Privacy Policy

DEFINITIONS

‘TradeWindow’ or ‘we’ refers to Trade Window Limited, its subsidiaries and affiliates.

‘TradeWindow Users’ are Directors, employees and contractors of TradeWindow, as well as any third parties who process personal information on behalf of TradeWindow. 

‘Information Privacy Principles’ are the privacy principles, rules and guidelines TradeWindow adheres to when processing personal information. 

‘OPC’ refers to the Office of the Privacy Commissioner.

‘Privacy Act’ refers to the Privacy Act 2020 effective from 1 December 2020. 

‘Personal Information’ is any information which tells us something about a specific individual. The information does not need to name the individual, as long as they are identifiable in other ways, like through their home address. 

‘Privacy Breach’ is an event where personal information is either inappropriately: disclosed, altered, lost, or accessed. Loss includes either the destruction of information or the temporary inability to access information. 

‘TradeWindow’s Privacy Officer’ is the person responsible for all privacy related matters across TradeWindow on behalf of the leadership team, monitoring compliance, acting as the contact for the Office of the Privacy Commissioner for breach notification, complaints and other enquiries, and ensuring TradeWindow complies with the provisions of the Privacy Act.

 

1. PURPOSE

Trade Window Limited (“TradeWindow”) considers the protection of privacy to be of utmost importance and this Privacy Policy (“Policy”) is an essential part of ensuring TradeWindow promotes an individual’s confidence that their personal information is protected and will be treated properly. Managing personal information is important to TradeWindow in building trust and confidence with individuals while also maintaining compliance with the requirements of the Privacy Act.

The purpose of this policy is to provide a privacy framework, including how TradeWindow will collect, store, use, disclose and dispose of personal information (the “Information Privacy Principles”).

 

2. SCOPE

TradeWindow complies with the New Zealand Privacy Act 2020 and any other privacy and data protection laws where applicable.

This policy applies to all Directors, employees and contractors of TradeWindow, as well as any third parties who process personal information on behalf of TradeWindow (collectively known as “TradeWindow Users”).

This policy covers all personal information regardless of whether it relates to:

  1. Customers
  2. Employees
  3. Contractors
  4. Members of the public.

 

3. INFORMATION PRIVACY PRINCIPLES

3.1 Collecting Personal Information

We will only collect the minimum personal information necessary for our business purposes. We will not collect information where it is not necessary.
We will endeavour to collect personal information:

  1. Directly from the individual it is about.
  2. In a way that is fair in the circumstances.
  3. In a way that does not intrude to an unreasonable extent on the personal affairs of the individual whose information is being collected.

We will take reasonable steps to inform individuals about what information we are collecting, why and key details about how we will treat it (in the form of a “Privacy Notice”) prior to collection. The Privacy Notice will include the consequence for not providing the personal information and information about the individual’s rights to access and correct personal information.

3.2 Storage and Retention of Personal Information

TradeWindow’s users must take all reasonable steps to protect personal information from loss, unauthorised access, disclosure, or misuse. 

We will not store personal information for longer than is necessary for a lawful or business purpose and will dispose of it when it is no longer needed. Information should be maintained consistently in accordance with our Information Management Retention Policy and Disposal Schedule.

3.3 Access to Personal Information

Individuals have the right to access information about themselves. A request can come from a customer, an employee, or any other individual. They do not need to cite the Privacy Act for it to be an appropriate request. Any request for personal information must be notified to TradeWindow’s Privacy Officer as soon as it is received. TradeWindow’s Privacy Officer can guide the request and advise you on appropriate withholding grounds if they apply in accordance with the Privacy Act Access and Correction Request Process.

As a general principle, unless there are valid reasons why we would not disclose that information, we will provide access to personal information we hold about any individual if they request that information.

All employee personal information requests should also be notified to the Human Resources Manager by email at hr@tradewindow.io. If you want to access your own personal information you should make the request to your manager or to the Human Resources Manager at hr@tradewindow.io.

All requests for access must normally be completed within 20 working days unless they are extended by TradeWindow’s Privacy Officer.

3.4 Correction of Personal Information

Individuals also have the right to correct personal information about themselves. These requests can be of simple facts (for example, an address) or more complex issues (such as a file note saying a customer was aggressive). In any instance we need to consider the request to correct the information and take appropriate action. If we do not agree that the information is incorrect, we do not need to correct it, but we must clearly note the individual’s view that the information is incorrect prominently next to the contentious information.

All correction requests must be made in accordance with the Privacy Act Access and Correction Request Process.

3.5 Use and Disclosure of Personal Information

We will not use personal information without first considering whether it is reasonably accurate, up-to-date, and complete.

We will only use personal information where it is lawful to do so. Primarily this will be where we are using personal information for the reason it was initially collected.

We will not use an individual’s personal information for training or for system testing purposes.

We will not disclose personal information unless we have a reasonable basis for believing doing so is lawful. This will usually be where the disclosure is for the purpose the information was collected or because it is authorised by the individual. Other exceptions apply and if you are uncertain you should discuss these with TradeWindow’s Privacy Officer.

We will not disclose personal information overseas unless it is protected by safeguards equivalent to those in New Zealand. For guidance on any overseas disclosure of personal information you should consult with TradeWindow’s Privacy Officer.

 

4. PRIVACY BREACHES

We have clear, consistent processes for reporting, managing and escalating privacy incidents. For any suspected privacy breach, you must immediately follow the Privacy Breach Process.

A privacy breach is when personal information is either inappropriately: disclosed, altered, lost, or accessed. Loss includes either the destruction of information or the temporary inability to access information.

You must report any suspected privacy breach to the Privacy Officer. TradeWindow’s Privacy Officer will confirm that there has been a privacy breach, and whether they believe it may have caused or could cause serious harm.

All privacy breaches or suspected privacy breaches must be recorded in a central privacy breach log.

 

5. THIRD PARTIES

Where we contract with a third-party to outsource the processing of personal information you must ensure that the personal information is protected by equivalent safeguards to when it was managed by us. 

Agreements must require the contracted party to meet our privacy requirements, for example:

  1. Notify us of any privacy breach.
  2. Notify us of any Privacy Act access or correction requests made by an individual.
  3. Maintain security safeguards.
  4. Only retain information for a specified period.
  5. Not sub-contract the processing to a lower standard than is agreed in the contract.

The Third-Party Assessment Policy details how we assess and manage third parties from a privacy perspective.

 

6. CUSTOMER MANAGEMENT

Where we are acting as a third party or service provider for a customer, it is still the customer’s responsibility to ensure personal information is protected by equivalent safeguards to when it is managed by themselves. Therefore, where TradeWindow holds or processes personal information on behalf of its customers we must ensure that personal information is protected in accordance with the customer’s agreement.

Customers are also responsible for the likes of notifying the Office of the Privacy Commissioner and individuals affected in the event the privacy breach is ‘notifiable’ and responding to an individual’s Privacy Act access or correction request. It is vital we inform customers as soon as practically possible of breaches, individuals’ requests, or other privacy related matters.

All customer agreements should include the following privacy requirements at minimum:

  1. Notifying the customer of any privacy breaches involving personal information. 
  2. Transfer of Privacy Act access or correction requests.
  3. Maintain security safeguards.
  4. Only retain information for a specified period.

The Privacy Officer is responsible for communicating privacy related matters to customers unless otherwise agreed or stated in the customer agreement.

 

7. COMPLAINTS

Where you become aware of a complaint about privacy or the management of personal information you must immediately notify TradeWindow’s Privacy Officer in accordance with the Privacy Complaints Process.

 

8. PRIVACY IMPACT ASSESSMENTS

If you are considering a new process, policy, product, service, or system that changes how we collect, use, store, disclose or dispose of personal information you must consider the privacy impacts and risk.

To initiate this, you should contact TradeWindow’s Privacy Officer outlining the proposal and any anticipated risks. TradeWindow’s Privacy Officer may ask that you undertake a Privacy Impact Assessment.

 

9. TRAINING AND EDUCATION

We will train those employees and contractors working with personal information as well as ensuring that all employees undertake regular training on privacy risk areas specific to their business area, as well as broader privacy best practices.  

 

10. PROCESS REVIEW

We commit to retaining up to date privacy processes. Our business processes relating to the collection, access and correction, use and disclosure, storage and disposal of personal information will be regularly reviewed, at least annually.

 

11. ACCOUNTABILITIES AND RESPONSIBILITIES

The Board is committed to managing personal information by:

  1. Setting clear expectations regarding privacy and protection of personal information, and communicating them to the leadership team.
  2. Holding the leadership team accountable for meeting those expectations.
  3. Ensuring that effective privacy risk management is fully embedded within TradeWindow’s overall risk management activities.
  4. Employing high-quality monitoring and information management practices.

TradeWindow’s Privacy Officer, on behalf of the leadership team, is accountable for:

  1. Promoting privacy and proactively assessing and managing privacy risk within TradeWindow.
  2. Monitoring compliance and assisting with access and correction requests.
  3. Monitoring and advising on Privacy Impact Assessments.
  4. Being the point of contact for the Office of the Privacy Commissioner for breach notification, complaints and other enquiries.
  5. Being responsible for privacy breaches or any complaints raised about privacy.
  6. Ensuring that TradeWindow complies with the provisions of the Privacy Act.
  7. Ensuring employees are aware of and recognise the importance of their role in privacy, and are compliant with the Privacy Policy and the Privacy Act.
  8. Ensuring new employee induction includes privacy training.

TradeWindow Users have individual responsibility to:

  1. Maintain best practice privacy behaviours.
  2. Report all privacy breaches and near misses to the Privacy Officer.
  3. Promote privacy at work.
  4. Comply with all privacy policies and guidelines.
  5. Actively participate in privacy training.
  6. Identify privacy risks.

 

12. MONITORING AND GOVERNANCE

Our privacy policies and guidelines have been established to comply with the Privacy Act 2020. The monitoring and oversight of privacy follows a three lines of defence model to provide assurance that privacy risks are being managed effectively under different situations:

  1. The first line of defence is formed by managers and employees responsible for identifying and managing risks as part of their duties.
  2. The second line of defence is formed by privacy and internal governance policies, frameworks, tools and techniques to support privacy to be maintained.
  3. The third line of defence is formed by internal and external audits ensuring that the first two lines of defence are operating effectively and identifying opportunities for improvement.

 

13. NON-COMPLIANCE

Non-compliance with the terms of this policy may result in disciplinary action or dismissal.

 

14. CONTACT

Any privacy related concerns or requests for information should be initially directed to your manager.

Where required you can also contact TradeWindow’s Privacy Officer at privacy@tradewindow.io.

 

15. APPROVAL

This Privacy Policy has been approved by the Board of Directors of TradeWindow on 25 November 2020:

Signed
CEO/Director
Date 25 / 11 / 2020

 

16. REVIEW OF POLICY

TradeWindow’s Privacy Officer is responsible for maintaining this policy.

This policy is reviewed annually and is approved by the Board.

Date of this Policy:

25 November 2020

Next Review of this Policy

25 November 2023