PRIVACY & INFORMATION SECURITY POLICY

Introduction

General and Travel Investigations Limited (GTI) conducts factual investigations as instructed by our clients to assist them in carrying out their lawful business activities and meeting their obligations under various legislation. GTI also conducts investigations to assist clients in managing human resource issues, grievances, allegations of misconduct, and suspected fraud or potentially illegal behavior.

To support these activities, GTI collects, uses, stores, and discloses Personal and Sensitive Information in accordance with applicable privacy and information security requirements.

GTI is committed to protecting the confidentiality, integrity, and availability of all information it holds.

GTI adopts a risk-based approach to information security, proportionate to the nature of its investigative activities and the sensitivity of the information handled.

Application

This policy applies to:

  • All employees, contractors, and Agents engaged by GTI

  • All systems, devices, and records used in the course of GTI operations

  • All Personal and Sensitive Information collected or processed by GTI

Why GTI Collects Personal Information

To provide these services, GTI may collect Personal Information and Sensitive Information about individuals.

Personal Information refers to information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) Whether the information or opinion is true or not; and
(b) Whether the information or opinion is recorded in a material form or not.

GTI needs to collect this information to properly investigate matters referred to us by our clients and provide them with the facts, evidence, and information they require to carry out their lawful functions.

GTI may also use Personal Information relating to our clients and service providers to conduct research, better understand client needs, provide information about our services, and engage in business development and marketing activities.

GTI is committed to protecting the privacy and security of all Personal and Sensitive Information that it collects. Our Privacy Policy complies with the Privacy Act 2020 (New Zealand) and the Privacy Act 1988 (Australia), including the New Zealand and Australian Privacy Principles.

Types of Information GTI Collects

To carry out our functions, GTI may collect and hold the following types of personal information:

  • Name, date of birth, gender, and contact details.

  • Information relevant to a claim or complaint under investigation, including:

    • Employment history and current employment details

    • Underwriting information such as insurance claims history, criminal and traffic records

    • Financial information such as assets, liabilities, and bank account details

    • Sensitive information such as medical history (where relevant to an investigation)

    • Video footage of individuals and their activities

Additionally, GTI collects necessary information from our service providers, including:

  • Name, address, contact details, and business/company details

  • Licensing details

How GTI Collects Information

GTI may collect information about individuals in various ways, including:

  • From our instructing clients

  • Directly from individuals via phone, email, or interview

  • By means of covert surveillance, where permitted by law and relevant to the investigation

  • From publicly available sources such as the internet, including social media

  • From third parties, including witnesses, complainants, and other involved parties

  • From entities or individuals overseas where relevant to the investigation

  • By formal information requests to government agencies such as the Police and other authorities

Where reasonable and practicable, GTI will collect Personal Information directly from the individual. Before conducting an interview or statement, our investigator will introduce themselves, explain whom they represent, and state the purpose of their inquiry.

Investigators will seek consent to collect, use, and disclose personal information and will record this consent in the statement or interview.

There may be circumstances where GTI must collect information from other sources or third parties. In such cases, GTI will only use lawful and fair means to collect information.

How GTI Uses and Discloses Personal Information

GTI only collects information that is directly relevant to the purpose for which it is being collected, as well as related purposes that individuals would reasonably expect. Personal and Sensitive Information is used only for the investigation of claims or complaints and is not disclosed to unauthorized parties or used for any other purpose unless required by law.

All collected information is treated as strictly confidential and is generally only disclosed to the instructing client or, where authorized, to their legal representation.

Other parties to whom GTI may disclose Personal Information include:

  • Service providers or consultants engaged to conduct specialist tasks (e.g., forensic accountants)

  • Government, statutory, regulatory, or enforcement bodies, where required by law

  • Legal advisors or consultants

Information Security Controls

GTI implements proportionate technical and organisational controls to protect Personal and Sensitive Information from unauthorised access, disclosure, alteration, or loss.

GTI uses physical and information technology security measures, such as multi-factor authentication (MFA), to protect the information it holds. Access to Personal Information within GTI is appropriately limited to prevent misuse or unlawful disclosure.

Access to Personal Information within GTI is restricted to authorised personnel only.

Employees receive training on New Zealand and Australian Privacy Principles. Employees and contractors engaged by GTI are contractually bound to comply with these principles and to keep all information secure.

Access Control

  • Access to systems and information is restricted to authorised personnel only

  • Individual user accounts are required; shared accounts are not permitted unless formally approved

  • Access is granted based on operational necessity (least privilege principle)

  • Access is removed or modified promptly when personnel change roles or cease engagement

Authentication & Account Security

  • Multi-factor authentication (MFA) is implemented on core systems where available

  • Strong password practices are enforced

  • Credentials must not be shared or stored insecurely

Device Security

Devices used to access or store GTI information must be secured with:

  • Password, PIN or biometric protection

  • Automatic screen locking

  • Encryption where supported

Loss or theft of devices must be reported immediately.

Data Storage & Handling

  • GTI primarily utilises Microsoft 365 for secure storage and management of operational data.

  • Use of personal storage locations (e.g. personal drives, USB devices) is restricted unless authorised

  • Sensitive information is handled in a manner appropriate to its classification and risk

Transmission Security

  • Reasonable steps are taken to protect information during transmission, including use of secure communication channels where practicable

  • Sensitive information is not transmitted via unsecured methods unless operationally necessary and risk-assessed

Monitoring & Logging

  • GTI maintains system-generated records of access and activity where supported by systems in use

  • Unusual or unauthorised access may be investigated

Employees and contractors:

  • Receive training on applicable privacy principles

  • Are contractually bound to maintain confidentiality and security

  • Must comply with this policy and associated procedures

Ownership

  • Overall responsibility for information security rests with the Director, supported by the Privacy Officer.

Data Handling & Classification

GTI applies a risk-based approach to handling information:

Sensitive Information: (e.g. medical, financial, surveillance material)

  • Restricted access

  • Higher handling and storage controls

Confidential Information: (e.g. investigation files, reports)

  • Limited to authorised personnel and clients

General Information:

  • Managed in accordance with standard business practices

All personnel are expected to handle information in accordance with its sensitivity and the purpose for which it was collected.

Transfer of Data Overseas / Third Party Providers

GTI may engage third-party providers to support investigations or business operations. In doing so, GTI may disclose Personal Information to overseas entities where necessary for the investigation of a claim or complaint. For example, if instructed to investigate an overseas incident, GTI may disclose information to a local service provider to conduct inquiries.

Where this occurs:

  • Providers are selected based on suitability and reliability

  • GTI takes reasonable steps to ensure compliance with New Zealand and Australian privacy laws

  • Reasonable steps are taken to ensure they handle information securely

  • Where appropriate, contractual obligations are used to enforce privacy and security requirements

Incident Management

GTI maintains a structured approach to identifying and responding to information security incidents.

Definition

An incident includes:

  • Unauthorised access or disclosure

  • Loss or theft of devices or information

  • Suspected data breach or compromise

Response

  • Incidents must be reported to the Director or Privacy Officer as soon as practicable

  • GTI will assess the nature and impact of the incident

  • Containment and remediation actions will be taken

Notification

Where required by law or contractual obligation:

  • Affected clients (including SCTI) will be notified

  • Relevant regulatory bodies will be informed

Business Continuity & Data Protection

Dependence on Cloud Services

GTI utilises Microsoft 365 as its primary platform for email, document storage, and operational systems. As such, availability of these services is dependent on Microsoft’s infrastructure and uptime.

While Microsoft provides enterprise-grade resilience and redundancy, a widespread service outage may temporarily impact GTI’s ability to access systems and data.

In such circumstances, GTI will:

  • Continue operations using available offline information where possible

  • Maintain communication with clients via alternative channels where required

  • Resume full operations promptly upon restoration of service

Data Retention

Personal Information is retained only for as long as necessary for the investigation or as required by law. Once no longer required, information is securely destroyed or de-identified.

Access to Personal Information

Individuals may request access to their Personal or Sensitive Information by contacting us at Privacy@GTI.co.nz.

Requests for access will be handled in accordance with the Privacy Principles of the requester's country of origin.

Access to Motor Vehicle Register (MVR) Information

General & Travel Investigation (GTI) advises that, in certain circumstances, a registered person’s name and address may be obtained from the New Zealand Motor Vehicle Register (MVR).

Authority
GTI’s access is authorised under section 241 of the Land Transport Act 1998 via the New Zealand Gazette authorisation for Members of the New Zealand Institute of Private Investigators Incorporated (NZIPI) who hold a current private investigator licence and are authorised by Waka Kotahi NZ Transport Agency.

When this may occur / what it will be used for
GTI may obtain a registered person’s name and address from the MVR only where necessary for one or more of the following authorised purposes:

  1. Preparing evidence related to criminal offences;

  2. Detection and investigation of suspected fraud;

  3. Enforcing Court orders and judgments; and/or

  4. When acting as a contracted agent on behalf of government agencies with law enforcement functions, to assist in carrying out those functions.

Opt-out / withholding instruction
Any person can notify the Registrar of Motor Vehicles (Waka Kotahi NZ Transport Agency) that they do not wish to have their name(s) and address(es) made available under an authorisation.

GTI Contact
Privacy Officer – Nigel Rundle (Director) - General & Travel Investigation (GTI)
Email: nigel@gti.co.nz
Phone: +64 21 918 865

Complaints Process

If you believe GTI has handled your Personal Information inconsistently with the New Zealand or Australian Privacy Principles, you may submit a written complaint, including details and supporting evidence, to:  

Privacy@GTI.co.nz.

GTI will:

  • Acknowledge receipt of your complaint.

  • Investigate the matter and determine necessary actions.

  • Provide a response upon completion of our investigation.

If you are unsatisfied with our response, you may escalate your complaint to the Office of the Privacy Commissioner (New Zealand) or the Office of the Australian Information Commissioner (OAIC).


Approved by: Brook Ballantyne
Published: 1st Feb 2025