Your privacy is very important to us.
This policy does not limit or exclude any of your rights under the Act. If you wish to seek further information on the Act, see www.privacy.org.nz
In short, here are a few key privacy messages.
- We only collect personal information where this is necessary to carry out our functions.
- We may collect personal information about you either directly from you or from other people or agencies, and we may generate personal information about you when we carry out our functions.
- We store all our data (including your personal information) on a secure Microsoft Azure cloud platform and we use Microsoft Office 365 applications. We protect our data with all reasonable technical and process controls.
- You can ask us for a copy of your personal information at any time.
- We will only use and share personal information where necessary to carry out the functions for which we collected it, or if required by law.
Effectively engaging with people and providing our services requires us to collect and use some personal information. However, we only collect the personal information you choose to give us, your employer has provided us, or that is required by us to adequately identify you. You can opt out of our communications activities, such as receiving our newsletter, at any time.
We collect information about you from:
- you, when you provide personal information about yourself to us, including via our website and any related service, through any contact with us, or when you use our services or products
- third parties authorised by you to provide personal information or who provide publicly available information
- a third party where this is allowed by law
- if possible, we will collect personal information directly from you.
The information we may collect when you engage with us includes:
- your name, age, gender, and ethnicity
- your contact details, including your email address and/or phone number, your postcode, and country of residence
- professional information such as qualifications, profession, or professional registration, and previous experience with using online CBT
- marketing information such as how you heard about our service
- the content of your enquiry
- any questions or comments you submit via our contact form or social media
- your responses to surveys, research, interviews or focus group discussions (these will usually be captured in a de-identified form)
- your course progress and results of your outcome measures during and after each course
- information that is required for a specific project or programme area
- information about your use of our website (explained further below).
We collect the following information about your use of our website (though please note we make no efforts to associate this with your identity unless you have signed up to our website):
- your IP address
- the search terms you used
- the pages, resources, and files you accessed on our website and the links you clicked on
- the date and time you visited the site
- the referring site (if any) through which you clicked to our website
- your operating system (such as Windows 10)
- the type of web browser you use (such as Mozilla Firefox)
- the type of device you use.
Third party providers
We use some third-party providers to manage some of our engagement processes and services, such as newsletters, events registration, live chat and e-learning. Where we do this, any personal information you provide (such as your email address) may also be collected and stored by this provider and you should also check their privacy statements when using those services. We take steps to ensure that any providers we use protect any personal information they process for us.
We use the following third-party providers.
- Google Analytics (by Google LLC) – to collect web analytics.
- MailChimp (by The Rocket Science Group) – to deliver our subscription-only newsletters.
- Survey Monkey (by Survey Monkey) – to conduct research and evaluation activities.
- Mandrill (by The Rocket Science Group) – to deliver system-generated responses.
- FreshDesk (by Freshworks Inc) – to manage enquiries and support tickets.
- Airbrake (by Airbrake) – to perform error monitoring and reporting.
Links to social networking services
We use social networking services such as Twitter, Facebook, YouTube, Vimeo, LinkedIn and Instagram to communicate with the public about our work. When you communicate with us using these services, the social networking service may collect your personal information for its own purposes.
These services may track your use of our website on those pages where their links are displayed. If you are logged into those services (including Facebook and any Google service) while using our site, their tracking will be associated with your profile with them.
These services have their own privacy statements which are independent of ours. They do not have any access to the personal information we hold on our systems.
Storage, retention, and security
We use third party providers to store and process our data.
We store most of the personal information we collect and generate electronically on Microsoft Azure cloud servers located in Australia, Digital Ocean servers in Singapore and Amazon Web Services servers. We also use Microsoft Office 365 for our email and other office productivity applications. While your information may be stored overseas, we only use providers that have comparable privacy safeguards to New Zealand.
We retain personal information in compliance with the requirements of the Public Records Act 2005.
We take all reasonable steps to ensure any personal information we collect is protected against loss, unauthorised access and disclosure or any other misuse, including meeting the requirements prescribed by the New Zealand Government for the secure handling, storage and disposal of any protectively marked or security classified information.
We take reasonable steps to ensure that our third-party data processors can meet our privacy and security requirements.
What we do with your personal information
How we use it
We will only use the personal information you provide to us for the purposes of delivering the services you have requested (such as registering you for an event, applying for funding) or carrying out our lawful functions.
We may use your personal information to:
- verify your identity
- contact you about your request, query, registration or possible research or evaluation related to a workshop or event you participated in
- ensure the clinical safety and wellbeing of our participants
- provide additional support to ensure a positive end-user experience
- follow up for research or evaluation you have already participated in
- inform research, evaluation and quality improvement
- send you electronic or hard copy newsletters, resources, or information you have requested
- consider and respond to your enquiry
- improve our website and the delivery of our online services
- conduct internal statistical analysis and meet our reporting requirements
- to protect and/or enforce our legal rights and interests, including defending any claim.
When we share it
We do not generally share your personal information with third parties other than third parties which are providing services to us. However, we may share your personal information if necessary, to appropriately respond to your enquiry. We may share your personal information with a third party where the disclosure is authorised by you.
Where you have accepted a prescription from a clinician using Just a Thought, personal details (name and email) and information regarding progress and completion of lessons, as well as outcome measure scores will be shared with the clinician. Should any of your outcome measures exceed a certain predetermined threshold the system will send out automated emails to your clinician and yourself making you aware of the score and offer suggestions for contacting third party services if you are concerned about your immediate safety.
As we are not a clinically monitored service, we cannot follow up your clinical safety and cannot provide crisis support.
We may share personal information if required by law (for example to assist with the investigation of a criminal offence), to prevent or lessen a serious threat to the health and safety of a person or the public, for statistical purposes where you will not be identified, or for any other lawful purpose under the Act. If our staff are threatened or abused, we may refer this to the Police.
Your privacy rights and how to contact us
The Act gives you rights to request access to and correction of the personal information we hold about you. You can take steps to control the ways we use your information (such as opting out of receiving newsletters). You can also complain to us at any time if you think we have misused your personal information.
Contact us to exercise any of these rights, including the right to complain about our privacy practices.
Contact us requesting access to or correction of your personal information
You have the right to request a copy of the personal information we hold about you (whether we have collected from you directly or from a third party). You also have the right to ask us to correct your information if you think it is wrong.
We will process your request as soon as possible, and no later than 20 working days after we receive it.
We will be as open as we can with you, but please note that your right to request personal information may be limited if it breaches another person’s right to privacy or is subject to an overriding national security legislation.
We may occasionally need to withhold personal information under sections 27-29 of the Privacy Act, for example where the information requested is legally privileged. However, we will only ever withhold information where necessary.
You may request a correction of personal information that you consider is inaccurate. Where the correction requested is not able to be made or we dispute the accuracy of the correction, we will make a note on your personal information.
Opting out of certain uses of your information
You can opt out of receiving our newsletter or being included on any other subscription list or news feed by following the unsubscribe link at the end of the email or contacting us.
When you visit the Just a Thought website it will attempt to set cookies on your browser. A cookie is a text file that a website transfers to your browser to remember specific information about your visit or visits. Some of these cookies may remain on your computer after you close your browser. Some of these cookies are from organisations we use to monitor website usage.
You can configure your internet browser not to store cookies and set your browser to ask for your permission before it accepts a cookie.
All staff receive relevant information privacy training to minimise the risk of a privacy breach.
Personal information is only used for the purposes Just a Thought has declared it will be used for. If it is disclosed outside of the purpose, any potential impact on individuals affected is assessed once the incident is discovered. If the impact is likely to cause serious harm our Privacy Officer is notified, so an internal investigation can be carried out and action plan implemented.
If a breach of privacy occurs that is likely to cause affected individuals’ serious harm (guidance on this is available through the Privacy Commissioner’s Notify Us tool on their website), the Privacy Officer will notify the Privacy Commissioner and any affected individuals unless an exemption under the Act applies.
Complaining about our privacy practices
We want to know if you have concerns about our privacy practices, whether these relate to the way we collect or share information about you or our decision on your access request. This allows us to try and put things right for you and helps us to identify and fix any problems with our systems or processes.
In the first instance, let us know about your concerns and we will try our best to resolve it. This could include escalating your concerns to a senior staff member to ensure we have made the right decision and fully considered your concerns.
If we cannot resolve your concerns, then you have the right to complain to the Privacy Commissioner about our actions. In the first instance, please email or write to us at the following address, marking it for the attention of the Privacy Officer.
Contact Just a Thought Privacy Officer
Privacy Officer Just a Thought
PO Box 307, Hamilton,3240
We may change this policy by uploading a revised policy onto the website. The change will apply from the date that we upload the revised policy.
New policy published June 2021