- the NMSSA website
- the users who visit the NMSSA website
- the Privacy Act 2020.
The policy operates alongside and subject to any privacy statements or policies that may apply to specific supplies of information made to the Educational Assessment Research Unit (EARU) through its NMSSA website. EARU is a research programme unit of the University of Otago and as such, University privacy provisions also apply.
Collection and use of personal information
EARU records information about users when they visit this website. EARU may use this information for the purposes described below and for system administration functions including assessing compliance with relevant policies and practices.
Where practicable all such personal information is obtained directly from users, or from their nominated agents. If all or any part of the requested information is not provided, users may not be able to access EARU services.
The information collected is of two types:
Automatically captured data - this includes, but is not limited to:
- the internet address of the user’s browser, and the type of browser used
- the address of the user’s server
- the user’s domain name
- the user’s IP and/or MAC address
- the date and time that the user visited the website
- the pages visited and any documents downloaded
- the previous site visited
- access details for restricted sites
- Google Captcha telemetry (to determine if a legitimate user is submitting a form)
This data is used to assess the way in which data is utilised by users on the NMSSA website, in order to inform further development of the NMSSA research programme.
User supplied information
User supplied information may include users’ name and email address, so that they may receive relevant NMSSA programme updates and/or register their interest in joining the project as a teacher assessor. This information may be supplied by users via online forms and/or surveys and/or email. This information may be used for NMSSA programme administration and/or provision of services and/or research and in any other way within the scope of the purposes for which the information was collected. EARU, or staff of EARU, may also use this information to contact teachers and/or schools for the purpose of NMSSA programme-related activities and functions.
EARU will take all reasonable steps to ensure that personal information is accurate, up to date, complete, relevant and not misleading, before using or disclosing it.
Disposal of personal information
Storage of personal information is managed in accordance with the policies and procedures of the University of Otago Cyber Security Framework.
NMSSA paper records of data are scanned and archived. Hard copy originals are then housed in locked storage for a minimum period of five years. After five years the archived documents are logged, sentenced, and disposed of through secure document destruction services.
The University’s Corporate Records team ensure compliance with requirements under the Public Records Act and the New Zealand Universities’ General Disposal Schedule.
Security of personal information
Personal information will be stored on University of Otago files and databases and EARU will take all reasonable steps to keep personal information safe and secure, and to ensure that it is protected against loss or unauthorised access, modification, use or disclosure. In some instances, personal information may be transferred, and held, by service providers in New Zealand and overseas (including, for example, where it is stored using a cloud-based service). Where this occurs, EARU will do everything reasonably within its power to ensure that the service provider also has reasonable security measures in place to protect personal information.
EARU will not transfer personal information to a foreign person or entity (including an overseas-based service provider) unless:
- it reasonably believes that the foreign person or entity has obligations to protect personal information in a way that is comparable to the protections afforded by the Privacy Act 2020; or
- the user authorises the disclosure of their personal information after being expressly informed by EARU that the foreign person or entity may not be required to protect their personal information in a way that, overall, provides comparable safeguards to those in the Privacy Act 2020; or
- it is not reasonably practicable in the circumstances for EARU to comply with 1. and 2., and it believes on reasonable grounds that disclosure of the personal information is necessary as permitted under the Privacy Act 2020.
Disclosure of personal information
Staff members and other personnel within EARU and the University of Otago will have access to personal information for purposes relevant to normal EARU operations.
User supplied personal information will not be disclosed to third parties without the consent of the user unless the use is within the scope of the purposes for which the information was collected. EARU staff may share information where required for their administrative and NMSSA programme-related functions.
EARU works with third parties to provide web services, such as website hosting and maintenance. Website visitor information may be shared with these third parties to the extent necessary for them to provide these services. This information will not include personally identifiable data such as names or addresses but it may include such things as IP and /or MAC addresses, domain names, the pages you accessed, and the date and time you visited our website.
Other than stated above, we do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. EARU has taken steps to ensure that each partner or third party involved treats personal information in accordance with the Privacy Act 2020.
EARU will make personal information held about users available to them upon request and in accordance with the Privacy Act 2020. The Privacy Act 2020 describes the conditions under which some personal information may be withheld.
Users have the right to request correction of personal information held in accordance with the provisions of the Privacy Act 2020. If you would like to do this, please email the Administrator at firstname.lastname@example.org.
If you are concerned your privacy has been breached by EARU through its NMSSA website, you may make a complaint to the Administrator at email@example.com. You also have the right to make a complaint to the Office of the Privacy Commissioner. You can contact the Office of the Privacy Commissioner at www.privacy.org.nz.
EARU will notify you as soon as practicable if there is a privacy breach in relation to your personal information that EARU reasonably believes has caused or is likely to cause you serious harm, unless one of the exceptions under the Privacy Act 2020 applies. The University will also notify the Privacy Commissioner as soon as practicable if there is such a breach.