Act as a steward in a way that is understood and trusted by New Zealanders.
Recognise you are a kaitiaki, rather than an owner of data and information
- Being a kaitiaki is about working in the service of, and being accountable to, New Zealanders around the collection, use and sharing of their data and information, and ensuring that it is valued and respected.
- Those who collect, use, share and store data and information are stewards and caretakers, not owners, of that data and information.
- A kaitiaki recognises the importance of people being able to access their information and helps them do that.
Be open and transparent; support people’s interest or need to understand
- Building trust, being inclusive, respecting a wide range of views, and working in partnership all rely on open conversations about the collection, use and sharing of data and information and the reasons for doing these things.
- It's important to explain things in an accessible and easy to understand way, and in a manner that matches people's needs and interests. Different types, formats and levels of detail about data and information use will match different interests, levels of comprehension, context and needs of different groups.
Keep data and information safe and secure and respect its value
- Use data management practices that are safe and secure, bearing in mind the nature of the information and data, and how it is being collected, used, shared, analysed and reported.
- Those who collect data and information (often frontline workers) need easy-to-use tools and processes for accurately and efficiently collecting, using and sharing information.
- Treat data as a valuable asset. Store and maintain it so that it is accessible and reliable. Only retain it for as long as it remains useful, relevant and necessary.
- Those who hold people's information are in a position to grow its value. They may do this by creating and sharing insights, or by returning collective, non-personal data back to the people and community it came from for their use. In all cases they must take care to comply with the law, protect people's privacy and maintain people's trust and confidence.
If there’s a privacy breach, act quickly and openly
- If a privacy breach occurs, recognise its potential significance to people, address it quickly, and be accountable for it.
- If serious harm has occurred or is likely to occur, notify the Privacy Commissioner and affected service users in accordance with the Privacy Act.
- Even if serious harm has not occurred and is not likely to occur, consider whether to notify affected service users.
- Take steps to make amends, to avoid similar breaches in the future, and to maintain or restore trust and confidence.