- To ensure that Silverfin protects the personal information of clients, and to ensure appropriate internal protocols are in place to manage a privacy breach.
- Silverfin’s Privacy Officer is the Compliance Manager.
COLLECTION OF PERSONAL INFORMATION
- Personal information is information about an identifiable living individual, or information with the capacity to identify an individual.
- Examples of personal information include:
- an individual’s name
- telephone number
- date of birth
- bank account details
- email address
- IRD number
- investment history and funds invested.
- Silverfin only collects personal information necessary to record and maintain the registry of its Schemes including information required to comply with AML laws.
- Any disclosure of personal information to a third party without the necessary approvals (see Principle 11 – Limits on disclosure of personal information), or the use by Silverfin of personal information for purposes other than those for which the information was originally collected or directly related purposes (see Principle 10 – Limits on use of personal information), is deemed a privacy / data breach.
DEFINITION OF A PRIVACY / DATA BREACH
- A privacy breach is unauthorised or accidental access to, or disclosure, alteration, loss or destruction of personal information, or an action that prevents Silverfin from accessing the information on either a temporary or permanent basis.
- A data breach occurs where the information concerned is confidential or commercially valuable information.
Examples of how a privacy/data breach can occur include:
- an employee mistakenly discloses information, e.g. to an incorrect email or postal address;
- an employee intentionally discloses information to a third party without client authorisation;
- a Silverfin database is hacked or illegally accessed;
- an employee is the victim of phishing, where an external party gains access to client or corporate information by deceit; or
- employees are influenced by an email scam requesting information on a client.
PROCEDURE IN THE EVENT OF A PRIVACY BREACH
- The employee who first recognises a privacy/data breach (or a near miss) must immediately report the breach (or near miss) to Silverfin’s Privacy Officer (or, in his/her absence, the Chief Executive Officer).
- The Privacy Officer will evaluate and take the steps necessary to contain the privacy breach.
- The Privacy Officer will report all privacy breaches to the Board.
- The Privacy Officer (or, in his/her absence, the Chief Executive Officer) will assess whether the privacy/data breach is notifiable to the regulator and to the affected individual(s). A notifiable privacy breach is a privacy breach which has caused, or is likely to cause, serious harm. When assessing serious harm, the Privacy Officer must consider as a minimum the:
- actions already taken by Silverfin to reduce the risk of harm;
- sensitivity of the Personal Information;
- nature of the harm that may be caused;
- identity of the person/body who has obtained the personal information; and
- security measures used to protect the Personal Information.
The Privacy Officer must also consider any other relevant factors such as the number of individuals affected, the duration of the breach, etc.
Notifiable breaches are to be reported by the Privacy Officer to the Office of the Privacy Commissioner and to the affected individuals. Use the NotifyUs tool for notifications to the Office of the Privacy Commissioner.
Ensure the notification to the affected individuals includes the information set out below. Notice to the affected individuals should be direct, e.g. by email or letter, wherever possible. However, if the Privacy Officer considers that direct notification could cause further harm or is too expensive, or if Silverfin does not have a means to contact a number of the affected individuals, the breach may be notified by posting on Silverfin’s website. It is best practice to notify in more than one way.
| Notice to Affected Individuals |
| --- |
| Describe the breach, including whether Silverfin has identified a person or body which it suspects may be in possession of the affected individual’s personal information (without including particulars which could identify that person or body unless doing so is necessary to prevent or lessen a serious threat to the life or health of an individual), and without including particulars about any other affected individuals. |
| Explain the steps that Silverfin has taken or intends to take in response to the breach. |
| Where practicable, set out the steps which the affected individual can take to mitigate or avoid potential loss or harm. |
| Confirm that the Privacy Commissioner has been notified. |
| State that the affected individual has the right to make a complaint to the Privacy Commissioner. |
| Provide the details of a contact person within Silverfin, such as the Privacy Officer, for inquiries. |
INFORMATION PRIVACY PRINCIPLES
The Privacy Act 2020 controls how Silverfin collects, uses, discloses, stores, and gives access to personal information. Silverfin must ensure that relevant employees who handle personal information are aware of, and follow, the Principles. The Privacy Principles are:
Principle 1 – Purpose of collection of personal information
Silverfin will only collect personal information if:
- the information is collected for a lawful purpose connected with a function or activity of Silverfin; and
- the collection of the information is necessary for that purpose.
Silverfin will not collect identifying information where doing so is not required for a particular purpose.
Principle 2 – Source of personal information
Silverfin may collect personal information:
- directly from the individual concerned;
- from a person that has been authorised by the individual concerned to supply personal information;
- from a person(s) that the individual concerned has authorised Silverfin to collect the information from;
- from any publicly available information source; or
- in another way that does not prejudice the individual’s interests.
Principle 3 – Collection of information from subject
When collecting personal information from any individual, Silverfin must advise the individual concerned:
- that the information is being collected;
- why the information is needed (that is, the purpose(s));
- that Silverfin will use, hold and store the information;
- what Silverfin plans to use the information for;
- whether the information will be cross-checked with other sources of information regarding the person;
- the intended recipients of the information (particularly if in addition to Silverfin);
- if the information’s collection is authorised or required by or under law;
- the consequences (if any) for the person if all or any part of the requested information is not provided; and
- rights of the individual to request access to, and correction of, personal information.
Silverfin may not need to comply with the above in limited circumstances, including where non-compliance would not prejudice the individual’s interests, where compliance would prejudice the purposes of the collection, where the information will be used in a de-identified form, etc.
Consent for collection can be obtained by:
- incorporating it into Silverfin’s terms of agreement, contract or application signed by the individual; and/or
- referring to Silverfin’s website, which contains a Privacy Statement; and/or
- verbal confirmation, where written notes of the confirmation are held.
Principle 4 – Manner of collection of personal information
Silverfin may collect personal information only:
- by lawful means; or
- by means that, in the circumstances, are fair and do not intrude to an unreasonable extent upon the personal affairs of the individual concerned.
Principle 5 – Storage and security of personal information
- Personal information needs to be kept secure and the potential for loss, unauthorised access, use, modification, disclosure or other misuse limited.
- Silverfin remains responsible for information held by other parties on its behalf for safe custody or processing, e.g. cloud storage providers.
- Personal information about employees or clients stored in physical copy should not be taken outside Silverfin’s premises without good reason. Good reasons would include:
- taking a current client file to an off-site meeting with the client;
- supplying information for the purpose of Silverfin obtaining legal or other professional advice for, on behalf of, or regarding an employee or client;
- utilising off-site archival storage facilities for closed employee and client information and files; and
- disaster recovery to temporary or new premises.
- Any particularly sensitive personal information must be stored in a locked cabinet or area overnight and on the weekends when not in use.
- Where personal information is stored on shared access drives, permissions must be restricted to only those who need to know.
- Silverfin should, from time to time, review its information storage methods and security protocols to ensure that they support Silverfin’s continued compliance with the Privacy Act 2020.
Principle 6 – Access to personal information
- Silverfin must hold personal information in such a way that it can readily be retrieved, and the individual concerned shall be entitled:
- To obtain confirmation of whether or not Silverfin holds such personal information; and
- To have access to that information.
- Silverfin must respond to a request to access personal information within 20 working days.
- Disclosure of the information may be refused where:
- the information is of a commercially sensitive and/or confidential nature to Silverfin;
- the information is legally privileged;
- disclosure is likely to prejudice the security of the New Zealand government;
- disclosure is likely to prejudice the maintenance of the law, including the prevention, investigation and detection of offences, and the right to a fair trial;
- disclosure is likely to endanger the safety of any individual;
- the information does not exist or, despite reasonable efforts to locate it, cannot be found; or
- the request is frivolous or vexatious, or the information requested is trivial.
- If there is uncertainty about whether access to the information should be allowed, please check with Silverfin’s Privacy Officer.
- In the event that a decision is made by Silverfin to not provide access or disclosure, the reason for this decision will be provided to the person seeking the access or disclosure.
Principle 7 – Correction of personal information
- Every individual has the right to request correction of their personal information.
- If an individual advises Silverfin that the information Silverfin holds about them is wrong, Silverfin is to correct it if possible.
- In the event there is a difference of opinion about whether the information is right, then Silverfin is not required to amend the information held but is to attach a statement or note of the correction sought but not made.
- Where a correction is made or a statement is attached to certain information, Silverfin must inform each party to whom the (personal) information has been disclosed.
- Silverfin must also inform the person concerned of the action taken as a result of the person’s request to correct.
- If a person seeks a copy of the (personal) information held about them, care is required to ensure that no personal information regarding any other person is disclosed. This may involve blanking out references to these details.
Principle 8 – Accuracy of personal information to be checked before use
- Silverfin must only use personal information if it has taken reasonable steps to ensure that it is accurate, complete and up to date, relevant and not misleading.
Principle 9 – Silverfin must not keep personal information for longer than necessary
- Information must not be kept for any longer than is required for the purpose(s) for which it is collected, unless that information is required by law to be retained for a minimum period.
- At the point in time when the information is no longer required and any relevant legal retention period has expired, the personal information must be disposed of safely and appropriately. The manner of disposal chosen must avoid unintended or inadvertent disclosure of the information.
Principle 10 – Limits on use of personal information
- Generally, Silverfin may only use the information for the purpose(s) for which it was collected or a directly related purpose.
- If the information is later required for other unrelated purposes, Silverfin needs to advise the person who the information is about and obtain their consent to the additional purpose(s).
- Silverfin may not need to comply with the above in limited circumstances, including where the information will be de-identified before use, where it is used for statistical or research purposes (provided the information will be de-identified if published), where the information is publicly available and it would not be unfair or unreasonable to use the information in the circumstances, etc.
- Personal information held by Silverfin should only be used in relation to Silverfin’s business-related activities.
- It must not be accessed for any non-business reason or purpose.
Principle 11 – Limits on disclosure of personal information in New Zealand
- Personal information held by Silverfin should in the first instance only be used by the business or support area/unit that collected that information.
- Any information sharing with or disclosure to external third parties can only be done if it is required or allowed by law or:
- the individual has consented; or
- if the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained; or
- the information is publicly available and it would not be unfair or unreasonable to disclose the information in the circumstances; or
- it is necessary to prevent or lessen a serious threat to public safety or the life or health of the individual concerned; or
- the information is used in a way that an individual cannot be identified, or it is to be used for statistical purposes and will not be published unless de-identified.
- Any external third parties must agree to use, store and/or disclose (as the case may be) the personal information in accordance with the Privacy Act 2020.
Principle 12 – Disclosure of personal information overseas
- Other than where required by law or necessary to prevent a serious threat to public safety or the life or health of the individual, Silverfin may only disclose personal information to a person or agency overseas where:
- it believes on reasonable grounds that the overseas person or agency is subject to privacy laws or contractual agreements that provide comparable safeguards to New Zealand’s privacy legislation; or
- the individual concerned has authorised the disclosure after being expressly informed by Silverfin that the overseas person or agency may not be required to protect the information in a way that provides comparable safeguards.
Principle 13 – Unique Identifiers
- A unique identifier means an identifier that is assigned to a person by a business or an organisation for operational purposes and uniquely identifies that individual (but does not include an individual’s name).
- Silverfin must not assign a unique identifier to a person or a person’s information unless:
- the assignment is necessary to enable it to carry out its functions efficiently; and
- the person’s identity has been clearly established.
Silverfin Capital has a formal complaints resolution procedure. If you have a complaint about Silverfin or one of our representatives please contact Miles Brown, Chief Executive Officer, on 09 216 8626, firstname.lastname@example.org, email@example.com or via post to:
Chief Executive Officer
Silverfin Capital Ltd
PO Box 105527
Silverfin is registered with Financial Dispute Resolution Services, www.fdr.org.nz.
Last updated: March 2021