Climate Club Aotearoa Privacy Policy

  1. Introduction 

The Privacy Act 2020 came into force on 1 December 2020. It is an extension of the previous Act and builds on the previous principles-based approach. There are now 13 Principles, which are detailed in Annexure 1, Privacy Principles.

  2. Personal Information that is collected

Climate Club Aotearoa (CCA) collects personal information from subscribers to its regular and one-off newsletters, and from regular and one-off donors to CCA. CCA may also collect information from attendees at the various educational workshops that it might run for, and in conjunction with, companies, regional councils, etc.

CCA collects personal information directly from the clients/subscribers concerned and/or their authorised representative. The information collected can include name, address, and contact details.

The CCA newsletter publication uses Substack as a platform for hosting and distributing content. Substack’s privacy policy can be found at the following link. Readers should be aware that Substack collects and processes data related to subscriptions, email addresses, and content interactions. This can include email addresses of subscribers, data on content clicks, and payment details, in accordance with their privacy policy.

CCA only collects personal information for lawful purposes connected with the CCA’s functions and activities, and only where the collection of such information is necessary for those purposes.

Clients/subscribers can choose not to provide their personal information to the CCA. However, this will limit the services CCA can provide to the client. If clients do not provide CCA with necessary personal information, CCA may have to refuse or cease to provide the client with products or services.

  3. Method of collection of personal information

CCA will only collect personal information by lawful and fair means and not in a way that may be unreasonably intrusive. Wherever possible, CCA collects personal information directly from the subscriber/client when the subscribers/clients provide information to CCA. CCA may also collect personal information from third parties, such as any authorised representatives, where the client has authorised the relevant collection. CCA may also collect personal information from publicly available sources.

Subscribers/clients will give consent to use their personal information. Before consent is given, CCA will ensure that the request for consent is given in an intelligible and easily accessible form and includes the purpose for the data processing.

CCA will take reasonable steps to ensure that the client is aware that the:

  1. information is being collected;
  2. purpose for which the information is being collected;
  3. intended recipients of the information;
  4. name and address of the agencies that are collecting and holding the information;
  5. collection of the information is authorised or required by or under law, and if so
    1. the particular law; and
    2. whether the supply of information is voluntary or mandatory;
  6. consequences of not providing the information; and
  7. rights of access to and correction of information.

  4. Purposes of collecting, holding, using and disclosing personal information

CCA maintains a subscriber/client database which is used for mailing and record-keeping purposes. This is limited to name, address, contact details and, where applicable, notes of relevant meetings and interactions.

This is kept for the following types of clients, and in order for CCA to maintain high levels of service:

  1. Subscribers to its regular newsletters
  2. Donors to CCA
  3. Attendees of CCA events and workshops.

  5. Disclosure of personal information

CCA will not disclose information except in accordance with the Privacy Act.  

CCA may, from time to time, request clients’ (or their personal representatives’) consent for CCA to use and/or disclose personal information for specified purposes. A request for consent will be given in an easily understandable and accessible form and includes the purpose for the data processing.

  6. Protection of personal information

CCA uses such security safeguards as reasonable in the circumstances to protect information from misuse, interference and loss, and from unauthorised access, modification or disclosure.  CCA takes precautions including:

  1. restricting access to personal information stored on CCA’s servers;
  2. imposing confidentiality requirements on its employees;
  3. imposing confidentiality requirements on its fund manager clients (where a marketing contract and agreement is in place);
  4. requiring that its contractors and agents take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure;
  5. implementing electronic security systems, such as firewalls;
  6. ensuring that servers containing client information have security measures such as password protection;
  7. controlling access to CCA’s office; and
  8. taking reasonable steps, as appropriate, to protect “unique identifiers” from being misused. (Unique identifiers are individuals’ numbers, names or other forms of identification allocated to people by organisations, such as IRD numbers, bank client numbers, driver’s licence and passport numbers.)

CCA stores data mainly in the cloud, on Google Drive. Some data is stored on desktop devices as a back-up. Our publication is hosted on Substack, and Substack captures and stores data as described in section 2 above.

Note also that CCA’s website uses cookies. A cookie is a small data file that a website may write to your hard drive when you visit it. A cookie file can contain information, such as a user ID, that the website uses to track the pages you have visited. The only personal information a cookie can contain is information you personally supply. A cookie cannot read data off your hard disk or read cookie files created by other websites. CCA may use cookies (without further notice to you) to track user traffic patterns and to better serve you when you visit the website. You can set your browser to notify you when you receive a cookie, providing you with the opportunity to either accept or reject it. You can also refuse all cookies by turning them off in your browser; however, doing so may limit your ability to use CCA’s website.

  7. Accuracy of personal information

CCA aims to ensure that the personal information kept is accurate, up-to-date, complete, relevant and not misleading.

  8. Access and correction of personal information

Clients have a right to access and seek correction of personal information that CCA holds about the client, in accordance with the Privacy Act.

Where information is held in such a way that it can be readily retrieved by CCA, CCA will, on request, provide information to the client, in accordance with the Privacy Act.

CCA may recover from the client reasonable costs of supplying the client with access to personal information.  However, CCA will not charge the client for the making of the request or to correct or update the personal information.

If the client would like to access or correct personal information, the client may contact CCA’s Privacy Officer via the contact details listed below.  CCA will respond to the request within 20 working days.  CCA may decide to grant or refuse access to or correction of personal information.  If CCA refuses to provide access to or correct the information, it will notify the client of the reasons for refusal to the extent of CCA’s legal obligations.  CCA may also add a statement of correction to the client file that clearly shows that the individual asked to have the information changed or corrected. 

  9. Retention of information

CCA will not keep client information for longer than it is required for the purposes for which the information may be lawfully used.   If personal information is no longer required, or for any reason authorised under NZ law, it will be destroyed. Clients can request at any stage for the information kept by CCA to be deleted (please refer to 9. below).  

  10. Disclosing Information Overseas (“cross-border disclosure”)
    1. Due Diligence

Personal information may only be disclosed to an overseas agency if that agency has a similar level of protection to New Zealand, or the individual is fully informed and authorised the disclosure.

CCA must undertake the necessary due diligence of overseas agencies before making a cross-border disclosure of personal information.

CCA may only participate in a cross-border disclosure if the offshore agency meets the following criteria:

  1. Is subject to the Privacy Act because the agency does business in New Zealand; or
  2. Is subject to privacy laws that provide comparable safeguards to the Privacy Act, or they agree to protect the information in such a way, e.g. by using model contract clauses; or
  3. Is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government.

If none of the above criteria apply, CCA may only make a cross-border disclosure with the permission of the person concerned.  The person must be expressly informed that their information may not be given the same protection as provided by the New Zealand Privacy Act.

    2. Cloud Storage

CCA may send information to an overseas organisation to hold or process on its behalf as its ‘agent’, for example an overseas company providing cloud-based services for a New Zealand organisation. This will not be treated as a disclosure under the Privacy Act. CCA will be responsible for ensuring that its agent – the overseas company – handles the information in accordance with the New Zealand Privacy Act.

    3. Urgent Disclosures

CCA may need to make a cross-border disclosure in certain, urgent circumstances where it would not otherwise be allowed. Information privacy principle 12 (IPP 12) allows cross-border disclosure when it is necessary to maintain public health or safety, to prevent a serious threat to someone’s life or health, or for the maintenance of the law.

  11. Privacy Complaints

If the client believes CCA has breached the Privacy Act or a registered code that binds CCA, the client may contact CCA’s Privacy Officer via the contact details listed below. CCA may request that the client puts the complaint in writing. CCA will endeavour to resolve the complaint in a reasonable time frame (usually within 20 working days) and may contact the client to obtain further details so that it can provide the client with a full and complete response.

If the client is not satisfied with the manner in which CCA has handled the complaint, the client can lodge a complaint with the Office of the Privacy Commissioner at www.privacy.org.nz.

  12. Breaches

If CCA has a privacy breach that has caused serious harm to someone (or is likely to do so), CCA must notify the Office of the Privacy Commissioner as soon as practicable.  Breaches must be lodged via NotifyUs at www.privacy.org.nz.

If a notifiable privacy breach occurs, CCA should also notify any person that is affected as soon as possible after the breach occurs, unless relying on permitted exceptions set out in s116 of the Privacy Act.

When assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is a notifiable privacy breach, CCA must consider the following:

  1. any action taken by CCA to reduce the risk of harm following the breach:
  2. whether the personal information is sensitive in nature:
  3. the nature of the harm that may be caused to affected individuals:
  4. the person or body that has obtained or may obtain personal information as a result of the breach (if known):
  5. whether the personal information is protected by a security measure:
  6. any other relevant matters.

Any privacy breaches, whether notifiable or not, will be recorded in the Breach Register (Refer to Annexure 2). 

  13. Criminal Offence

It is now a criminal offence (maximum fine per offence is $10,000):

  • for a person to mislead CCA by impersonating someone, or pretending to act with that person’s authority, to gain access to their personal information to have it altered or destroyed.
  • for CCA to destroy a document containing personal information, knowing that a request has been made for that document.

  14. Privacy Officer Contact Details

To access or correct personal information, to notify CCA of an alleged breach of the Privacy Act or a registered code, or to make any privacy-related inquiry, please contact:

Privacy Officer 

Climate Club Aotearoa

101 Pakenham Street West

Auckland CBD 1010

New Zealand

Email: contact@climateclub.nz

Annexure 1 – Privacy Principles

  • Principle 1 – You can only collect personal information if it is for a lawful purpose and the information is necessary for that purpose. You should not require identifying information if it is not necessary for your purpose. 
  • Principle 2 – You should generally collect personal information directly from the person it is about. Because that won’t always be possible, you can collect it from other people in certain situations. For instance, if:
    • the person concerned gives you permission 
    • collecting it in another way would not prejudice the person’s interests
    • collecting the information from the person directly would undermine the purpose of collection
    • you are getting it from a publicly available source.
  • Principle 3 – When you collect personal information, you must take reasonable steps to make sure that the person knows:
    • why it’s being collected
    • who will receive it
    • whether giving it is compulsory or voluntary
    • what will happen if they don’t give you the information.

Sometimes there may be good reasons for not letting a person know you are collecting their information – for example, if it would undermine the purpose of the collection, or if it’s just not possible to tell them. 

  • Principle 4 – You may only collect personal information in ways that are lawful, fair and not unreasonably intrusive. Take particular care when collecting personal information from children and young people.
  • Principle 5 – You must make sure that there are reasonable security safeguards in place to prevent loss, misuse or disclosure of personal information. This includes limits on employee browsing of other people’s information.
  • Principle 6 – People have a right to ask you for access to their personal information. In most cases you have to promptly give them their information. Sometimes you may have good reasons to refuse access. For example, if releasing the information could:
    • endanger someone’s safety
    • create a significant likelihood of serious harassment
    • prevent the detection or investigation of a crime 
    • breach someone else’s privacy.
  • Principle 7 – A person has a right to ask an organisation or business to correct their information if they think it is wrong. Even if you don’t agree that it needs correcting, you must take reasonable steps to attach a statement of correction to the information to show the person’s view. 
  • Principle 8 – Before using or disclosing personal information, you must take reasonable steps to check it is accurate, complete, relevant, up to date and not misleading.
  • Principle 9 – You must not keep personal information for longer than is necessary.
  • Principle 10 – You can generally only use personal information for the purpose you collected it. You may use it in ways that are directly related to the original purpose, or you may use it another way if the person gives you permission, or in other limited circumstances.
  • Principle 11 – You may only disclose personal information in limited circumstances. For example, if:
    • disclosure is one of the purposes for which you got the information
    • the person concerned authorised the disclosure
    • the information will be used in an anonymous way
    • disclosure is necessary to avoid endangering someone’s health or safety
    • disclosure is necessary to avoid a prejudice to the maintenance of the law. 
  • Principle 12 – You can only send personal information to someone overseas if the information will be adequately protected. For example:
    • the receiving person is subject to the New Zealand Privacy Act because they do business in New Zealand 
    • the information is going to a place with comparable privacy safeguards to New Zealand 
    • the receiving person has agreed to adequately protect the information – through model contract clauses, etc. 

If there aren’t adequate protections in place, you can only send personal information overseas if the individual concerned gives you express permission, unless the purpose is to uphold or enforce the law or to avoid endangering someone’s health or safety. 

  • Principle 13 – A unique identifier is a number or code that identifies a person in your dealings with them, such as an IRD or driver’s licence number. You can only assign your own unique identifier to individuals where it is necessary for operational functions. Generally, you may not assign the same identifier as used by another organisation. If you assign a unique identifier to people, you must make sure that the risk of misuse (such as identity theft) is minimised.