Last Updated: 23 September 2021
1. Introduction and how to contact us
2. Privacy, Personal Information, Personal Data and Employee Records
4. Scope and Applicability
7. Privacy Principles Governing the Handling of Personal Information
8. Complaints, Enquiries and Access to Information Requests
9. How to make a Complaint, Enquiries and Access to Information Requests
10. Skill, Diligence, Care
12. Governing Law
13. Company Information
14. Representative for data subjects in the EU and UK
1. Introduction and how to contact us
Heart and Brain Works Limited (Heart and Brain Works) is a privately held entity which provides mental health audits and training for workplaces, universities and schools wanting to understand and promote positive mental health. Based in New Zealand, Heart and Brain Works provides services and solutions internationally.
Heart and Brain Works applies the science of work design to assess psychosocial hazards, and psychometrically validated tools to assess indicators of employee mental health. Heart and Brain Works products and services include tools and resources for self-development and risk mitigation.
Under the New Zealand Privacy Act 2020 and Health Information Privacy Code 2020 (Privacy Act), 'health service' includes any activity that involves assessing, maintaining, improving or managing a person's physical or psychological health. As such, Heart and Brain Works (We, Us, Our) is subject to the Privacy Act, and because Heart and Brain Works provides services and solutions internationally, We must also comply with privacy-related laws in other countries.
Data protection law in certain jurisdictions differentiates between the “Controller” and “Processor” of information. For the purposes of the GDPR, Heart and Brain Works is the Controller of your Personal Data. Heart and Brain Works is a company registered in New Zealand and our New Zealand Business Number is 9429048932189. Our head office and address is Orchard Street, Avondale, Auckland, 1026 New Zealand.
How to contact us
You can contact us by emailing: [email protected]
Our Data Protection Officer
2. Privacy, Personal Information, Personal Data and Employee Records
Heart and Brain Works processes identifying personal information (PI) and also special categories of PI involving physical or mental health and other conditions (Sensitive PI).
We make no distinction between employee records and other sources of PI. Neither do we discriminate between different formats of PI (electronic records, paper records, voice files etc.), nor whether the information or opinions are true or not. All PI that We process and hold (where We have possession or control of a record), or use and disclose (where the information is outside of Our possession or control) is treated with the same respect, security and high standards.
The purpose of this Policy is to inform You about the personal information that We ‘process’ (hold, collect, record, organise, structure, store, adapt, alter, retrieve, consult, use, disclose, transmit, disseminate or make available, align, combine, restrict, erase, destroy and profile) about You, how We handle it, and inform You about Your choices.
4. Scope and Applicability
The scope of this Policy extends to all personal information that We process in the course of providing Our services, complying with law and managing risk.
In providing the service, this Policy extends to Our business activities which include our client relationships, internal operations (management, employees, temporary staff, contractors) and external operations (third parties such as business partners and service providers).
The scope of this Policy extends to our external client-facing activities such as Our online presence at www.heartbrainworks.org and to the personal information that is collected through Our Websites and the use of email for general communications and marketing purposes.
This Policy is written in simple language so that it is easy to understand. If something is not clear, We invite You to contact Us so that We can provide assistance. Our contact details are provided in section 13 below. They will also be provided every time that We make contact with an individual.
This Policy outlines the current personal information handling practices of Heart and Brain Works. We will update this Policy when Our information handling practices change and We will publish updates on Our Website and through Our email distribution lists.
In all cases where consent is required, whether it be express consent (verbal, in writing, click-wrap tick box) or implied consent (browse-wrap without a tick box and other behaviour which indicates consent through continued use), it must be voluntary, current, specific and based upon adequate information about the circumstances and choices available to You as an individual. Naturally, You must have the capacity to understand, to give (for example, be 18 years or older) and to communicate consent. If You are unable to provide consent, You must not access Our Services until a parent or guardian is able to consent on Your behalf. Individuals who are not sure about giving consent are encouraged to contact Us. See section 13 for contact details.
7. Privacy Principles Governing the Handling of Personal Information
Heart and Brain Works is committed to making every reasonable effort to manage personal information in an open and transparent way and in compliance with the Privacy Act and any other privacy-related laws in other countries which relate to the services provided by Heart and Brain Works.
7.1 Open and Transparent Management of Personal Information
To support this commitment, We have implemented practices, procedures and systems to align Our handling of personal information with principles that have been derived from New Zealand privacy law, relevant international law, international standards and best practice.
These practices, procedures and systems are intended to regulate Our internal and external business operations through the use of administrative, technical and physical controls. The legal notices published on Our Website are examples of Our administrative controls. Technical and physical controls are generally not made publicly available for security reasons (security through obscurity).
7.2 Anonymity and Pseudonymity
As an individual, You will remain anonymous when completing surveys related to Our services. If You are enrolled in the Wellbeing Protocol or other programs, or volunteer to participate in focus groups or individual interviews, Your name and email address will be required in order to set up Your password and access to the platform or the interview meeting.
Other examples of circumstances where We will need to know the identity of the person that We are dealing with relate to the provision of the Heart and Brain Works services, where identification is required or authorised by law, where a refund is requested, for dispute resolution, where access to information is requested for correction, and where cost becomes excessive or impractical without knowing the identity of the individual We are dealing with.
7.3 Collection of Solicited Personal Information
Information we generally collect
We are committed to collecting personal information by lawful and fair means and wherever possible only collecting it directly from the individual concerned.
We collect personal information from individuals where the information is reasonably necessary for one or more of the Heart and Brain Works functions, activities and legal obligations relating to the services that We provide.
In providing Heart and Brain Works services to individuals We collect “Sensitive PI”. This Sensitive PI is provided by the individual themselves, or, by an organisation, partner or other stakeholders such as a university. Where We collect Sensitive PI, We always ask for prior consent in “writing”, where writing includes electronic forms of writing including, but not limited to email and ticking a box in an online form.
Broadly, we collect and process PI and Sensitive PI such as name, age, email address, location (city and country), sex and other demographic data that is applicable to the workplace or school context.
Our services contain surveys that collect different levels of information. This includes employees’ perceptions of their work experiences, related outcomes and general wellbeing. Our services offer surveys that clients can customise to their organisation’s context. The aim of these (and possible future) online surveys is to provide a periodic assessment of wellbeing and the social and environmental determinants of wellbeing.
For internal human resourcing, We also collect sensitive personal information, such as religious beliefs, trade union memberships and health information when it is required for employment reasons, or by law. We may solicit or request personal information from a third party such as an employment agency or referees in the context of employment.
In most instances, even for non-sensitive PI where We collect personal information, We only do so after a direct request to, and with the consent of the individual to whom the information relates.
In exceptional circumstances and for human resourcing, or when authorised or required by law, We may collect personal information from some source other than the individual themselves.
Where We provide Heart and Brain Works training to an organisation, such as The Wellbeing Protocol, We do solicit personal information in the form of name and work email address from the organisation about an individual. This is so they may get secure access to Our platform.
Billing details: If you use a credit card for billing, our credit card processor may collect information such as the cardholder’s name, billing address, email address, credit card number, expiry date and credit card security code.
7.4 Dealing with Unsolicited Personal Information
Personal information is sometimes provided to Us in circumstances where We have not requested it. In these circumstances, where the information is unsolicited, We will examine whether it could have been collected in the circumstances described in section 7.3 above. We will then consider and decide whether this unsolicited information should be retained, de-identified or destroyed. Having made that decision, We will implement it within a reasonable time.
7.5 Notification of the Collection of Personal Information
This Policy, other legal notices published on Our website and Our internal practices, procedures and systems (administrative controls) are Our way to ensure that individuals know about the personal information that Heart and Brain Works collects.
We are committed to making all reasonable efforts to inform individuals about the personal information We collect before We collect it, for example by making this Policy and Our other Legal Notices publicly available. We will also inform individuals about collection at the time We collect personal information, for example when workplaces engage Us to provide Heart and Brain Works services, through website activity and other forms of communication such as email.
In exceptional circumstances where this does not happen, for example, when We receive unsolicited personal information from a third party which We decide to retain, We will inform individuals as soon as reasonably possible after the collection of personal information.
Through this Policy and other legal notices published on Our Website, We seek to ensure that individuals are informed about the reasons for the collection, and that they know how to contact Heart and Brain Works. See section 13 below for details.
7.6 Use or Disclosure of Personal Information
Where We hold personal information about an individual that was collected for a particular purpose (the primary purpose) We will not use or disclose the information for another purpose (a secondary purpose) unless required or authorised by law, the individual has consented, or the individual would reasonably expect Us to use or disclose it for a related purpose. An example of a related purpose in these circumstances might be disclosure to a next-of-kin or health care provider in the case of an employee.
In some circumstances, for example, where We believe that the Heart and Brain Works service may be improved through new technologies such as data science (analytics), or where We see a benefit to individuals, We may use personal information that has been provided to Us by the individual themselves or received from third parties for a purpose that is different from the purpose for which it was given to Us in the first place. Where We do this, We will use and/or disclose the personal information in a de-identified format.
Broadly speaking, We use (process, handle and manage) personal information internally for two reasons:
- To provide Heart and Brain Works services. Examples include: name, address (email and Internet Protocol address), telephone numbers and cookies; and
- For internal human resourcing. Examples include: name, address (physical, postal, email and Internet Protocol), health information, medical service provider and counsellor details, next-of-kin, spouse or partner, banking details, tax, photo identity, trade union membership, religious beliefs, gender, cultural and ethnic identity, qualifications, training and the like.
We do not collect biometric forms of personal information such as fingerprints.
We also use and retain personal information records which are required to be retained for legal, business and evidential reasons. Sometimes these come from external sources and third parties.
Broadly speaking, We disclose personal information (release it outside of Our possession or control) for the same primary reasons listed above (providing the service and internal human resourcing) and where there is a legal obligation to do so.
7.7 Direct Communications
When We provide a service to individuals and to workplaces, We ask for consent to communicate directly with the individuals concerned in order to provide the service.
Whenever We do, We allow individuals to opt-out of receiving direct communications. When individuals request Us to stop communicating with them, We will comply with that request. However, we will still need to send certain account-related emails, such as requests for password resets to fulfil Our service provision obligations.
We would also like to send you information about our Services that we think may be relevant to you. If you have agreed to receive marketing, you may always opt-out at a later date.
If an individual requests information about how We came to have their personal information, We will respond, and provide the source of an individual’s personal information wherever possible. We will respond to these requests within a reasonable time (thirty (30) business days).
We do not disclose, sell or share personal information with third parties for direct marketing purposes unless the individual opts into receiving such information from third parties.
7.8 Cookies and tracking technologies
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. When you visit our websites or use our Services, We may collect information from you automatically through cookies or similar technology.
We and Our marketing partners or service providers use technologies such as cookies to analyse trends, administer Our Website, track users’ movements around the Website, and gather demographic information about Our user base. We may receive data based on the use of these technologies by these companies on an individual and aggregated basis. We may share some limited aspects of this data with third parties for advertising purposes. We may also share online data collected through cookies with Our advertising partners. This means that when You visit another website, You may be shown advertising based on Your browsing patterns on Our Website.
7.9 Cross-border Disclosure of Personal Information
Heart and Brain Works operates from offices in New Zealand and may add additional locations as the business grows. These operations include all aspects of internal operations that support the service that We provide as well as the provision of ‘live’ services (where personal information travels over telecommunications lines) and the storage of static personal information in data warehouses and on information systems.
Heart and Brain Works clients are located in New Zealand, Australia, the European Union (EU), the Philippines, the United States of America (USA), Canada, and the United Kingdom (UK). Over time We will extend the services to other jurisdictions, with the result that personal information flows (is exported and imported) between these countries. Upon request, We can arrange for Your data to be stored in the sovereign region of Your choice; note that this may incur an additional charge. There may be times when Your Personal Information may be transferred, disclosed, or processed in another country. For example, if You contact Our support team, any information You provide Us in the support request (including personal information such as Your name and email address) will be processed and hosted in New Zealand or the Philippines due to the location of Our support team.
Because information systems enable Our services, Personal information collected or used by Us may be located or disclosed in transit and in a static format in countries outside New Zealand, in the countries mentioned above, or elsewhere. Wherever reasonably possible, we meet international best practice standards and employ recognised mechanisms such as contractual clauses and other agreements.
We employ ‘Cloud’ technology services, and these too meet international best practice standards and employ recognised mechanisms such as contractual clauses.
Heart and Brain Works relies on various third-party service providers such as telecommunications providers, and Internet Service Providers. These are based in New Zealand, Australia, and USA.
Our operations include all aspects of internal and external business that support Our services, such as the provision of ‘live’ services (where personal information travels over telecommunications lines) and the storage of static personal information in data warehouses and on information systems.
7.10 Quality of Personal Information
We are committed to taking such steps as are reasonable in the circumstances to ensure that the personal information We collect, hold, use and disclose (process) is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.
To do this, We ask individuals to assist Us. We provide various technical means, including email notifications and user registration access, through which individuals can access, verify and update the personal information records that We hold. We ask individuals to participate by ensuring their information is accurate, up-to-date, complete and relevant. We can be reached by email at [email protected]
7.11 Security of Personal Information
We are committed to taking reasonable steps to protect personal information that We hold from misuse (wrong or improper use), interference (access even where the content is not necessarily modified) and loss (accidental, inadvertent or misplaced personal information).
We are also committed to securing personal information from unauthorised access (by someone that is not permitted to access the information), unauthorised modification (alteration by someone that is not permitted to do so, or who acts beyond the scope of their authority to modify personal information) and unauthorised disclosure (where personal information is released from Our effective control without authority).
To comply with law and manage risk, Our practices, procedures and systems aim to protect the confidentiality, integrity and availability of Our information systems and information, especially the personal information that We collect, hold, use and disclose.
Where there is no legal obligation to retain records and evidence, and in circumstances where We no longer need personal information to provide Heart and Brain Works services or for any purpose for which the information may be used or disclosed under New Zealand law, We take reasonable steps to destroy the information or to ensure that the information is de-identified.
Our information security and privacy practices include circumstances where Our data handling practices are outsourced to third parties. Because of this, We endeavour wherever possible to bind third-party service providers through appropriate legal agreements. We also endeavour to monitor their privacy and security practices where possible.
7.12 Access to Personal Information
Where We hold, or have the right and power to deal with personal information (for example, where it is stored by one of Our third party service providers), We will, on request by an individual, normally give that individual access to their information.
We do this so that individuals know what information We hold on them and because it assists Us to ensure that the personal information that We hold is up-to-date, complete and relevant.
In considering a request for access to personal information by an individual, We will require identification. We reserve the right not to give an individual access to their personal information in certain circumstances, for example, where provided for in law, in instances of commercial sensitivity and where a third party may be negatively affected.
We will respond to an individual’s request for access to their information within a reasonable time (thirty (30) business days), and We will consider reasonable requests for access to be given in a particular format, for example, through user registration login, by facsimile, email and postal services. As a matter of courtesy, We will provide reasons for the refusal if access is refused.
No charge will apply when an access to information request is received. We do however reserve Our rights to charge a fee where We incur costs, for example, for photocopying, postage and costs associated with using an intermediary if one is required.
7.13 Correction of Personal Information
Where We hold personal information, We will take reasonable steps to correct it to ensure that, having regard to the purpose for which We hold it, it is accurate, up-to-date, complete, relevant and not misleading.
You, as an individual may request that We correct personal information that We hold about You in circumstances where You believe that the information is inaccurate, out of date, incomplete, irrelevant or misleading.
In considering a request for the correction of personal information that We hold, We will require identification of the requesting individual. We reserve the right not to make the changes sought, but undertake to consider reasonable requests and, if We consider refusal the appropriate action, to attach to the record a statement noting that a correction was requested and refused.
We will respond to a request to change information within a reasonable time (sixty (60) business days) although changes sought may take longer, for example, because We may need to contact and notify other organisations and individuals about the request.
No charge applies for making a request, correcting personal information or associating a statement for refusal to change a record.
As a matter of courtesy, We will provide reasons for the refusal if correction is refused, and also a reminder of the complaint process available to individuals that feel aggrieved by the refusal.
7.14 Additional Data Protection Rights
In addition to 7.12 and 7.13 we would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
- Right to erasure: You have the right to request that We erase Your personal data, under certain conditions;
- Right to restrict processing: You have the right to request that We restrict the processing of Your personal data, under certain conditions;
- Right to object to processing: You have the right to object to Our processing of Your personal data, under certain conditions; and
- Right to data portability: You have the right to request that We transfer the data that We have collected to another organisation, or directly to You, under certain conditions.
In considering a request to exercise data protection rights by an individual, We will require identification. We reserve the right to refuse an individual’s request in circumstances, for example, where provided for in law, in instances of commercial sensitivity and where a third party may be negatively affected. As a matter of courtesy, We will provide reasons for any such refusal.
We will respond to an individual’s request regarding their data protection rights within a reasonable time (sixty (60) business days).
7.15 Retention Period
Our Company will keep your Personal Information for up to one (1) year after the cessation of any Services provided that includes the processing of PI. Once this time period has expired, we will delete or de-identify your data.
In some circumstances, for example, where We believe that the Heart and Brain Works service may be improved through new technologies and techniques such as predictive analytics, or where We see a benefit to individuals, We may use personal information that has been provided to Us by the individual themselves or received from third parties for a purpose that is different from the purpose for which it was given to Us in the first place. Where We do this, We will use and/or disclose the personal information in a de-identified format and retain this data for an indefinite period.
8. Complaints, Enquiries and Access to Information Requests
In most circumstances, the New Zealand Privacy Commissioner will not investigate a complaint if an individual has not first raised the matter with Us. For this reason, We ask individuals to agree to submit all complaints relating to this Policy to Us first, so that We have an opportunity to resolve complaints before they proceed to any relevant authority. Individuals are asked to direct all complaints and enquiries to Us at [email protected] and to see sections 9 and 13 below for further details.
Should you wish to report a complaint that you feel that Heart and Brain Works has not addressed your concern in a satisfactory manner, you may contact the New Zealand Privacy Commissioner.
9. How to make a Complaint, Enquiries and Access to Information Requests
Individuals can make general enquiries, request access to their information and lodge complaints with Us in writing. This includes email communications but excludes text messages and social media.
We will respond to complaints within a reasonable time (thirty (30) business days). As in the case of requests to change information, a longer response time may be needed, for example, because We may need to contact and notify other organisations and individuals affected by the complaint. In this case We will endeavour to respond within sixty (60) business days.
10. Skill, Diligence, Care
Heart and Brain Works will exercise reasonable skill, diligence and care as may reasonably be expected from a similar service provider.
If, and when, Heart and Brain Works suspects, or becomes aware of a breach of its network or information systems resulting in unauthorised access to, or unauthorised disclosure of personal information likely to result in serious harm to any individuals to whom the information relates; or where information is lost in circumstances that may lead to unauthorised access to, or unauthorised disclosure of personal information, Heart and Brain Works will:
- take remedial action;
- notify the individuals concerned, and notify the New Zealand Privacy Commissioner (Commissioner); and
- work with the individuals concerned and the Commissioner to protect everyone and everything concerned.
If You suspect or become aware of a breach or an impending breach, please contact Us as a matter of urgency at [email protected]
12. Governing Law
13. Company Information
Heart and Brain Works Ltd
Physical address and the address for receipt of legal service of documents
Orchard Street, Avondale, Auckland, 1026