The NZ Privacy Act (2020)
Hero Privacy Principles
Hero Privacy Principles in Relation to the NZ Privacy Act (2020)
The New Zealand Privacy Act 2020 has 13 privacy principles that govern how you should collect, handle and use personal information.
Principle 1
"You can only collect personal information if it is for a lawful purpose and the information is necessary for that purpose. You should not require identifying information if it is not necessary for your purpose."
"Personal information is only collected in Hero for the use of the school; the schools decide what information to collect in conjunction with the requirements of the Ministry of Education. Personal information is not used by Hero for any other purpose."
Principle 2
The source of personal information
"You should generally collect personal information directly from the person it is about. Because that won’t always be possible, you can collect it from other people in certain situations. For instance, if:
- The person concerned gives you permission.
- Collecting it in another way would not prejudice the person’s interests.
- Collecting the information from the person directly would undermine the purpose of collection.
- You are getting it from a publicly available source."
"Personal information is only collected in Hero for the use of the school; the schools decide what information to collect in conjunction with the requirements of the Ministry of Education. Personal information is not used by Hero for any other purpose."
Principle 3
Why information is being collected
"When you collect personal information, you must take reasonable steps to make sure that the person knows:
• Why it’s being collected
• Who will receive it
• Whether giving it is compulsory or voluntary
• What will happen if they don’t give you the information
Sometimes there may be good reasons for not letting a person know you are collecting their information – for example, if it would undermine the purpose of the collection, or if it’s just not possible to tell them."
"Schools advise caregivers or students what information is being collected through their enrolment process. It is the responsibility of the school to let caregivers know if additional information is being collected or recorded for the students or caregivers. Hero affords the option for schools to create their own fields for data collection."
Principle 4
How information is collected
"You may only collect personal information in ways that are lawful, fair and not unreasonably intrusive. Take particular care when collecting personal information from children and young people."
"The collection of data is through the school’s enrolment form or other methods that they choose to employ to gather information and record this in Hero."
Principle 5
How the information is stored
"You must make sure that there are reasonable security safeguards in place to prevent loss, misuse or disclosure of personal information. This includes limits on employee browsing of other people’s information."
"Hero databases store information such as accounts, student details, posts, goals, attendance and assessment data and pupil billing information. These are replicated to separate servers so that redundancy is always maintained. Daily snapshots are taken, which are maintained for seven days.
All files are stored on Azure Blob Storage, which is managed by Microsoft Azure. This is designed to be highly available with a 99.99% uptime guarantee. This data store is configured to be replicated to 3 different servers within the same datacenter, with geo-replication enabled in the event of a localised disaster at our primary datacenter.
Outside of this, an additional backup process is run every night with the same storage configuration, that is, locally and geo-replicated to data centres in NSW (AUS) and Victoria (AUS). All services are stateless, load-balanced, and redundant."
Principle 6
Right to request access
"People have a right to ask you for access to their personal information. In most cases you have to promptly give them their information. Sometimes you may have good reasons to refuse access. For example, if releasing the information could:
- Endanger someone’s safety
- Create a significant likelihood of serious harassment
- Prevent the detection or investigation of a crime
- Breach someone else’s privacy."
"Hero is the custodian of the data. Any requests for access to information must be made to the individual school as they are the legal entity responsible for the data."
Principle 7
"A person has a right to ask an organisation or business to correct their information if they think it is wrong. Even if you don’t agree that it needs correcting, you must take reasonable steps to attach a statement of correction to the information to show the person’s view."
"The school can update information within Hero upon request."
Principle 8
Accuracy of information
"Before using or disclosing personal information, you must take reasonable steps to check it is accurate, complete, relevant, up to date and not misleading."
"Schools are responsible for the accuracy of information stored within Hero."
Principle 9
Length of time data is stored
"You must not keep personal information for longer than is necessary."
"Data is stored for seven years in accordance with the requirements of the Ministry of Education."
Principle 10
Limits of use
"You can generally only use personal information for the purpose you collected it. You may use it in ways that are directly related to the original purpose, or you may use it another way if the person gives you permission, or in other limited circumstances."
"Hero will not use the data for any other reason than making it available to the school. Individuals can actively consent to Hero using the information for other, specified reasons. The school may choose to use the information in other ways and would be responsible for informing students and caregivers if this is the case."
Principle 11
Limits of disclosure
"You may only disclose personal information in limited circumstances. For example, if:
- Disclosure is one of the purposes for which you got the information
- The person concerned authorised the disclosure
- The information will be used in an anonymous way
- Disclosure is necessary to avoid endangering someone’s health or safety
- Disclosure is necessary to avoid a prejudice to the maintenance of the law."
"Hero will only disclose data if verified permission has been obtained from the person concerned."
Principle 12
"You can only send personal information to someone overseas if the information will be adequately protected. For example:
- The receiving person is subject to the New Zealand Privacy Act because they do business in New Zealand
- The information is going to a place with comparable privacy safeguards to New Zealand
- The receiving person has agreed to adequately protect the information – through model contract clauses, etc.
If there aren’t adequate protections in place, you can only send personal information overseas if the individual concerned gives you express permission, unless the purpose is to uphold or enforce the law or to avoid endangering someone’s health or safety."
"Hero will not send personal information overseas except for storage within the Microsoft Azure and AWS data centres in Australia. These servers are secure, protected and not accessible by unauthorised users."
Principle 13
"A unique identifier is a number or code that identifies a person in your dealings with them, such as an IRD or driver’s licence number. You can only assign your own unique identifier to individuals where it is necessary for operational functions. Generally, you may not assign the same identifier as used by another organisation. If you assign a unique identifier to people, you must make sure that the risk of misuse (such as identity theft) is minimised."
"Unique identifiers are required for the operation of the Hero platform. We use UUIDs (universally unique identifiers) for all our identifiers. These are therefore not able to be used by other organisations for the same person."
Under the Act, if Linc-Technologies becomes aware of a privacy breach within its organisation that has caused (or is likely to cause) serious harm, it will need to notify the Office of the Privacy Commissioner and the affected individuals as soon as possible.
Not all privacy breaches are notifiable. Linc-Technologies must consider whether the breach is notifiable on a case-by-case basis, including the type and sensitivity of information lost, whether actions have been taken to reduce the risk of harm to the individual, and the nature of the harm that could arise.