Privacy
Scope
This privacy statement applies to personal information collected by the Government Communications Security Bureau (GCSB)'s CERT NZ function.
Purpose
The purpose of this privacy statement is to let users of the CERT NZ service, this website and Own Your Online know when we collect personal information and what we do with it. We do not use, share or disclose personal information collected or received, except as set out in this statement.
Why do we collect personal information?
CERT NZ and Own Your Online collect personal information in order to carry out their functions, which include receiving reports about cyber incidents from individuals and businesses, and triaging, analysing, referring and responding to those incidents. For more information about what we do, please visit our About Us page.
Collection, storage and use
You can use this website without disclosing any personal information, subject to the use of website cookies (see Statistical information and cookies).
Voluntary disclosure of personal information
You may choose to voluntarily provide personal information to CERT NZ or Own Your Online, for example to report incidents, or provide feedback. You may also report incidents anonymously (see Collection of personal information). You are not required by law to provide CERT NZ or Own Your Online with personal information, although it may be required in order for CERT NZ to assist you with incidents.
Collection of personal information
CERT NZ and Own Your Online may ask you to provide some personal information when you complete an online form, for example by submitting information to CERT NZ through the site Event Reporting Tool or web form, or a form to subscribe to site updates or news. If you choose not to provide personal information when reporting an incident, CERT NZ and its partner agencies may not take further action in relation to your incident, but the information you provide will be used for statistical and reporting purposes (for example, we collect the type of incident you are reporting so CERT NZ can better understand New Zealand’s cyber threats - see Use of personal information).
Holding of information
When you provide personal information, it will be held by CERT NZ. It may be stored or accessed on behalf of CERT NZ by authorised third parties (such as third-party contractors) to the extent that is necessary, for example for them to administrate or work on the site/systems. Restricted access to the CERT NZ incident management system may be provided to partner agencies where this is consistent with our ability to disclose the information to those agencies (see Disclosure of Information). We will store and keep it secure in accordance with the Privacy Act 2020 and agents will be subject to CERT NZ’s information security and privacy requirements.
Your personal information may also be held by a relevant partner agency that deals with your incident (see Disclosure of information). It will be held in accordance with the Privacy Act 2020.
Disclosure of information
CERT NZ will collect through its website information about incidents which should more appropriately be handled by other agencies and organisations ('partner agencies') in accordance with their statutory functions. CERT NZ’s partner agencies are:
- New Zealand Police
- Department of Internal Affairs, and
- Netsafe.
For more information about what our partner agencies do, please visit our partners page.
We will share information (including associated personal information) about an incident with these partner agencies if you have provided consent. You will be asked for your consent when you use the CERT NZ Event Reporting Tool or web form.
CERT NZ will not otherwise disclose personal information provided or collected unless you otherwise provide consent (for example, if we contact you to request consent to refer your incident to an appropriate agency) or as required or otherwise permitted by law.
Use of personal information
We will generally only use personal information provided to us for the purpose you provided it (for example, to action or respond to the incident you reported, to administer, evaluate and improve the site, and to improve our services). We may also use personal information provided to us for other reasons permitted under the Privacy Act 2020 (with your consent, for a directly related purpose, or where the law permits or requires it).
CERT NZ uses information it collects about incidents, as well as information from other sources, to carry out its functions, which include situational awareness and reporting on trends and data sets. CERT NZ aggregates the information it receives to undertake vulnerability and threat analysis, and to identify and report on trends. This aggregated information is anonymised and does not identify individuals. CERT NZ may share aggregated, anonymised information and reports with its international counterparts.
Records and retention of personal information
CERT NZ and Own Your Online will only retain personal information as long as it is required for the purposes for which the information may lawfully be used.
Public records
Where any information provided to or through this site (which may include personal information) constitutes public records, it will be retained to the extent required by the Public Records Act 2005. CERT NZ may also be required to disclose information under the Official Information Act 1982 or to a Parliamentary Select Committee or Parliament in response to a Parliamentary Question.
Call recording
As part of our commitment to providing the best possible service to our customers we record all telephone calls answered in our contact centre. This helps us to identify ways that we can provide you with a better service.
We record calls:
- for staff training purposes, helping us to improve the quality of our customer service and to ensure the information we provide is consistent and accurate
- so we can find ways to simplify our service to you, and
- to ensure we have an accurate record of your call, which may be needed to support any transactions that take place over the phone and/or if there is a dispute.
We understand your personal information is important to you, and we are committed to protecting your privacy. We store the recordings securely for two years and destroy them after this period.
Unless we have lawful reason for withholding this information, it will be made available if you request access to a transcript of your call by emailing the Privacy Officer at [email protected]
Rights of access and correction
Your rights
You have the right to:
- find out from us whether we hold personal information about you
- access that information, and if applicable
- request corrections to that information.
If CERT NZ has a good reason for refusing a request for correction, you are entitled to request that a statement be attached to the information of the correction that was sought but not made.
If you want to check personal information that we hold, please email the Privacy Officer at [email protected]
For more information on the privacy laws in New Zealand and contact details for the Office of the Privacy Commissioner, please visit their website.
Statistical information and cookies
Statistical information
We may collect statistical information about your visit to help us improve this site. This information is aggregated and non-personally identifying. It includes:
- your IP address
- the search terms you used
- the pages you accessed on our site and the links you clicked on
- the date and time you visited the site
- the referring site (if any) through which you clicked through to this site
- the device you used to access the site
- your operating system (for example, Windows XP, Mac OSX)
- the type of web browser you use (for example, Internet Explorer, Mozilla Firefox), and
- other incidental matters such as screen resolution, the release of your installed Flash version and the language setting of your browser.
The statistical information referred to above will be viewable by site administrators and certain other CERT NZ staff. It may also be shared with other government agencies.
Cookies
Browser or ‘web’ cookies are small text files that are sent by a website and stored on your computer's hard drive. Cookies are generally used to improve your experience of a website (for example, by remembering preferences you have set) and to track site usage.
CERT NZ does not use cookies on this website or Own Your Online to gather any personally identifiable information. We use cookies to gather data about trends in site usage using a tool called Google Analytics.
You can read Google’s privacy statement, and access a Google Analytics opt-out tool, at the Google Privacy Center.
You can manually disable cookies at any time - check your browser's 'Help' to find out how (disabling cookies will not affect your ability to use this website).
Security
CERT NZ and Own Your Online websites have security measures in place to prevent the loss, misuse and alteration of information under our control. In order to maintain the cyber security of CERT NZ systems and information, CERT NZ systems are subject to ongoing monitoring (including activity logging), analysis and auditing. We may use information about your use of our websites and other IT systems to prevent unauthorised access or attacks on these systems or to resolve such events. We may use this information even if you are not involved in such activity. CERT NZ may utilise services from one or more third party suppliers to monitor or maintain the cyber security of its systems and information. These third party suppliers will have access to monitoring and logging information as well as information processed on CERT NZ and Own Your Online websites and other IT systems.
Commercially sensitive information
Disclosure of information
CERT NZ will collect through its website information about incidents which should more appropriately be handled by other agencies and organisations ('partner agencies') in accordance with their statutory functions. CERT NZ’s partner agencies are:
- Department of Internal Affairs
- Netsafe, and
- New Zealand Police
For more information about what our partner agencies do, please visit our partners page.
We will share information (including associated commercially sensitive information) about an incident with these partner agencies if you have provided consent. You will be asked for your consent when you use the CERT NZ Event Reporting Tool or web form.
CERT NZ will not otherwise disclose commercially sensitive information provided or collected unless you otherwise provide consent (for example, if we contact you to request consent to refer your incident to an appropriate agency) or as required or otherwise permitted by law.
Your authorisation to disclose information
If you are reporting on behalf of an organisation, you should be authorised by the organisation to provide information to CERT NZ and to authorise sharing of information (including associated commercially sensitive information) with other agencies.
Official Information Act
Your information and the Official Information Act 1982 (OIA)
You should be aware that information you submit as part of official processes may be subject to an OIA request, and could be supplied to a requestor, with the redaction of details as necessary to protect an individual’s privacy, or to redact commercially sensitive details or other details inappropriate for release, as guided by the OIA. Official information means any information CERT NZ has created or holds, or which is held on our behalf by another person or organisation, and includes information submitted to us by our customers and users.
The purpose of the OIA is to:
- make official information more freely available
- provide for proper access by each person to official information relating to that person
- protect official information to the extent consistent with the public interest and the preservation of personal privacy
- establish procedures for the achievement of those purposes.