Privacy guide for suppliers and service providers

Waka Kotahi NZ Transport Agency deals with the personal information of a large number of people and engages with a wide range of people and organisations who may handle personal information on its behalf.

Managing personal information appropriately is important to us and to the people whose personal information we hold. As an organisation that handles personal information on our behalf, we expect that you will also manage personal information appropriately and that if any issues arise (such as unauthorised access to or disclosure of personal information, whether accidental or deliberate), you will work with us to resolve them.

What is personal information?

Personal information is information about an identifiable individual. Any information which tells us something about a specific individual is personal information. The information does not need to name the individual, as long as they are identifiable in other ways, like through their home address.

Personal information is not limited to information about an individual’s private or family life. It can include information about an individual’s business or work activities. Personal information can range from sensitive and confidential information to information that is publicly available. At Waka Kotahi, we also generally treat motor vehicle registration plate numbers as personal information.

Your obligations under the Privacy Act

All organisations have obligations to comply with the Information Privacy Principles set out in the Privacy Act (the Act). The Act covers the life-cycle of personal information and requires all organisations to have a Privacy Officer to oversee their compliance with the Act and to investigate any privacy complaints they may receive.

What we expect of you as our supplier/service provider

If you’re working with us, you have responsibilities when handling our customers’ information. In particular, we expect you to have the following in place:

  • privacy policies that cover the life-cycle of personal information;
  • a privacy incident management process that involves notifying us when you discover a privacy incident, whether that be a privacy breach or near-miss;
  • training programmes to ensure that staff who handle personal information are aware of the Information Privacy Principles and privacy policies and processes;
  • processes to proactively identify and monitor privacy risks and report on these;
  • processes to ensure that personal information is appropriately protected, i.e. by only giving access to personal information to the staff who need it in the course of their duties. This extends to managing the access rights when staff change roles or cease employment, or when systems change.

Managing and responding to privacy incidents

Privacy incidents can happen through complacency, inadequate security, poor procedures or by accident. Privacy incidents are often simple mistakes that only take a second to make but result in damage that can be serious and long-lasting. Proper incident management is critical, as it can help to minimise the harm to the individuals affected, your organisation, and Waka Kotahi.

What is a privacy incident?

We classify privacy incidents into two types:

  • privacy breaches, and
  • near-misses.

A privacy breach is an incident where personal information is accessed by an unauthorised person, or is collected, used or disclosed without authorisation (for example, where personal information is used or disclosed for a different purpose to that for which it’s been collected, or a person not authorised to see that information accesses it). Failure to store personal information securely is also a privacy breach.

A near-miss is an incident that had the potential to become a privacy breach but was prevented before it could happen.

What should you do if you discover a privacy incident?

If you or any of your staff identify a privacy breach or near-miss resulting from your mis-management or mis-handling of personal information on Waka Kotahi’s behalf, you must immediately notify your Waka Kotahi contract or relationship manager. Together we will work to assess the incident and identify the best actions necessary to manage it appropriately and minimise the harm to the individual concerned.

More information

The Office of the Privacy Commissioner has comprehensive guidance and training on its website for agencies and organisations that deal with personal information. Some useful links are provided below.

Privacy for agencies – your obligations
Protecting personal information – the PADLOCK card
Data safety toolkit
Online privacy training (free)

If you would like to talk to someone at Waka Kotahi, please get in touch with your contract or relationship manager.