Dealing with Personal Information

  • Clients and individuals have a right to access their information

  • Only use data for its primary or proper purpose

  • Store data only in the relevant shared drive

  • Each matter should have a separate file

  • Only the staff members working on a particular matter are permitted to access that file

  • You have additional obligations when working remotely

  • Notify the Managing Director if there is a suspected breach

Access

If we hold Personal Information about an individual, they have a right to access that information, correct that information and request the destruction of that information. Should you receive any of the above-mentioned requests from an individual, you must comply with that request after consulting the Managing Director.

Use only for Primary Purpose

Personal Information which is collected by us should only be used for:

  • the primary purpose; or

  • a purpose related to the primary purpose, for which the individual would reasonably expect the Personal Information to be used.

What is the primary purpose?

This will differ depending on each client and their needs. Where we require Personal Information about an individual and request it from a client, we must make clear at the outset why the information is required and how it will be used.

If a client discloses information to us without our requesting it, we must ensure the information is actually required in order to complete the task we have been engaged for.

If it is not required, we should destroy the information.

Storage

Where Personal Information is held by us, we must ensure the information is stored securely and accurately. Accordingly, information should only be stored on approved Honestally systems and should be saved to a file reserved only for information relating to a certain matter (i.e., each matter should have a separate file). Additionally, only the staff members working on a particular matter are permitted to access that file.

It is up to the staff member(s) delegated to a certain matter to ensure the information is kept up-to-date and accurate. Should you become aware of outdated information, you must update it.

Where Personal Information is held by us and it is no longer required for the purpose it was collected for, you should either securely destroy such information, or de-identify the information.

Privacy Obligations when Working Remotely

The requirements of the Privacy Laws continue to apply when employees work off site or from home. When working remotely and dealing with privacy and/or personal information, employees and contractors must:

  • avoid working in close proximity to other members of the household or visitors and ensure that video conferences and phone calls are conducted in private spaces;

  • where possible, use headphones during work-related calls to minimise the information that may be inadvertently overheard;

  • ensure that their work-related devices are locked and secured when not in use, in accordance with our Code of Conduct and Security Agreement; and

  • not print out documents containing personal information in hard copy.

What happens if there is a suspected data breach?
