Data privacy policy

1. Introduction

Overview

This policy sets out the kind of information CORE collects and holds; how we collect, use, disclose and store personal information; the purposes for which this information is collected; how it may be accessed and corrected; how you may complain about a breach of the principles of a privacy and how we will deal with such a complaint.

Types of personal information collected

Information we collect includes, but not limited to:

• names and pseudonyms
• contact information
• job title
• date of birth and (if applicable) date of death
• teacher registration status
• bank account details for electronic funds transfer payments.

Anonymity

We provide the option for individuals to either not identify themselves or to use a pseudonym, when dealing with us. In some circumstances if you choose not to provide requested information we may not be able to provide you with certain services. We do not provide this option in circumstances where it is impracticable to do so or where we are legally required to deal with identified individuals only.

Information on children aged under 13

Data collected for the purposes of education within the school environment will be done so with the consent of the school, data collected for extracurricular activities will be collected with the consent of a verified parental caregiver. We will take appropriate steps to delete any personally identifiable information of persons less than 13 years of age that has been collected on our systems without verified parental/caregiver consent upon learning of the existence of such personally identifiable information.

​2. Why does CORE collect personal information?

CORE collects and holds personal information for the business purposes detailed generally on our systems. These purposes include:

• collecting and distributing payments for uses working with CORE
• identifying and locating customers
• providing services and products to customers
• administering funding applications, prizes and awards
• during recruitment activity, directly by us and through third-parties such as recruitment websites and recruitment agencies
• on behalf of a third party client, when CORE is contracted to manage and operate events and programmes.

Other purposes you might reasonably expect us to apply related to these primary purposes.

3. How does CORE collect personal information?

Data sources

We collect personal information through:

• Data collection activities: surveys and e-reporting
• Organisations that act as an agent for us
• CORE electronic form website enquiries, user portals and interfaces
• Customer electronic form website enquiries, user portals and interfaces
• Email correspondences including Google and Office365 domains
• Backup tools
• Research projects
• Events registration tools
• Lists provided by commercial third parties
• Marketing activities
• Recruitment activities
• Google Analytics
• CRM and other business management applications
• Help Desk
• Online modules
• CORE intranet (Jostle)
• Our library system
• Survey tools including Business Positioning System (BPS), Educational Positioning System (EPS), Selfie, Māori Medium e-Learning Framework (Te Rangitukutuku), e-Learning Planning Framework
• Telephone calls, through notes arising from calls and through recording conversations where callers have been advised the recording is activated

Users should be aware that there are inherent risks in transmitting information across the internet.

Website visitors

CORE uses Google Analytics to collect data about users’ usage and activity on our websites. This is collected for the purpose of improving the websites and is not used by us to personally identify users. All tracked data is anonymously collected in accordance with Google Analytics’ privacy policy. By using our websites you consent to processing of data about you by Google in the manner described here. Further information is available from Google.

Help desk

CORE uses Teamwork software to host our Help Desk. A user provides their name and email address to submit a question via the software to CORE, only data about users’ usage and activity is collected for the purpose of improving our systems and tools and cannot be used by us to personally identify users. By using the help desk you consent to the processing of data about you by us in the manner described. https://www.teamwork.com/legal/privacy-policy/

Online modules

CORE uses a number of learning management systems to host our online modules. Data including user type, organisation name, and the user’s name and email address is collected. By using our online modules you consent to processing of data. https://moodle.org/admin/tool/policy/view.php?policyid=1, https://www.matrixlms.com/info/privacy, https://learningpool.com/privacy-policy/

Google, Microsoft Office 365 business management applications and backups

CORE uses various Google and Microsoft business management applications to obtain, record, and manage personal information obtained through the activities listed here. The information recorded in CORE applications is transmitted and stored securely in the countries in which Google and Microsoft processes data and is subject to the privacy laws of those countries and appropriate privacy policy: https://policies.google.com/privacy?hl=en-US, https://privacy.microsoft.com/en-ca/privacystatement

CORE uses Spanning Backup to backup and restore data in the Google domain: https://spanning.com/privacy-statement/

Events registration tools

CORE uses cVent for event registration and by registering for an event, webinar or function you agree to consent to be cVent privacy Policy: https://www.cvent.com/en/privacy-policy

Marketing activities

CORE uses SurveyMonkey, Twitter, Facebook, Instagram, LinkedIn, YouTube and Mailchimp for marketing purposes. If you join one of CORE’s social media platforms and associate or follow, CORE then you consent to the privacy policies of those tools:

Survey Monkey

Twitter

Facebook

Instagram

YouTube

By joining the CORE Education mailing list using Mailchimp then you consent to the policies of Mailchimp.

4. How does CORE use and disclose personal information?

CORE uses and discloses personal information for the purposes that it was collected, as outlined in this statement and elsewhere on the CORE website, and for associated management purposes. The two most common ways we collect personal information is you have signed up to receive communications or you have registered for an event (webinar, programme, conference).

It may also use and disclose personal information for any other purposes to which you have consented. Subject to privacy policies, CORE may also use and disclose personal information for any other related purpose that you would reasonably expect the information to be used or disclosed.

We may use and disclose your personal information in the following specific circumstances:

• Your participation in events, webinars and other services provided by CORE
• For research or evaluation purposes of CORE’s products and services which may be conducted by a third party
• Your personal information to our independent auditors engaged to audit CORE’s operations
• Your personal information may be disclosed in pursuit of dispute resolution or to external mediators or experts
• CORE may be obliged to disclose personal information to law enforcement bodies, or to a third party if the disclosure is necessary to prevent or lessen a serious and imminent threat to the life, health, or safety of you or another person, and it is unreasonable or impractical to obtain your consent.

CORE will not otherwise use or disclose your personal information without your consent unless required or authorised by law.

Cross-border transfer

Information may be shared outside of New Zealand, as requested by the individual or where the foreign person or entity requesting the data is subject to the other countries legislative requirements and/or appropriate contractual terms.

System hosting

Where CORE is responsible for processing or hosting data on behalf of another organisation the terms and conditions of that organisation sets the policy on how that data may be used. CORE cannot use the data as if it was their own.

Marketing material

CORE may use your personal information to send to you marketing material that we consider will be useful to you, or other material about our activities. We will only do this if we collected the information from you and you would reasonably expect us to use or disclose the information for that purpose, or if you have consented to receiving such communications. If you don’t wish to receive this material from us you can inform us and we will stop sending it to you within a reasonable period of time. From time to time we may provide your email address to a third party for research and evaluation purposes. We will not provide your personal information to third parties for direct marketing purposes.

​5. How does CORE store and secure personal information?

CORE takes reasonable steps to protect your personal information from loss, unauthorised access, modification, disclosure, interference or other forms of misuse.

These steps include electronic access restrictions for electronic data, and securing paper files containing personal information in locked cabinets or off-site secure storage facilities. CORE holds personal information in a number of different formats, including on servers located off-site, databases, filing systems and in offsite backup storage.

CORE only retains personal information for as long as it is required for its business purposes or for as long as required by law, and information no longer required is destroyed securely. We may retain information for data analysis, but if this occurs, it will be retained in a form that does not allow you to be identified from that information.

​6. Can I access and correct my personal information held by CORE?

You may request access to your personal information and to request correction if it is inaccurate, out of date, incomplete, irrelevant or misleading. Such requests should be directed to our Privacy Officer whose details are provided below.

We will take reasonable and practicable steps to provide you access and/or make a correction to your personal information within a reasonable period, unless we consider there is a sound reason under the relevant law to withhold the information, or not to make the changes. If we do not provide you access to your personal information, or refuse to correct your personal information, where reasonable we will provide you with notice including the reasons for the refusal.

​7. Complaints, breaches and concerns

If you have a complaint relating to a breach of the privacy principles outlined in a Privacy Act you should contact our Privacy Officer at the details given below. CORE will investigate your complaint and respond to you within a reasonable time and in accordance with our legal obligations. We will take any necessary corrective actions promptly.

Breach notifications

Where a breach occurs and where the unauthorised or accidental access, or disclosure, loss, alteration or destruction of personal information has caused harm or is likely to cause serious harm CORE will:

• Notify the Privacy Commissioner
• Notify the affected individuals

Serious harm

Serious Harm is defined as having an impact on the individual such as:

• Physical harm or intimidation
• Financial fraud including unauthorised credit card transactions or fraud
• Family violence
• Psychological or emotional harm

Notification of a breach to the Privacy Commissioner

CORE will notify the Privacy Commissioner as soon as practical and describe the breach including:

• The number of people affected
• Identify any person or body suspected of being in procession of the personal information
• Any steps already taken or that are intended to be taken
• If notification to the affected people has not occurred the reason why
• Details of any other agencies advised of the privacy breach including lawyers, insurers, IT Technicians, police

Notification of a breach to the affected parties

CORE will notify the affected parties as soon as practical and describe the breach as soon as practicable directly or by public notice if not. That breach will describe the breach including the below information:

• The number of people affected by the breach
• If the identity of the person or body is known (the identity of any person or body suspected of being in possession of the personal information will not be shared unless it will prevent serious threat)
• Steps taken or intended to be taken
• Recommended steps to migrate or avoid potential loss or harm
• That the privacy commissioner has been notified
• No information about other affected individuals will be shared

When a breach is detected

CORE will take steps to contain the breach and assess what information was lost and will:

• Notify insurers
• Notify the Privacy Commissioner
• Notify the people affected by the breach
• Take steps to prevent another breach including some or all of the following:
• Security Audits
• Process and policy review
• Employee Training

How to contact us

If you have any questions or concerns about how CORE treats your personal information please contact our Privacy Officer directly via email at privacy@core-ed.ac.nz, via telephone on 0800 267 301 or write to the Privacy Officer at:

CORE Education

PO Box 13 678

Christchurch 8141

New Zealand

We reserve the right, at our discretion, to change, modify, add, or remove portions from this policy at any time so you are encouraged to review this policy from time to time. We will, of course, notify you of any changes where we are required to do so.