Contractor privacy

1. Introduction

This privacy statement is about the personal information the University of Auckland collects and processes about contractors and suppliers. If you are an employee of the University, read more about how we use your personal information in Employee Privacy.

We are the data controller, which means that we determine the purposes for, and ways in which, we collect and use personal information. We also use third party data processors. We explain more about this below.

2. Personal information we collect about contractors and suppliers

When you are engaged to provide us with contracted services, we collect information from you directly, we collect information from third parties, and information will be generated during your engagement. If we engage you as a limited liability company, then some of this information will not be personal information. In all cases, some information we collect – such as vetting checks, CCTV footage or health information – will be personal information about you or your employees.

We need to collect this information in order to meet our contractual obligations to you as a contractor, to meet our legal obligations in respect of health and safety, and to meet our legitimate interests.

2.1 Information we collect from you directly

The personal information we collect from you directly may include:

  • identity and contact information, including your name, address, email and phone number
  • health information, including information about any disabilities or other conditions that might impact on your engagement or on our workplace health and safety obligations
  • details of and evidence that you hold any qualifications and/or professional registrations, licences, memberships or other permits required for your engagement
  • your driver licence number, where this is relevant to your engagement
  • financial information, including your tax number and any bank account numbers you provide to us
  • emergency contact information, and
  • your experience and work history and other information you provide to us in your CV or during an interview with you.

2.2 Information we collect from third parties

The personal information we may collect from others with your consent will include:

  • criminal conviction information, or Police vetting information, where this is relevant to your engagement, such as where it is required under the Children’s Act or the Education and Training Act
  • information from your referees
  • information from any professional organisations or licensing or registration authorities that you are a member of or licensed or registered with
  • information related to anti-money laundering, including a credit check where this is relevant to your engagement, and
  • information from your employer that is relevant to your engagement.

2.3 Information generated during your engagement

The personal information that may be generated during your engagement will include:

  • your photograph, if required for your engagement
  • payment information
  • information about your terms of engagement
  • information about your induction activities and status
  • information about the activities you undertake for us as part of your engagement, and
  • information generated as you undertake your engagement activities (addressed in more detail below).

2.4 Information generated by your engagement activities

At times, and depending on the nature of your engagement, you will generate personal information as you undertake your engagement activities. It may not always be apparent to you that this information is being generated or collected.

Email, internet and system use

We may monitor email, internet and system use to ensure that contractors adhere to the requirements of our IT and security related suite of policies. There should be no expectation of privacy in respect of the use of University devices or systems. Any information relating to your personal affairs is stored, shared or discussed using University devices or systems at your own risk.

Location information

You may be required to use technology that is capable of generating location information, such as site safety applications, mobile phones, tablets and laptops, and company vehicles. We collect and use location information for the purposes of ensuring your health and safety or investigating incidents, particularly while you are working on our sites.

Information relating to safety, security and sustainability of University campuses

Where CCTV cameras are in use at a University campus, we may collect still or video footage of your activities for safety and security purposes. We will normally let you know if CCTV cameras are in use at a campus. Where we require the use of access cards for entry to a University building, we will collect information about your use of this access card for safety and security purposes.

Information about your use of University websites

We collect and process personal information about users of our websites and web-based services for the primary purposes of delivering any services or functionality requested by users and for improving the online experience for our users. We also collect personal information when you use our wi-fi network. For more information about this read Privacy at the University of Auckland.

3. How we process personal information about contractors

Our lawful bases for processing personal information about contractors are to meet our contractual obligations to you as a contractor, to meet our legal obligations in respect of health and safety, and to meet our legitimate interests.

3.1 How we use your information

We will use your personal information in the ways set out below. Where we need to use information in a way we have not anticipated here, we will only do so if required or permitted by law.

We may use your personal information to:

  • process your invoices
  • correspond with you
  • administer your engagement with us
  • provide associated services such as security, parking and information technology
  • ensure the health and safety of you and any other person, and assist you in the event of an emergency
  • manage risks to the University's integrity as a tertiary institution, including relating to fraud and the commission of criminal offences
  • complete vetting procedures such as safety checks under the Children’s Act and Police vet and risk assessments under the Education and Training Act, and
  • comply with legislative reporting and recordkeeping requirements and our obligations under the Official Information Act.

3.2 How we share your information

In order to meet the purposes set out above, we may need to share your personal information, both internally and externally. We’ll only share your information when, and to the extent, it is necessary to achieve our purposes. Where we need to share information in a way we have not anticipated here, we will only do so if required or permitted by law.

We may share your personal information with:

  • the University’s professional staff, for the purposes of compiling and generating internal and external management information
  • the staff member you report to as part of your engagement
  • contracted service providers which the University uses to perform services on its behalf (such as recruitment and course administration, banking, mailing house services, logistics and IT service providers), within and outside New Zealand (see more below)
  • University owned or related entities, such as Auckland UniServices Limited and UoA Foundations, where you may use the services they provide
  • the University's legal advisers or other professional advisers, auditors and consultants engaged by the University
  • the University’s insurers
  • government agencies, such as the Inland Revenue Department, the Accident Compensation Corporation, and WorkSafe New Zealand
  • your nominated financial institution for payment of your invoices
  • your employer where required for the purposes of your engagement, or to meet our legitimate interests, and
  • in the event of an emergency, police, medical or hospital personnel, civil emergency services, your legal representative or nominated emergency contact person, or any other person assessed as necessary to respond to the emergency.

If we need to share your information with a third party that is overseas, we will ensure that this complies with principle 12 of the Privacy Act. If the third party is not located in a country that has comparable privacy laws to ours, we will require them to agree to protect your information to New Zealand standards.

4. How we store and protect personal information

4.1 Storage and retention

We may use third-party service providers to store your personal information and provide us with services. This means that we may transfer personal information to, or access it from, countries other than New Zealand.

We recognise that we are accountable for your personal information wherever it is in the world. Where we can, we will send personal information only to countries that have adequate privacy laws in place (such as New Zealand, Australia or the EU). However, where we cannot do this, we take reasonable steps to ensure that any third-party service providers we use can meet our privacy and security expectations.

We retain your personal information only for as long as we need it to perform our contractual obligations or meet our legitimate interests, or to comply with our legal obligations, including the requirement to retain information in accordance with the Tax Administration Act and Public Records Act.

4.2 Security

Wherever your personal information is stored, we take reasonable steps to ensure that it is protected against loss or unauthorised access, modification, use or disclosure. For example:

  • University systems are protected by firewalls and modern encryption standards
  • University systems are password protected, and access is monitored and audited
  • Credit card details for recurring payments or donations are stored in a secure, encrypted format within a PCI compliant system
  • All employees are required to adhere to the University’s IT and Security related suite of policies
  • Access to the personal information we store is limited to those staff members who have a legitimate business requirement to use it
  • We make privacy and information security training available to employees
  • We have a data breach management procedure in place, and
  • Information is backed up regularly, and backups are encrypted and held in secure storage facilities

5. Accessing and controlling your personal information

If you are an individual, or we have collected personal information about you (as distinct from your company), you have some important privacy rights, including the right to know what information we hold about you and the right to correct it.

You can exercise these rights by:

  • Emailing us at privacy@auckland.ac.nz
  • Writing to The Privacy Officer, The University of Auckland, Private Bag 92019, Auckland 1142, New Zealand

Please note that we need to take steps to make sure you are authorised to make requests about personal information, so we may need to verify your identity or authority before responding to your request. Once we’ve verified who you are, we’ll try and respond to your request or query as soon as possible, and no later than 20 working days after we receive it.

5.1 Getting a copy of your information

You have the right to request a copy of your personal information. We’ll be as open as we can with you but sometimes we might need to withhold personal information, for example where the information is legally privileged or includes personal information about other people. If we need to withhold information, we’ll tell you why.

5.2 Correcting your information

If you think any of the personal information we hold about you is wrong, you can ask us to correct it. If we cannot correct your information (for example, where we don’t agree that it’s wrong), we’ll tell you why. You can ask us to attach your correction request to the information as a statement of correction.

5.3 Making a complaint

If you have any concerns about the way we’ve collected or processed your personal information, let us know, so we can try to put the matter right. If we can’t resolve your concerns, you can also make a complaint to the Office of the New Zealand Privacy Commissioner by:

  • Calling us on +64 9 373 7999
  • Completing an online complaint form at www.privacy.org.nz
  • Writing to the Office of the Privacy Commissioner, PO Box 10-094, The Terrace, Wellington 6143, New Zealand