This Privacy Policy explains how Scarlatti collects, uses, stores, shares and protects personal information.
In this policy, “Scarlatti”, “we”, “us” and “our” means Scarlatti Limited, of 615 New North Road, Morningside, Auckland, New Zealand.
Our Privacy Officer can be contacted at:
Privacy Officer
Scarlatti
615 New North Road, Morningside, Auckland 1021, New Zealand
privacy@scarlatti.co.nz
This policy applies to personal information we collect through our website, contact forms, email and other communications, research and evaluation projects, client work, events, recruitment, supplier relationships, and any Scarlatti research panels or participant databases.
Some research projects, surveys, interviews, workshops or panels may have their own participant information sheet, consent form, project notice or client privacy notice. Those project-specific notices apply as well as this policy. If a project-specific notice gives more detailed or stricter requirements, we will follow the more specific or stricter requirement.
Personal information is information about an identifiable person. It can include information that identifies you directly, such as your name or email address, and information that may identify you indirectly, such as your role, location, survey response, recording, image or IP address.
We only collect personal information where it is connected with a lawful Scarlatti function or activity and where the information is reasonably necessary for that purpose.
Depending on how you interact with us, we may collect:
We may collect sensitive personal information where it is necessary for a specific purpose and appropriate in the circumstances. Sensitive information may include information about health, wellbeing, ethnicity, cultural identity, workplace experiences, employment circumstances, financial circumstances, or other matters that could cause harm if misused or disclosed. We apply additional care to sensitive information, including limiting access and using project-specific notices, consent processes, confidentiality arrangements or ethics requirements where appropriate.
We usually collect personal information directly from you. This may happen when you:
Sometimes we collect personal information from another source. For example, we may receive information from a client, project partner, employer, industry body, public source, referee, colleague, recruitment provider, survey platform, CRM system, analytics tool, payment provider, IT service provider, or another person or organisation that you have authorised.
Where we collect personal information about you from another source, we will take reasonable steps to make sure you are aware of the collection, the purpose, the intended recipients, who is collecting and holding the information, and your access and correction rights, unless an exception under the Privacy Act applies. In some cases, a client or project partner may provide this notice to you on our behalf, but we will still take reasonable steps to ensure the notice is appropriate.
We collect and use personal information for purposes connected with our work, including to:
We will not use personal information for a new unrelated purpose unless we have a lawful basis to do so, such as your authorisation, a directly related purpose, a research/statistical purpose where individuals will not be identified in published outputs, or another basis allowed by the Privacy Act.
Much of Scarlatti’s work involves research, evaluation, consultation, analysis and reporting. We take care to protect the confidentiality of research participants and contributors.
Unless a project-specific notice says otherwise, we usually report research findings in an aggregated, summarised or de-identified form. This means we aim to present findings in a way that does not reasonably identify individual participants.
Sometimes a quote, case example or response may be useful in a report or presentation. We will only use identifiable quotes or examples where this is explained in the project notice, you have authorised it, or another lawful basis applies. Where possible, we remove or change details that could identify a person, unless identifying the person is part of the agreed purpose.
Some research involves small groups, specialist roles, locations or unique experiences. In those cases, complete anonymity may not always be possible, even if names are removed. Project-specific notices will explain any material identification risks where relevant.
We may keep de-identified or aggregated research information for longer than identifiable personal information, including for longitudinal analysis, quality assurance, internal learning, benchmarking, publications or future research, provided individuals are not reasonably identifiable.
If you join a Scarlatti research panel, participant database or future-contact list, we may use your contact details and profile information to invite you to relevant research opportunities.
Joining a panel or future-contact list is voluntary. You can ask to update your details, opt out of particular invitations, or be removed from the panel or list.
We will not add identifiable information from a previous project to a panel profile unless this has been explained to you and authorised by you, is directly related to the original purpose, or is otherwise allowed by the Privacy Act.
In most cases, providing personal information to Scarlatti is voluntary. Where information is mandatory, we will say so in the relevant form, contract, project notice, consent form or other collection notice.
If you choose not to provide some information, we may not be able to:
In research projects, you can usually choose not to answer particular questions unless the project notice says a response is required for eligibility, safety, payment or another stated purpose. You may also be able to withdraw from a project, but withdrawal may not always remove information that has already been anonymised, aggregated, analysed, reported or relied on.
We may share personal information where it is necessary for the purposes described in this policy, where you have authorised it, where it is directly related to the purpose for which it was collected, or where it is otherwise allowed or required by law.
We may share personal information with:
We do not sell personal information.
Where we use service providers, we require them to protect personal information and to use it only for the services they provide to us, unless another lawful basis applies.
We use cloud-based systems and vendor-hosted applications to operate our business and deliver services. These may include systems for Microsoft 365, email, SharePoint, OneDrive, Teams, Power BI, CRM, payroll, surveys, analytics, transcription, project management, data analysis and other business functions.
Some service providers may store or process information outside New Zealand. Where a provider stores or processes information for us, we remain responsible for taking reasonable steps to protect that information.
If we disclose personal information to an overseas person or organisation, we will take steps required by the Privacy Act. Depending on the circumstances, this may include checking that the overseas recipient is subject to the New Zealand Privacy Act, is subject to comparable privacy laws, is required by contract to protect the information with comparable safeguards, or that you have authorised the disclosure after being told that comparable protections may not apply.
Project-specific notices may include more detail about overseas storage, processing or disclosure for particular projects or platforms.
Our website may use cookies and similar technologies to operate the site, improve functionality, understand how visitors use the site, measure performance, protect security and improve our services.
Cookies and analytics tools may collect information such as your IP address, browser type, device information, operating system, pages visited, links clicked, referring website, date and time of visit, approximate location, and cookie or device identifiers.
Some cookies are necessary for the website to work. Others help us understand and improve the website. You can control or disable cookies through your browser settings. If you disable cookies, some parts of the website may not work properly.
Our website may link to third-party websites or social media platforms, such as LinkedIn or Facebook. Those third parties are responsible for their own privacy practices.
We use technical, administrative and physical safeguards that are reasonable in the circumstances and appropriate to the sensitivity of the information.
Our safeguards may include:
No method of transmission or storage is completely secure, but we take reasonable steps to protect personal information against loss, unauthorised access, unauthorised use, unauthorised disclosure, modification and other misuse.
We keep personal information only for as long as it is needed for the purposes for which it may lawfully be used.
Retention periods vary depending on the type of information, the sensitivity of the information, the purpose of collection, project requirements, client contracts, research ethics requirements, legal and accounting obligations, audit requirements, complaint or dispute risks, and operational needs.
In general:
When personal information is no longer required, we will take reasonable steps to delete it, securely destroy it, de-identify it, or archive it in a controlled way.
You have the right to ask whether we hold personal information about you and to request access to that information.
You also have the right to ask us to correct personal information we hold about you if you think it is wrong, incomplete, out of date or misleading. If we do not make the correction you request, you may ask us to attach a statement of correction to the information.
To make an access or correction request, contact our Privacy Officer at privacy@scarlatti.co.nz.
We may need to verify your identity before responding. We will respond to access and correction requests within the timeframe required by the Privacy Act, usually within 20 working days. In some cases, the Privacy Act allows us to refuse a request or withhold information, for example where release would affect another person’s privacy, breach legal privilege, create a serious safety risk, or otherwise meet a withholding ground.
You can also ask us to delete personal information. The Privacy Act does not always require deletion on request, but we will consider deletion requests and will delete or de-identify information where it is appropriate and we no longer need to keep it.
We may send you newsletters, updates, event invitations or other communications where you have asked to receive them, where they relate to services or projects you are involved in, or where we otherwise have a lawful basis.
You can unsubscribe from marketing or general update emails at any time by using the unsubscribe link, replying to the email, or contacting us at privacy@scarlatti.co.nz.
We may still send you service, project, contract, research participation, security, legal or administrative messages where needed.
We have processes for identifying, reporting, responding to and learning from privacy and security incidents.
If a privacy breach has caused, or is likely to cause, serious harm, we will notify the Office of the Privacy Commissioner and affected individuals as required by the Privacy Act. We will do this as soon as practicable and, where required for notification to the Privacy Commissioner, within 72 hours.
If you have a privacy concern or complaint, please contact our Privacy Officer first so we can try to resolve it.
Privacy Officer
Scarlatti
615 New North Road, Morningside, Auckland 1021, New Zealand
privacy@scarlatti.co.nz
If you are not satisfied with our response, you can complain to the New Zealand Office of the Privacy Commissioner.
We may update this Privacy Policy from time to time to reflect changes in our work, systems, legal obligations or privacy practices.
The latest version will be published on our website with the date it was last updated.