12 Principles of the Privacy Act in New Zealand (2019)

PRIVACY ACT (1993)

Q.  What is the Privacy Act and what does it do? 

A. The Privacy Act provides rules for the collection, use and disclosure of personal information. It regulates the handling of personal information.

Twelve principles form the Privacy Act, covering the following:

§ Collection of personal information

§ Storage and security of personal information 

§ Request for access to and correction of personal information

§ Accuracy of personal information

§ Retention of personal information

§ Use and disclosure of personal information

§ Using unique identifiers

For a full breakdown of the twelve principles visit https://bit.ly/2Fvw23o

The OPC (Office of the Privacy Commissioner) is the independent body responsible for investigating privacy complaints.

1) Collection

By definition: - the action or process of collecting someone or something e.g. “the collection of data”

Requests for information come from other medical providers, ACC, insurance companies and law enforcement agencies.  The request should be specific and have signed consent from the individual (or authorised representative). 

You are required to provide information to the Police if a search warrant or production order is presented.  The following link provides a detailed outline of your responsibilities when disclosing personal information to the Police: -  https://bit.ly/2LZt7RR

Examples of methods used for the collection of medical information.

§ Patient collects medical records

§ GPGP (electronic transfer within PMS)

§ Fax 

§ Courier/Post

§ Third Parties (Insurance companies, law enforcement)

2) Use

By definition: - the action of using something or the state of being used for a purpose

The use of personal medical information should be clear from the agency or person(s) requesting the information.

An example of this would be a request from ACC for further information regarding a patient claim. To make the decision on cover, ACC sends the treatment provider a request for further information. The request references the relevant claim number and asks for the notes taken by the treatment provider at the time.

3) Disclosure

By definition: - the act of making new or secret information known

Disclosure results in the satisfaction of the request and use of the information sought. 


The Police or law enforcement agencies do not need to explain why they are seeking information through a voluntary request rather than by a search warrant or production order. However, they do need to provide enough information to justify the disclosure. This explanation should not prejudice the investigation or make an unwarranted disclosure of personal information. 

My Recommendations

To manage the multiple requests for information from any agencies, person(s) or representatives, I recommend having clear guidelines for all staff concerned including the following process to manage the paperwork. 

Scan all non-electronic requests to patient records, including any responses sent, and annotate when they were processed for future reference and audit requirements.


Useful links for further clarification on releasing patient information: - 




Debbie Cripps
