Privacy Policy — Operational Summary
How we collect, use, share, protect, and retain personal information in ICT Professional & Managed Services
Document control
| Owner | Privacy Lead (CEO) |
|---|---|
| Approved by | CEO |
| Version / date | v1.2 / 25 Sep 2025 — review by 01 Oct 2027 |
| Applies to | All staff, contractors, and client work |
| Distribution | Public |
Document hierarchy (how this fits)
- Tier 1 — Privacy Policy (this summary): Operational commitments, contacts, and how we handle personal information.
- Tier 2 — Policies & Methods: Information Security Statement, Incident Response Plan (privacy breach section), DPIA approach, Records & Retention schedule.
- Tier 3 — Procedures & Templates: DSR intake form & log, Processor due‑diligence checklist, Cross‑border assessment, Breach log.
- Tier 4 — Registers & Evidence: Processing register (mini‑ROPA), training, audits, decisions and notifications.
Change control: This controlled summary links to detailed procedures/templates; superseded versions are archived.
1. Scope & definitions
This summary applies to personal information we handle when providing ICT Professional Services and Managed Services, our public websites, and work undertaken for clients.
Personal informationProcessingData Subject Request (DSR) Terms are used in plain English consistent with New Zealand law.
2. Principles & lawful basis (NZ)
- Purpose & collection: collect only what is necessary; be open and fair.
- Use & disclosure: use for the purpose collected (or as permitted by law); avoid undisclosed profiling.
- Security & retention: safeguard information; keep only as long as needed then dispose securely.
- Access & correction: enable access/correction requests and respond as soon as practicable.
- Lawful basis: contract performance, legitimate interests, legal obligations, and consent where required.
3. Roles & contacts
| Privacy Lead | privacy@virtusgroup.co.nz • After‑hours: 0800 847 887 (VIRTUS) |
|---|---|
| Alternate | compliance@virtusgroup.biz |
| Submit a DSR | Email privacy@virtusgroup.co.nz with “DSR” in the subject |
4. Information we process (mini‑ROPA)
Examples below are indicative; specific client SoWs may add or constrain processing.
| Purpose | Categories | Systems / processors | Lawful basis | Retention | Recipients |
|---|---|---|---|---|---|
| Client engagement & delivery | Contact details; project communications; work artefacts | Microsoft 365 (Exchange, SharePoint/OneDrive); PSA/ticketing | Contract | 7 years (tax/audit); project artefacts per SoW | Client; approved processors |
| Security monitoring | Telemetry/logs tied to work assets (may be pseudonymous) | M365 Defender; SIEM/XDR; firewall/flow logs | Legitimate interests / contract | 12–24 months (per system) | N/A |
| Billing & compliance | Identity/contact details; billing records | Finance system; bank/payment providers | Legal obligation / contract | 7 years (tax) | Auditors; tax authorities as required |
| Supplier & subcontractor management | Contact details; due‑diligence records | Vendor management register | Legitimate interests | While active + 7 years | N/A |
5. Collection & use
- Collect directly where possible; if indirect, record source and purpose.
- Provide fair notice; do not conduct undisclosed profiling.
- No targeted services to children; if encountered, apply heightened care.
6. Storage, security & retention
- Data stored in enterprise cloud platforms with encryption in transit/at rest; access is role‑based and logged.
- Backups follow immutability controls; restore tests are performed on a scheduled basis.
- Retention follows SoW, legal, or policy requirements; disposal uses secure deletion with records kept.
7. Sharing, processors & cross‑border transfers
- Processors are vetted and bound by confidentiality, security safeguards, breach notices, and flow‑down obligations to sub‑processors.
- Cross‑border transfers are assessed and documented; appropriate transfer mechanisms and additional safeguards are applied.
- DPIA triggers: new high‑risk processing, new cross‑border transfers, or significant changes to purpose or scale.
8. Data Subject Requests (DSR)
- Intake: submit via privacy@virtusgroup.co.nz; we log type (access/correction/deletion/objection/complaint).
- Verify identity: reasonable steps appropriate to the request.
- Locate data: search relevant systems/processors using the register above.
- Respond: as soon as practicable; if complex, send a holding note with next steps.
- Refusals: if declined on lawful grounds, explain why and how to complain to the OPC.
- Recordkeeping: request, decision, approver, closure date retained per policy.
9. Privacy incidents & breaches
- We triage and contain incidents under our Incident Response Plan.
- If a breach is likely to cause serious harm, we notify affected individuals (where appropriate) and the Office of the Privacy Commissioner as soon as practicable.
- We maintain a breach log and supporting evidence.
10. Cookies & telemetry
Our public websites may use limited analytics and session cookies for performance and security. Where required, we provide notices and choices.
11. Review, audit & training
- Quarterly operational checks and an annual policy review.
- Privacy induction for new starters and periodic refreshers.
- Audit trail: decisions, DSRs, DPIAs, and breach log retained per policy.
Related policies & templates
- Information Security Statement; Incident Response Plan (privacy section)
- DPIA approach (template); DSR intake form; Processor due‑diligence checklist; Breach log
Legislative references (NZ)
- Privacy Act 2020 — legislation.govt.nz
- Office of the Privacy Commissioner — privacy.org.nz