Request for specific policies

Amy S Van Wey Lovatt made this Official Information request to Waikato District Health Board

Response to this request is long overdue. By law Waikato District Health Board should have responded by now (details and exceptions). You can complain to the Ombudsman.

From: Amy S Van Wey Lovatt

Dear Waikato District Health Board,

I am a NZ Citizen writing to request the following policies:

Consumer Feedback and Complaint Policy;
Informed Consent Policy;
Disclosure of Health Information Policy; and
All policies pertaining to the Ministry of Health Standards, HISO 10029:2015 Health Information Security Framework, clause 8.2.

I ask that these policies be submitted to in searchable electronic form, to ensure public access to the information. Alternatively, if Waikato DHB would prefer to upload these policies to their "Transparency" or "Policies" web pages, a link to the policies will suffice.

Yours faithfully,

Link to this

From: Amy S Van Wey Lovatt

Dear Waikato District Health Board,

This is a reminder that you have not met the legislative framework, which requires a response to my request within 20 working days (see section 15(1)(a)), nor has your organization requested an extension within the legislated time frame (see section 15A(3)). I trust that the requested information will be provided by the end of the week.


Amy S Van Wey Lovatt

Link to this

Amy S Van Wey Lovatt left an annotation ()

The following complaint was submitted to the Ombudsman today, 5 March 2021.

Dear Ombudsman,

On 25 January 2021 I made an OIA request for a few specified documents from Waikato DHB. I did not receive a response or a notification of delay as required under sections 15 and 15A of the OIA. Thus, on 24 February 2021, I followed up to request the documents by the end of that week. [Please see attached evidence or go to I still have not received a response through, as I had requested.

I note that according to the DHB's publicly available policy titled Management of Policies and Guidelines [ the policies I have requested are held electronically (4.11-4.12) and are thus, readily accessible, in accordance with the Electronic Transactions Act.

I note that the DHB had made a commitment to ensure compliance with HISO 10029 in their 2019/2020 Annual Plan. which was signed on 23 October 2019 by Health Commissioner Poutasi, Deputy Health Commissioner Wilson, and former CE, Neville Hablous [

You will note that I have made multiple complaints to the Ombudsman for the failure of Waikato DHB to provide information. Waikato DHB's complete disregard for their legal obligations under the OIA , Privacy Act and Health and Disability Commissioner (Code of Health and Disability Services Consumers' Rights) Regulations 1996 is inexcusable.

Kind regards,

Amy S. Van Wey Lovatt, PhD

Link to this

From: Christine Chandler
Waikato District Health Board

Attachment Response Cover Letter 20210322.pdf
1.3M Download View as HTML

Attachment Consumer Feedback and Complaints Policy.pdf
345K Download View as HTML

Attachment Health Information Privacy Policy.pdf
1.1M Download View as HTML

Attachment Informed Consent Policy.pdf
2.2M Download View as HTML

Good morning Amy


Please find attached the response to your information requests, including
the requested policy documents.




Christine Chandler | Consumer Engagement Manager | Quality and Patient
Safety | Waikato District Health Board| Hamilton | New Zealand  Ph 07 839
8899 ext 92252 | Mobile (021) 839 441


This electronic message, together with any attachments is confidential and
may be privileged. If you are not the intended recipient: not copy,
disclose or use the contents in any way. 2.please let me know by return
email immediately and then destroy the message. Waikato DHB is not
responsible for any changes made to this message and/or any attachments
after sending by Waikato DHB. Before opening or using attachments, check
them for viruses and effects. Waikato DHB takes no responsibility for
affected attachments. Click on link to
view the company policy website. If you are not redirected to the company
policy website then copy and paste the URL into a new browser window.

Link to this

Amy S Van Wey Lovatt left an annotation ()

On 23 March 2021 I submitted the following complaint to the Ombudsman, HDC, Privacy Commissioner, HRC, and the MoH.

Dear Commissioners, Minster Andrews, and Director-General Bloomfield,

RE: Complaint against Waikato DHB - refusal of policies required under HISO 10029 (clause 8.2)

I am writing to you today because of the refusal of the DHB to provide me with copies of policies which the Ministry of Health has mandated all DHBs have [HISO 10029:2015, clause 8.2]. The mandate, under clause 8.2, is very specific and requires a Connections policy, Information transfer policy, and Information protection policy.

Information transfer policy
The organisation has formally documented:
• the minimum technical standards for packaging and transmission of health information
• the tools to be used for the transmission of information between organisations or sections/business units of the organisation
• how personal health information exchanged over a network is protected from interception, incorrect routing and/or loss
• how personal health information exchanged on physical media is protected from unauthorised access, misuse or corruption
• agreed requirements with external parties, relating to transferred personal information
• responsibilities and liabilities in the event of information security incidents • incident notification requirements
• labelling for sensitive data
• use of security controls such as Cryptography and cryptographic key management (see section 15). Information protection policy [Emphasis Added]

On 25 January 2021, I requested a few specific Waikato DHBs policies through My fourth request was:
All policies pertaining to the Ministry of Health Standards, HISO 10029:2015 Health Information Security Framework, clause 8.2.

When I did not receive a response within the legislative time, I reminded the DHB of their legal obligation. When I still received no response, I complained to the Ombudsman.

On 22 March 2021, the DHB denied my request for the policies mandated under HISO 10029:2015 Health Information Security Framework, clause 8.2. The DHB stated:
Request 4 is not a valid request under the Official Information Act as it does not specify the information sought with due particularity.

Referencing HISO 10029:2015 Health Information Security Framework, clause 8.2 is very particular. The standards clearly state what specific policies each DHB must have and the information which must be included in them. Thus, I believe we would all agree that the DHBs statement was inaccurate and irrational.

Moreover, the DHBs refusal is not a ground for refusal under the OIA, and thus her response was wrong, or a mistake of law.

Ombudsman - Breach of OIA 1982:
In refusing my request, without assisting, the DHB had failed to uphold their legislative duty under section 13 of the Act. In refusing me access to policies, which are internal rules which would have informed decisions made about me (the interception of my personal communications), the DHB has breached sections 21-23 of the OIA.

Privacy Commissioner - Breach of PA 2020:
Under IPP 3 of the Privacy Act 2020, the DHB has a legal obligation to provide information to patients prior to obtaining personal information. The DHB has not made their policies available to me or the public prior to collecting personal information, and is therefore in breach of IPP3.

It is clear that the interception of my personal communications without my consent, or the consent of the intended recipients, is consistent with section 216B of the Crime Act 1961, which comes under section 9A Crimes against personal privacy, and thus is a breach of IPP 4. Providing inaccurate information, as the DHB has, is a breach of IPP 8.

Purpose of this Act
The purpose of this Act is to promote and protect individual privacy by—
(a) providing a framework for protecting an individual’s right to privacy of personal information, including the right of an individual to access their personal information, while recognising that other rights and interests may at times also need to be taken into account; and
(b) giving effect to internationally recognised privacy obligations and standards in relation to the privacy of personal information, including the OECD Guidelines and the International Covenant on Civil and Political Rights.

Article 17 of the International Covenant on Civil and Political Rights, states:
1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

2. Everyone has the right to the protection of the law against such interference or attacks.

Ms C has been interfering with my correspondence. I have a right to be protected against such interference, and thus Ms C and the DHB have breached their legal obligations under this Act.

Human Rights Commissioner - Breach of NZ Bill of Rights 1990:
Section 21 of the NZ Bill of Rights affirms that I am to be protected from search and seizure by government agencies, which includes communications. The interception of my personal communications, by Ms C, is a breach of my rights and the DHBs obligations under NZBORA. I have attached a copy of my submission to the Ombudsman, which provides a summary of the facts, as well as links to the supporting evidence for my complaint against the DHB for unlawful search and seizure.

In Hamed v R [2011] NZSC 101, Justice Elias stated:

[10] ...Section 21 protects personal freedom and dignity from unreasonable and arbitrary State intrusion. Whether such intrusion is unreasonable or arbitrary is objectively assessed according to the standard of what limitation on personal freedom can be “demonstrably justified in a free and democratic society”.[20] The right protects privacy but, more fundamentally, it holds a constitutional balance between the State and citizen by preserving space for individual freedom and protection against unlawful and arbitrary intrusion by State agents.[21] It describes a “right to be let alone”.[22] Police investigation which invades such private space constitutes search within the meaning of s 21. It may be undertaken through remote technology or through in person observation. I therefore take the view, differing from that expressed by Blanchard J,[23] that s 21 guarantees reasonable expectations of privacy from State intrusion.

[17] The New Zealand Bill of Rights Act provides protection for human rights and fundamental freedoms against unreasonable State intrusion. Under s 21 of the Act, everyone has “the right to be secure against unreasonable search or seizure, whether of the person, property, or correspondence or otherwise”. As the White Paper which preceded enactment of the legislation stressed, citing the Canadian Supreme Court case of Hunter, the list of interests protected is not exhaustive: s 21 “guarantees a broad and general right”.[32] While freedom from unauthorised search on private property has long been protected at common law,[33] the former property-based protection expands with human rights values to protect the public interest in “personal freedom, privacy and dignity”.[34] Section 21 protects “people, not places”.[35] Moreover, security from unreasonable State intrusion will often be a necessary condition of other freedoms, such as freedom of conscience, freedom of expression, freedom of movement, and freedom of association.[36]

[18] Section 21 gives effect to art 17 of the International Covenant on Civil and Political Rights. Article 17 provides that no one is to be subjected to “arbitrary or unlawful interference with his privacy, family, home or correspondence”. The United Nations Human Rights Committee, in General Comment on Article 17, has said that art 17 applies to “[s]urveillance, whether electronic or otherwise”, as well as “interceptions of telephonic, telegraphic and other forms of communication, wire-tapping and recording of conversations”.[37] All such are treated as prohibited except to the extent authorised by “relevant legislation”, complying with the obligations under art 17.[38] The term “unlawful” is interpreted to mean that “no interference can take place except in cases envisaged by the law”:[39]

[37] ..., I consider that the policies and principles of the Bill of Rights Act compel the courts to insist on lawful authority for interference with personal freedom ...

[44] ... it would be unacceptably destructive of human rights if the reasonableness of search turned only on ex post facto consideration of “the governmental interest in carrying out a given search”.[88] The purpose of protecting individuals from unjustified intrusions on their privacy requires statutory authority for authorisation in advance to prevent unjustified searches before they happen.[89]

In this case, the Supreme Court justices unanimously agreed, the "surveillance was unlawful because not authorised by legislation". There is no legislation which authorizes Ms C or the DHB to surveille my correspondence.

Breach of MoH Standards:
Their refusal to provide policies, in order to obtain informed consent, is a breach of mandates set out under MoH standard HISO 10064:2017. This standard also provides for the patient to determine who may and may not access their medical information. When Ms C intercepted personal communications, intended for my physicians, the DHB did not meet their ethical and legal obligation to uphold my rights to informed consent, confidentiality and autonomy.

If the DHB does not have policies, as required under HISO 10029, clause 8.2, then the DHB has breached this MoH standard as well. It is clear that the interception of my personal communications, without my consent or the consent of the intended recipient, is contrary to both of these standards.

Breach of MCNZ Standards:
The medical council of NZ also provides standards for good medical practice and informed consent. Intercepting my communications, without my consent or the consent of the intended recipient, is a breach of standards for informed consent and confidentiality of medical information.

HDC - Breaches of Code of Consumer Rights:
Any breach of the Privacy Act 2020, as outlined above, is a breach of Right (1)(2). Failing to meet legal, professional and ethical standards, (as those outlined above) is a breach of Right (4)(2). Failing to provide information, which is necessary for informed consent, is a breach of Right 7. The interception of communications, which prohibits a patient from complaining directly to the persons who have provided services is a breach of Right 10, as well as Rights 1(2), 4(2) and 7.

I have cc'ed in HealthShare Ltd. As the authorized independent third party who has a legislative duty to ensure compliance with these HISO standards. it was their legal obligation to ensure that the DHB was compliant with the HISO 10064 and 10029. Thus, if they have done their due diligence, these policies must exist. If they have not done their due diligence, and the policies I have requested do not exist, then please accept this email as a formal complaint against HealthShare Ltd.

I trust that your agencies will start holding the DHB to account.

Amy S. Van Wey Lovatt, PhD

Link to this

Things to do with this request

Waikato District Health Board only: