Privacy & security
ESR is committed to respecting the privacy and dignity of people, while balancing these rights with ESR's values of mahi pono (doing the right thing), and the ability of the ESR to carry out its mission to make a difference for Aotearoa New Zealand through science.
Privacy & security
Institute of Environmental Science and Research Limited (ESR) websites have security measures in place to prevent the loss, misuse and alteration of information under our control.
In order to maintain the security of ESR systems and information, ESR systems are subject to ongoing monitoring (including activity logging) analysis and auditing.
ESR is committed to ensuring that your privacy is protected. You can access and browse our website without disclosing your personal information. Any information automatically retrieved during your visit, such as IP address, browser type and pages visited, is anonymous and is used for statistical analysis of the use of this site, and to prevent unauthorised access or attacks or to resolve such events. We may use this information even if you are not involved in such activity.
ESR may use the services from one or more third party suppliers to monitor or maintain the cyber security of its systems and information. These third party suppliers will have access to monitoring and logging information, as well as information processed on ESR websites and other IT systems.
Use of ESR websites and other IT systems implies acceptance of their information being monitored.
What personal information do we collect?
We only collect information that you actively give us by inputting your personal details on to a web form on our site, emailing your personal details to ESR or giving your personal details to a member of our staff. This usually includes your name, job title, organisation, mailing address, email address and phone number.
You may update personal information held by ESR at any time by contacting us.
What will we use your information for?
Once ESR receives any personal information from you, your data will be added to an ESR database. ESR will hold that information securely and will only use such information for the purpose that you gave it to us:
to provide you with publications that you have requested
to notify you when new material that you have expressed interest in is available
to respond to a service or information request
How long will we keep your personal information for?
Periodically we will check that you still want us to retain your information and that it is up-to-date. You can at any time request that your information be removed from our database.
Ngā Kete User Terms and Privacy Statement
Institute of Environmental Science and Research Limited (“ESR”, “we”, “us”, “our”) develops data and analytics across a range of science disciplines, including water and environment, forensics and public health (“Datasets”). Datasets are supplied to a range of partners across both public and private sectors to support informed decision making.
Ngā Kete is ESR’s data analytics platform that enables you, as a user approved by your organisation, to securely access a Dataset that have been developed by ESR for your organisation. In these User Terms, the term Ngā Kete includes the data analytics platform and any other information contained therein. These User Terms form a legal agreement between you and ESR. By clicking “accept” or installing, downloading, accessing or otherwise using Ngā Kete or any Datasets contained therein, you are confirming that you agree to be bound by these User Terms.
Ngā Kete utilises Microsoft Azure AD, a prevalent identity platform, which provides organisations with the ability to federate logins via the Microsoft identity platform using open standards.
The platform provides a standard pattern for authenticating users through single sign-on and identifying the applications relevant to a user’s role based on group memberships. If your organisation does not have Microsoft Azure AD, your access will be supported through a user directory managed by ESR.
ESR hereby grants you a personal, non-transferable, non-exclusive, revocable licence to use Ngā Kete in accordance with these User Terms.
You are permitted to extract, download, and make copies of any Dataset ESR has provided for your organisation in accordance with these User Terms and any agreement between ESR and your organisation relating to that Dataset.
To enable and authorise your access to Ngā Kete, ESR requires your name, email address and the name of your organisation. This information may be collected directly by ESR or supplied to ESR by your organisation. This information is also used to personalise the content that you can view and access in Ngā Kete. This information will be stored in Auth0, an Australian hosted authentication system which has ISO 27001/27018 certification. This information will only be accessed by authorised ESR personnel and will not be shared with anyone else without your consent.
ESR will only keep this information for as long as you require access to Ngā Kete. Your information will be deleted after your access to Ngā Kete has been removed. You have the right to access, correct or delete any information we hold about you at any time – please contact firstname.lastname@example.org to do this.
You may not publicly represent or imply that ESR is participating in, or has sponsored, approved or endorsed the manner or purpose of your use or reproduction of Ngā Kete or any Datasets, without ESR’s prior consent unless it is permitted under any agreement between ESR and your organisation relating to that Dataset.
Download the Ngā Kete User Terms and Privacy Statement as a pdf
COVID-19 Testing & Reporting
ESR Privacy Statement for COVID-19 Testing and Reporting
The Institute of Environmental Science and Research Limited (“ESR” or “we”) has multiple roles in the pandemic response. Two of these roles involve ESR:
operating a national clinical data repository, called Éclair, on behalf of the Ministry of Health, to collect and maintain all positive and negative COVID-19 test results. Information collected and processed includes personal information relating to individuals. This information is used to support the Ministry of Health, District Health Boards and Public Health Units in monitoring and managing the prevalence of COVID-19; and
using Éclair to provide an electronic ordering solution of COVID-19 tests, including the automated distribution of test orders and results designed to assist laboratories to quickly process test results.
This privacy statement sets out how your personal and health information is collected, used, disclosed and protected by ESR (acting as agent on behalf of the Ministry of Health) when you undergo a COVID-19 test, as well as how you can access and correct any personal information we hold about you.
ESR works with a number of laboratories around the country who undertake the physical testing for COVID-19. ESR plays a key co-ordination role in how the testing is undertaken and the information is recorded as part of the testing.
You should also consult the laboratory that completed your test for their specific Privacy Statement which will set out how they manage and distribute the data they hold.
Collecting your information
The following personal and health information about you will be provided by you directly to either your GP, a hospital staff member, a managed isolation quarantine facility staff member or a community testing staff member when you request a test. This information will be securely entered by that person into ESR’s Éclair database:
Your full name, NHI number, recent travel, contact history, surveillance code, symptoms, clinician responsible for order, assessment date, mobile phone number, date mobile number was validated, whether to notify patient of negative result, occupation, employer and workplace address.
If you have requested a test via a community testing centre, that centre may record the first three letters of your car’s license plate so that we can locate your electronic order quickly.
If you have a test at a MIQ facility, your date of isolation, room number, whether you are displaying COVID-19 symptoms and whether you are confined to your room will be recorded.
The laboratory processing your test will collect your NHI number, email address, mobile phone number, test status and test result.
Your patient National Health Index (“NHI”) number and associated data including your full name, current address, email address, phone numbers, date of birth, place of birth, mother’s birth name, residency and citizenship details, ethnicity, language, gender, and usual GP clinic has been securely provided to us by the Ministry of Health and will be linked to the personal information you have provided in our Éclair database. This information is only used for the purposes set out below.
Your test result will be generated as part of the testing process and will be linked to your personal details in our Éclair database.
Your information is collected to enable us and other agencies (please see below) to identify and contact you about your test, and for public health purposes.
How do we use your personal information?
We collect your personal and health information in order to:
Provide information to the laboratory completing your test
Identify you so that you can receive your test result
Provide your information to other government agencies supporting the COVID-19 response – please see the next section below
Provide information to other health agencies – please see the next section below.
Your personal and health information may be used to:
Inform New Zealand’s overall response to COVID-19.
Identity, monitor, and manage COVID-19 clusters.
Facilitate effective contact tracing.
Support the Border Workforce Testing Register.
Provide COVID-19 updates to the public.
Where personal information is not required to be shared for these purposes, it will be either de-identified, anonymised or aggregated.
Who receives my information?
We provide the test request information to the laboratory or laboratories that process your test. Note that multiple laboratories could receive your information
We send your information to the Ministry of Health, Public Health Units and data and analytical teams within the district health board (“DHB”) where the test was undertaken
We may send your results to your enrolled general practice and your GP
Your information may be accessed by our staff who have a need to know such information and are subject to strict security and confidentiality requirements.
We take our role as a custodian of health information seriously and know that privacy is an important component of consumer and provider trust in our services.
How do we store your personal and health information?
We keep your personal information safe by only allowing authorised staff to access it. Your information is only shared for the reasons set out above.
How can you access and/or correct your personal information?
You have the right to access and correct your personal information. Please send an email to the Ministry of Health at email@example.com if you wish to access or correct the personal information we hold about you (and the Ministry of Health will notify us accordingly of any required changes).
How long do we keep your personal information?
We only keep your personal information for as long as we require it, as agreed with the Ministry of Health. Sometimes this requirement will be mandated by law.
How can you make a privacy related complaint?
If you have any concerns about the way we’ve collected, used or shared your health information, or you think we have refused a request for information wrongly, then please let the Ministry of Health know and we’ll try our best to resolve your query. Please email the Ministry of Health at firstname.lastname@example.org.
If we can’t resolve your concerns, you can also make a complaint to the Office of the Privacy Commissioner by:
completing an online complaint form at www.privacy.org.nz
writing to the Office of the Privacy Commissioner, PO Box 10-094, The Terrace, Wellington 6143
Changes to this privacy statement
We may update this privacy statement from time to time, to reflect changes to privacy law or our business operations. Any such changes will be posted here. We recommend that you check back to see any updates or changes. This privacy statement was last updated as of 3 August 2021.
Forensic investigative genetic genealogy
Forensic investigative genetic genealogy privacy & transparency statement
New Zealand Police may request ESR to provide forensic investigative genetic genealogy (FIGG) related services on behalf of and as an agent of New Zealand Police. FIGG involves comparing an unknown individual’s DNA with information held on a public genealogy site to ascertain if there is either a direct match or a close or distant familial genetic match. It is only used as a technique of last resort, for serious unsolved cases.
ESR is committed to protecting the privacy and security of individuals and their genetic data. We understand that the information we handle is sensitive and personal, and we strive to maintain the highest ethical and legal standards in our practices.
FIGG is used to provide information that can help New Zealand Police solve homicide cold cases by assisting to identify person(s) of interest, and also to identify unidentified human remains. FIGG produces intelligence leads for investigations when all other forensic avenues have been exhausted. When New Zealand Police requests ESR to provide FIGG services for a particular case, ESR will generate a DNA profile utilising a crime scene DNA sample relating to the unknown individual. This is completed at ESR’s Auckland site and the DNA sample will not leave New Zealand.
If a partial or full profile is generated, ESR will upload that profile onto GEDmatch PRO to potentially identify (or ‘search for’) any familial relationships. GEDmatch PRO is a genetic database which has the option to be utilised for law enforcement purposes, hosted in the United States. GEDmatch PRO states that it complies with the General Data Protection Regulation in relation to the personal information held on its database. Profiles held in GEDmatch PRO are only available for comparison because the owner of the profile has opted-in to making their profile available for law enforcement purposes. ESR does not use any other genetic databases for matching purposes. ESR adheres to GEDmatch PRO’s terms and conditions of use, ESR has provided additional requirements that seek to safeguard information.
If a familial relationship is identified in the database, a match report from GEDmatch PRO is then provided by ESR to New Zealand Police to help build a family tree using standard genealogy principles and techniques (this is completed by New Zealand Police and its contractors). In most cases, the bulk of the family tree will be built from open source or publicly available information.
After providing a match report to New Zealand Police, ESR will then remove the unknown profile from GEDmatch PRO. If no match is achieved, from time-to-time ESR may be requested by New Zealand Police to reload the profile on GEDmatch PRO to see if any new profiles that have been subsequently loaded match or link to the unknown profile. ESR will use best efforts to ensure that an unknown profile remains on GEDmatch PRO for no longer than 48 hours.
Linking a person of interest to a crime scene will require a DNA reference sample to be matched to a crime scene sample as per standard DNA procedures as described in the Criminal Investigations (Bodily Samples) Act 1995.
We take the privacy and security of the genetic data we hold on behalf of New Zealand Police very seriously. We have implemented robust security measures and procedures to protect the confidentiality of genetic data to prevent unauthorised access, use, or disclosure. Access to FIGG cases is locked down in ESR’s systems and staff involvement is limited to ensure appropriate privacy protections are maintained. Only necessary information is provided to New Zealand Police that is generated from GEDmatch PRO.
All genetic information is stored on secured servers and systems. DNA samples are managed by ESR under current operating protocols and legal obligations as required under the Criminal Investigations (Bodily Samples) Act 1995 and the Privacy Act 2020.
Personal information will only be used and disclosed in connection with the purpose for which it was collected – to identify human remains or a perpetrator of a serious crime. ESR will not use any personal information collected for its own purposes.
We do not share genetic data with third parties other than New Zealand Police or as required by law. We do not use case related genetic data for any purpose other than the specific FIGG service for which it was provided or obtained.
ESR is acting as New Zealand Police’s agent in relation to the FIGG services it performs. All information and privacy requests relating to FIGG should be directed to New Zealand Police.