At Makerble, protecting personal information is central to how we build and operate our platform. This article explains how Makerble supports compliance with the New Zealand Privacy Act 2020 and what your organisation needs to do to use the platform responsibly under that framework.
Please note: This article provides general guidance only and is not legal advice. For advice specific to your organisation's situation, consult a qualified New Zealand privacy lawyer or the Office of the Privacy Commissioner (OPC). For questions about Makerble's practices, contact data.security@makerble.com.
What is the Privacy Act 2020?
The Privacy Act 2020 came into force on 1 December 2020, replacing the Privacy Act 1993. It governs how organisations collect, use, store, correct, disclose and give access to personal information. It applies to all agencies - public and private, commercial and non-commercial - that handle personal information in New Zealand, including overseas organisations working in the country.
The Act is organised around 13 Information Privacy Principles (IPPs) and introduced several important changes compared to the previous law, including mandatory breach notification and stronger enforcement tools for the Privacy Commissioner.
1. Data security and encryption (IPP 5)
IPP 5 requires agencies to protect personal information by such security safeguards as are reasonable in the circumstances against loss, access, use, modification, disclosure or other misuse.
Makerble's security measures include:
- At rest: All data stored within Makerble is encrypted using AES encryption.
- In transit: All data transmitted between users and the platform is protected using SSL/TLS encryption.
- Additional safeguards: Cloudflare and Wazuh firewall protection, Grafana and Loki for real-time monitoring and logging, internal VPNs for secure access, and six-monthly security audits covering access controls, encryption standards, incident response, and physical security.
2. Access controls
Makerble restricts access to personal information through:
- Two-Factor Authentication (2FA): Available for all user accounts.
- Role-based access controls: Administrators can limit which team members can access which records and features within the platform.
These controls support IPP 5 by ensuring that personal information is accessible only to authorised individuals within your organisation.
3. Overseas disclosure (IPP 12)
Makerble is hosted on Microsoft Azure in Ireland (EU). When your organisation uses Makerble, personal information is stored and processed in the European Union.
IPP 12 restricts the disclosure of personal information to overseas recipients unless the recipient is either subject to the New Zealand Privacy Act, subject to privacy laws that provide comparable safeguards, or has agreed contractually to protect the information in comparable ways.
Ireland is subject to the EU's GDPR, which is one of the most robust data protection frameworks in the world, providing safeguards that are comparable to or stronger than those required under the New Zealand Privacy Act. The New Zealand Privacy Commissioner has published guidance confirming that transfers to jurisdictions with comparable privacy frameworks satisfy IPP 12.
Importantly, where Makerble holds or processes your organisation's personal information as your agent (which is the nature of the relationship between us and you) this is generally not treated as an overseas disclosure under the Act. Makerble does not use your organisation's data for its own purposes. We act solely under your instruction.
We recommend that your organisation:
- Documents this arrangement in its privacy policy
- References Makerble's EU-hosted infrastructure when describing how personal information may be held
4. Breach notification
The Privacy Act 2020 introduced mandatory breach notification requirements. Where a privacy breach occurs that has caused, or is likely to cause, serious harm to any affected individual, your organisation must notify the Privacy Commissioner and the affected individuals as soon as reasonably practicable.
Makerble has an incident response process in place including automated monitoring, a dedicated cybersecurity response team, and clear communication procedures. In the event of a security incident affecting your organisation's data, we will notify you promptly with the information you need to assess your notification obligations under the Act.
5. Data subject rights (IPPs 6 and 7)
IPP 6 gives individuals the right to access their personal information. IPP 7 gives individuals the right to request correction of personal information that is inaccurate, misleading or out of date. Your organisation, as the agency holding the data, is responsible for responding to these requests.
Makerble supports this through:
- Contact record management: Administrators can locate, view, edit and delete individual records
- Data export: Contact and survey data can be exported in CSV format at any time, enabling efficient responses to access requests
6. Purpose and collection limitations (IPPs 1–4)
IPPs 1–4 govern why and how personal information is collected. Personal information may only be collected for a lawful purpose connected to your organisation's functions or activities, and only if collection is necessary for that purpose. Individuals must be made aware that information is being collected, for what purpose, and what rights they have.
When configuring Makerble, your organisation should:
- Only create fields for information you actually need - in other words, don't collect data simply because it might be useful later
- Notify participants of the purpose of data collection at the point of sign-up, intake, or survey completion
- Use Makerble's access controls to ensure data is visible only to those who need it for programme delivery
What your organisation needs to do
To use Makerble in compliance with the Privacy Act 2020:
- Update your privacy policy to name Makerble as a platform on which personal information is held, and to describe the overseas hosting arrangement in Ireland
- Notify individuals at the point of collection of the purpose for which their information is being collected and that it is processed on a platform hosted in the EU
- Configure your platform to collect only the personal information necessary for your organisation's activities
- Respond to access and correction requests using Makerble's contact management and export tools
- Prepare a breach response process that includes Makerble in the notification chain, so that if an incident occurs, you can respond to the Privacy Commissioner promptly
For questions about Makerble's security and data practices, contact data.security@makerble.com. For guidance on the Privacy Act 2020, visit the Office of the Privacy Commissioner.














