New Zealand Law Society - Privacy and information handling policy
This sets out the New Zealand Law Society’s policies and procedures for the collection, use, retention and disclosure of personal information. It is intended to be a resource for Law Society staff and a source of information for members of the public and the legal profession.
A downloadable PDF version is available.
The Law Society is committed to ensuring that it handles personal information following best practice and in a way that respects the privacy rights of individuals. To achieve this the Law Society has established a privacy policy framework.
The objectives of the Law Society’s privacy policy framework may be summarised as:
a. Maintaining a positive “privacy culture” in which Law Society staff, contractors and appointees are supported and encouraged to adopt good privacy practices;
b. Building trust and confidence with members of the public and the legal profession by:
c. Ensuring legal compliance.
The Law Society has a number of functions established under the LCA. These include regulating the legal profession, monitoring and enforcing the provisions of the LCA and its regulations, and representing its lawyer members.
To carry out these functions, the Law Society is made up of different parts. Each part collects and uses personal information about lawyers and members of the public for different purposes.
The following general guidelines apply to each separate part of the Law Society.
Information is collected for purposes associated with the function of the particular part of the Law Society collecting it. Those purposes will be consistent with the provisions of the LCA (e.g. the Lawyers Complaints Service collects information relevant to complaints).
The person providing their personal information to the Law Society will be advised about:
This information is contained in the privacy notice (Privacy, copyright and disclaimer) accessible on the Law Society’s webpage and on the forms which are used to collect information.
Information must generally be collected by the Law Society directly from the person concerned. There are some exceptions to this, including but not limited to circumstances where:
Generally, personal information may only be used by the Law Society for the purposes for which it is collected.
Before using personal information steps must be taken to ensure that the information is accurate, up to date and complete.
Personal information must, in general, not be used by the Law Society for a different purpose or disclosed to anyone other than the person concerned. There are some permitted exceptions to this. For example, the Law Society may use personal information for a purpose other than that for which the information was collected if the information is used in a form in which the individual concerned is not identified or if it is necessary:
In addition, information may be used for a different purpose where the purpose for which the information is to be used is directly related to the purpose in connection with which the information was obtained.
The grounds listed above also apply to the disclosure of personal information to third parties. Under the LCA there are also limited situations where information about complaints or trust account inspections may be disclosed to certain agencies or people including members of the police or Serious Fraud Office who are performing their duties.
If a person requests their own personal information from the Law Society there are limited grounds for withholding that information (see below Requests for personal information).
Information collected by one part of the Law Society for a particular purpose will not be shared with another part of the Law Society for a different purpose unless permitted by law. Any part of the Law Society that is considering internally sharing personal information with another part will consult the Law Society Privacy Officer.
The Law Society has an obligation to securely store the personal information it collects and creates. As part of this, the Law Society has an internal data security policy. Under the Law Society’s policy, personal information is only accessible to authorised staff and is protected by appropriate security measures. Those security measures include limits on access to electronic databases where personal information is stored and ‘password protection’ where appropriate.
Information must only be held by the Law Society as long as the information is needed. Personal information no longer required to be held will be securely destroyed by the Law Society.
Under the Privacy Act a person has the right to request access to their personal information (IPPs 6 & 7). There are limited grounds upon which the Law Society may refuse to disclose personal information. These include situations where the provision of information would prejudice the maintenance of the law (including the prevention, investigation and detection of offences); breach legal professional privilege; where the information is evaluative and was provided in confidence; and where disclosure would lead to the unwarranted disclosure of the affairs of another person or endanger the safety of any individual (see ss 49-53 of the Privacy Act).
If a person believes their personal information is inaccurate then they may request that the material be corrected by the Law Society. If a decision is made not to correct the information then the person’s request must be attached to all available copies of the information.
When the Law Society receives a request for access to or correction of personal information it is referred to the Privacy Officer. The Law Society aims to respond to such requests as soon as possible. The requester will be advised of any extension of time required to respond to the request. The Law Society will ask for clarification if any part of the request is unclear.
The Privacy Act requires that a response to any request be provided as soon as reasonably practicable and within 20 working days after the day on which the request is received, but an extension of time may be made if appropriate (see s 65 of the Privacy Act). The requester must be advised of the reason for the extension, its length and their right to complain to the Privacy Commissioner about the extension.
If a request is made to the Law Society for personal information held by another agency, the Law Society must transfer the request to that agency within 10 working days and advise the requester.
Once a request has been considered, the Law Society will advise if any information is to be withheld and provide the reasons for withholding any information.
If a person is dissatisfied with the Law Society’s response then they may contact the Privacy Commissioner.
There is a flowchart illustrating the process for responding to a request for access, disclosure or correction of personal information in the PDF of the Information Handling Policy.
The Law Society is committed to maintaining best privacy practice through:
Inadvertent privacy breaches may happen despite good processes and the best of intentions.
Where a potential breach is identified it is important to act quickly and openly.
As soon as a breach is detected, the Law Society personnel are required to advise their Manager and notify the Privacy Officer. The Privacy Officer will work with staff to address any privacy concerns, following the Privacy Commissioner’s guidelines for dealing with privacy breaches available at www.privacy.org.nz.
If you have any questions about this policy or the Law Society’s information handling obligations under the Privacy Act and the LCA, please contact the Privacy Officer – privacy@lawsociety.org.nz.