1 Introduction

1.1 Purpose

TANZ Ltd provides services through its TANZ eCampus operations. The services include delivery of courses for Institutes of Technology and Polytechnics (ITPs) via a delivery platform with a surrounding community, and may include the provision of other services such as student support, course design and development and professional development.

People participating in the TANZ eCampus Community (staff, students and others) may be employed by or enrolled in a range of institutions and are subject to Privacy Legislation and the policies of their institution.

The purpose of this policy is to ensure a learning environment for all users that respects all community participants and their right to Privacy (under the Privacy Act).

1.2 Scope and Application

  • This policy applies to all users of the TANZ Ltd TANZ eCampus website and participants in the TANZ eCampus community.
  • This policy applies to all personal information collected and/or held by TANZ eCampus about any person, any person using the TANZ eCampus website and, in particular about people registered as students or employed as staff.

1.3 Formal Delegations

TANZ eCampus designated Privacy Officer can assist with interpretation or clarification of this policy and is authorised to make or approve exceptions to the policy.

1.4 Definitions

  • Evaluative Opinion: Material compiled for the purpose of determining the suitability, eligibility, or qualifications of an individual for employment, appointment to office, promotion, continuance in office, removal from employment or office, or the awarding, continuing, modifying, or cancelling  of contracts, awards, scholarships, honours, or other benefits.
  • Information Privacy Principles (IPPs): The Privacy Act sets out the twelve  Information Privacy Principles (IPPs) which form the basis on which all issues of the privacy of personal information are determined. Everyone who has access to the personal information  TANZ collects and/or holds must understand and comply with these basic principles.  The twelve IPPs are summarised in Appendix 1 to this policy.
  • Personal Information: Any information about an identifiable individual (an individual is ‘a natural person other than a deceased natural person’). Personal information includes records of attendance and student marks, assessments, grades, and results.  At TANZ personal information does NOT include a person’s name nor the fact that she or he is or is not currently registered with TANZ.
  • Privacy Act: The Privacy Act 1993 #28 17 May 1993 which came into force on 1 July 1993 and its subsequent amendments.  S2 of the Act lists definitions and s6 sets down the Information Privacy Principles.
  • Privacy Officer: The person identified by the Institute as the Privacy Officer as required by s23 of the Privacy Act.  The responsibilities are set out in the same section.

 

Related  Procedures(indicate if attached to policy or where they can be found)

Attached

Related Policies

TANZ eCampus Community Conduct Policy

Related Legislation or Other Documentation

Privacy Act 1993

Good Practice Guidelines(indicate if attached to policy or where they can be found)
References

A template for an Authority to Disclose Specified Personal Information is available from the Privacy Officer

Notes

2 Principles

  • TANZ eCampus complies with the Privacy Act 1993 and its subsequent amendments.
  • TANZ eCampus will maintain confidentiality on a need to know basis at all times.
  • TANZ eCampus provides education-related services to Tertiary Education Organisations (TEOs). Personal information required for service provision provided to either the enrolling TEO or directly to TANZ ecampus will be collected and used for the purpose for which it has been provided.
  • TANZ eCampus will manage any complaints of interference with privacy fairly, swiftly and effectively in accordance with the relevant current legislation and TANZ eCampus policies.
  • The Privacy Act 1993 sets out twelve Information Privacy Principles (IPPs) which form the basis on which all issues of the privacy of personal information are determined. Everyone who has access to the personal information TANZ eCampus collects and/or holds must understand and comply with these basic principles.
The Information Privacy Principles (IPPS)

Principle One: Purpose of collection of personal information

TANZ  eCampus can only collect personal information which is for a lawful purpose and necessary for us to carry out our functions and activities.

Principle Two: Source of personal information

The personal information must be collected directly from the individual concerned unless that is not reasonably practicable.

Principle Three: Collection of information from subject

The individual must be made aware of the following points:

  • the information is being collected
  • the purpose for which the information is being collected
  • the intended recipients of the information
  • the name and address of the agencies collecting and holding the information
  • the particular law, if any, authorising the collection
  • whether supplying the information is voluntary or mandatory
  • the consequence of not supplying the information
  • the rights of access to and correction of the information held

Principle Four: Manner of collection of personal information

Information must not be collected by unlawful or unfair or intrusive means.

Principle Five: Storage and security of personal information

TANZ eCampus must ensure that there are security safeguards to protect personal information from loss and unauthorised access, use, modification, or disclosure.

Principle Six: Access to personal information

The individual concerned is entitled to know whether or not TANZ eCampus holds personal information about her/him, and, if it does, to have access to the personal information.

Principle Seven: Correction of personal information

The individual concerned is entitled to request correction of information and, if a correction is not made, to have a note attached to the information.

Principle Eight: Accuracy etc of personal information to be checked before use

TANZ eCampus must take reasonable steps to ensure that the information it is using is accurate, up to date, complete, relevant, and not misleading.

Principle Nine: Agency not to keep personal information for longer than necessary

Personal information must not be kept longer than is required for its proper purpose.

Principle Ten: Limits on use of personal information

TANZ eCampus can only use information for the original purpose unless the new use is authorised by the individual concerned.

Principle Eleven: Limits on disclosure of personal information

TANZ eCampus must not disclose personal information to a third party except in strictly limited circumstances.  It is not necessary to comply with IPP11 if:

  • disclosure is one of the stated purposes for which the information was collected
  • the individual concerned authorises disclosure
  • the information is already publicly available
  • the information is anonymous or will only be used for statistical purposes
  • the collection/disclosure is required by a particular law
  • the information is needed for certain legal purposes including prevention, detection, investigation, prosecution, and punishment of offences or the conduct of proceedings before any court or tribunal
  • disclosure is necessary to prevent or lessen a serious and imminent threat to public health or safety, or the life or health of an individual
  • disclosure is necessary as part of the sale of a business

Principle Twelve: Unique identifiers

A “unique identifier” which has been assigned by another agency will not be used.*

*Note that unique identifiers such as student ID numbers and NSIs may be used for specific purposes around delivering educational offerings and services to registered students.

Confirmation of Enrolment or Employment

The fact that a named individual is registered as a student (or not or no longer registered) or employed as a staff member (or not employed or no longer employed) at TANZ eCampus can be disclosed to third parties.  No other personal information can be disclosed except as allowed by the IPPs.

Exceptions

There are sensible, carefully defined exceptions to almost every principle.  The IPPs do not apply where the personal information is collected or held by an individual solely in connection with that individual’s personal, family, or household affairs.  There is special provision to cover “evaluative material” such as references.

Complaints

Any person may make an oral or written complaint to the TANZ eCampus Privacy Officer or their or employing ITP.  Any person may also make a complaint to the Privacy Commissioner or an Ombudsman if she/he believes there has been a breach (“an interference”) of any of the IPPs.

Rules of Thumb

Know and comply with the particular requirements of your position/function.

Know and comply with the Twelve Information Privacy Principles.

  • Don’t pry
  • Don’t gossip
  • Don’t hide behind the Privacy Act
  • If in doubt, check it out.

3 Associated procedures for the TANZ Ltd TANZ eCampus policy on: Privacy

3.1 Application of and Exceptions to the Information Privacy Principles

The twelve Information Privacy Principles (IPPs) form the basis of all decisions on privacy and the handling of personal information.  Everyone who has access to the personal information TANZ eCampus collects and/or holds must understand and comply with these basic principles.

There are sensible (and carefully defined) exceptions to almost every Principle.  There may be no need to comply with the principles on use and disclosure if, for example, TANZ eCampus has stated clearly that the information will be disclosed, or the individual concerned authorises disclosure, or the information is already publicly available, or the information is only in statistical form, or the collection and/or disclosure of the information is required by a particular law.

Nevertheless, the starting point is to apply the principles in full and then decide on, justify, and record the reasons for not complying with any of them.

TANZ eCampus management and administration (and in particular the Privacy Officer) are responsible for ensuring that all the principles are complied with or that there is good reason for not complying.

If in doubt about an issue involving the privacy of personal information about a student or staff member, consult the Privacy Officer.

3.2 TANZ eCampus Compliance

All TANZ eCampus information, forms, systems, and processes which seek, record, or hold personal information must comply with the Information Privacy Principles, especially IPP 3.

3.2.1 TANZ eCampus provides education-related services to Tertiary Education Organisations (TEOs). Personal information required for service provision provided to either the enrolling TEO or directly to TANZ eCampus will be collected and used for the purpose for which it has been provided.

3.2.2 Website, online and other communication

We do collect personal information that you choose to give to us via our websites or by other means such as:

  • phone enquiries and registrations
  • emails, feedback and comments
  • emailing an enquiry to us
  • adding a comment to our blog
  • registering for courses, events, online listings and programmes
  • subscribing to our news feeds
  • subscribing to our newsletter
  • promotional offers, contest and competitions
  • commercial transactions including purchases and other services

We use such personal information for the purpose for which you have provided it. Personal information provided through our websites will be held by the TANZ eCampus.

If you lodge a complaint, make a comment, or give feedback through the site, we collect your email address and sometimes other contact details. We may use your email address to respond to you.

Use and disclosure

We will use personal information that you provide to us through this site for the purposes for which you supplied it or, in exceptional situations, for other reasons permitted under the Privacy Act 1993.

We may use your personal information for the purposes of administering and improving the site, improving our services or communicating with site users.

We generally do not share your personal information with others unless this is necessary for the purpose for which you gave us the information (for instance to investigate a complaint). Occasionally the law may require us to disclose it (for instance to investigate a criminal offence), or there may be safety reasons for disclosing it.

The personal information you provide to us may be shared with third-party contractors to the extent necessary for them to administer and improve the website on our behalf.

Website analytics

We analyse non-identifiable web traffic data to improve our services. We own the data that is generated and it will not be shared with any other party for any other purpose.

We may collect, hold, and use statistical information about visits to help us improve the site, for instance:

  • Your IP address
  • The search terms you used
  • The pages accessed on our site and the links you clicked on
  • The date and time you visited the site
  • The referring site (if any) through which you clicked through to this site
  • Your operating system (eg Windows XP, Mac OS X)
  • The type of web browser you use (eg Internet Explorer, Mozilla Firefox)

The data collected is aggregated and is not personally identifiable. IP addresses are masked so that they cannot be used to identify individuals. Our web analytics will also respect any “do not track” setting you might have set on your browser.

Use of cookies

We use cookies on our site where they are required for particular features to work. We also use tracking cookies to track and analyse non-personally identifiable data about our website usage.

You can choose to opt out of our tracking cookies without affecting your ability to use the site although this may prevent you from taking full advantage of the site.

Links to social networking services

We use social networking services such as Twitter, Facebook, LinkedIn and YouTube to communicate with the public about our work, services, programmes and courses. When you communicate with us using these services, the social networking service may collect your personal information for its own purposes.

These services may track your use of our website on those pages where their links are displayed. If you are logged in to those services (including any Google service) while using our site, their tracking will be associated with your profile with them.

These services have their own privacy policies which are independent of ours.

3.3 Disclosure of Personal Information re Students or Staff to Third Parties

The Fact of Enrolment or Employment

The simple fact that a named individual is registered as a student (or not  or no longer registered) or employed as a staff member (or not employed or no longer employed) can be disclosed in response to any enquiry.  No special authority is required to make this simple disclosure to a third party but all other personal information is protected.

Requests from Agencies Named on Forms

Some requests for personal information about students are covered by the statements on application, registration, and related forms.  Providing the request comes from one of the specified bodies, is in writing, and is clearly related to the purpose for which the information was collected and is held, the information can be disclosed.

Requests from Other Agencies

Enquiries from other agencies normally come with a clear statement that the individual has authorised the request or a clear reference to the enquirer’s statutory right to the information.

If an enquiry of this sort is made verbally (in person or by phone), the enquiry should be accepted but NOT answered immediately.  The name, designation or rank, and contact phone number of the enquirer should be taken and the details of the request and the reference or reason carefully noted. The information can then be researched and further advice sought from the Privacy Officer.

Requests for Addresses or Other Means of Contact

Many requests are from parents, relatives, and friends wanting to get in touch with students.  Addresses and other contact details should NOT be disclosed except in emergencies.  Not all such requests are innocent or well-intentioned; some students have good reason for keeping their contact details private.

General, non-urgent enquiries should be politely declined with a brief explanation that TANZ eCampus policy protects the information requested from casual disclosure.

Specific but non-urgent enquiries from parents, relatives, or friends may be handled by offering to deliver a message asking the student or staff member to contact the enquirer. This is not compulsory and depends on the circumstances. If the offer is made, the procedure is to carefully note the enquirer’s name, a contact phone number or address, and an indication of when the enquirer can be contacted.

The enquirer should be told that it might not be easy or quick to contact the student or staff member and that no guarantee of delivery can be given.

The message should then be conveyed to the student as directly and quickly as possible either in person or in writing.

Emergency Messages

Delivery of genuine emergency, ‘life and death’ messages should be arranged as quickly and calmly as possible through a senior member of staff (for example, the Privacy Officer, Director or Manager).

Requests from Parents and Employers for Progress Reports

Parents or employers often seek reports about their child’s or employee’s attendance or progress.  Parents and employers have no special right to a child’s or employee’s personal information even if they paid the fees or allowed time off.

In keeping with IPP2 and to reduce administrative work, every effort should be made to persuade parents and children and employers and employees to deal directly with each other.   If that is not possible, the student’s authorisation can be sought either by the parent/employer or by TANZ eCampus.  A template is available from the Privacy Officer.

Other Requests from Third Parties

Except for the information referred to in 2.3, all other requests should be politely declined or referred to the Privacy Officer.

3.4 Public Display of Student Assessment Results

Student attendance records and marks, assessments, grades, and results are personal information.  Care must be taken to communicate them only to the individual concerned unless there is explicit written authority to disclose them to an agent (see 2.9 below).  It is a breach of the Information Privacy Principles if such information is displayed, announced, or published whether on paper or by electronic medium in a format which includes a student’s name or any other identifier which could reasonably be expected to be ‘readable’ by a third party.

There are circumstances where individual private notification of results would be administratively very demanding and would cause delays which could disadvantage or inconvenience individual students.  In such circumstances, it is permissible to display or announce or publish students’ marks, assessments, grades, or results publicly providing that:

  • No names or other easily readable/decipherable/identifiable references or codes are used; AND
  • A private student PIN number or other private code is used (for example, the last six digits of the student ID number); AND
  • The order of the results is “shuffled” before publication so that they do not appear in what would be alphabetical order.

Such a display, announcement, or publication would meet the requirements of IPP5 and would not breach IPP11.  Questions about this limited and controlled exception to our standard procedures should be directed to the Privacy Officer.

3.5 Moderation

In order to meet internal and external academic quality assurance requirements, student assignments, tests, and examination results may be used for the purposes of:

  • Internal and external moderation
  • Monitoring and audit
  • Programme review
  • Aegrotat decisions
  • Resolution of academic appeals and complaints

Assessment materials used for these purposes will have any information which could reasonably be expected to identify the individual removed before they are copied and used unless the identity of the student is required for the purpose undertaken.

3.6 Internal and External Audit

From time to time internally and externally appointed auditors select staff appraisal documents, professional development records, student records or other details for inspection to ensure that TANZ eCampus is meeting the expected standards.   Similarly, Audit New Zealand may need to verify payroll and other financial transactions.

Documents selected will be made available to the Auditors on a confidential basis for the restricted purpose of academic or financial auditing by properly authorised auditors.

3.7 References and Evaluative Opinion

References and similar reports and recommendations (including those related to staff promotion/re-grading) are one form of ‘evaluative opinion’.   If the reference or similar report or recommendation has been sought with an explicit or implicit promise that it will be kept confidential, it is protected from disclosure to the individual concerned.   This is discretionary, that is, the person who provided the reference can agree to it being disclosed to the individual concerned.

3.8 Police Requests

The Information Privacy Principles apply to requests from the Police and, in some cases, complex issues under the Bill of Rights Act 1990 ss 5, 21, and 22 may be involved.

Most Police requests are answered because one of the exceptions to IPP11 allows non-compliance when an offence is being prevented, detected, investigated, prosecuted, or punished.

TANZ eCampus also cooperates when the Police ask to contact a student or staff member.  However, the following in-house rules apply:

  • No police officer is to interview a student in a teaching situation.

3.9 Agents

A person seeking personal information may appoint an agent to discuss or action a request.  The agent must have the written authority of the individual concerned.  The authority must be reasonably specific as to the personal information concerned and what rights the agent has been authorised to exercise.

3.10 Compliance

In the event of alleged breaches of this policy please refer to the TANZ eCampus Terms of Service for all users (including Professional responsibilities for staff and student rights and responsibilities).  Infringements will be dealt with under this policy.