Privacy Policy for CadetNet

Privacy Policy for CadetNet



PDF version of Privacy Policy For CadetNet


Almost any organisation that holds personal information is required to comply with the Privacy Act. This includes the New Zealand Cadet Forces (NZCF). This memorandum contains privacy information for cadets and other members of the NZCF in the form of a proposed public-facing Privacy Statement that individuals will be required to agree to as a condition of membership. It also includes privacy information for staff, split into a ready reference poster from the Office of the Privacy Commissioner and a detailed breakdown of the principles and their application to the NZCF.

Privacy Statement

The following brief statement is intended for inclusion in the NZCF 2A, CadetNet sign-up and other enrolment documentation collecting personal information.

New Zealand Cadet Forces’ Privacy Statement

We need certain personal information from you in order to operate. You must agree to us having this information to join NZCF. In collecting and storing this information, we are bound to look after it as per the Privacy Act 1993.

Information we collect includes:

Information we collect includes:
We need this so:

Basic information about you such as your full name, date of birth, gender and school
We can identify you.

Your service history with the NZCF
We can manage your progression through the organisation and manage issues that are ongoing, disciplinary or otherwise.

Your National Student Number
We can award any credits you earn through NZCF.

Your address and contact details
We can contact you and return you home in an emergency.

Address and contact details for your primary caregiver and an alternative next of kin.
We can contact your parent or caregiver, or a next of kin in an emergency or we require parent/caregiver permission for you to attend an activity.

Any dietary requirements.
We can ensure you get the food you need.

Illnesses or medical conditions you are suffering from, and medication that you are taking.
We can effectively manage risk on activities by ensuring we don’t endanger you or anyone else. In the event of a medical emergency we can give responders all necessary info.

Your bank account details, tax code and IRD number.
We can pay you (only collected if you staff a paid Authorised Activity).

This information can be stored in personal files which are secured by lock, on permission slips for activities which will be kept by responsible officers and destroyed afterwards, and on the CadetNet database which uses reasonable electronic security. The last five items are treated as “staff-in-confidence”, which means extra care is taken in keeping the information confidential. We will only disclose that information to NZCF staff (Officers, Under Officers and Supplementary Staff) who work at your unit, headquarters or on an activity you are attending.

You may request to see and correct personal information held about you at any time. Once you leave, the NZCF undertakes to destroy any personal information about you within three years. The NZCF will not disclose this information to third parties unless we have a good reason (such as a medical emergency).

Basics of Privacy Principles


Breakdown of NZCF Privacy Obligations

The New Zealand Cadet Forces (“NZCF”) is defined as an agency (being “any person or body of persons, whether corporate or unincorporate, and whether in the public sector or the private sector”) within the Privacy Act 1993 (“the Act”). Consequently, the NZCF is bound by the information privacy principles outlined in Part 2 of the Act. This breakdown outlines the principles and how the NZCF can ensure it complies with them.

Any questions or concerns about your privacy obligations as a staff member of NZCF can be directed to the Executive Officer of NZCF who acts as the organisation’s Privacy Officer, advising on compliance with obligations under the Act.

The Information Privacy Principles

Section 6 of the Act contains the 12 Privacy Principles with which compliance is required.

Principle 1

Principle 1 requires that personal information shall not be collected unless for a lawful purpose connected with a function or activity of the agency, and that the collection of the information be necessary for that purpose.

The NZCF collects personally identifiable information comprised of cadets’ full name, date of birth, gender, contact details (phone number, email address, residence address), medical conditions, educational institution, employer, next of kin/guardian details (name, contact details, relationship with the cadet, employer), swimming ability, involvement in sports and other organisations and service history with the NZCF.

This information is collected for the purpose of the individual’s membership in the NZCF. Officers of the NZCF (and to a lesser extent, NZDF staff posted to NZCF) are bound under the Care of Children Act 2004 and other relevant legislation, as well as the common law doctrine of in loco parentis (commonly applied to teachers), with a legal duty of care over the individual as most are under the age of 18, and need access to this information in order to execute this duty.

Medical information is traditionally regarded as being at the high end of the spectrum in terms of confidentiality, but disclosure is necessitated by this legal duty and the adventurous, higher-risk nature of some of the activities carried out by NZCF (e.g. tramping, gliding, sailing, target shooting).

Contact details of the individual are necessary to keep them informed about NZCF activities, and of the next of kin/guardian both for provision of said information and fulfillment of the legal duty (for example, an NZCF officer may need to contact a cadet’s next of kin/guardian in the event of a medical incident). Involvement in sports and other organisations and service history with the NZCF (including course performance reports and other internally-generated documents) are collected for the purpose of managing the individual’s involvement and progression in the NZCF.

Principle 2

Principle 2 requires that personal information be collected directly from the individual concerned.

The information is sourced directly from the individual upon their application for membership in the NZCF in the application form (electronic or hard copy). Where certain information such as internally generated documents (course performance reports) is not sourced directly from the individual concerned, or is supplied by one NZCF officer to another (or NZDF staff posted to NZCF), it falls under the exceptions in paragraphs (b) and (c), as it is a condition of membership that the individual authorises sharing of the information within NZCF between NZCF officers (and with NZDF staff posted to NZCF), and the generation and sharing of course reports with the same, and this does not prejudice the interests of the individual concerned.

Principle 3

Principle 3 requires that the NZCF take a number of steps that are reasonable in the circumstances when collecting the personal information directly from the individual.

Upon application, individuals are required to fill out the aforementioned ‘Cadet Enrolment Form – NZCF2’ (or electronic equivalent). At the time, they are informed of necessary details, through the privacy policy statement on the CadetNet site or in person by the NZCF officer providing the form. These details include the purpose of collection (stated under Principle 1 above), intended recipients as NZCF officers, an overview of the NZCF as the collecting and holding agency and the address of their unit as the local branch, the consequences of refusal to provide (membership is conditional upon provision), and that they have the right to view and request correction of that personal information. This privacy policy statement remains available to read on the CadetNet site at any time.

Principle 4

Principle 4 requires that information is not collected by unlawful means or in circumstances that are unfair or intrude to an unreasonable extent upon the personal affairs of the individual concerned.

The NZCF has taken steps to ensure that it and its agents (NZCF Officers and NZDF Staff posted to the NZCF) collect personal information in accordance with its legal obligations under the Privacy Act 1993, including the provision of this memorandum and the privacy policy statement on the CadetNet site. All collection of information is upfront and in good faith, and all information requested is justifiable for the purposes of the individual’s membership in the NZCF.

Principle 5

Principle 5 requires that the information is protected by security safeguards that are reasonable in the circumstances against loss; unauthorised access, use, modification or disclosure; other misuse; and that when providing it to a person in connection with the provision of a service to the NZCF, everything reasonably within the power of the NZCF is done to prevent unauthorised use or unauthorised disclosure of the information.

The NZCF has robust policies to ensure the security and avoidance of unauthorised disclosure of personal information. All NZCF Officers and NZDF Staff posted to the NZCF are authorised to access the held personal information of any member of the NZCF as a condition of membership of the NZCF. Furthermore, members of the NZCF holding the rank of Under Officer and a relevant administrative appointment in the individual concerned’s unit are also authorised to access their personal information. This is disclosed to the individual upon application to join the NZCF as detailed above. Personal information is classified as “Staff-in-Confidence” which is recorded upon any documentation containing it or electronic equivalent, and as a matter of policy only the authorised personnel listed above and the individual concerned may view such documentation or electronic record.

Documentation is required to be stored in filing cabinets within secured (lockable) offices. Information stored on the CadetNet site is only accessible by the authorised personnel and the individual concerned through their individual logins and appropriate electronic security measures (authentication, firewalls, etc.) are used. Other members of the NZCF not being officers, NZDF staff posted to the NZCF or Under Officers holding a relevant administrative appointment in the individual concerned’s unit are prohibited from accessing “Staff-in-Confidence” information and any contravention is regarded as a serious breach and dealt with through an appropriate disciplinary procedure. The security safeguards around the storage of such information and good supervision by NZCF officers prevents such breaches.

Principle 6

Principle 6 requires that readily retrievable information is available to the individual on request. When such a request is made, the individual must be advised that they may request correction of it.

NZCF units should seek to update personal files at least annually in consultation with individuals. It is strongly recommended that permission slips incorporating a medical disclosure be required for all planned activities outside of parade nights (NZCF 8s or variants of), so that up to date medical information is obtained and can be checked against any information already held. These permission slips should be destroyed as soon as practicable after the activity.

Individuals should be reminded that they may request to see and/or correct personal information at any time, and where such a request is made, it should be accommodated as soon as practicable.

Principle 7

Principle 7 requires that individuals can request correction of any held personal information to ensure it is accurate, up to date, complete, and not misleading.

NZCF units should seek to update personal files at least annually in consultation with individuals and incorporate permission slips including medical disclosures for activities outside of parade nights (NZCF8s or variant), as detailed above. Checking them against any information already held also gives individuals an opportunity to correct personal information.

Principle 8

Principle 8 requires that steps that are reasonable in the circumstances are taken to ensure that information used is accurate, up to date, complete, relevant, and not misleading.

NZCF units should seek to update personal files at least annually in consultation with individuals and incorporate permission slips including medical disclosures for activities outside of parade nights (NZCF 8s or variant), as detailed above.

Checking them against any information already held also gives individuals an opportunity to correct personal information.

Principle 9

Principle 9 requires that personal information not be kept for longer than is required for the purposes for which it may lawfully be used.

As stated above, the information is generally collected for the purpose of the individual’s membership in the NZCF. Termination of an individual’s membership in the NZCF will therefore have the effect of terminating that lawful purpose. The NZCF needs to promulgate a clear policy on the maximum length such information is retained (e.g. one year) – which may extend beyond their membership for the purpose of allowing them access to records (e.g. course reports) for CV/career reasons – after which NZCF units must destroy it (preferably by shredding).

HQNZCF may operate a procedure whereby certain personal information relating to an individual’s career and achievements in the NZCF are retained beyond this window in a quarantined digital space only accessible by a restricted category of staff for the purpose of supplying CV-supporting info to former cadets or easily re-enrolling returning cadets as staff.

Principle 10

Principle 10 requires that personal information is used for the purpose for which it was obtained, unless there is a valid reason for doing otherwise. This can include the information being publicly available, such use being authorised by the individual, such use being required by law, or the information being anonymised such that the individual is not identifiable.

NZCF units must ensure they implement robust procedures to ensure personal information they hold is not accessible by unauthorised personnel or used for any other purpose than genuinely that detailed under Principle 1.

This can include:

  • Enforcement of Staff-in-Confidence restrictions on all medical disclosures, contact details, course reports and personal files (including disciplinary or performance management information);
  • Policies restricting access to said personal information to staff members who have a bona fide reason e.g. running an activity, staffing a course, involved or consulting on a disciplinary investigation, unit staff;

Principle 11

Principle 11 requires that personal information is not disclosed unless permitted on certain grounds, as detailed above in principle 10.

NZCF units must ensure they implement robust procedures to ensure personal information they hold is not accessible by unauthorised personnel or used for any other purpose than genuinely that detailed under Principle 1.

If NZCF staff are uncertain as to whether disclosure would be in compliance with privacy obligations, they should refer up the chain of command to the NZCF Privacy Officer (Executive Officer).

Principle 12

Principle 12 requires that unique identifiers (an identifier other than the individual’s name, assigned by an agency) aren’t assigned to individuals unless necessary to carry out the organisation’s function.

NZDF assigns service numbers to individual members of NZCF staffing authorised activities for the purpose of pay and other functions as casual employees. These should be protected as any other personal information.

There is no need for NZCF staff to assign unique identifiers to members, who should only ever be identified by their name and rank.