Employee privacy
1. Introduction
We employ over 5,400 academic and professional staff to support over 41,000 students making us one of New Zealand’s largest employers.
It is our intention to create an environment in which highly talented people can flourish. We know that our people will not flourish if they do not trust us to treat their personal information with care and respect. This privacy statement explains what information we collect about our prospective and current employees and how we process it. If you are a contractor of the University, read more about how we use your personal information in our Contractor Privacy Statement.
People from all over the world come to New Zealand to work, research or learn with us, and so we collect and process personal information about people from many countries. For this reason, we have chosen to adhere to a few privacy concepts that underpin all privacy regimes:
- Data minimisation – we will collect and retain only the personal information we really need to meet our lawful purposes
- Transparency – we will always be open with our people about the personal information we collect and how we process it
- Security – we take all reasonable steps to ensure that personal information is protected against loss or unauthorised processing
- Use limitation – we use and share personal information only in the ways we say we will, and only where necessary to meet our lawful purposes as an employer
- Rights focused – we will make sure that our people can exercise their important privacy rights, including to access and correct their information
This privacy statement is about the practices of the University. We are the data controller, which means that we determine the purposes for, and ways in which, we collect and use personal information. We also use third party data processors. We explain more about this below.
Personal information we collect about our employees
- Information we collect from you directly
- Information we collect from third parties
- Information generated during your employment
How we process personal information about our employees
- Using your information
- Sharing your information
How we store and protect your personal information
- Storage and retention
- Security
Accessing and controlling your personal information
- Getting a copy of your information
- Correcting your information
- Making a complaint
2. Personal information we collect about our prospective and current employees
When you apply to work with us, and when you are employed with us, we collect personal information from you directly (for example, when you complete an application for employment), we collect personal information from third parties (for example, from your nominated referees), and personal information will be generated during your employment (for example, where your manager creates a development plan for you).
We need to collect this information in order to meet our obligations to you as an employer and to meet our legal obligations in respect of health and safety and employment practice.
2.1 Information we collect from you directly
The personal information we collect from you directly will include:
- contact information, including your name, address, email and phone number
- education, experience and work history information and any other information you provide to us in your CV
- health information, including information about any disabilities or other conditions that might impact on your employment or on our workplace health and safety obligations
- personal and health information when using University recreation services
- psychometric testing information, where this is relevant to your employment
- information about your immigration status and your right to work
- information about any criminal convictions or pending criminal charges relating to you
- your gender and racial or ethnic origin, for statistical purposes and promotion of equity and diversity
- your trade union membership information, to ensure that you are employed on the correct employment agreement
- your declaration of any conflicts of interest
- your driver licence number, where this is relevant to your employment
- payroll information, including your tax number and any bank account numbers you provide to us, your tax code details and details about any savings or superannuation schemes you are a part of
- your date of birth, marital status and country of birth
- whether you have a spouse or relative working for the University
- emergency contact information and details about your next of kin, and
- your passport details, where necessary to facilitate travel or for banking purposes
2.2 Information we collect from third parties
The personal information we collect from others with your consent will include:
- criminal conviction information, or Police vetting information, where this is relevant to your employment
- information related to anti-money laundering, including a credit check, where this is relevant to your employment
- any information provided by your nominated referees
- confirmation of your academic qualifications, where this is relevant to your employment, and
- health information from your medical practitioner, including any changes to your health or medical conditions that might impact on your employment or leave entitlements or on our workplace health and safety obligations
We may also collect personal information you have made public on any social media platforms you use, where this may be relevant to our decision to employ you, particularly when we are recruiting for senior academic and professional roles.
2.3 Information generated during your employment
The personal information that may be generated during your employment will include:
- interview notes (if you are shortlisted and interviewed)
- your photograph
- salary and benefit information
- information about your employment status and terms of employment
- information about your professional development and training
- information about your teaching and research activities, if you are an academic employee, including research awards, research outcomes and reaching evaluation outcomes
- information about the questions you ask the University's virtual assistants (find out more about our use of AI assistants)
- performance information, including information generated during your performance reviews and on an ad hoc basis
- information about disciplinary action, complaints or personal grievances
- leave information, including leave taken and ongoing leave entitlements, and
- information generated by your employment activities (addressed in more detail below)
2.4 Information generated by your employment activities
At times, you will generate personal information as you go about your duties as an employee. It may not always be apparent to you that this information is being generated or collected.
Lecture recording
All teaching activities timetabled in University lecture recording-enabled rooms are recorded. Lecture recordings are usually audio-only, or audio and visual with the visual component capturing lecture slides, not individuals. Recordings are automatically released to students through Canvas after an agreed period of time for staff to edit recordings as necessary. Some teaching activities may be exempt from this requirement.
Email, internet and system use
We may monitor email, internet and system use to ensure that employees adhere to the requirements of our IT and security related suite of policies. There should be no expectation of privacy in respect of the use of University devices or systems. Any information relating to your personal affairs is stored, shared or discussed using University devices or systems at your own risk.
Location information
You may be required to use technology that is capable of generating location information, such as mobile phones, tablets and laptops, and company vehicles. We do not generally collect or use the location information these devices generate. However, we may collect and use location information for the purposes of ensuring your health and safety or investigating incidents, particularly while you are travelling.
Information relating to safety, security and sustainability of University campuses
Where CCTV cameras are in use at a University campus, we may collect still or video footage of your activities for safety and security purposes. We will normally let you know if CCTV cameras are in use at a campus. Where we require the use of access cards for entry to a University building, we will collect information about your use of this access card for safety and security purposes. We also use sensors on many University desks to assist us to operate sustainably (the sensors tell us if a desk is occupied, so we can allocate resources efficiently and manage lighting and heating requirements), however the data collected from these sensors will not identify you unless you are using an assigned desk.
Information about your use of University websites
We collect and process personal information about users of our websites and web-based services for the primary purposes of delivering any services or functionality requested by users and for improving the online experience for our users. For more information about this read Privacy at the University of Auckland. We also collect personal information when you use our wi-fi network.
2.5 Information we collect as part of talent research
Our internal recruiters collect and use publicly available contact and other information about senior academics, senior managers and other professionals who we might want to employ in the future. We may also collect non-public personal information about potential senior professionals from sources such as SEEK Talent Search. We use this contact information to stay in touch with these people. We provide the opportunity to opt out of this within the communications we send.
3. How we process personal information about our prospective and current employees
Our lawful bases for processing personal information about prospective and current employees are to meet our obligations to you as an employer, to meet our legal obligations in respect of health and safety and employment practice, and to meet our legitimate interests, including finding and attracting the best people.
3.1 How we use your information
We will use your personal information in the ways set out below. Where we need to use information in a way we have not anticipated here, we will only do so if required or permitted by law.
We may use your personal information to:
- decide on your employment application, including verifying your qualifications and experience with referees and third parties
- determine and process your pay and other entitlements
- correspond with you
- inform you about the range of facilities, services and benefits available to staff
- inform you about opportunities to engage with and support the University (you can find out more about the ways we use and share personal information to manage our alumni and friends)
- administer your employment, including administration of ACC requirements
- determine your development and training requirements and provide any training needed
- manage your performance, including conducting performance reviews
- provide assistance to employees with disabilities on request
- provide associated services such as security, parking, information technology and sport and recreation services
- investigate any disciplinary issues or complaints about you or another employee
- ensure the health and safety of any employee, and assist you in the event of an emergency
- manage risks to the University's integrity as an employer and tertiary institution, including relating to conflicts of interest, fraud and the commission of criminal offences
- comply with legislative reporting and recordkeeping requirements and our obligations under the Official Information Act
- conduct benchmarking, analyses, quality assurance and planning activities, including statistical and management reporting
- set budgets, including research budgets for the purposes of making research funding applications, and
- contact you, after your employment with the University ceases, to seek your feedback in relation to benchmarking, analyses, quality assurance and planning activities
3.2 How we share your information
In order to meet the purposes set out above, and use it in the ways we’ve outlined, we must share your personal information internally with people who have a legitimate role in the recruitment, management, administration and safety of employees or the compiling of management information. We’ll only share your information when, and to the extent, it is necessary to achieve our purposes. Where we need to share information in a way we have not anticipated here, we will only do so if required or permitted by law.
People who may have access to your personal information include:
- human resources staff, for the purposes of managing the recruitment and employment process
- professional staff, for the purposes of compiling and generating internal and external management information
- senior managers (who may not be your manager), for the purposes of conducting employment benchmarking and analysis
- budget holders (who may not be your manager), for the purposes of research funding applications for research you are involved in
- your manager and their manager
- contracted service providers which the University uses to perform services on its behalf (such as recruitment and course administration, banking, mailing house services, logistics and IT service providers), within and outside New Zealand (see more below)
- University owned or related entities, such as Auckland UniServices Limited where you use the services they provide, and
- the University's legal advisers or other professional advisers and consultants engaged by the University
We may also need to share your personal information with external people or agencies as part of managing your employment. Where possible, we will seek your consent to disclose your personal information to third parties (for example, where we’re approached for a reference by another agency). Where this is not possible, we’ll only disclose your personal information if we have a lawful basis to do so we may share your personal information with:
- your nominated financial institution for payment of your salary
- your Kiwisaver or other superannuation scheme
- government agencies, such as the Inland Revenue Department, the Ministry of Education, the Tertiary Education Commission, the Ministry of Social Development, the Ministry of Foreign Affairs and Trade, the Ministry of Business, Innovation and Employment (including Immigration New Zealand), and the Accident Compensation Corporation
- agencies involved in quality assurance and planning for higher education, such as the Academic Quality Agency for New Zealand Universities
- agencies involved in funding research or other projects (though we will endeavour to aggregate personal information shared for this purpose where possible)
- agencies that provide salary packaging benefits to eligible and participating staff members, such as gymnasiums, childcare, car parking permits and novated leasing
- agencies that provide staff benefits including automated payments for services (e.g. health insurance providers, union fees, professional body membership fees), and
- in the event of an emergency, police, medical or hospital personnel, civil emergency services, your legal representative or nominated emergency contact person, or any other person assessed as necessary to respond to the emergency
If we need to share your information with a third party that is overseas, such as another tertiary education provider, we will ensure that this complies with principle 12 of the Privacy Act. If the third party is not located in a country that has comparable privacy laws to ours, we will require them to agree to protect your information to New Zealand standards.
4. How we store and protect your personal information
4.1 Storage and retention
We may use third-party service providers to store your personal information and provide us with services. This means that we may transfer personal information, or access it from, countries other than New Zealand.
We recognise that we are accountable for your personal information wherever it is in the world. Where we can, we will send personal information only to countries that have adequate privacy laws in place (such as New Zealand, Australia or the EU). However, where we cannot do this, we take reasonable steps to ensure that any third-party service providers we use can meet our privacy and security expectations.
We retain your personal information only for as long we need it to perform our contractual obligations or meet our legitimate interests, or to comply with our legal obligations, including the requirement to retain information in accordance with the Tax Administration Act, Employment Relations Act and Public Records Act.
We generally retain personal information about unsuccessful applicants for professional staff positions for 2 years, and unsuccessful applicants for academic staff positions for 7 years. We retain this information to enable us to keep in touch with them in case other suitable roles become available. We also retain personal information about temporary staff, contractors and teaching assistants for this purpose.
4.2 Security
Wherever your personal information is stored, we take reasonable steps to ensure that it is protected against loss or unauthorised access, modification, use or disclosure. For example:
- University systems are protected by firewalls and modern encryption standards
- University systems are password protected, and access is monitored and audited
- credit card details for recurring payments or donations in a secure, encrypted format within a PCI compliant system
- All employees are required to adhere to the University’s IT and Security related suite of policies
- Access to the personal information we store is limited to those staff members who have a legitimate business requirement to use it
- We make privacy and information security training available to employees
- We have a data breach management procedure in place, and
- Information is backed up regularly, and backups are encrypted ad held in secure storage facilities
5. Accessing and controlling your personal information
You have some important privacy rights as an employee, including the right to know what information we hold about you and the right to correct it.
If you are a current employee, you should contact your manager in the first instance and they will assist you with your request. If you do not feel comfortable contacting your manager about an issue, or you are not a current employee (for example, you are an unsuccessful candidate for a role), you can exercise any of these rights by:
- Emailing us at privacy@auckland.ac.nz
- Writing to The Privacy Officer, The University of Auckland, Private Bag 92019, Auckland 1142, New Zealand
Please note that we need to take steps to make sure you are authorised to make requests about personal information, so we may need to verify your identity or authority before responding to your request (particularly if you are not a current employee). Once we’ve verified who you are, we’ll try and respond to your request or query as soon possible, and no later than 20 working days after we receive it.
5.1 Getting a copy of your information
You have the right to request a copy of your personal information. We’ll be as open as we can with you but sometimes we might need to withhold personal information, for example where the information is legally privileged, relates to references provided to us in confidence or includes personal information about other people. If we need to withhold information, we’ll tell you why.
5.2 Correcting your information
If you think any of the personal information we hold about you is wrong, you can ask us to correct it. If we cannot correct your information (for example, where we don’t agree that it’s wrong), we’ll tell you why. You can ask us to attach your correction request to the information as a statement of correction.
5.3 Making a complaint
If you have any concerns about the way we’ve collected or processed your personal information, let us know, so we can try to put the matter right. If we can’t resolve your concerns, you can also make a complaint to the Office of the New Zealand Privacy Commissioner by:
- Calling us on +64 9 373 7999
- Completing an online complaint form at www.privacy.org.nz
- Writing to the Office of the Privacy Commissioner, PO Box 10-094, The Terrace, Wellington 6143, New Zealand