Last updated 27 February 2023
This privacy statement explains how we handle the information that we collect, including personal information, and how we comply with the requirements of applicable privacy laws, including the New Zealand Privacy Act 2020 (Privacy Act). We may use personal information provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.
In this privacy statement, ‘SLS’, ‘we’, ‘us’, and ‘our’ is a reference to Streamlined Litigation Support Limited carrying on business in New Zealand. References to ‘you’ and ‘your’ is used to refer to the individual who is the subject of the personal information.
SLS may modify this privacy statement at any time by publishing an updated version on this webpage.
1. Collection and use of personal information
1.1 Personal information we collect
Personal information (or personal data) is any information about an identifiable individual. Processing is how we sometimes refer to the handling, collecting, protecting or storing of personal information.
We collect, hold and process personal information from actual and prospective clients, suppliers, employees, job applicants, contractors and other individuals. We collect and hold this information for our necessary business purposes.
The type of personal information we collect, hold and process includes, but is not limited to:
- Contact details (e.g. names, addresses, telephone numbers, email addresses and job titles).
- Professional details (e.g. job and career history, educational background and professional memberships, published articles, social media details).
- Family and beneficiary details for emergency contact purposes, insurance and planning services (e.g. names and dates of birth).
- Financial information (e.g. tax, payroll, investment interests, superannuation, assets, bank details, insolvency records).
- Identification documents (e.g. passport, driver’s licence, tax file number or other government-issued identification numbers) and additional information required to verify your identity (e.g. where you ask us to provide a service that is a designated activity under applicable anti-money laundering laws and regulations).
- General user information and location-based data such as internet protocol addresses, browser type and internet service provider details and other technical information when you visit our website.
- In relation to employees and prospective employees, health information (e.g. doctor details, current health status including any medications and health conditions, and medical history including any chronic diseases, disabilities, and mental health).
We generally do not intend to collect, and we ask you not to submit, any special categories of personal information. Special categories of personal information includes information about an individual’s race or ethnic origin, political opinions or affiliations, religious or philosophical beliefs, trade union membership, genetic data, biometric data that uniquely identifies someone, sexual orientation and criminal records.
If you choose to provide special categories of personal information about yourself to us for any reason, the act of doing so constitutes your explicit consent (where such consent is necessary and where obtaining such consent in such manner is permitted under applicable law), for us to collect and use that information as necessary in the ways described in this privacy statement or as described at the point you choose to disclose this information.
Due to the nature of our business, it is generally impracticable for us to deal with individuals on an anonymous basis or through the use of a pseudonym, although sometimes this is possible (e.g. when seeking client or staff feedback generally).
1.2 Lawful reasons for processing personal information
We may rely on the following lawful reasons when we collect and use personal information to operate our business and provide our products and services:
- Contract– We may process your personal information in order to perform our contractual obligations to the relevant individuals.
- Legitimate interests– We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced. These may include:
- Delivering services to you and our other clients– To deliver the professional services our clients have engaged us to provide including to provide access to relevant software and provide information on new products and services.
- Maintaining the security of our and our client’s data, our IT systems and physical security – To prevent fraud, criminal or other unlawful activity, protect our and our client’s data, our IT systems and premises including providing software logins.
- Corporate responsibility– To comply with our corporate and corporate social responsibility commitments, such as inclusion and diversity and managing our supply chain.
- Legal obligations– We may process personal information in order to meet our legal and regulatory obligations or mandates, as reasonably necessary, such as assisting a law enforcement agency or an agency responsible for national security in the performance of their functions, or to enforce or protect our legal rights, or those of our clients and others.
- Public interest – Where permitted by law, we may process personal information in order to perform a specific task in the public interest.
- Vital interests– We may process personal information to protect the vital interests of the individual or another natural person, such as to prevent or lessen a serious threat to the life or health of the person.
- Legal claims – We may process personal information where it is necessary for us to establish, exercise or defend a legal claim.
- Employment and social protection law – We may process data to carry out our obligations and exercise our or your rights in the field of employment and social protection law.
- Consent– Where no other processing condition is available or where specifically required by applicable law, if you have agreed to us processing your personal information for the relevant purpose.
1.3 Why we need personal information
We aspire to be transparent when we collect, hold and process personal information and tell you why we need it, which typically includes the following primary purposes:
- Providing professional services to you and understanding how you use our professional services to ensure that our software, systems and materials remain relevant. Our services may include reviewing client files for quality assurance purposes, which may involve processing personal information for the relevant client.
- Facilitating access to and the operation of our hosted software applications, including collecting personal information for software logins.
- Promoting our professional services, products and capabilities to existing and prospective clients.
- Sending invitations and providing access to guests attending our events and webinars or our sponsored events.
- Personalising online landing pages and communications we think would be of interest, based on interactions with us and any related entity.
- Security, quality and risk management activities – We have security measures in place to protect our information and information systems and our client’s information (including personal information), which involves detecting, investigating and resolving security threats. This may include:
- Automated scans to identify harmful emails.
- Monitoring the services provided to clients for risk and quality purposes, which may involve processing personal information stored on the relevant client file.
- Carrying out conflict and risk searches to ensure there are no issues that would prevent us from working with a particular client (such as sanctions, criminal convictions, conduct or other reputational issues).
- Authenticating registered users to certain areas of our sites.
- General management and reporting activities, such as invoicing and account management.
- In relation to the employment of our personnel, providing internal services to our staff, seeking qualified candidates, and assessing the suitability of candidates.
- Providing technical and other service support, administrative messages, reminders, technical notes, updates and information to you and your authorised third parties.
- Processing online requests, including responding to communications from individuals or requests for proposals and quotations.
- Complying with any requirements of law, regulation or a professional body of which we are a member.
- Compiling health and safety data (directly or indirectly) following an incident or accident. Indirect data can take many forms including an incident report, first aider report, witness statements and CCTV footage.
- Collecting health data to assess, monitor and control spread of infectious diseases and to provide a safe environment for our employees, clients and suppliers.
- For other purposes related to our business.
Your personal information will not be used for other purposes unless we obtain your consent to the secondary use, or the secondary use is required or permitted by law.
If you choose not to provide us with personal information which we have requested from you, we may be unable to fulfil any of the above purposes, including providing professional services to you, responding to your requests, paying your invoices or processing your application for employment.
1.4 How we collect personal information
- Directly– We obtain personal information directly from individuals in a variety of ways, including from individuals who provide us with their business cards, complete our paper and online forms, communicate with us via telephone or email, register for webinars, attend meetings or events we host, visit our offices or for recruitment purposes. We may also obtain personal information directly when, for example, we are establishing a business relationship, performing professional services through a contract, or through our hosted software applications.
- Indirectly – In some instances, we may obtain your personal information indirectly from a variety of sources, including publicly available sources, our clients, recruitment, third-parties or other related entities:
- Public sources – Personal information may be obtained from public registers, government agency publications, news articles, sanctions lists, internet searches and social media sites.
- Our clients – Our clients may engage us to perform professional services which involves sharing personal information they control as part of that engagement. Our services may also include processing personal information under our clients’ control on our hosted software applications, which may be governed by different privacy terms, policies and notices.
- Service providers and other third parties – We may obtain personal information from our service providers such as recruitment and credit reference agencies and other third parties such as previous employees, previous employers, law enforcement agencies, banks, other financial institutions and screening providers who assist us with our legal obligations to conduct anti-money laundering, sanctions screening and regulatory checks.
- Personal information about others – Where you provide personal information to us about other people (such as your customers, directors, officers, shareholders, beneficial owners or employees), you must ensure that you have a lawful basis to make such disclosure.
SLS understands the importance of protecting the privacy of children, especially in an online environment.
Our website is not intentionally designed for or directed at children under the age of 16. It is our policy never to knowingly collect or maintain information about anyone under the age of 16, except as part of an engagement to provide professional services.
2. Sharing and transfer of personal information
2.1 Transfers to KPMG
We may share your personal information with KPMG, the New Zealand partnership (KPMG), and other entities in the KPMG global network where necessary for administrative purposes (e.g., for insurance purposes, performing client conflict checks or identity verification checks (where required)), and to meet our legal and regulatory obligations within New Zealand.
2.2 Sharing with third parties
The information you provide to us may be shared with third-parties to the extent necessary to carry out our professional and business needs, to complete your requests, where we are required to disclose that information by law or for safety reasons, with your consent or as otherwise stated in this privacy statement.
Examples of this might include:
- Sharing with our service providers – We work with reputable service partners and agencies to meet our business needs, as well as to assist in our delivery of services to you. We may share your personal information with these providers where, and to the extent that, it is required in the provision of the services you have asked that we provide (such as hosting services), or to use their applications and APIs. Some applications may enable or require you to interact with us through APIs in a way that requires you to log in or otherwise provide personal information. SLS will only share personal information with providers who have met our standards on the processing of data and security.
- Sharing with professional advisers – We may share your personal information with our professional advisers, including lawyers and insurers.
- Sharing for internal and compliance purposes –The disclosure of your personal information might be necessary for crime prevention, anti-money laundering compliance, sanctions screening, data privacy or security audits, other audits required by local legislation, client conflicts and independence checks, or where we are required to investigate or respond to a complaint or a security threat.
- Sharing as required under applicable laws, regulations or professional standards– There may be occasions where courts, tribunals, regulatory or professional standards bodies or other third parties require SLS to share information with them, or it may be prudent for SLS to comply with such requests, in accordance with applicable law, regulations, professional standards or national and international sanctions.
- Sharing in the event of sale or transfer –In the event SLS or the business of the website is sold, transferred, merged or assigned, disclosure might be necessary for that sale, transfer, merger or assignment, or as a result of the sale, transfer, merger or assignment.
- Sharing with payment, marketing and recruitment service providers – We may share your personal information with payment, marketing and recruitment service providers.
- Sharing with health government bodies and external service providers – We may share your personal information with health government bodies and external service providers (health, facilities, estate management) to assess, monitor and control the spread of infectious diseases.
In some cases, the third parties we share your personal information with may be located overseas, in particular, in the United States of America, the United Kingdom, the European Economic Area (including the Netherlands, Ireland and Germany), Australia, Singapore, Hong Kong, Japan, Argentina, Cook Islands, India, and those countries in which member firms of the KPMG global organisation are located. We require these third-parties to take appropriate measures to protect and restrict how they use that information, in accordance with our contractual obligations and applicable privacy laws.
We may also share non-personal, de-identified and aggregated information for research or promotional purposes. At no time will SLS sell your personal information to any third parties or transfer your personal information to any third parties for their direct marketing use.
3. Security and retention of personal information
SLS has security policies and procedures in place to protect our information and client information (including personal information) from loss, unauthorised access, use, modification, disclosure or misuse. Despite our best efforts, security cannot be guaranteed against all threats. To the best of our ability, access to your personal information is limited to those who need to know. Those individuals who have access to the data are required to maintain the confidentiality of the information. We may apply pseudonymisation, de-identification and anonymisation techniques in efforts to further protect your personal information.
We retain personal information to provide our services, stay in contact with you and to comply with applicable laws, regulations and professional obligations that we are subject to. We retain personal information for as long as is necessary for the processing purposes for which the information was collected, and any other permissible, related purpose. The criteria we use to determine the retention periods also include:
- whether there are contractual or legal obligations that exist that require us to retain the personal information for a period of time;
- whether you have interacted with us recently; and
- whether any applicable law, statute, regulation or professional standard allows for a specific retention period
Unless a different time frame applies as a result of business need or specific legal, regulatory or contractual requirements, where we retain personal information in accordance with these purposes, we retain such personal information for up to ten years or where the personal information relates to a staff member, we retain such personal information for a term equal to the length of the relevant staff member’s employment plus ten years.
Where we are unable to destroy or delete information (e.g., login information shared with software providers), we will disable the user data when the staff member leaves SLS, when we stocktake a client’s users or on your instructions, and request the relevant software provider to cease processing your personal information.
4. General Data Protection Regulation
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and, depending on where you are located, it may apply to your personal information. Following the United Kingdom’s exit from the European Union, the GDPR is also retained in domestic law in the United Kingdom. Under the GDPR, the term ‘Personal Data’ is used in the place of ‘Personal Information’.
Where the GDPR applies, you have additional rights under the GDPR in respect of your personal information, subject to applicable law. These include rights in certain circumstances to:
- Access – Access your personal information.
- Correction – Have inaccurate personal information rectified.
- Erasure – Erase your personal information (right to be forgotten).
- Processing restrictions – Restrict our use of your personal information (including preventing processing for the purpose of direct marketing).
- Data portability – Request that your personal information be transmitted (in a structured, commonly used, and machine-readable format) directly to another company if it is technically feasible.
- Automated individual decision-making – Request review of any decisions made about you which we made solely based on automated processing, including profiling.
- Withdrawal of consent – Withdraw your consent that you have previously given to one or more specified purposes to process your personal data (without affecting the lawfulness of any processing carried out before you withdraw your consent).
- Complaints – Lodge a complaint with your local data protection authority.
If you have any questions or you would like to discuss or exercise such rights, please email [email protected].
5. Links to other sites
SLS’s website may contain links to other sites. These sites will be governed by a privacy statement that relates to that entity’s jurisdiction. We encourage users to review the privacy statement of each website before disclosing any personal information.
6. Your privacy rights
Where we hold personal information about you:
- you have the right to access that information where it can be readily retrieved, except in the limited circumstances in which it is permitted for us to withhold this information; and
- if that information is incorrect, you may ask that we correct it.
You can make requests to access personal information by emailing [email protected]. In most instances, we will require you to provide some form of identification (such as a driver’s licence or passport) so we can verify that you are the person to whom the information relates.
Please visit the Office of the Privacy Commissioner’s website for further information about your rights.
7. Our controller and processor status
Where we process or hold personal information solely on behalf of another organisation, or to provide services to you, we do as an “agent” under the Privacy Act and to the extent applicable, a data processor under the GDPR. Where we process, use or disclose personal information for our own purposes, for purposes related to our business, or where professional standards regulations apply, we will be an agency governed by the Privacy Act and to the extent applicable, a data controller under the GDPR. You should bring this notice to the attention of your relevant individuals.
8. How to contact us
If you have a query about this privacy statement or the privacy of your information, or if you would like to enforce your privacy rights, please contact SLS as follows:
Streamlined Litigation Support Limited
PO Box 105253, Auckland 1143
Email: [email protected]
Or contact us via our website: https://sls.net.nz/contact/
9. Changes to this privacy statement
SLS may modify this privacy statement at any time by publishing an updated version on this webpage. So you know when we make changes to this privacy statement, we will amend the revision date at the top of this statement. The newly amended privacy statement will apply from that revision date, and will apply to personal information previously received from you. We encourage you to review this privacy statement periodically to stay informed about how we are protecting your information.
Any amended privacy statement will apply between us whether or not we have given you specific notice of any change.