Good morning Mr Francis

This is to acknowledge receipt of your request under the Official Information Act. We will respond as soon as we can.

Regards

Sharyn

Sharyn Leonard
Executive Assistant (Legal)

Office of the Privacy Commissioner Te Mana Mātāpono Matatapu
privacy.org.nz

NZBN 9429041913161

Privacy is about protecting personal information, yours and others. To find out how, and to stay informed, subscribe to our newsletter or follow us online. Have a privacy question? AskUs

Caution: If you have received this message in error please notify the sender immediately and delete this message along with any attachments. Please treat the contents of this message as private and confidential. Thank you.

show quoted sections

Tçnâ koe Mr Francis

 

We have received your requests of 8 May 2020 under the Official
Information Act 1982 for information about the operation of the Health
Information Privacy Code 1994 (the HIPC). We have addressed these requests
together as they appear to cover the same subject matter.

 

Request 1

You have asked us to: “compare and contrast the differences between the
obligations and legislative responsibilities that each of the following
types of agencies must adhere to when collecting, holding, disclosing, and
sharing medical and health information:

1. New Zealand Public Service Agency

2. New Zealand State Sector Agency

3. New Zealand Health Agency.”

 

Response

The main distinction is whether the agency is a “health agency” or not.
All agencies covered by the Privacy Act 1993 have obligations they must
adhere to when collecting, holding, disclosing and sharing medical and
health information as a type of “personal information”. For example,
certain employers may need to collect health information about their
employees.

 

Agencies providing health or disability services however must comply with
a different set of obligations.

 

Firstly, the Health Act 1956 has provision about the disclosure of health
information by any agency that provides personal health service, public
health services and disability support services (as defined in the New
Zealand Public Health and Disability Act 2000). See sections 22C – 22H of
the [1]Health Act.

 

Secondly, a number of health agencies must also comply with the [2]Code of
Health and Disability Services Consumers’ Rights and their own
professional ethical obligations.

 

Thirdly, the Health Information Privacy Code 1994 also applies to agencies
providing personal or public health or disability services as well as any
agency of a kind listed in clause 4(2) of the HIPC or Schedule 1.

 

The Health Information Privacy Code

 

The Privacy Act gives the Privacy Commissioner the power to issue codes of
practice that become part of the law. These codes may modify the operation
of the Act for specific industries, agencies, activities or types of
personal information to take account of special circumstances which affect
a class of information.

 

The HIPC is one of these codes of practice and takes the place of the
information privacy principles, in respect of health information as well
as any information described in clause 4(1) of the HIPC.

 

The HIPC sets specific rules for agencies covered by [3]clause  4(2) of
the HIPC.

 

Clause 4(2) covers:

o all agencies providing personal or public health or disability
services such as primary health organisations, district health boards,
rest homes, supported accommodation, doctors, nurses, dentists,
pharmacists and optometrists; and
o some agencies that do not provide health services to individuals, but
which are part of the health sector such as ACC, the Ministry of
Health, the Health Research Council, health insurers and professional
disciplinary bodies.

Request 2

You have also asked us to “provide the list of circumstances (if any)
where agencies not listed in Schedule 1 and Schedule 2 of the Health
Information Privacy Code 1994 are permitted to collect and retain medical
and health information:
[4]https://www.privacy.org.nz/assets/Files/...

 

Response

Any agency may collect medical and health information if they comply with
the Privacy Act’s collection principles (principles 1 to 4) unless there
is a statutory restriction or prohibition on doing so.

 

Other statutory authority besides the Privacy Act can also authorise the
collection of health information to do so. For example, the Land Transport
Act requires that health practitioners who have been consulted in respect
of a driver’s license holder provide the New Zealand Transport Agency
notice if they deem the license holder is not fit to drive.

 

If the agency is of a kind listed in clause 4(2) of the HIPC or Schedule
1, they must instead comply with collection rules in the HIPC (rules 1-4).

Schedule 1 is not an exhaustive list of agencies the HIPC applies to, it
clarifies that those particular agencies are covered by section 4(2) of
the HIPC, as well as all the other agencies listed in clause 4(2).

 

Schedule 2 sets out the agencies which can assign the same NHI number to
an individual under [5]rule 12(3).

 

Where health information is held by an agency which is not covered by
section 4(2) of the HIPC the provisions of the Privacy Act will apply.
Therefore, all New Zealand agencies which hold health information are
subject to obligations in terms of collection, storage, use, access and
correction, retention, and disclosure, however those subject to the HIPC
must consider the modifications made by that code.

 

These modifications are contained in rules 2 and 3 regarding who health
information can be collected from and what an agency must tell someone
when they are collecting this information, rule 9 which relates to
retention of health information, rules 10 and 11 which relate to the use
and disclosure of health information, and rule 12 which relates to unique
identifiers.

 

I hope you find this information helpful.

 

Nâku, nâ

 

Natalie Marshall

Rôia / Legal Adviser

 

 

Office of the Privacy Commissioner  Te Mana Mâtâpono Matatapu
PO Box 10094, The Terrace, Wellington 6143

Level 8, 109 Featherston Street, Wellington, New Zealand

E   [6][Privacy Commissioner request email]

privacy.org.nz   

 

[7]25 years logo 30mm x 30mm_Over 25mm_GREYSCALE[8]KKtRM-logo-small

 

 

Privacy is about protecting personal information, yours and others. To
find out how, and to stay informed, [9]subscribe to our newsletter
or follow us online. [10]Description: Description: Description: Small
facebook icon [11]Description: twitter-bird-blue-on-whiteHave a privacy
question? [12]AskUs

 

Caution: If you have received this message in error please notify the
sender immediately and delete this message along with any attachments. 
Please treat the contents of this message as private and confidential.
Thank you.

 

 

References

Visible links
1. http://www.legislation.govt.nz/act/publi...
2. https://www.hdc.org.nz/your-rights/about...
3. https://www.privacy.org.nz/assets/Files/...
4. https://www.privacy.org.nz/assets/Files/...
5. https://www.privacy.org.nz/the-privacy-a...
6. mailto:[Privacy Commissioner request email]
9. http://privacy.org.nz/subscribe/
10. http://www.facebook.com/PrivacyNZ
11. https://twitter.com/NZPrivacy
12. http://www.privacy.org.nz/ask

Tçnâ koe Mr Francis

 

We have received your requests of 8 May 2020 under the Official
Information Act 1982 for information about the operation of the Health
Information Privacy Code 1994 (the HIPC). We have addressed these requests
together as they appear to cover the same subject matter.

 

Request 1

You have asked us to: “compare and contrast the differences between the
obligations and legislative responsibilities that each of the following
types of agencies must adhere to when collecting, holding, disclosing, and
sharing medical and health information:

1. New Zealand Public Service Agency

2. New Zealand State Sector Agency

3. New Zealand Health Agency.”

 

Response

The main distinction is whether the agency is a “health agency” or not.
All agencies covered by the Privacy Act 1993 have obligations they must
adhere to when collecting, holding, disclosing and sharing medical and
health information as a type of “personal information”. For example,
certain employers may need to collect health information about their
employees.

 

Agencies providing health or disability services however must comply with
a different set of obligations.

 

Firstly, the Health Act 1956 has provision about the disclosure of health
information by any agency that provides personal health service, public
health services and disability support services (as defined in the New
Zealand Public Health and Disability Act 2000). See sections 22C – 22H of
the [1]Health Act.

 

Secondly, a number of health agencies must also comply with the [2]Code of
Health and Disability Services Consumers’ Rights and their own
professional ethical obligations.

 

Thirdly, the Health Information Privacy Code 1994 also applies to agencies
providing personal or public health or disability services as well as any
agency of a kind listed in clause 4(2) of the HIPC or Schedule 1.

 

The Health Information Privacy Code

 

The Privacy Act gives the Privacy Commissioner the power to issue codes of
practice that become part of the law. These codes may modify the operation
of the Act for specific industries, agencies, activities or types of
personal information to take account of special circumstances which affect
a class of information.

 

The HIPC is one of these codes of practice and takes the place of the
information privacy principles, in respect of health information as well
as any information described in clause 4(1) of the HIPC.

 

The HIPC sets specific rules for agencies covered by [3]clause  4(2) of
the HIPC.

 

Clause 4(2) covers:

o all agencies providing personal or public health or disability
services such as primary health organisations, district health boards,
rest homes, supported accommodation, doctors, nurses, dentists,
pharmacists and optometrists; and
o some agencies that do not provide health services to individuals, but
which are part of the health sector such as ACC, the Ministry of
Health, the Health Research Council, health insurers and professional
disciplinary bodies.

Request 2

You have also asked us to “provide the list of circumstances (if any)
where agencies not listed in Schedule 1 and Schedule 2 of the Health
Information Privacy Code 1994 are permitted to collect and retain medical
and health information:
[4]https://www.privacy.org.nz/assets/Files/...

 

Response

Any agency may collect medical and health information if they comply with
the Privacy Act’s collection principles (principles 1 to 4) unless there
is a statutory restriction or prohibition on doing so.

 

Other statutory authority besides the Privacy Act can also authorise the
collection of health information to do so. For example, the Land Transport
Act requires that health practitioners who have been consulted in respect
of a driver’s license holder provide the New Zealand Transport Agency
notice if they deem the license holder is not fit to drive.

 

If the agency is of a kind listed in clause 4(2) of the HIPC or Schedule
1, they must instead comply with collection rules in the HIPC (rules 1-4).

Schedule 1 is not an exhaustive list of agencies the HIPC applies to, it
clarifies that those particular agencies are covered by section 4(2) of
the HIPC, as well as all the other agencies listed in clause 4(2).

 

Schedule 2 sets out the agencies which can assign the same NHI number to
an individual under [5]rule 12(3).

 

Where health information is held by an agency which is not covered by
section 4(2) of the HIPC the provisions of the Privacy Act will apply.
Therefore, all New Zealand agencies which hold health information are
subject to obligations in terms of collection, storage, use, access and
correction, retention, and disclosure, however those subject to the HIPC
must consider the modifications made by that code.

 

These modifications are contained in rules 2 and 3 regarding who health
information can be collected from and what an agency must tell someone
when they are collecting this information, rule 9 which relates to
retention of health information, rules 10 and 11 which relate to the use
and disclosure of health information, and rule 12 which relates to unique
identifiers.

 

I hope you find this information helpful.

 

Nâku, nâ

 

Natalie Marshall

Rôia / Legal Adviser

 

 

Office of the Privacy Commissioner  Te Mana Mâtâpono Matatapu
PO Box 10094, The Terrace, Wellington 6143

Level 8, 109 Featherston Street, Wellington, New Zealand

E   [6][Privacy Commissioner request email]

privacy.org.nz   

 

[7]25 years logo 30mm x 30mm_Over 25mm_GREYSCALE[8]KKtRM-logo-small

 

 

Privacy is about protecting personal information, yours and others. To
find out how, and to stay informed, [9]subscribe to our newsletter
or follow us online. [10]Description: Description: Description: Small
facebook icon [11]Description: twitter-bird-blue-on-whiteHave a privacy
question? [12]AskUs

 

Caution: If you have received this message in error please notify the
sender immediately and delete this message along with any attachments. 
Please treat the contents of this message as private and confidential.
Thank you.

 

 

References

Visible links
1. http://www.legislation.govt.nz/act/publi...
2. https://www.hdc.org.nz/your-rights/about...
3. https://www.privacy.org.nz/assets/Files/...
4. https://www.privacy.org.nz/assets/Files/...
5. https://www.privacy.org.nz/the-privacy-a...
6. mailto:[Privacy Commissioner request email]
9. http://privacy.org.nz/subscribe/
10. http://www.facebook.com/PrivacyNZ
11. https://twitter.com/NZPrivacy
12. http://www.privacy.org.nz/ask