Introduction
CLL Corp. Services Limited (CLL) is committed to protecting your privacy and any personal information in
relation to your use of our products and services, and as such, fully complies with the New Zealand Privacy Act
2020. This Privacy Policy applies to our web site and governs all forms of Personal Information and related
data collection and usage by us. The CLL Privacy Policy is to be read in conjunction with the CLL Website Terms
of Use, which is available to be accessed online at www.cll.net.nz.
CLL are governed by New Zealand’s Privacy Principles (NZPP’S) contained in the Privacy Act 2020. For ease of
reference, the Principles are featured at the end of this Policy. CLL ensures that all its staff members adhere
to the NZPP’s to safeguard your Personal Information.
CLL have also adopted the EU General Data Protection Regulation (GDPR) guidelines covering data protection
for all businesses transferring data to the European Union.
By using our website, or otherwise supplying your personal information to us, you consent to the data
practices described in this Privacy Policy. This Privacy Policy also needs to be read in conjunction with our web
site terms of use, as displayed on our website.
CLL may review and update this Privacy Policy on occasion, (for example to reflect changes to the Privacy Act),
any revision or update will be published on the CLL web site.
This Privacy Policy does not seek to limit or exclude the individual rights of any individual, as prescribed under
the Privacy Act 2020, which can be accessed at www.nzbt.co.nz/resources
What is Personal Information? Why do we collect it?
Personal Information is information or an opinion that identifies an individual personally. Most of the Personal
Information that CLL may collect about you, will be voluntarily provided by you, or your authorised
representative, when you engage with us, to allows us to operate our wider operations and to deliver the
products and services that you have requested.
Examples of Personal Information we collect may include;
• An individual’s name (including that of your authorised representative, if applicable),
• An individual’s contact details, including your residential and work addresses, email addresses, phone
and facsimile numbers.
• Bank details or Credit Card information relating to the payment of services.
• Publicly available information relating to you.
• Any documents or other information that you provide to us as part of our provision of services
including drivers licence or passport verification.
This Personal Information can be captured in many ways including (interviews, correspondence, by telephone,
by email, via our website www.cll.net.nz, from your website, from media and publications, from other publicly
available sources, from cookies, and from third parties.
Disclosure
CLL will only disclose your information as authorised by you, as required by law or where required for us to
provide our services. CLL will not, share, sell, rent or lease any client list or information to third parties without
due authorisation.
CLL may also disclose Personal Information to other agencies where it believes on reasonable grounds that it
falls within one of the exceptions to NZPP 11.
Security
Your Personal Information is stored electronically in a manner that reasonably protects it from misuse and
loss from unauthorised access, modification or disclosure. All of the Personal Information CLL hold is stored
electronically rather than as a hard copy.
Personal information held or provided to us in electronic form is held on servers controlled by third parties
under contractual arrangements with CLL. CLL uses a combination of physical security, password protection
and other measures that ensure that Personal Information stored in electronic form is protected from misuse,
interference and loss: and from unauthorised access, modification and disclosure. However, it is not possible
for any organisation (including ours), to state that 100% security can be guaranteed.
Retention
When your Personal Information is no longer needed for the purpose for which it was obtained, we will take
reasonable steps to destroy or permanently de-identify your Personal Information. However, most of the
Personal Information is or will be stored in client files (electronic or hard copy) which will be securely retained
by us for a minimum of 7 years.
Access
You have the right to request a copy of the Personal Information we hold about you and to update and/or
correct it, subject to certain exceptions, if you think it is incorrect.
If you wish to access your Personal Information, please submit your request to CLL’s Privacy Officer (please
see Privacy Policy Complaints and Enquiries) in writing. CLL will acknowledge your request as soon as possible,
and will respond to the request no later than 20 working days after we receive your request (unless extended
under the Privacy Act 2020.)
CLL will not charge any fee for your access request but may charge an administrative fee for providing a copy
of your Personal Information.
In respect of a request for correction, if we think the correction is reasonable, justified and we are reasonably
able to amend the Personal Information, we will make the correction.
In order to protect your Personal Information, we will require identification and if relevant, proof of
authorisation from you before releasing the requested information.
Third Parties
Where reasonable and practicable to do so, we will collect your personal information only from you. However,
in some circumstances we may be provided with information by third parties.
Where CLL enters into arrangements with associated contractors and third parties that involve the use or
management of Personal Information that is held by CLL, appropriate provisions will be included to protect
that Personal Information.
Maintaining the Quality of your Personal Information
It is important to us that your Personal Information is up to date. CLL will take reasonable steps to make sure
that your Personal Information is accurate, and this may require individuals being contacted directly.
Use of Cookies
The CLL website uses cookies. A cookie is a small element of data that our web site may send to your device
(computer or mobile device). A cookie is typically stored on your computer’s hard drive and permits our web
site to recognise you when you return, to our website. Our use of cookies helps us to provide you with a better
experience during your use of our website by allowing us to understand what areas of the site are of interest
to you. You may configure your web browser to not accept cookies, although you may experience a loss of
functionality as a result of this action.
Role of the Privacy Officer
CLL have appointed a Privacy Officer in accordance with the requirements of the Privacy Act 2020. As part of
their role, the CLL Privacy Officer needs to ensure that CLL’s internal policies and procedures are fully
compliant with requirements under the Privacy Act 2020, NZPP and GDPR. The CLL Privacy Officer will ensure
that all CLL staff and associated contractors understand their commitments under the Privacy Act, NZPP’s and
the GDPR.
The CLL Privacy officer is the focal point for all privacy matters relating to CLL business. This contact may be
from CLL Clients, CLL staff or associated contractors, or the Privacy Commission/Commissioner.
CLL’s Privacy Officer is also responsible for ensuring this Privacy Policy is reviewed regularly and maintains
CLL’s compliance to the most up-to-date version of the Privacy Act, NZPP’s and the GDPR.
Privacy Policy Complaints and Enquiries
CLL want to know if you have any concerns about our privacy practices., whether these relate to the way we
collect or share information about you or our decision on your access request. If you do have any concerns at
all, please contact our Privacy Officer and they will endeavour to resolve any issues. The CLL Privacy Officer’s
contact details are recorded below.
The CLL Privacy Officer’s contact details are;
Name: Lisa Smith
Landline: 09 412 7048
Mobile: 021 123 7444
Email: lisa@cll.net.nz
Privacy Principles
Principle 1
Purpose of collection of personal information
Personal information shall not be collected by any agency unless.
(a)The information is collected for a lawful purpose connected with a function or activity of the agency.
(b)The collection of the information is necessary for that purpose.
Principle 2
Source of personal information
(1) Where an agency collects personal information, the agency shall collect the information directly from
the individual concerned.
(2) It is not necessary for an agency to comply with sub clause 1 of this principle if the agency believes,
on reasonable grounds,
(a) That the information is publicly available information, or
(b) That the individual concerned authorises collection of the information from someone else, or
(c) That non-compliance would not prejudice the interests of the individual concerned, or
(d) That non-compliance is necessary-
(i) To avoid prejudice to the maintenance of the law by any public sector, including prevention,
detection, investigation, prosecution, and punishment of offences, or
(ii) For the enforcement of a law imposing a pecuniary penalty, or
(iii) For the protection of public revenue, or
(iv)For the conduct of proceedings before any court or tribunal (being proceedings that have been
commenced or are reasonably in contemplation), or
(e) That compliance would prejudice the purposes of the collection, or
(f) That compliance is not reasonably practicable in the circumstances of the case, or
(g) That the information
(i) Will not be used in a form in which the individual concerned is identified, or
(ii) Will be used for statistical or research purposes and will not be published in a form that could
reasonably be expected to identify the individual concerned, or
(h) That the collection of the information is in accordance with the authority granted under section
54 of this Act.
Principle 3
Collection of information from subject
(1) Where an agency collects personal information from the individual concerned, the agency shall take
such steps (if any) as are, in circumstances, reasonable to ensure that the individual concerned is
aware of,
(a) The fact that the information is being collected, and
(b) The purpose for which the information is being collected, and
(c) The intended recipients of the information, and
(d) The name and address of,
(i) The agency that is collecting the information, and
(ii) The agency that will hold the information, and
(e) If the collection of the information is authorised or required by or under law,
(i) The law by or under which the collection of the information is so authorised or required and
(ii) Whether or not the supply of the information of the information by that individual or voluntary
or mandatory, and
(f) The consequences (if any) for that individual if all or any part of the requested information is not
provided, and
(g) The rights of access to, and correction of personal information provided by these principles.
(2) The steps referred to in sub clause (1) of this principle shall be taken before the information is collected
or, if that is not practicable, as soon as practicable after the information is collected.
(3) An agency is not required to take the steps referred to in sub clause (1) of this principle in relation to
the collection of information from an individual if that agency has taken those steps in relation to the
collection, from that individual, of the same information or information of the same kind, on a recent
previous occasion.
(4) It is not necessary for an agency to comply with sub clause (1) of this principle if the agency believes,
on reasonable grounds
(a) That non-compliance is authorised by the individual concerned, or
(b) That non-compliance would not prejudice the interests of the individual concerned, or
(c) That non-compliance is necessary
(i) To avoid prejudice to the maintenance of the law by any public sector agency, including the
prevention, detection, investigation, prosecution, and punishment of offences, or
(ii) For the enforcement of a law imposing a pecuniary, or
(iii) For the protection of the public revenue, or
(iv) For the conduct of proceedings before any court or tribunal being that proceedings that have
been commenced or are reasonably in contemplation, or
(d) That compliance would prejudice the purpose of the collection, or
(e) That compliance is not reasonably practicable in the circumstances of the case, or
(f) That the information
(i) Will not be used in a form in which the individual concerned is identified, or
(ii) Will be used for statistical or research purposes and will not be published in a form that could
reasonably be expected to identify the individual concerned.
Principle 4
Manner of collection of personal information Personal information shall not be collected by an agency-
(a) By unlawful means, or
(b) By means that, in the circumstances of the case
(i) Are unfair, or
(ii) Intrude to an unreasonable extent upon the personal affairs of the individual concerned.
Principle 5
Storage and security of personal information
An agency that hosts personal information shall ensure,
(a) That the information is protected by such security safeguards as if is reasonable in the circumstances
to take against,
(i) Lost, and
(ii) Access, use, modification or disclosure, except with the authority of the agency that holds the
information, and
(iii) Other misuse, and
(b) That if it is necessary for the information to be given to a person in connection with the provision of a
service to the agency, everything reasonably within the power of the agency is done to prevent
unauthorised use or unauthorised disclosure of the information.
Principle 6
Access to personal information
(1) Where an agency holds personal information in such a way that it can be readily retrieved the
individual concerned shall be entitled-
(a) To obtain from the agency confirmation of whether the agency holds such personal information,
and
(b) To have access to that information.
(2) Where, in accordance with sub clause (1)(b) of this principle, an individual is given access to personal
information, the individual shall be advised that, under principle 7, the individual may request the
correction of that information.
(3) The application of this principle is subject to the provisions of parts iv and v of this Act.
Principle 7
Correction of personal information.
(1) Where an agency holds personal information, the individual concerned shall be entitled
(a) To request correction of the information, and
(b) To request that there be attached to the information a statement of the correction sought but not
made.
(2) An agency that holds personal information shall, if so requested by the individual concerned or on its
own initiative, take such steps (if any) to correct that information as are, in the circumstances,
reasonable to ensure that, having regard to the purposes for which the information may lawfully be
used, the information is accurate, up to date, complete, and not misleading.
(3) Where an agency that holds personal information is not willing to correct that information in
accordance with a request by the individual concerned, the agency shall, if so requested by the
individual concerned take such steps (if any) as are reasonable in the circumstances to attach
information, in such a manner that it will always be read with the information, any statement provided
by that individual of the correction sought.
(4) Where the agency has taken steps under sub clause (2) or sub clause (3) of this principle, the agency
shall, if reasonably practicable, inform each person or body or agency to whom the personal
information has been disclosed of these steps.
(5) Where an agency receives a request made pursuant to sub clause (1) of this principle, the agency shall
inform the individual concerned of the action taken as a result of the request.
Principle 8
Accuracy etc, of personal information to be checked before use
An agency that holds information shall not use that information without taking such steps (if any) as are, in
the circumstances, reasonable to ensure that, having regard to the purpose for which the information is
proposed to be used, the information is accurate up to date, complete, relevant and not misleading.
Principle 9
An agency that holds personal information shall not keep that information for longer than is required for the
purposes for which the information may be lawfully used.
Principle 10
Limits on use of personal information
An agency that holds personal information that was obtained in connection with one purpose shall not use
the information for any other purpose unless the agency believes on reasonable grounds-
(a) That the source of the information is a publicly available publication, or
(b) That the use of the information for that other purpose is authorised by the individual concerned, or
(c) That non-compliance is necessary
(i) To avoid prejudice to the maintenance of the law by any public sector agency, including the
prevention, detection, investigation, prosecution, and punishment of offences, or
(ii) For the enforcement of a law imposing a pecuniary penalty, or
(iii) For the protection of the public revenue, or
(iv) For the conduct of proceedings before any Court or Tribunal (being proceedings that have been
commenced or are reasonably in contemplation) or
(d) That the use of the information for that other purpose is necessary to prevent or lessen a serious and
imminent threat to-
(i) Public health or public safety, or
(ii) The life or health of the individual concerned or another individual, or
(e) That the purpose for which the information is used directly related to the purpose in connection with
which the information was obtained, or
(f) That the information, or
(i) Is used in a form in which the individual concerned is not identified, or
(ii) Is used for statistical or research purposes and will not be published in a form that could reasonably
be expected to identify the individual concerned, or
(g) That the use of the information is in accordance with an authority granted under section 54 of this
Act.
Principle 11
Limits on disclosure of personal information
An agency that holds personal information shall not disclose the information to a person or body or agency
unless the agency believes, or reasonable grounds-
(a) That the disclosure of the information is one of the purposes in connection with which the information
was obtained or is directly related to the purpose in connection with which the information was
obtained, or
(b) That the source of the information is a publicly available publication, or
(c) That the disclosure is to the individual concerned, or
January 2021 QA218 – Ver 01 Authorised by: QAC
Next review: August 2023 Page 7 of 8
(d) That the disclosure is authorised by the individual concerned, or
(e) That non-compliance is necessary-
(i) To avoid prejudice to the maintenance of the law by any public sector agency, including the
prevention, investigation, prosecution, and punishment of offences, or
(ii) For the enforcement of the law imposing a pecuniary penalty, or
(iii) For the protection of public revenue, or
(iv) For the conduct of proceedings before any Court or Tribunal (being proceedings that have been
commencement or are reasonably in contemplation), or
(f) That the disclosure of the information is necessary to prevent or lessen a serious and imminent threat
to-
(i) Public health or public safety, or
(ii) The life or health of the individual concerned or another individual, or
(g) That the disclosure of the information is necessary to facilitate the sale or other disposition of a
business as a going concern, or
(h) That the information-
(i) Is to be used in a form in which the individual concerned is not identified, or
(ii) Is to be used for statistical or research purposes and will not be published in a form that could
reasonably be expected to identify the individual concerned, or
(i) That the disclosure of the information is in accordance with an authority granted under section 54 of
this Act.
Principle 12
Disclosure of Personal Information outside of New Zealand
(1) An agency (A) may disclose Personal Information to a foreign person or entity (B) in reliance on IPP 11
(a), (c), (e), (f), (h), or (i) if;
(a) The individual concerned authorises the disclosure to B after being expressly informed by A that
B may not be required to protect the information in a way that, overall, provides comparable
safeguards to those in this Act; or
(b) B is carrying on business in New Zealand and, in relation to the information, A believes on
reasonable grounds that B is subject to this Act; or
(c) A believes on reasonable grounds that B is subject to privacy laws that, overall, provide
comparable safeguards to those in this Act; or
(d) A believes on reasonable grounds that B is a participant in a prescribed binding scheme; or
(e) A believes on reasonable grounds that B is subject to privacy laws of a prescribed country; or
(f) A otherwise believes on reasonable grounds that B is required to protect the information in a way
that, overall, provides comparable safeguards to those in this Act (for example, pursuant to an
agreement entered into between A and B.)
(2) However, subclause (1) does not apply if the personal information is to be disclosed to B in reliance
on IPP 11 (e) or (f) and it is not reasonably practicable in the circumstances for A to comply with the
requirements of subclause (1).
(3) In this IPP; “prescribed binding scheme” means a binding scheme specified in regulations under
section 213 and “prescribed country” means a country specified in regulations made under section
214.
Principle 13
Unique identifiers
(1) An agency shall not assign a unique identifier to an individual unless the assignment of that identifier
is necessary to enable the agency to carry out any one or more of its functions efficiently.
(2) An agency shall not assign to an individual a unique identifier that, to that agency’s knowledge, has
been assigned to that individually by another agency, unless those two agencies are associated
persona within the meaning of section 8 of the Income Tax Act 1976
(3) An agency that assigns unique identifiers to individuals shall take all reasonable steps to ensure that
unique identifiers are assigned only to individuals whose identity is clearly established.
(4) An agency shall not require an individual to disclose any unique identifier assigned to that individual
unless the disclosure is for one of the purposes in connection with which that unique identifier was
assigned or for a purpose that is directly related to one of those purposes.
QA218 – Ver 01
Next review date: August 2024