The Privacy Commissioner sometimes receives enquiries from voluntary organisations, clubs and societies (we have called these groups “societies” in this paper). These societies ask us how they can protect their members’ privacy.
Sometimes, we also receive complaints that these organisations have breached privacy.
The most common issues are whether societies can collect information about members, whether they can publish membership lists to members or give them to other people, and whether people have a right to access minutes of meetings.
Does the Privacy Act cover societies?
Yes. The Privacy Act applies to any organisation or individual which falls within the definition of “agency”. “Agency” means:
“any person or body of persons, whether corporate or unincorporate, and whether in the public sector or in the private sector …”
So the Privacy Act does apply to a society – whether or not it has been legally incorporated.
What type of information does the Privacy Act cover?
The Privacy Act only applies to “personal information”. This is information about an identifiable, living human being.
Information doesn’t have to be sensitive or “private” to be personal information. Anything about a person is personal information.
So, personal information commonly includes:
• information about members and former members (for example, name, address and phone number, offices held, awards, skills, references and photographs);
• information about people other than members such as individuals to whom service organisations give assistance.
This information can be held in various forms – in minutes of meetings, newsletters and correspondence, and on membership databases, websites and so on.
There may be times when disclosure is a necessary condition of membership – if so, the society should spell that out clearly.
Use and disclosure
As long as the society has told people what the information will be used for, and whom it may be disclosed to, it will generally be able to use and disclose it in those ways without any problem.
From time to time, the society may wish to use or disclose the information in a different way from the way it anticipated when it collected the information. For example, the society may have a new website, and may wish to put photographs on the site. Where the photograph was taken for the purpose of publication – for example, a team photo – putting it on the internet may still technically be within the purpose for which it was taken. However, it is still best, wherever possible, to check that members are happy with this new use of the information. Not everyone wants their photograph or their name on the internet.
The AGM is a good time to discuss such matters, or it can be raised at other meetings, and mentioned in the newsletter so people have a chance to comment.
Many of our enquiries – and some complaints – relate to using member details to pass on information about other products and services. For example, a bowling club may use contact information for the purpose of a competition draw, but if members do not know that those details are also passed to the life insurance company sponsor, so it can approach them for business, then many members may be annoyed. They may even leave the club, and the club’s reputation may suffer too.
There may be times when a society needs to use or disclose information in ways that it did not anticipate, for example, if there is a criminal investigation or a court case. Check principles 10 and 11. They set out when the society will be able to use and disclose the information – even without the member’s consent.
If membership lists or directories are distributed to members, it is useful to include a notice that the information is to be used only in connection with club membership and may not be used for any other purposes such as direct marketing or for soliciting donations to other organisations.
Clubs and societies should also consider who, within the organisation, will be able to see any of the personal information collected and held by the organisation, for example, membership lists.
All societies want to have accurate information to work with. After all, the information isn’t much use unless it is correct.
Principle 8 requires agencies to take reasonable steps to check that personal information is accurate, up to date, complete, relevant, and not misleading before that information is used.
A common way for a society to ensure that it has accurate information is to use annual subscription notices to encourage members to check their details and send in corrections, updates, or changes of address.
Access to information
Most of our complaints about societies arise because a member has asked the society for information about himself or herself, and the society has ignored the request or has kept some information back.
People have a right to access information about themselves. This includes material like:
• references to the person in minutes of a meeting;
• correspondence that the person has had with the society;
• decisions made about the person;
• details of complaints made about the person;
• material from their personal file, if they work for the society.
Problems particularly seem to arise where a society is investigating complaints about a member, or is disciplining a member. It is important that the society does not make an already difficult situation worse by failing to respond properly to requests by members for access to personal information about themselves.
There are certain circumstances in which a request for access can be refused. For example:
• Individuals can only access information about themselves under the Privacy Act, not information about other people. For example, at a committee meeting decisions may have been made about various members. The requester can only get the information that is about him or her. The society can take information about other people out of the document.
• Sometimes, it may be an unjustified breach of another person’s privacy to provide some of the information.
• In employment situations, confidential references can generally be withheld.
Of course, societies need to be familiar with their own rules and constitution. If members have the right under the rules to see unedited minutes of meetings, then a member who requests access to the minutes should always be able to see them.
Storage and security
Under principle 5, agencies such as societies need to have reasonable security safeguards to prevent unauthorised use or unauthorised disclosure of personal information.
For instance, information about members should be stored carefully. Societies should decide who may access information, and for what purposes. They will need to decide how much of the stored information needs to be made available. For instance, an unlisted telephone number or address may not need to be made available to a volunteer whose only role is to keep a record of meeting attendances.
Societies also need to be careful when disposing of personal information such as old membership lists, old computers or old photocopiers that have stored information on a hard drive. If the society has a lot of personal and other information, it may be worth getting a secure bin from a document destruction service. Otherwise, purchase a small shredder, and shred all personal information before throwing it away.
If a computer is being thrown away, destroy the hard drive. If it is being on-sold, get some advice on how to ensure that no information remains on the hard drive.
Retention of information
Principle 9 requires agencies to keep information only for as long as it is required for its lawful purpose. Some laws state that certain information such as accounts must be kept for a certain period of time. Otherwise the society should consider its purpose in holding the information, and decide when that purpose no longer applies. For instance, a society may not have a lawful purpose in maintaining an individual’s details for a contact list once that individual has left the society.
Every society should have at least one person who is reasonably familiar with personal information handling and privacy – or who is tasked with finding out about it. That person is the “privacy officer”. He or she takes responsibility for knowing how the society needs to handle personal information so that it can do its job while protecting privacy at the same time.
We offer training for privacy officers where we can – call us on 0800 803 909 or check our website at www.privacy.org.nz under “Training and Education”.
How the Privacy Commissioner can help
We have an enquiries service: call 0800 803 909 (or in Auckland, 09 302 8655), or email firstname.lastname@example.org.
While we can’t give specific legal advice on individual problems, we are happy to help by giving general advice, for example, about how the Privacy Act works.
Our website has a lot of information that is useful for all agencies. Check us out at www.privacy.org.nz.
People have a right to complain to the Privacy Commissioner if they believe that a society has breached the Privacy Act. If a person does make a complaint, we encourage the person and the society to think about how their dispute can be resolved. If the society has made a mistake, we may be able to give some advice about how to put things right, and to check that the same mistake won’t happen again.
For more information about our complaints processes, check our website or ask our enquiries team for information. See below to download a PDF version of “Information held by Clubs and Societies”.
This guidance material is designed to provide some assistance with queries raised by the Privacy Act. It is not legal advice. If you require more specific information about the Act, please contact this office or seek legal advice. We welcome comments on this guidance material.
Fact Sheets are also available from the Office of the Privacy Commissioner setting out in full the information privacy principles referred to in this paper.