1. Introduction
2. Purpose
The purpose of this policy is to ensure the proper handling of personal data, minimize risks related to cyber threats, and establish procedures for dealing with data breaches
3. Scope
This policy applies to all employees, contractors, and third-party service providers who process or have access to personal data or sensitive company information. It also governs the use of our internal systems, networks, and data, including cloud-hosted services and outsourced network providers
4. Collection of Personal Data
Types of Data Collected: We collect various types of data including names, contact details, business information, financial records, and technical data related to civil engineering and project management services.
Purpose of Data Collection: Data is collected for purposes such as service delivery, fulfilling contractual obligations, legal compliance, and improving our services.
Consent: We ensure that data subjects provide informed consent before their data is collected unless exempt under the law.
5. Data Security Measures
We implement robust measures to ensure the confidentiality, integrity, and availability of data. These include:
Firewalls and Antivirus Software: We use licensed firewalls and antivirus systems on all network endpoints.
Password Protection: All devices and accounts require secure passwords, and multi-factor authentication (MFA) is enforced.
Data Encryption: Sensitive data is encrypted at rest and in transit to prevent unauthorized access.
Access Controls: Access to data is restricted based on role and responsibility within the company.
Backup Systems: Regular backups are made to ensure that data can be recovered in the event of system failure or cyberattack.
6. Data Retention
Personal data is only retained as long as necessary for the purposes for which it was collected or to comply with legal obligations. After this period, data is securely deleted or anonymized.
7. Third-Party Access
We may engage third-party service providers to process data on our behalf, ensuring that all vendors comply with relevant data protection standards. Data shared with third parties will be limited to what is necessary for the fulfillment of services and under strict contractual obligations.
8. Incident Response and Breach Notification
In the event of a cyber incident, such as unauthorized access, data loss, or a data breach, the Company will:
- Notify affected individuals and relevant authorities within the legal timeframe.
- Follow internal and legal procedures for breach notification.
- Investigate the root cause of the breach and take corrective actions.
- We maintain a dedicated Cyber Incident Management Team to handle such events, in accordance with our obligations under our Cyber Liability Insurance policy.
9. Employee Responsibilities
All employees are required to:
- Follow the company’s data protection guidelines.
- Immediately report any suspicious activities or potential breaches to the IT department.
- Complete regular training on data security best practices.
10. Data Access and Rights
Individuals have the right to:
- Request access to the personal data we hold about them.
- Request corrections to inaccurate or incomplete data.
- Withdraw consent for data processing, where applicable.
11. Compliance
Our practices comply with the New Zealand Privacy Act 2020 and other applicable laws. Regular audits are conducted to ensure compliance and identify potential risks.
12. Policy Updates
This policy will be reviewed annually or when there are significant changes in our business practices or relevant laws. We will notify stakeholders of any substantial changes.
Contact Information
For any questions or concerns regarding this policy, please contact us at: