PRIVACY POLICY
December 2020
1. POLICY STATEMENT
Restaurant Brands is committed to promoting and protecting individual privacy in accordance with the Privacy Act 2020. This policy sets out the principles used by Restaurant Brands when collecting, storing, using, and disclosing personal information. It also sets out how individuals may make requests in relation to their personal information, and how Restaurant Brands will manage those requests. In relation to employees and contractors, this policy also covers Restaurant Brands’ expectations about how other people’s personal information is managed in the course of their work.
The information collected by RBL must be collected for a lawful purpose connected with a function or activity of RBL and the collection of that information is necessary for that purpose. This information extends to personal health information that relates to any personal injuries or work-related illnesses the employee may have suffered at any time in the past.
Where possible RBL will collect the information directly from the employee concerned.
The information shall be used only for the purposes for which it was collected, or for any other purpose that is permitted under the Privacy Act 2020.
2. SCOPE
This policy applies to all Restaurant Brands New Zealand Limited, Restaurant Brands Limited, and Restaurant Brands’ businesses and subsidiaries including KFC, Pizza Hut, Carl’s Jr., and Taco Bell (together, “Restaurant Brands”), and all individuals whose personal information may be collected by Restaurant Brands. For example, employees, contractors and our customers.
For employees and contractors, this policy applies in two ways. First, it applies to the personal information that Restaurant Brands may hold about you personally.
Secondly, this policy and the Privacy Act must be complied with in respect of other individuals’ personal information which you may collect or have access to as part of your work.
This policy is necessarily high level, and remains subject to the Privacy Act. Privacy Statements may be provided for particular interactions and/or at personal information collection points, and this policy should be read together with any applicable Privacy Statement. This policy is not intended to be legal advice.
3. DEFINITIONS
Personal Information is defined by the Privacy Act 2020. For our business, it means information about an identifiable individual.
4. POLICY PRINCIPLES
The Privacy Act sets out 13 “Information Privacy Principles”. The Privacy Principles and their application within Restaurant Brands’ business, are summarised below.
Purpose of collection
Personal information will only be collected for a lawful purpose connected with Restaurant Brands’ functions or activities, and where the collection of personal information is necessary for that purpose.
If the purpose does not require the collection of identifying information (such as a name or address), Restaurant Brands will not require the individual to provide identifying information.
There are many reasons why Restaurant Brands may collect personal information. By way of example:
· For customers, this may be to process orders for our products, or to administer and deal with any issues you may raise;
· For employees and contractors, Restaurant Brands may need to collect personal information during recruitment in order to assess suitability, and throughout the relationship for administrative purposes and purposes relating to the ongoing relationship.
Source of personal information
Restaurant Brands will collect personal information directly from the individual concerned, except where otherwise permitted by the Privacy Act.
Collection of personal information
Collecting personal information means taking steps to seek or obtain personal information. When collecting personal information, Restaurant Brands will take reasonable steps to ensure the individual is aware of:
· The fact that information is being collected;
· The purpose for which the information is being collected;
· The intended recipients of the information;
· The name and address of who is collecting the information, and who will hold the personal information;
· If collection is authorised or required by law, the particular law, and whether the supply of information is voluntary or mandatory;
· Any consequences for that individual if all or part of the requested information is not provided; and
· The rights of access to, and correction of, personal information.
Restaurant Brands will typically inform individuals of the above information when collecting personal information via a Privacy Statement. Restaurant Brands encourages individuals to read any applicable Privacy Statement before providing personal information.
There are some circumstances in which the Privacy Act permits Restaurant Brands not to inform individuals of the above information. For example, where the information will be used in a form where the individual is not identified, or where doing so would prejudice the purpose of collection.
Individuals should be aware that the principles relating to the collection of personal information do not apply to the receipt of unsolicited information.
Manner of collection
Restaurant Brands will collect personal information by lawful means, and in a way that is fair and does not intrude to an unreasonable extent upon the individual’s personal affairs.
Restaurant Brands will take particular care to ensure the manner of collection is fair and not intrusive where personal information is collected from children or young persons.
Storage and security of personal information
Restaurant Brands will ensure that personal information is secure, and is protected by reasonable security safeguards to prevent loss, unauthorised access, use, modification or disclosure, or other misuse.
We will restrict internal access to personal information to those employees and contractors who need to access this information.
Where cloud computing is used to manage and store information, Restaurant Brands will ensure the cloud computing solutions are assessed, adopted and managed in accordance with the Privacy Act.
Access to personal information
Any individual (or that individual’s representative) may request confirmation of whether Restaurant Brands holds personal information about them, and can request access to their personal information.
Information about how to make an access request, and how Restaurant Brands will respond, is set out in detail in the section “Access to and Correction of Personal Information” below.
Correction of personal information
While Restaurant Brands takes reasonable steps to ensure personal information is accurate and correct, there may be circumstances where an individual wishes to have their personal information corrected. Any individual (or that individual’s representative) whose personal information is held by Restaurant Brands may request that Restaurant Brands correct their personal information.
Information about how to make a correction request, and how Restaurant Brands will respond, is set out in detail in the section “Access to and Correction of Personal Information” below.
Accuracy of personal information
Restaurant Brands will not use or disclose personal information without taking reasonable steps to ensure the personal information is accurate, up to date, complete, relevant and not misleading.
Retention of personal information
Restaurant Brands will not keep personal information for longer than is required for the purposes for which the personal information may be used. In some situations, Restaurant Brands may be required by law to hold personal information for a specific period of time.
Use of personal information
Personal information shall be used for the purpose for which it was collected. It will only be used by Restaurant Brands for another purpose where specifically permitted by the Privacy Act (eg with permission of the person concerned).
Disclosure of personal information
Restaurant Brands will not disclose personal information to any other agency or person unless, on reasonable grounds, Restaurant Brands believes the disclosure is specifically permitted by the Privacy Act.
Disclosure of personal information outside New Zealand
Restaurant Brands will take particular care where personal information is to be disclosed to a foreign person or entity. Restaurant Brands may disclose personal information to such a person where the specific requirements of the Privacy Act are met. These requirements are intended to ensure that personal information disclosed overseas is subject to comparable safeguards, or where that may not be possible, that the individual is fully informed and authorises disclosure.
Unique identifiers
Restaurant Brands may assign unique identifiers to an individual (such as an employee number, account number or other form of individual identification) for use in its operations only if the identifier is necessary to enable Restaurant Brands to carry out one or more of its functions efficiently.
Restaurant Brands will take reasonable steps to ensure that unique identifiers are assigned only to individuals whose identity is clearly established, and the risk of misuse of a unique identifier is minimised (for example, by showing truncated account numbers on receipts or in correspondence).
5. CCTV SURVEILLANCE
Overt CCTV surveillance may be used by Restaurant Brands within its operations. CCTV will be utilised in accordance with the requirements of the Privacy Act.
Employees and contractors should refer to the Surveillance Policy and Covert Surveillance Policy.
Customers should contact privacy@rbd.co.nz
ACCESS TO AND CORRECTION OF PERSONAL INFORMATION
1. RIGHT TO ACCESS STATEMENT
Restaurant Brands recognises an individual’s right to access their personal information, whilst also recognising that other rights and interests may need to be taken into account when considering access requests; for example, to protect against an unwarranted disclosure about another individual. There are some situations where Restaurant Brands may lawfully refuse access to personal information.
2. REQUESTING ACCESS TO PERSONAL INFORMATION
An individual can only ask for access to personal information about themselves. A representative may also request personal information about an individual if they are acting on that individual’s behalf and have been given authority to do so.
To make an access request:
· The access request should be sent to the Privacy Officer, whose details are set out below in “Related Documents and Key Contacts”, or alternatively, to the individual’s usual contact at Restaurant Brands
· It is helpful if the access request sets out the scope of the personal information that is sought. This may be all personal information held by Restaurant Brands about the individual, or it may be limited. For example, to a specified date range or for personal information about the individual relating to a particular topic or issue.
· An individual may ask that their request be treated as urgent, but if so, the reason why the request should be treated as urgent must be stated.
3. How Restaurant Brands will respond to requests to access personal information
Step One – Response
Once an individual makes a request for access to their personal information, Restaurant Brands will ordinarily respond as soon as is reasonably practicable, but not later than 20 working days after the request is received. There are some exceptions to this time limit, for example, if the request is transferred to another agency or where Restaurant Brands extends the time limit in compliance with the Privacy Act.
The purpose of the response is to let the individual know whether the access request is granted or refused. If granted, access to the personal information will typically follow after the response.
In Restaurant Brands’ response to the access request, it will formally notify the individual that either:
· It does not hold any personal information about the individual;
· It does not hold personal information about the individual in a way that enables the information to be readily retrieved;
· It does hold personal information about the individual, and if so, whether access to that information, or some of that information, is granted or refused; or
· It neither confirms nor denies that it holds any personal information about the individual.
If the access request is granted, or partly granted, in Restaurant Brands’ response, it will also formally advise:
· How the personal information will be made available;
· The charge (if any) payable pursuant to the Privacy Act in respect of the request, and whether all or part of that charge is required to be paid in advance;
· That the individual has a right to make a complaint to the Privacy Commissioner about the charge that is payable (if any); and
· That the individual may request correction of that personal information.
If the access request is refused, or partly refused, in Restaurant Brands’ response, it will also formally advise:
· The reason for the refusal, and where required by the Privacy Act, the grounds in support of that reason; and
· That the individual has a right to make a complaint to the Privacy Commissioner about the refusal.
If the access request is granted or partly granted, Restaurant Brands will then follow the next steps.
Step Two – Verify
Restaurant Brands can only provide access to the personal information if it is satisfied that the individual making the request is who they say they are. In order to be satisfied, Restaurant Brands may need to take steps to verify the individual’s identity.
If the access request has been made by the individual’s representative, Restaurant Brands also needs to ensure the representative has written authority to obtain the personal information, or is authorised by the individual to obtain it.
Step Three – Access
The final step is providing the individual with access to the personal information. The Privacy Act permits access in a number of ways. For example, through physically inspecting or viewing the personal information, or via hard copies or electronic copies.
There may be instances where Restaurant Brands has good reason to withhold some of the information in a document. This may be done by redacting or altering the document. Where Restaurant Brands does this, it will formally advise the individual:
· The reason for the decision to withhold certain information, and where required by the Privacy Act, the grounds in support of that reason; and
· That the individual has a right to make a complaint to the Privacy Commissioner in respect of that decision.
4. CORRECTION OF PERSONAL INFORMATION STATEMENT
Restaurant Brands will take reasonable steps to ensure that personal information is accurate, up to date, complete and not misleading. However, an individual (or that individual’s representative) may request Restaurant Brands to correct their personal information.
5. REQUESTING CORRECTION OF PERSONAL INFORMATION
An individual can only request correction of personal information about themselves. A representative may also request correction of personal information about an individual if they are acting on that individual’s behalf and have been given authority to do so.
To make a correction request:
· The correction request should be sent to the Privacy Officer, whose details are set out below in “Related Documents and Key Contacts” below, or alternatively, to the individual’s usual contact at Restaurant Brands (this may be the person who provided access to the personal information).
· It is helpful if the correction request sets out the personal information that the request relates to, and the correction sought.
· An individual may ask that the correction request be treated as urgent, but if so, the reason why the request should be treated as urgent must be stated.
At the time of making the correction request, or at any later time, the individual can also provide Restaurant Brands with a “statement of correction”, and request that Restaurant Brands attach the statement of correction to the information in the event that Restaurant Brands do not make the correction sought.
6. HOW RESTAURANT BRANDS WILL RESPOND TO REQUESTS TO CORRECT PERSONAL INFORMATION
Step One – Verify
In some situations, Restaurant Brands may need to take steps to verify the individual’s identity, to confirm that the individual making the request is who they say they are.
Step Two - Response
Once an individual makes a request for correction of their personal information, Restaurant Brands will ordinarily respond as soon as is reasonably practicable, but not later than 20 working days after the request is received. There are some exceptions to this time limit, for example, if the request is transferred to another agency or where Restaurant Brands extends the time limit in compliance with the Privacy Act.
The purpose of the response is to let the individual know Restaurant Brands’ decision on whether to grant the correction request.
Restaurant Brands will formally notify the individual that either:
· It has corrected, or will correct, the personal information and the action it has taken, or will take, to do so; or
· That it will not correct the personal information.
If the correction request is granted, in Restaurant Brands’ response, it will also formally advise:
· The action it has taken, or will take, to correct the personal information.
If the correction request is refused, in Restaurant Brands’ response, it will also formally advise:
· The reason for the refusal to correct the personal information;
· The individual’s entitlement to provide a “statement of correction” and to request that it be attached to the personal information (if the individual has not done so already); and
· That the individual has a right to make a complaint to the Privacy Commissioner about the refusal to correct the personal information.
If the individual requests, or later requests, a “statement of correction” be attached to the personal information, Restaurant Brands will formally advise the individual whether it has attached the statement to the information and the action it has taken to do so, or if it has not attached the statement to the information that the individual has a right to make a complaint to the Privacy Commissioner about the refusal to attach the statement to the information.
INFORMATION SPECIFIC TO EMPLOYEES AND CONTRACTORS OF RESTAURANT BRANDS
This section applies only to employees and contractors of Restaurant Brands.
Personal information collected and held by Restaurant Brands
When Restaurant Brands recruits employees and contractors, and in the course of the employment relationship or engagement, personal information will be collected by Restaurant Brands. This policy, and the Privacy Act, applies to that personal information.
All personal information supplied to Restaurant Brands must be complete and correct. This includes all information the employee records on their application for employment, employment agreement and any other forms must be complete and correct.
While Restaurant Brands will take reasonable steps to ensure the personal information is correct, employees and contractors must also let Restaurant Brands know in writing of any changes to their personal details. This can be updated on PLATE. This includes (but is not limited to) name, address, phone number, tax code, visa status and emergency contact information. Where access to PLATE is not available, the individual must advise their manager when information has changed.
Complying with this policy and the Privacy Act in the course of your work
All employees and contractors must comply with this policy, and the Privacy Act, in respect of personal information that they might deal with in the course of their work. This personal information could be information about customers or other colleagues which they may process on behalf of Restaurant Brands or need to have access to as part of their work. Breaches will be treated seriously and individuals may be subject to disciplinary action.
MANDATORY REPORTING OF SERIOUS PRIVACY BREACHES
Restaurant Brands is required to notify the Privacy Commissioner and affected individuals if it is aware a notifiable privacy breach has occurred. A privacy breach is notifiable if it is reasonable to believe it has caused serious harm to an affected individual (or individuals) or is likely to do so.
Any employee or contractor who becomes aware of a privacy breach, or potential privacy breach, is required to escalate the matter to the Privacy Officer immediately. The Privacy Officer has responsibility to consider the actual or alleged breach and to make the decision whether or not to notify the Privacy Commissioner.
RELATED DOCUMENTS AND KEY CONTACTS
1. PRIVACY OFFICER AND ADDRESSES
Restaurant Brands’ Privacy Officers are General Manager – Human Resources (currently Brendon Husband) and ER Advisory & Partnering Manager (currently Helen van Druten)
The Privacy Officer’s role and responsibilities include:
· Encouraging compliance with the Information Privacy Principles;
· Dealing with requests made to Restaurant Brands pursuant to the Privacy Act;
· Working with the Privacy Commissioner in relation to investigations; and
· Ensuring compliance with the Privacy Act.
Restaurant Brands’ address is Level 3, Building 7, Central Park, 666 Great South Road, Penrose, Auckland. Any requests, breaches or enquiries should be directed to privacy@rbd.co.nz
2. RELATED DOCUMENTS
Privacy Act 2020
Surveillance Policy
3. REVIEW AND AMENDMENTS
This policy may be reviewed and amended from time to time, which amendments may be implemented by posting on the intranet. Restaurant Brands may also revoke and replace this policy.
