligation for us to make an annual notification to the OPC under the Act, but we will ensure we consult with the OPC where necessary.

We must report breaches (other than those which are unlikely to be a risk to individuals) to the OPC where necessary. We will also notify affected individuals where the breach is likely to result in a risk to the rights and freedoms of these individuals.

NZCCM’s Executive Committee is responsible for reviewing the organisation’s annual data audit, Privacy Policy annually.

Ultimately, the responsibility for overseeing compliance with this Privacy Policy rests with the President NZCCM. This includes the approval of the Privacy Policy in each annual reporting cycle, and the management of risks associated with the implementation of the Policy.

To ensure the Executive can fulfil this responsibility, as part of the broader organisational annual reporting cycle an annual data protection report will be provided to the AGM which will include, but not be limited to, the following:

    • identifying who we have given personal data to
    • details of arrangements with these external recipients to ensure compliance with our Privacy Policy
    • details on any compliance issues with external contractors
    • updated notices stipulating designated members of Executive with responsibility for collecting and processing personal data


Record Keeping

NZCCM will keep a record of our data processing activities, to demonstrate that we are complying with them. These records will include but are not limited to:

    • the purpose of processing
    • categories of personal data
    • evidence of consent
    • retention periods of personal data


Powered by Wild Apricot Membership Software