Tag Archives: Privacy

GDPR and UC – privacy practices: your need to know info

You may have heard about the EU’s General Data Protection Regulations (GDRP) come into effect today. The GDPR enshrines data protection principles for EU citizens, even if their data is being managed by a firm outside the EU. This will have far reaching implications for privacy practices across the globe, including some limited activities at UC.

The Information and Records Management Team has been working to bring UC practices into alignment with the requirements of the GDPR.  Currently, we operate under the Privacy Act 1993, and we are also expecting the changes in the current Privacy Bill. These changes will be incorporated into the University’s Privacy Policy, and to the Student Declaration.  

We have generated a brief FAQ for those who are concerned about how this will affect UC.

  • Who does this new regulation relate to?
    Technically, this will only apply to a small proportion of UC’s activities. This will relate to departments who seek or use the personal information of EU residents. If your department is likely to be specifically affected, the IRM team will contact you to provide guidance. Although the GDPR will not apply to most UC activities, the principles within it are something we should be aiming for, and we hope to apply them as much as is possible for all staff and students, regardless of their citizenship.
  • What are the risks to UC?
    There are few additional risks to UC. Most of the requirements of the GDPR have already been incorporated into UC practices either through the Privacy Bill, or independently as we seek to align ourselves with best practice. If you have any concerns about your specific activities, please contact the Records team at records@canterbury.ac.nz.
  • What does this new legislation involve?
    The GDPR aligns with many of the principles already within our Privacy Act. Key differences include:
  • A strengthened requirement for organisations using personal information to demonstrate a lawful basis for this (such as contract, legal obligation or public interest) or consent of the individual
  • Clear regulations regarding seeking consent from individuals. Consent must be freely given, informed, specific and unambiguous, as well as clear and intelligible. Consent can also be withdrawn.
  • The right to be forgotten allows individuals the right to have their data erased in specific circumstances, including where the individual withdraws their consent. In New Zealand, this will be limited by other factors such as the Public Records Act.
  • Increased rights for individuals wishing to access or transfer their personal information.

For more information on the GDPR contents, the Privacy Commissioner has some guidance resources available on their site. If you would like more information or guidance as to how this will affect UC, please contact the IRM team.

Privacy and consent – photographs and video

Given the rise of social media and sharing of data on a global scale, privacy issues are now more complex. As UC staff you have an obligation to adhere to the Privacy Act when dealing with information that is collected and used for UC purposes.

This includes photographs of individuals which are considered ‘personal information’. This is less of a worry if you are taking shots in a public space or general group scenes. As a rule of thumb you should make it clear to those present that photos are being taken, and tell them precisely what they will be used for. If you are taking photographs of individuals, particularly close ups, to use in Social Media or in publications/marketing, you must get consent from the subject.

If you intend to store and use the photograph or video again in future, or for other purposes, you should make this clear.

Written consent is best. Verbal is okay; but is limited. You cannot collect consent for one purpose and then use the image for another. You need to have processes to capture what the consent covers.

The Privacy Act does not define ‘age’ as a requirement to manage one’s personal information. Therefore, even minors have a right to their own privacy. You must get consent from the minor directly, (or their guardian – if it is part of a school-related form-signing process). Various consent forms can be found here, and there is a template in the back of the Privacy Policy also.

Read the Privacy Management Guide and Privacy Policy for more information. Email records@canterbury.ac.nz for advice.