top of page

Privacy Policy

Your privacy is important to us, and we have a Privacy Policy that governs our collection, use and disclosure of your personal information.

Te Toi Mahana - Privacy Policy  


Te Toi Mahana holds a large amount of information about people. How we manage this personal information has implications for how Te Toi Mahana is perceived internally and externally. Ensuring we are trusted custodians of our data is good service and good business. 

This policy outlines the expectations on employees and contractors to ensure that we: 

a) Comply with our obligations under the Privacy Act 2020 and 

b) Demonstrate best practice in our management of tenant and employee personal information. 

Te Toi Mahana recognises data as taonga for Māori and will follow best practice in relation to Māori Data Sovereignty.  



Personal information is any information about a living identifiable individual. The information does not need to name the individual, if they are identifiable in other ways, such as their home address. Information about an organisation, such as a company or a trust, is not personal information 

The Privacy Act 2020 is New Zealand’s main privacy legislation, it is concerned with the content of personal information. Personal information comes in many forms, including notes, emails, recordings, photos, and scans, in hard copy or electronic form. 


Policy Statements  

1. Privacy Principles  

  • The Act contains 13 ‘Information Privacy Principles’ relating to the collection, security, storage, use and disclosure of information about individuals, and access by an individual to information relating to them which is held by Te Toi Mahana. 

2. Collection of Information  

  • Te Toi Mahana will only collect information where it is necessary for purposes linked to our organisational functions. We will make people aware of the collection of information, our purposes for doing so, who the information will be shared with, and their rights to access and correct that information 

  • We will collect it directly from the individual concerned unless one of the reasonable grounds applies 

  • We will be fair, reasonable, and transparent in our collection of personal information, and only use lawful means. Where information is collected from children, particular care will be taken in the manner of collection. 

3. Storage and Security 

  • Our infrastructure and systems are protected from external attack 

  • Access is appropriate and role specific and audited and reviewed to ensure access remains. appropriate 

  • Data is backed up 

  • Cloud computing solutions are accessed, adopted and managed in accordance with legislative obligations, the privacy principles and Te Toi Mahana business needs 

  • There are processes for recording access to sensitive personal information 

  • All reasonable care is taken when the information is taken off site 

  • The information is only copied if required and due care is taken with all copies.  

4. Access and Correction  

  • Te Toi Mahana commits to providing individuals with access to their personal information, where appropriate, and respects the individual’s right to seek amendment of factually incorrect information 

  • The Trust will acknowledge and respond to requests for personal information held by Te Toi Mahana to the individual concerned within 20 working days of the request being made unless sections 27 to 29 of the Privacy Act 2020 apply 

  • As required by the Privacy Act 2020 where an individual is given access to personal information, the individual shall be advised that, under principle 7, the individual may request the correction of that information 

  • Where a person seeks correction of personal information held by Te Toi Mahana, we will first respond to that request, informing them of resulting action. This may be in the form of correction of factual and verifiable information, or attaching a statement provided by that individual of the correction requested. 


  • Te Toi Mahana commits to taking reasonable steps to ensure the accuracy of personal information held including: 

  • We will check the accuracy of information directly with our tenants during interactions. 

  • Personal information will be held in a centralised location such as Whakahui (tenancy management system) where possible as duplication is more prone to inaccuracy 

  • Where the same personal information is held in multiple locations, and that information changes, there are systems in place to update the information in each location it is held 

  • IT systems are adequately tested to ensure they preserve the integrity of the data they hold. 

6. Retention  

  • Te Toi Mahana commits to ensuring that it does not hold personal information for longer than is required for the purposes for which the information may lawfully be used.  

7. Use and Disclosure  

  • Te Toi Mahana will only use or disclose personal information for a purpose that is consistent with the original purpose of collection. We will comply with the information privacy principles when sharing or disclosing information. 

8. Incidents 

  • A privacy incident is any event where the Trust becomes aware that it may not have complied with its obligations under the Privacy Act 2020 

  • All incidents should be managed using the Privacy Incident Response Procedure which includes reporting the incident to the General Manager Corporate, who is the Privacy Officer, to agree on appropriate follow up.  

9. Managing Change 

  • We will only assign unique identifiers where it is absolutely necessary. 

10. Third Parties  

  • Te Toi Mahana partners and contracts with a variety of other organisations to deliver services. Te Toi Mahana commits to taking reasonable efforts to ensure any personal information is appropriately transferred, held and used by the partner organisation  

  • Where personal information is to be shared or provided to an overseas based organisation, Te Toi Mahana commits to taking all reasonable efforts to ensure the organisation receiving the information is subject to privacy safeguards that are similar to those in New Zealand.  

Roles and Responsibilities

All staff 

  • Understanding and applying this policy 

  • Understanding and applying the privacy principles in the Privacy Act 

  • Using personal information for legitimate purposes only. 

People managers 

  • Identifying any privacy risks within the business unit and putting in place appropriate mitigations 

  • Ensuring that all new staff undertake required privacy training 

  • Ensuring that staff are aware of their obligations regarding personal information 

  • Advising the Privacy Officer of privacy incidents 

  • Modelling good privacy awareness 

  • Providing updates to staff on privacy awareness 

  • Ensuring significant system and process changes are assessed to ensure privacy risks are well managed. 

General Manager, Corporate/Privacy Officer  

  • Managing and implementing the Te Toi Mahana Privacy Programme 

  • Providing guidance in complying with the Privacy Act 

  • Conducting tailored privacy training as required 

  • Keeping privacy guidance up to date and relevant 

  • Monitoring and reporting to the Executive Leadership Team on: 

  • Privacy complaints/investigations 

  • Privacy incidents 

  • Privacy impact assessments 

  • Privacy training 

  • Providing input and advice where consulted about a complaint 

  • Coordinating responses to complaints from the Office of the Privacy Commissioner 

  • Approving all correspondence to the Privacy Commissioner in relation to notified complaints from the Office of the Privacy Commissioner. 

  • Advising and assisting in relation to requests for access to or correction of personal information for employees 

  • Advising and assisting in relation to investigations into complaints involving employees 

  • Providing legal advice on the Privacy Act where required. 


Data sharing between Te Toi Mahana and Wellington City Council (WCC) 

Te Toi Mahana and WCC will need to share data between the organisations to support the effective operation of the delivery partnership that will exist between the two entities.  Details on how this sharing will be managed are set out in the Lease Agreement and Relationship and Reporting Agreement that have been agreed by Te Toi Mahana and WCC.  


Policy Review  

This policy can be reviewed at any time, at the Chief Executive’s discretion and must be reviewed within two years of the policy's approval.  

bottom of page