Current as at 17 February 2015
TANZ Ltd provides services through its TANZ eCampus operations. The services include delivery of courses for Institutes of Technology and Polytechnics (ITPs) via a delivery platform with a surrounding community, and may include the provision of other services such as student support, course design and development and professional development.
People participating in the TANZ eCampus Community (staff, students and others) may be employed by or enrolled in a range of institutions and are subject to Privacy Legislation and the policies of their institution.
The purpose of this policy is to ensure a learning environment for all users that respects all community participants and their right to Privacy (under the Privacy Act).
1.2 Scope and Application
- This policy applies to all users of the TANZ Ltd TANZ eCampus website and participants in the TANZ eCampus community.
- This policy applies to all personal information collected and/or held by TANZ eCampus about any person, any person using the TANZ eCampus website and, in particular about people registered as students or employed as staff.
1.3 Formal Delegations
TANZ eCampus designated Privacy Officer can assist with interpretation or clarification of this policy and is authorised to make or approve exceptions to the policy.
- Evaluative Opinion: Material compiled for the purpose of determining the suitability, eligibility, or qualifications of an individual for employment, appointment to office, promotion, continuance in office, removal from employment or office, or the awarding, continuing, modifying, or cancelling of contracts, awards, scholarships, honours, or other benefits.
- Information Privacy Principles (IPPs): The Privacy Act sets out the twelve Information Privacy Principles (IPPs) which form the basis on which all issues of the privacy of personal information are determined. Everyone who has access to the personal information TANZ collects and/or holds must understand and comply with these basic principles. The twelve IPPs are summarised in Appendix 1 to this policy.
- Personal Information: Any information about an identifiable individual (an individual is ‘a natural person other than a deceased natural person’). Personal information includes records of attendance and student marks, assessments, grades, and results. At TANZ personal information does NOT include a person’s name nor the fact that she or he is or is not currently registered with TANZ.
- Privacy Act: The Privacy Act 1993 #28 17 May 1993 which came into force on 1 July 1993 and its subsequent amendments. S2 of the Act lists definitions and s6 sets down the Information Privacy Principles.
- Privacy Officer: The person identified by the Institute as the Privacy Officer as required by s23 of the Privacy Act. The responsibilities are set out in the same section.
|Related Procedures(indicate if attached to policy or where they can be found)
TANZ eCampus Community Conduct Policy
|Related Legislation or Other Documentation
Privacy Act 1993
|Good Practice Guidelines(indicate if attached to policy or where they can be found)|
A template for an Authority to Disclose Specified Personal Information is available from the Privacy Officer
- TANZ eCampus complies with the Privacy Act 1993 and its subsequent amendments.
- TANZ eCampus will maintain confidentiality on a need to know basis at all times.
- TANZ eCampus provides education-related services to Tertiary Education Organisations (TEOs). Personal information required for service provision provided to either the enrolling TEO or directly to TANZ ecampus will be collected and used for the purpose for which it has been provided.
- TANZ eCampus will manage any complaints of interference with privacy fairly, swiftly and effectively in accordance with the relevant current legislation and TANZ eCampus policies.
- The Privacy Act 1993 sets out twelve Information Privacy Principles (IPPs) which form the basis on which all issues of the privacy of personal information are determined. Everyone who has access to the personal information TANZ eCampus collects and/or holds must understand and comply with these basic principles.
The Information Privacy Principles (IPPS)
Principle One: Purpose of collection of personal information
TANZ eCampus can only collect personal information which is for a lawful purpose and necessary for us to carry out our functions and activities.
Principle Two: Source of personal information
The personal information must be collected directly from the individual concerned unless that is not reasonably practicable.
Principle Three: Collection of information from subject
The individual must be made aware of the following points:
- the information is being collected
- the purpose for which the information is being collected
- the intended recipients of the information
- the name and address of the agencies collecting and holding the information
- the particular law, if any, authorising the collection
- whether supplying the information is voluntary or mandatory
- the consequence of not supplying the information
- the rights of access to and correction of the information held
Principle Four: Manner of collection of personal information
Information must not be collected by unlawful or unfair or intrusive means.
Principle Five: Storage and security of personal information
TANZ eCampus must ensure that there are security safeguards to protect personal information from loss and unauthorised access, use, modification, or disclosure.
Principle Six: Access to personal information
The individual concerned is entitled to know whether or not TANZ eCampus holds personal information about her/him, and, if it does, to have access to the personal information.
Principle Seven: Correction of personal information
The individual concerned is entitled to request correction of information and, if a correction is not made, to have a note attached to the information.
Principle Eight: Accuracy etc of personal information to be checked before use
TANZ eCampus must take reasonable steps to ensure that the information it is using is accurate, up to date, complete, relevant, and not misleading.
Principle Nine: Agency not to keep personal information for longer than necessary
Personal information must not be kept longer than is required for its proper purpose.
Principle Ten: Limits on use of personal information
TANZ eCampus can only use information for the original purpose unless the new use is authorised by the individual concerned.
Principle Eleven: Limits on disclosure of personal information
TANZ eCampus must not disclose personal information to a third party except in strictly limited circumstances. It is not necessary to comply with IPP11 if:
- disclosure is one of the stated purposes for which the information was collected
- the individual concerned authorises disclosure
- the information is already publicly available
- the information is anonymous or will only be used for statistical purposes
- the collection/disclosure is required by a particular law
- the information is needed for certain legal purposes including prevention, detection, investigation, prosecution, and punishment of offences or the conduct of proceedings before any court or tribunal
- disclosure is necessary to prevent or lessen a serious and imminent threat to public health or safety, or the life or health of an individual
- disclosure is necessary as part of the sale of a business
Principle Twelve: Unique identifiers
A “unique identifier” which has been assigned by another agency will not be used.*
*Note that unique identifiers such as student ID numbers and NSIs may be used for specific purposes around delivering educational offerings and services to registered students.
Confirmation of Enrolment or Employment
The fact that a named individual is registered as a student (or not or no longer registered) or employed as a staff member (or not employed or no longer employed) at TANZ eCampus can be disclosed to third parties. No other personal information can be disclosed except as allowed by the IPPs.
There are sensible, carefully defined exceptions to almost every principle. The IPPs do not apply where the personal information is collected or held by an individual solely in connection with that individual’s personal, family, or household affairs. There is special provision to cover “evaluative material” such as references.
Any person may make an oral or written complaint to the TANZ eCampus Privacy Officer or their or employing ITP. Any person may also make a complaint to the Privacy Commissioner or an Ombudsman if she/he believes there has been a breach (“an interference”) of any of the IPPs.
Rules of Thumb
Know and comply with the particular requirements of your position/function.
Know and comply with the Twelve Information Privacy Principles.
- Don’t pry
- Don’t gossip
- Don’t hide behind the Privacy Act
- If in doubt, check it out.
3 Associated procedures for the TANZ Ltd TANZ eCampus policy on: Privacy
3.1 Application of and Exceptions to the Information Privacy Principles
The twelve Information Privacy Principles (IPPs) form the basis of all decisions on privacy and the handling of personal information. Everyone who has access to the personal information TANZ eCampus collects and/or holds must understand and comply with these basic principles.
There are sensible (and carefully defined) exceptions to almost every Principle. There may be no need to comply with the principles on use and disclosure if, for example, TANZ eCampus has stated clearly that the information will be disclosed, or the individual concerned authorises disclosure, or the information is already publicly available, or the information is only in statistical form, or the collection and/or disclosure of the information is required by a particular law.
Nevertheless, the starting point is to apply the principles in full and then decide on, justify, and record the reasons for not complying with any of them.
TANZ eCampus management and administration (and in particular the Privacy Officer) are responsible for ensuring that all the principles are complied with or that there is good reason for not complying.
If in doubt about an issue involving the privacy of personal information about a student or staff member, consult the Privacy Officer.
3.2 TANZ eCampus Compliance
All TANZ eCampus information, forms, systems, and processes which seek, record, or hold personal information must comply with the Information Privacy Principles, especially IPP 3.
3.2.1 TANZ eCampus provides education-related services to Tertiary Education Organisations (TEOs). Personal information required for service provision provided to either the enrolling TEO or directly to TANZ eCampus will be collected and used for the purpose for which it has been provided.
3.3 Disclosure of Personal Information re Students or Staff to Third Parties
The Fact of Enrolment or Employment
The simple fact that a named individual is registered as a student (or not or no longer registered) or employed as a staff member (or not employed or no longer employed) can be disclosed in response to any enquiry. No special authority is required to make this simple disclosure to a third party but all other personal information is protected.
Requests from Agencies Named on Forms
Some requests for personal information about students are covered by the statements on application, registration, and related forms. Providing the request comes from one of the specified bodies, is in writing, and is clearly related to the purpose for which the information was collected and is held, the information can be disclosed.
Requests from Other Agencies
Enquiries from other agencies normally come with a clear statement that the individual has authorised the request or a clear reference to the enquirer’s statutory right to the information.
If an enquiry of this sort is made verbally (in person or by phone), the enquiry should be accepted but NOT answered immediately. The name, designation or rank, and contact phone number of the enquirer should be taken and the details of the request and the reference or reason carefully noted. The information can then be researched and further advice sought from the Privacy Officer.
Requests for Addresses or Other Means of Contact
Many requests are from parents, relatives, and friends wanting to get in touch with students. Addresses and other contact details should NOT be disclosed except in emergencies. Not all such requests are innocent or well-intentioned; some students have good reason for keeping their contact details private.
General, non-urgent enquiries should be politely declined with a brief explanation that TANZ eCampus policy protects the information requested from casual disclosure.
Specific but non-urgent enquiries from parents, relatives, or friends may be handled by offering to deliver a message asking the student or staff member to contact the enquirer. This is not compulsory and depends on the circumstances. If the offer is made, the procedure is to carefully note the enquirer’s name, a contact phone number or address, and an indication of when the enquirer can be contacted.
The enquirer should be told that it might not be easy or quick to contact the student or staff member and that no guarantee of delivery can be given.
The message should then be conveyed to the student as directly and quickly as possible either in person or in writing.
Delivery of genuine emergency, ‘life and death’ messages should be arranged as quickly and calmly as possible through a senior member of staff (for example, the Privacy Officer, Director or Manager).
Requests from Parents and Employers for Progress Reports
Parents or employers often seek reports about their child’s or employee’s attendance or progress. Parents and employers have no special right to a child’s or employee’s personal information even if they paid the fees or allowed time off.
In keeping with IPP2 and to reduce administrative work, every effort should be made to persuade parents and children and employers and employees to deal directly with each other. If that is not possible, the student’s authorisation can be sought either by the parent/employer or by TANZ eCampus. A template is available from the Privacy Officer.
Other Requests from Third Parties
Except for the information referred to in 2.3, all other requests should be politely declined or referred to the Privacy Officer.
3.4 Public Display of Student Assessment Results
Student attendance records and marks, assessments, grades, and results are personal information. Care must be taken to communicate them only to the individual concerned unless there is explicit written authority to disclose them to an agent (see 2.9 below). It is a breach of the Information Privacy Principles if such information is displayed, announced, or published whether on paper or by electronic medium in a format which includes a student’s name or any other identifier which could reasonably be expected to be ‘readable’ by a third party.
There are circumstances where individual private notification of results would be administratively very demanding and would cause delays which could disadvantage or inconvenience individual students. In such circumstances, it is permissible to display or announce or publish students’ marks, assessments, grades, or results publicly providing that:
- No names or other easily readable/decipherable/identifiable references or codes are used; AND
- A private student PIN number or other private code is used (for example, the last six digits of the student ID number); AND
- The order of the results is “shuffled” before publication so that they do not appear in what would be alphabetical order.
Such a display, announcement, or publication would meet the requirements of IPP5 and would not breach IPP11. Questions about this limited and controlled exception to our standard procedures should be directed to the Privacy Officer.
In order to meet internal and external academic quality assurance requirements, student assignments, tests, and examination results may be used for the purposes of:
- Internal and external moderation
- Monitoring and audit
- Programme review
- Aegrotat decisions
- Resolution of academic appeals and complaints
Assessment materials used for these purposes will have any information which could reasonably be expected to identify the individual removed before they are copied and used unless the identity of the student is required for the purpose undertaken.
3.6 Internal and External Audit
From time to time internally and externally appointed auditors select staff appraisal documents, professional development records, student records or other details for inspection to ensure that TANZ eCampus is meeting the expected standards. Similarly, Audit New Zealand may need to verify payroll and other financial transactions.
Documents selected will be made available to the Auditors on a confidential basis for the restricted purpose of academic or financial auditing by properly authorised auditors.
3.7 References and Evaluative Opinion
References and similar reports and recommendations (including those related to staff promotion/re-grading) are one form of ‘evaluative opinion’. If the reference or similar report or recommendation has been sought with an explicit or implicit promise that it will be kept confidential, it is protected from disclosure to the individual concerned. This is discretionary, that is, the person who provided the reference can agree to it being disclosed to the individual concerned.
3.8 Police Requests
The Information Privacy Principles apply to requests from the Police and, in some cases, complex issues under the Bill of Rights Act 1990 ss 5, 21, and 22 may be involved.
Most Police requests are answered because one of the exceptions to IPP11 allows non-compliance when an offence is being prevented, detected, investigated, prosecuted, or punished.
TANZ eCampus also cooperates when the Police ask to contact a student or staff member. However, the following in-house rules apply:
- No police officer is to interview a student in a teaching situation.
A person seeking personal information may appoint an agent to discuss or action a request. The agent must have the written authority of the individual concerned. The authority must be reasonably specific as to the personal information concerned and what rights the agent has been authorised to exercise.
In the event of alleged breaches of this policy please refer to the TANZ eCampus Terms of Service for all users (including Professional responsibilities for staff and student rights and responsibilities). Infringements will be dealt with under this policy.