12 Principles of the Privacy Act in New Zealand (2019)

PRIVACY ACT (1993)

Q.  What is the Privacy Act and what does it do? 

A. The Privacy Act provides rules for the collection, use and disclosure of personal information. It regulates the handling of personal information.

Twelve principles form the Privacy Act, covering the following:

§ Collection of personal information

§ Storage and security of personal information 

§ Request for access to and correction of personal information

§ Accuracy of personal information

§ Retention of personal information

§ Use and disclosure of personal information

§ Using unique identifiers

For a full breakdown of the twelve principles visit https://bit.ly/2Fvw23o

The OPC (Office of the Privacy Commissioner) is the independent body responsible for investigating privacy complaints.

1) Collection

By definition: - the action or process of collecting someone or something e.g. “the collection of data”

Requests for information come from other medical providers, ACC, insurance companies and law enforcement agencies.  The request should be specific and have signed consent from the individual (or authorised representative). 

You are required to provide information to the Police if a search warrant or production order is presented.  The following link provides a detailed outline of your responsibilities when disclosing personal information to the Police: -  https://bit.ly/2LZt7RR

Examples of methods used for the collection of medical information.

§ Patient collects medical records

§ GPGP (electronic transfer within PMS)

§ Fax 

§ Courier/Post

§ Third Parties (Insurance companies, law enforcement)

2) Use

By definition: - the action of using something or the state of being used for a purpose

The use of personal medical information should be clear from the agency or person(s) requesting the information.

An example of this would be a request from ACC for further information regarding a patient claim. To make the decision for cover, a request for further information is sent to the treatment provider. In their request they reference the relevant claim number and ask for the notes taken by the treatment provider at the time.

3) Disclosure

By definition: - the act of making new or secret information known

Disclosure results in the satisfaction of the request and use of the information sought. 


The Police or law enforcement agencies do not need to explain why they are seeking information through a voluntary request rather than by a search warrant or production order. However, they do need to provide enough information to justify the disclosure. This explanation should not prejudice the investigation or make an unwarranted disclosure of personal information. 

My Recommendations

To manage the multiple requests for information from any agencies, person(s) or representatives, I recommend having clear guidelines for all staff concerned including the following process to manage the paperwork. 

Scan all requests (non-electronic) to patient records including any responses sent and annotate when processed for future reference and audit requirements. 


Useful links for further clarification on releasing patient information: - 




Debbie Cripps
