Privacy and information handling policy
This policy sets out the New Zealand Law Society’s policies and procedures for the collection, use, retention and disclosure of personal information. It is intended to be a resource for Law Society staff and a source of information for members of the public and the legal profession.
A downloadable PDF version is available.
Privacy framework – objectives
a. Maintaining a positive “privacy culture” in which Law Society staff, contractors and appointees are supported and encouraged to adopt good privacy practices;
b. Building trust and confidence with members of the public and the legal profession by:
- ensuring there are clear purposes for collecting personal information;
- good data collection processes;
- transparency in handling personal information;
- risk avoidance - avoiding the potential for security or data breaches;
- meeting access and correction requests;
- ensuring accuracy of personal information;
- proper use and disclosure of personal information; and
- respect for people as individuals rather than “personal identification numbers”.
c. Ensuring legal compliance.
Privacy Act 1993 – rights and obligations
- The Law Society’s information handling policy is informed by its obligations under the Privacy Act 1993 and the Lawyers and Conveyancers Act 2006 (LCA).
- The Law Society is not subject to the provisions of the Official Information Act 1982.
- Parts of the LCA and its associated regulations set out how the Law Society handles personal information.
- Section 7 of the Privacy Act 1993 provides that where other legislation allows or requires personal information to be used in a specific way, this will override the general provisions of the Privacy Act. Section 7 also provides that other statutes which prohibit or restrict the availability of personal information take precedence over the information privacy principles (IPPs).
The Law Society has a number of functions established under the LCA. These include regulating the legal profession, monitoring and enforcing the provisions of the LCA and its regulations, and representing its lawyer members.
To carry out these functions, the Law Society is made up of different parts. Each part collects and uses personal information about lawyers and members of the public for different purposes.
The following general guidelines apply to each separate part of the Law Society.
Collection of personal information
Information is collected for purposes associated with the function of the particular part of the Law Society collecting it. Those purposes will be consistent with the provisions of the LCA (e.g. the Lawyers Complaints Service collects information relevant to complaints).
The person providing their personal information to the Law Society will be advised about:
- the purpose for collection and how the information will be used;
- the law under which the information is collected;
- who the information will be disclosed to and held by;
- the person’s right to access their personal information and their right to ask to have the information corrected; and
- the consequences of not providing the information.
This information is contained in the privacy notice (Privacy, copyright and disclaimer) accessible on the Law Society’s webpage and on the forms which are used to collect information.
Information must generally be collected by the Law Society directly from the person concerned. There are some exceptions to this, including but not limited to circumstances where:
- the information is publicly available or the person consents to the collection of information from someone else;
- it is necessary to collect information from someone else to avoid prejudice to the maintenance of the law (including the prevention, detection, investigation, prosecution and punishment of offences) or for the conduct of proceedings before any court or tribunal;
- collecting information from the individual concerned would prejudice the purposes of collection;
- it is not reasonably practicable to collect information from the person concerned; or
- collection from someone else is required or permitted by law.
Use and disclosure of personal information
Generally, personal information may only be used by the Law Society for the purposes for which it is collected.
Before using personal information, steps must be taken to ensure that the information is accurate, up to date and complete.
Personal information must, in general, not be used by the Law Society for a different purpose or disclosed to anyone other than the person concerned. There are some permitted exceptions to this. For example, the Law Society may use personal information for a purpose other than that for which the information was collected if the information is used in a form in which the individual concerned is not identified or if it is necessary:
- to avoid prejudicing the maintenance of the law (including preventing, detecting, investigating, prosecuting, or punishing offences);
- for the conduct of proceedings before a court or tribunal; or
- to protect public health, public safety, or the life or health of a person.
In addition, information may be used for a different purpose where the purpose for which the information is to be used is directly related to the purpose in connection with which the information was obtained.
The grounds listed above also apply to the disclosure of personal information to third parties. Under the LCA there are also limited situations where information about complaints or trust account inspections may be disclosed to certain agencies or people including members of the police or Serious Fraud Office who are performing their duties.
If a person requests their own personal information from the Law Society, there are limited grounds for withholding that information (see Requests for personal information below).
Information collected by one part of the Law Society for a particular purpose will not be shared with another part of the Law Society for a different purpose unless permitted by law. Any part of the Law Society that is considering internally sharing personal information with another part will consult the Law Society Privacy Officer.
Storage and security of personal information
The Law Society has an obligation to securely store the personal information it collects and creates. As part of this, the Law Society has an internal data security policy. Under the Law Society’s policy, personal information is only accessible to authorised staff and is protected by appropriate security measures. Those security measures include limits on access to electronic databases where personal information is stored and ‘password protection’ where appropriate.
Information must only be held by the Law Society as long as the information is needed. Personal information no longer required to be held will be securely destroyed by the Law Society.
Requests for personal information (correction and access)
Under the Privacy Act 1993 a person has the right to request access to their personal information (IPPs 6 & 7). There are limited grounds upon which the Law Society may refuse to disclose personal information. These include situations where the provision of information would prejudice the maintenance of the law (including the prevention, investigation and detection of offences); breach legal professional privilege; where the information is evaluative and was provided in confidence; and where disclosure would lead to the unwarranted disclosure of the affairs of another person or endanger the safety of any individual (see ss 27-29 of the Privacy Act).
If a person believes their personal information is inaccurate then they may request that the material be corrected by the Law Society. If a decision is made not to correct the information then the person’s request must be attached to all available copies of the information.
When the Law Society receives a request for access to or correction of personal information it is referred to the Privacy Officer. The Law Society aims to respond to such requests as soon as possible. The requester will be advised of any extension of time required to respond to the request. The Law Society will ask for clarification if any part of the request is unclear.
The Privacy Act 1993 requires that a response to any request be provided as soon as reasonably practicable and within 20 working days after the day on which the request is received, but an extension of time may be made if appropriate (see s 41 of the Privacy Act 1993). The requester must be advised of the reason for the extension, its length and their right to complain to the Privacy Commissioner about the extension.
If a request is made to the Law Society for personal information held by another agency, the Law Society must transfer the request to that agency within 10 working days and advise the requester.
Once a request has been considered, the Law Society will advise if any information is to be withheld and provide the reasons for withholding any information.
If a person is dissatisfied with the Law Society’s response then they may contact the Privacy Commissioner.
There is a flowchart illustrating the process for responding to a request for access, disclosure or correction of personal information in the PDF of the Information Handling Policy.
How we maintain best privacy practice
The Law Society is committed to maintaining best privacy practice through:
- ensuring all staff understand privacy rights and are kept up to date through training;
- ensuring that requests for disclosure of personal information or new projects involving personal information are referred to the Privacy Officer for review;
- undertaking audits of privacy policies and procedures on at least a bi-annual basis and following up any specific privacy issues which may arise;
- keeping abreast of privacy law developments, technology updates and following best practice guidance from the Privacy Commissioner; and
- responding to privacy concerns and/or complaints in a timely and constructive way.
Action where there is a potential privacy breach
Inadvertent privacy breaches may happen despite good processes and the best of intentions.
Where a potential breach is identified it is important to act quickly and openly.
As soon as a breach is detected, Law Society personnel are required to advise their Manager and notify the Privacy Officer. The Privacy Officer will work with staff to address any privacy concerns, following the Privacy Commissioner’s guidelines for dealing with privacy breaches available at www.privacy.org.nz.
Who to contact
If you have any questions about this policy or the Law Society’s information handling obligations under the Privacy Act 1993 and the LCA, please contact the Privacy Officer – firstname.lastname@example.org.
Last updated on the 24th September 2018