Last updated: April 28, 2020
NZCCM relies on the use of personal data to provide services to our members, to achieve our core objectives and to ensure the public can access qualified and competent conservation professionals. To this end, NZCCM processes personal data from members, contractors, members of the public and representatives from other organisations.
This policy sets out how we collect, use, store and disclose your personal data to ensure we comply with our obligations.
This policy applies to NZCCM data subjects. Data Subjects include all living individuals about whom NZCCM holds personal data; for instance, a volunteer or a member. A data subject need not be a NZ national or resident. All data subjects have legal rights in relation to their personal data.
This policy has been approved by NZCCM’s Executive Committee. It may be amended as needed to reflect any changes in legislation, regulatory guidance or internal policy decisions.
Processing of data is any activity that involves use of personal data, whether by automated or other means. It includes but is not limited to:
NZCCM collects personal data for legitimate purposes as a membership organisation for professional conservators. This includes advancing knowledge, practice and standards for the conservation of heritage through publications and conferences. Details of some of these activities are outlined in this section.
Data for Legal Obligations
- NZCCM will use your information to comply with any legal obligations and to establish or exercise or defend our legal rights as a membership organisation for conservators.
Data for Membership
Data for Public Access and Contact
Data for Financial Purposes
Data for Fundraising and Marketing
- NZCCM collects data of non-members to enable the pursuit of fundraising and marketing objectives. This includes names, addresses and email addresses of people the NZCCM might wish to influence, from whom the NZCCM might wish to obtain feedback, or invite to an event. The NZCCM only sends this information where it has been requested by non-members, and so the basis for collecting and processing this data is consent.
- Consent for the processing of personal data related to communication with non-members for the purposes of fundraising and marketing will be documented in explicit written correspondence at the time they agree to receive free communications from NZCCM. In a technical sense, these contacts will be managed via NZCCM’s existing file management system, where the date of consent will also be stored.
- NZCCM will occasionally use or work with contracted data or payment processers, such as WordPress or Paypal. Data processors are contractually obligated to comply with NZCCM’s Data Protection Policy, and to provide data showing how they comply.
NZCCM will not collect more personal data than is necessary for the purpose, nor will it retain data for longer than necessary. This means that the personal data that we hold should be destroyed or erased from our systems when it is no longer needed. If you believe the NZCCM is holding out-of-date or inaccurate personal data, please contact the Secretary NZCCM.
To ensure the NZCCM is always able to confirm the past or present membership status of an individual, and to facilitate the resumption of past membership, details are retained on file for a period of seven years after last contact. After seven years, further information regarding membership will be retained as statistics only (list of names) with no additional personal contact information retained.
Subject Access Rights and Fair Processing of Information
You have a right to know the following regarding the data we collect about you:
You have the right to request a copy of any personal data that NZCCM hold about you, as detailed above (known as subject access rights). There will be no charge for fulfilling this request. If you make the request request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by you. Those wishing to lodge such a request should do so by writing by email to the NZCCM Secretary at email@example.com. Information must be provided within one month of receipt of the request, though we must first ensure we are satisfied as to the identity of the person making the request for the data.
You have the right to have personal data rectified if it is inaccurate or incomplete. In cases where the NZCCM has provided data to third parties, the NZCCM will inform them of the rectification, unless this is impossible or would involve disproportionate effort. You have the right to request that NZCCM restricts the processing of your data in certain circumstances (for example, if you say your data is inaccurate, the processing will be restricted while we check the accuracy of the data).
Individuals wishing to update their personal details should do so in writing by email to the NZCCM Secretary at firstname.lastname@example.org. The NZCCM will normally amend relevant records within 14 days of receipt of the request.
You have the right to have personal data erased and to prevent processing in specific circumstances; although this request may be refused, if the personal data in question is processed:
Individuals wishing to lodge such requests should do so in writing by email to the NZCCM Secretary at email@example.com. The NZCCM will acknowledge to such requests within 14 days of receipt, and normally respond within one month.
NZCCM has a responsibility to ensure that appropriate organisational measures are in place to prevent the unlawful processing of personal data and to protect against accidental disclosure, loss or destruction of data.
Access to personal data processed and stored by the NZCCM is restricted to specific members of the Executive Committee responsible for processing the data.
NZCCM has a responsibility to ensure that appropriate technical measures are in place to prevent the unlawful processing of personal data and to protect against accidental disclosure, loss or destruction of data.
NZCCM’s Executive Committee membership communication is password protected and stored on a cloud based secure server and backed up.
No further access to NZCCM’s membership records is permitted.
There is no obligation for us to make an annual notification to the OPC under the Act, but we will ensure we consult with the OPC where necessary.
We must report breaches (other than those which are unlikely to be a risk to individuals) to the OPC where necessary. We will also notify affected individuals where the breach is likely to result in a risk to the rights and freedoms of these individuals.
To ensure the Executive can fulfil this responsibility, as part of the broader organisational annual reporting cycle an annual data protection report will be provided to the AGM which will include, but not be limited to, the following:
NZCCM will keep a record of our data processing activities, to demonstrate that we are complying with them. These records will include but are not limited to: