Privacy, Data Security & Data Collection Policy
1. Purpose
This policy outlines the organisation’s commitment to ensuring the privacy, security, and responsible collection of personal information from registrants. It explains how registrant data is collected, managed, stored, used, and shared—including required data sharing with ACC for programme evaluation and the Rider Reward discount system.
It also confirms that, as Pro Rider uses Arlo as its booking and course management system, all data collected through Arlo is handled in accordance with both this policy and the Arlo Privacy Policy: https://www.arlo.co/legal/privacy-policy
2. Scope
This policy applies to all employees, contractors, instructors, administrators, and any approved third-party service providers who handle registrant information on behalf of the organisation. It also covers data collected and managed through our booking system, Arlo, which provides additional privacy and data-security protections that Pro Rider aligns with.
3. Policy Statement
The organisation is committed to complying with the New Zealand Privacy Act 2020. Personal information will only be collected, used, stored, and disclosed for lawful purposes and in accordance with this policy and the Arlo Privacy Policy where applicable.
4. Privacy Requirements
4.1 Privacy Policy Maintenance
– The organisation must maintain an up-to-date Privacy Policy explaining what registrant information is collected, why it is collected, how it will be used, how it will be stored and protected, and with whom it may be shared.
– The Privacy Policy must be reviewed at least annually.
– Because Pro Rider uses Arlo to manage bookings and registrant data, our data-handling practices must remain aligned with the Arlo Privacy Policy.
4.2 Registrant Information Protection
– Privacy agreements, declarations, and Terms and Conditions must clearly outline registrant rights and data-handling practices, including reference to Arlo’s privacy practices.
– Personal information must only be accessible to staff and instructors who require it for operational purposes.
5. Data Security Requirements
5.1 Data Storage
– Personal information must be stored securely using password-protected systems and restricted-access platforms.
– All information stored in Arlo is protected under Arlo’s certified privacy, security, and data-protection standards.
– Physical documents must be stored in locked cabinets or secure locations.
5.2 Data Transmission
– The organisation will take reasonable steps to protect registrant information when transmitting it electronically, in accordance with the New Zealand Privacy Act 2020.
– Email may be used for operational communication and the transmission of registrant information where necessary for service delivery. When email is used, staff must follow approved procedures to minimise privacy risks, including:
- Verifying the recipient’s email address before sending
- Sending only the minimum necessary information
- Using password-protected attachments when transmitting sensitive information, where practicable
- Avoiding inclusion of unnecessary personal information in the email body
– The organisation will not use unapproved personal email accounts or unsecured messaging platforms to transmit registrant information.
– Information transmitted or stored via Arlo is protected under Arlo’s encrypted and secure data-transfer systems.
5.3 Data Retention and Disposal
– Personal information must be retained only as long as necessary for operational or legal purposes.
– Information stored in Arlo is subject to Arlo’s secure data-retention and disposal practices.
– Once no longer required, information must be securely destroyed using approved disposal methods.
6. Data Collection Requirements
6.1 What Data Is Collected
The organisation may collect:
– Registrant name, contact details, and booking information
– Date of birth and licence details
– Training performance, assessment outcomes, and attendance records
– Safety-related information, incidents, or behavioural notes
6.2 Why This Data Is Required
Registrant data is required to:
– Deliver motorcycle training and licensing services
– Confirm eligibility for courses
– Maintain safety standards and meet regulatory requirements
– Provide certificates, assessment outcomes, and course confirmations
– Report information to ACC for programme monitoring and evaluation
– Support any future ACC Rider Reward discount systems
– Manage bookings, payments, and communications through Arlo
6.3 How the Data Will Be Used
Registrant information will be used to:
– Manage course bookings, payments, scheduling, and communication through Arlo
– Deliver training programmes and assessments
– Verify identity and licensing requirements
– Ensure health, safety, and incident management obligations are met
– Report relevant data to ACC for evaluation and programme development
6.4 Who the Data Is Shared With
Registrant information will only be shared with:
– Pro Rider staff and instructors who require access to deliver training or manage operations
– ACC, for required reporting, evaluation, and safety monitoring
– Arlo, as our secure third-party booking system provider that processes and protects data according to Arlo’s Privacy Policy
Data will not be shared with other parties unless required by law or with explicit registrant permission.
7. Data Sharing Requirements
7.1 Sharing Data with ACC
– Personal information may be shared with ACC for programme monitoring, evaluation, safety improvement initiatives, and the Rider Reward system.
– Only required information will be shared using secure methods.
7.2 Registrant Consent
– Registrants consent to the collection, use, and sharing of personal information—including data processed in Arlo and required sharing with ACC—by accepting the organisation’s Terms and Conditions at booking.
– The Terms and Conditions must give registrants access to the Privacy Policy.
– Registrants who do not accept the Terms and Conditions cannot proceed with booking or participation.
8. Roles & Responsibilities
8.1 Privacy Officer
– Oversees compliance with privacy legislation and Arlo-related privacy obligations
– Manages privacy queries and complaints
– Leads breach investigations and notifications
– Maintains the breach register and provides staff training
8.2 All Staff and Instructors
– Must follow this policy and Arlo-aligned privacy expectations
– Must complete privacy and data-security training
– Must report any suspected breaches immediately
9. Data Breach Management
Any actual or suspected privacy breach must be reported to the Privacy Officer immediately, recorded in the Privacy Breach Register, assessed for notifiable breach requirements, and managed in accordance with the organisation’s Data Breach Response Procedure.
Breaches involving Arlo must also follow Arlo’s data-breach protocols.
10. Review
This policy will be reviewed annually or sooner if legislation, ACC requirements, Arlo privacy policies, or organisational processes change.
