12 Principles of the Privacy Act in New Zealand (2019)

shutterstock_730538191__1_PRIVACY ACT (1993)

Q.  What is the Privacy Act and what does it do? 

A. The Privacy Act provides rules for the collection, use and disclosure of personal information. It regulates the handling of personal information.

Twelve principles form the Privacy Act, covering the following:

§ Collection of personal information

§ Storage and security of personal information 

§ Request for access to and correction of personal information

§ Accuracy of personal information

§ Retention of personal information

§ Use and disclosure of personal information

§ Using unique identifiers

For a full breakdown of the twelve principles visit https://bit.ly/2Fvw23o

The OPC (Office of the Privacy Commissioner) is the independent body responsible for investigating privacy complaints.

1) Collection

By definition: - the action or process of collecting someone or something e.g. “the collection of data”

Requests for information come from other medical providers, ACC, insurance companies and law enforcement agencies.  The request should be specific and have signed consent from the individual (or authorised representative). 

You are required to provide information to the Police if a search warrant or production order is presented.  The following link provides a detailed outline of your responsibilities when disclosing personal information to the Police: -  https://bit.ly/2LZt7RR

Examples of methods used for the collection of medical information.

§ Patient collects medical records

§ GPGP (electronic transfer within PMS)

§ Fax 

§ Courier/Post

§ Third Parties (Insurance companies, law enforcement)

2) Use

By definition: - the action of using something or the state of being used for a purpose

The use of personal medical information should be clear from the agency or person(s) requesting the information.

An example of this would be a request from ACC for further information regarding a patient claim.To make the decision for cover a request for further information to the treatment provider is sent.  In their request they reference the relevant claim number as well as requesting the notes taken by the treatment provider at the time.

3) Disclosure

By definition: - the act of making new or secret information known

Disclosure results in the satisfaction of the request and use of the information sought. 


The Police or law enforcement agencies do not need to explain why they are seeking information through a voluntary request rather than by a search warrant or production order. However, they do need to provide enough information to justify the disclosure. This explanation should not prejudice the investigation or make an unwarranted disclosure of personal information. 

My Recommendations

To manage the multiple requests for information from any agencies, person(s) or representatives, I recommend having clear guidelines for all staff concerned including the following process to manage the paperwork. 

Scan all requests (non-electronic) to patient records including any responses sent and annotate when processed for future reference and audit requirements. 


Useful links for further clarification on releasing patient information: - 



Stay connected
Read my first LinkedIn article 
Read my staff bio 
Book a time 

Debbie Cripps

David Johnston
"Successful business is a result of interconnecting partnerships all working in synergy for a common goal. Our job is to ensure the efficiency and effectiveness of the strands that link it all together."

David Johnston
Think I.T. Team


Critical recall of some Zebra printer power supply units

It has come to our attention that Zebra has initiated a critical recall of some label printer power supplies manufactured between 2006 and 2012. There have been cases where these power supplies have caught fire putting people and property at risk.As you may have obtained Zebra printers from other sources, and we may not be able to accurately identify printers sold by us prior to October...  more...