Introduction
This Policy aims to help BBCL manage personal data and breaches effectively. BBCL holds Personal Data about our clients, employees, suppliers and other individuals for a variety of business purposes.
BBCL is committed not only to the letter of the law but also to the spirit of the law and places a high premium on the correct, lawful and fair handling of all Personal Data, respecting the legal rights, privacy and trust of all individuals and clients with whom it deals.
A data breach generally refers to the unauthorized access and retrieval of information that may include corporate and / or personal data. Data breaches are generally recognized as one of the more costly security failures of organizations. They could lead to financial losses, and cause clients and employees to lose trust in BBCL.
The regulations across the various jurisdictions in which BBCL operates require BBCL to make reasonable security arrangements to protect all the personal data that we possess or control, to prevent unauthorized access, collection, use, disclosure, or distribution errors.
Scope
This policy applies to all staff. You must be familiar with this policy and comply with its terms. This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
As our Data Protection Officer, Nicole Diaz has overall responsibility for the day-to-day implementation of this policy.
Training
All staff will receive training on this policy. New staff will receive training as part of the induction process. Further training will be provided whenever there is a substantial change in the law or our policy and procedures.
Applicable Legislation
Privacy Act 2020 http://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html
Personal Data that BBCL collects
According to the common definition, Personal Data is: “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, contact information, tax status or a computer’s IP address.” It may also include individuals’ contact details, educational background, marital status, nationality, job titles, etc.
While some data will always relate to an individual, other data may not, on its own, relate to an individual. Generic information that does not relate to a particular individual may also form part of an individual’s Personal Data when combined with Personal Data or other information to enable an individual to be identified.
Business Data that BBCL collects
BBCL gathers business data for several purposes: to identify properties, related parties, owners and committees, and to obtain information for use in internal systems and operations.
Business Data for Body Corporate purposes relates to identifiable individual owners and tenants, and may include:
- Owner information such as Full name, Driver’s Licence, Date of Birth, Mobile telephone number, personal email addresses and financial information.
- Tenant information similar to the above.
- Associated parties to the above such as lawyers, contractors, building managers, trustees, etc.
- Correspondence between BBCL staff and any of the above.
We will take all reasonable steps to ensure that the personal and business information we collect, use or disclose is accurate, complete, up to date and stored in a secure environment protected from unauthorised access, modification or disclosure.
All personal and business data held within BBCL and associated companies is to be considered confidential and treated accordingly.
Causes of Privacy Data Breaches
Data breaches may be caused by employees, parties external to the organization, or computer system errors.
Human Error causes include:
- Loss of computing devices (portable or otherwise), data storage devices, or paper records containing personal data.
- Disclosing data to the wrong recipients.
- Handling data in an unauthorized way (e.g. downloading a local copy of personal data)
- Unauthorized access or disclosure of personal data by employees (e.g. sharing a login)
- Improper disposal of personal data (e.g. hard disk, storage media, or paper documents containing personal data sold or discarded before data is properly deleted)
Malicious Activities causes include:
- Hacking incidents / Illegal access to databases containing personal data
- Theft of computing devices (portable or otherwise), data storage devices, or paper records containing personal data
- Scams that trick BBCL staff into releasing personal data of individuals
Computer System Error causes include:
- Errors or bugs in BBCL Systems or access.
- Failure of cloud services, cloud computing or cloud storage security / authentication / authorization systems
Reporting a Breach
All members of BBCL staff have an obligation to report actual or potential data protection compliance failures. This allows BBCL to:
- Investigate the failure and take remedial steps if necessary
- Maintain a register of compliance failures
- Notify the owners of such data that a breach has occurred and what remedial steps are being taken.
Any breach or risk of a breach must be reported to Nicole Diaz immediately by email, with as much of the following information as is available:
- Extent of the data breach
- Type and volume of personal data involved
- Whether the breach has been rectified.
- Cause or suspected cause of the breach
Responding to a Data Breach
BBCL will notify any affected parties without undue delay after becoming aware of a personal or business data breach.
BBCL’s data breach management and response plan is:
- Confirm the breach
- Contain the breach
- Assess risks and impacts
- Report the Incident to the Executive Committee
- Evaluate the response & recovery to prevent future breaches
- Register all breach details and actions for the record
- Report the incident to the appropriate authority if considered serious
Monitoring
After steps have been taken to resolve the data breach, BBCL should review the cause of the breach and evaluate if existing protection and prevention measures and processes are sufficient to prevent similar breaches from occurring, and where applicable put a stop to practices which led to the data breach.
- How was management involved in the management of the data breach?
- Was there a clear line of responsibility and communication during the management of the data breach?
All staff must observe this policy.
We take compliance with this policy very seriously. Failure to comply puts our clients, you and BBCL at risk.
Nicole Diaz will review and monitor this policy regularly to make sure it is effective, relevant, and adhered to.
If you have any questions or concerns about anything in this policy, do not hesitate to contact the Data Protection Officer.
Additional Info:
Boutique Body Corporates & Community Managers
Building B
Level 2, 8 Nugent Street
Grafton
Auckland 1023
Phone: 09 524 9785
0800 4 BODYCORP
0800 426 392 677