Agency obligations for the holding and disclosure of medical and health information

William T Francis made this Official Information request to Privacy Commissioner

The request was partially successful.

From: William T Francis

Dear Privacy Commissioner,

This request is made under the Official Information Act 1982.

I refer to the Health Information Privacy Code 1994:

https://www.privacy.org.nz/the-privacy-a...

Please compare and contrast the differences between the obligations and legislative responsibilities that each of the following types of agencies must adhere to when collecting, holding, disclosing, and sharing medical and health information:

1. New Zealand Public Service Agency

2. New Zealand State Sector Agency

3. New Zealand Health Agency

Yours faithfully,

William T Francis


From: OIA
Privacy Commissioner

Good morning Mr Francis

This is to acknowledge receipt of your request under the Official Information Act. We will respond as soon as we can.

Regards

Sharyn

Sharyn Leonard
Executive Assistant (Legal)

Office of the Privacy Commissioner  Te Mana Mātāpono Matatapu
privacy.org.nz 

NZBN 9429041913161

Privacy is about protecting personal information, yours and others. To find out how, and to stay informed, subscribe to our newsletter or follow us online.  Have a privacy question? AskUs

Caution: If you have received this message in error please notify the sender immediately and delete this message along with any attachments.  Please treat the contents of this message as private and confidential. Thank you.


From: OIA
Privacy Commissioner




Tēnā koe Mr Francis

 

We have received your requests of 8 May 2020 under the Official
Information Act 1982 for information about the operation of the Health
Information Privacy Code 1994 (the HIPC). We have addressed these requests
together as they appear to cover the same subject matter.

 

Request 1

You have asked us to: “compare and contrast the differences between the
obligations and legislative responsibilities that each of the following
types of agencies must adhere to when collecting, holding, disclosing, and
sharing medical and health information:

1. New Zealand Public Service Agency

2. New Zealand State Sector Agency

3. New Zealand Health Agency.”

 

Response

The main distinction is whether the agency is a “health agency” or not.
All agencies covered by the Privacy Act 1993 have obligations they must
adhere to when collecting, holding, disclosing and sharing medical and
health information as a type of “personal information”. For example,
certain employers may need to collect health information about their
employees.

 

Agencies providing health or disability services however must comply with
a different set of obligations.

 

Firstly, the Health Act 1956 has provisions about the disclosure of health
information by any agency that provides personal health services, public
health services and disability support services (as defined in the New
Zealand Public Health and Disability Act 2000). See sections 22C – 22H of
the [1]Health Act.

 

Secondly, a number of health agencies must also comply with the [2]Code of
Health and Disability Services Consumers’ Rights and their own
professional ethical obligations.

 

Thirdly, the Health Information Privacy Code 1994 also applies to agencies
providing personal or public health or disability services as well as any
agency of a kind listed in clause 4(2) of the HIPC or Schedule 1.

 

The Health Information Privacy Code

 

The Privacy Act gives the Privacy Commissioner the power to issue codes of
practice that become part of the law. These codes may modify the operation
of the Act for specific industries, agencies, activities or types of
personal information to take account of special circumstances which affect
a class of information.

 

The HIPC is one of these codes of practice and takes the place of the
information privacy principles, in respect of health information as well
as any information described in clause 4(1) of the HIPC.

 

The HIPC sets specific rules for agencies covered by [3]clause 4(2) of
the HIPC.

 

Clause 4(2) covers:

* all agencies providing personal or public health or disability
services such as primary health organisations, district health boards,
rest homes, supported accommodation, doctors, nurses, dentists,
pharmacists and optometrists; and
* some agencies that do not provide health services to individuals, but
which are part of the health sector such as ACC, the Ministry of
Health, the Health Research Council, health insurers and professional
disciplinary bodies.

Request 2

You have also asked us to “provide the list of circumstances (if any)
where agencies not listed in Schedule 1 and Schedule 2 of the Health
Information Privacy Code 1994 are permitted to collect and retain medical
and health information:
[4]https://www.privacy.org.nz/assets/Files/...

 

Response

Any agency may collect medical and health information if they comply with
the Privacy Act’s collection principles (principles 1 to 4) unless there
is a statutory restriction or prohibition on doing so.

 

Other statutory authority besides the Privacy Act can also authorise the
collection of health information. For example, the Land Transport
Act requires that health practitioners who have been consulted in respect
of a driver's licence holder provide the New Zealand Transport Agency
notice if they deem the licence holder is not fit to drive.

 

If the agency is of a kind listed in clause 4(2) of the HIPC or Schedule
1, they must instead comply with collection rules in the HIPC (rules 1-4).

Schedule 1 is not an exhaustive list of agencies the HIPC applies to; it
clarifies that those particular agencies are covered by section 4(2) of
the HIPC, as well as all the other agencies listed in clause 4(2).

 

Schedule 2 sets out the agencies which can assign the same NHI number to
an individual under [5]rule 12(3).

 

Where health information is held by an agency which is not covered by
section 4(2) of the HIPC, the provisions of the Privacy Act will apply.
Therefore, all New Zealand agencies which hold health information are
subject to obligations in terms of collection, storage, use, access and
correction, retention, and disclosure; however, those subject to the HIPC
must consider the modifications made by that code.

 

These modifications are contained in rules 2 and 3 regarding who health
information can be collected from and what an agency must tell someone
when they are collecting this information, rule 9 which relates to
retention of health information, rules 10 and 11 which relate to the use
and disclosure of health information, and rule 12 which relates to unique
identifiers.

 

I hope you find this information helpful.

 

Nāku, nā

 

Natalie Marshall

Rōia / Legal Adviser

 

 

Office of the Privacy Commissioner  Te Mana Mātāpono Matatapu
PO Box 10094, The Terrace, Wellington 6143

Level 8, 109 Featherston Street, Wellington, New Zealand

E   [6][Privacy Commissioner request email]

privacy.org.nz   

 


 

 

References

Visible links
1. http://www.legislation.govt.nz/act/publi...
2. https://www.hdc.org.nz/your-rights/about...
3. https://www.privacy.org.nz/assets/Files/...
4. https://www.privacy.org.nz/assets/Files/...
5. https://www.privacy.org.nz/the-privacy-a...
6. mailto:[Privacy Commissioner request email]



From: William T Francis

Kia ora Natalie,

Thanks for your reply. You may consider the first question answered.

Further, I asked for a list of circumstances where the information can be collected. If you can present your answer by using real-world scenarios it would be far more useful. For reference, a list is presented as follows:

* Item 1

* Item 2

* Item 3

* and so forth

Based on your avoidant reply, I am currently left to assume that agencies can collect and handle personal medical information in any circumstances in which they so desire without any compliance audits being conducted. I am certain you can understand the importance of clearing up this assumption and remediating it by listing the real-world scenarios.

Yours sincerely,

William T Francis


From: OIA
Privacy Commissioner




Tēnā koe Mr Williams,

 

Thank you for your emails.

 

You have asked us to provide a list of circumstances (if any) where
agencies not listed in Schedule 1 and Schedule 2 of the Health Information
Privacy Code 1994 are permitted to collect and retain medical and health
information. As we indicated, Schedule 1 is a subset of the agencies who
collect and retain health information. Schedule 2 has a different function
and is a closed list of agencies who can assign patients a National Health
Information (NHI) number.

 

It is not possible to answer your question in the format you have
requested as any agency may collect medical and health information if they
comply with the Privacy Act's collection principles (principles 1 to 4).
It therefore depends on whether an agency has a lawful purpose to collect
and then retain medical and health information. However, some examples of
agencies outside of Schedule 1 that may collect medical and health
information include:

* The Department of Corrections
* New Zealand Police
* Insurance companies
* Rest homes

 

Any agency that holds personal or medical information has to have
[1]security safeguards which are reasonable in the circumstances. This is
for each agency to determine what is reasonable for their particular
circumstances, and for the Privacy Commissioner to review if there is a
complaint. In relation to health information we would expect robust
safeguards given the sensitivity of the information.

 

In terms of real-life scenarios, where these are available, we publish
case notes on our website such as:
[2]https://www.privacy.org.nz/news-and-publ....

 

Under the new Privacy Act (which is currently making its way through
Parliament) agencies will be required to notify our Office of any
privacy breaches, which will strengthen incentives to have robust
protections in place. In the event of a breach the Commissioner may ask
what sort of compliance audits the agency had put in place. The new law
will also enable the Privacy Commissioner to issue a compliance notice if
an agency's security safeguards are inadequate. Here are some of our
guidance materials for the health sector:

[3]https://www.privacy.org.nz/news-and-publ...

[4]https://www.privacy.org.nz/news-and-publ...

 

If you have any further questions about the operation of the HIPC or
Privacy Act you can contact us on [5][email address]. You can
also use the [6]Ask Us function on our website where you can ask our
knowledge base questions.  

 

 

Nāku, nā

 

Natalie Marshall

Rōia / Legal Adviser

 

 

Office of the Privacy Commissioner  Te Mana Mātāpono Matatapu

From: William T Francis

Dear Natalie,

Thanks for the reply.

Based on the information you have provided, an observer to this OIA request could easily be left to assume that agencies can collect and handle medical information with impunity, and with very few practical and real-world checks and balances within their information systems or upon their staff regarding that collection and handling.

I appreciate this must be a delicate request, but it remains simple. I did not ask for a list of agencies. I asked for a list of scenarios. Therefore, this request is not yet completed.

Perhaps a slight tweaking of the wording will assist: if the circumstances depend on whether an agency has a lawful purpose, please provide the list of lawful purposes.

Yours sincerely,

William T Francis


From: OIA
Privacy Commissioner




Tēnā koe Mr Francis,
 
Thank you for your email.
 
We were not able to provide you with a complete list of scenarios as
requested because it would be impossible for us to collate all of these.
As explained the focus when determining whether an agency can collect
health information is on their purpose for doing so, rather than the type
of agency they are. It is also not possible to list the lawful purposes
exhaustively either due to the number of situations where a lawful purpose
for collection will exist.
 
However, I have included some scenarios where non-health agencies could
collect medical information based on the examples I gave in my last email.
I hope you find these useful:

* The Department of Corrections – The Department of Corrections Health
Services collect health information from new arrivals in order to
assess, diagnose, and treat prisoners with poor health. The Department
is required under the law to provide treatment which is reasonably
necessary and to the standard equivalent to what is provided to the
public. They would not be able to do so without collecting health
information from prisoners, and so they have a lawful purpose for
collecting this information.
* New Zealand Police – All job applicants for the New Zealand Police
must undergo a two part medical clearance process in support of their
applications. The Police [1]pre-application page explains that “Due to
the highly unpredictable nature of operational activity, constabulary
employees need to be skilled, healthy and functionally able to
undertake operational duties. An operational role can change
dramatically from sedentary screen-based data-entry duties to
exercising “use of force” skills in dangerous circumstances over very
short periods of time. While physically demanding incidents may be
infrequent, they can be intense, critical and even life-threatening.
Having the operational functionality to exercise these skills safely
is essential to a constabulary employee's ability to execute his/her
duties. A constabulary employee is expected to be in a state of
readiness at all times.” On this basis Police would have a lawful
basis for collecting health information from applicants.
* Insurance companies – Insurance companies collect a range of
information from their customers depending on the type of policy the
customer wants. Often, an insurance company will collect medical or
health information such as current or former physical or mental or
medical condition; health status; injury or disability information;
medical procedures performed; personal habits (for example, smoking or
consumption of alcohol); prescription information, and medical
history. This is in order to determine what products a customer will
be eligible for, and whether a policy needs to have exclusions or
premium loadings. Again, an insurance company would have a lawful
purpose for collecting this information in connection with its
functions.

 
In terms of real-world checks and balances, our Office does not have a
proactive function in regards to going out and checking information
systems or processes; however, we often get the opportunity to examine
these in the context of complaint investigations. We have also published
extensive commentary on information security in the health information
context, including recommendations on suitable security arrangements,
operational security, technical security, destruction, and security plans
(you can find this commentary [2]here from page 38). It is our
expectation that any agency handling personal health information will take
steps to ensure they have sufficient safeguards in place which are
reflective of the sensitivity of that information.
 
 
Nāku, nā
 
Natalie Marshall
Rōia / Legal Adviser
 
 
Office of the Privacy Commissioner  Te Mana Mātāpono Matatapu

From: William T Francis

Dear Privacy Commissioner,

Thanks for the reply. To summarise, it is now clear that agencies practically collect, handle, and disseminate medical information based largely on their own preferences with no proactive audits conducted by the Office of the Privacy Commissioner, and that no nationally agreed list of real-world scenarios exists or can be collated by the Office of the Privacy Commissioner.

It seems pertinent that the Privacy Commissioner or another agency introduce an effective compliance/audit scheme at some point.

Yours sincerely,

William T Francis
