Privacy in New Zealand GP practices: law, trust, and everyday decisions
Privacy in general practice is best understood as part of clinical governance, patient safety, and practice risk management. For GPs, the main issue is rarely whether health information is sensitive; that is assumed. The more useful question is whether the practice’s everyday systems (such as enrolment, recalls, inbox management, referrals, portal use, family communications, staff access, third-party requests, and breach response) are consistent with the relevant legal and professional standards.
This means that privacy risk is not just an individual issue; it is fundamentally a governance and systems issue for practice owners, and one they cannot afford to overlook. Under the Privacy Act, a breach by an employee is treated as a breach by both the employee and the employing medical practice.
At its core, privacy law for health information reflects a simple structure: collect only what is needed, be transparent about its use, protect it in practice, and use or disclose it only for proper purposes. This article sets out how that framework operates across the lifecycle of health information, and where the main risks tend to arise.
The legal framework for GP privacy
The general privacy statute is the Privacy Act 2020 (Act), which establishes a framework governing how personal information is collected, stored, used, and disclosed by agencies in New Zealand, and provides individuals with rights of access to, and correction of, that information.
In the health context, these general protections are supplemented by the Health Information Privacy Code 2020 (Code), which applies specifically to health agencies such as GP practices. The Code imposes more detailed obligations reflecting the heightened sensitivity of patients’ personal and medical information.
These legal obligations are reinforced by patient rights and professional standards. Patients have a corresponding right to privacy under the Code of Health and Disability Services Consumers’ Rights (Right 1(2)). In parallel, the Medical Council of New Zealand’s standards (including Good Medical Practice) require doctors to respect patient privacy and confidentiality and are used by disciplinary bodies as benchmarks for assessing professional conduct.
Collection: purpose, necessity, and clear notice
The collection of health information is governed by principles of purpose and necessity. Under Rule 1 of the Code, health information should only be collected where it is necessary for a lawful purpose connected with the functions or activities of the practice. In a general practice setting, the provision of care and treatment will ordinarily be the primary purpose of collection. However, the Privacy Commissioner recognises that information may also be collected for related purposes such as administration, training and education, and quality assurance activities.
The manner of collection is also significant. As a general position, information should be collected directly from the patient wherever practicable (Rule 2 of the Code). This supports transparency, promotes accuracy, and enables patient participation in the clinical record.
Finally, the Code emphasises the importance of informing patients about the collection of their information. Patients should be made aware of why their information is being collected, who it may be shared with, where it will be held, and that they have rights of access to, and correction of, their information (Rules 6 and 7 of the Code). These requirements ensure that patients are able to understand and exercise meaningful control over their personal health information.
Indirect collection: Rule 3A
Information Privacy Principle 3A (IPP 3A) is a new requirement under the Act, in force from 1 May 2026, and is mirrored for health agencies by Rule 3A of the Code. It deals with indirect collection, meaning collection of personal information from someone other than the individual concerned.
Where a health agency collects health information about a person from someone other than that person or their representative, the agency must take reasonable steps, unless an exception applies, to ensure the person or their representative is aware of the collection, its purpose, intended recipients, the collecting and holding agencies, any legal authority for collection, and their access and correction rights (Rule 3A(1) of the Code).
This matters in general practice because indirect collection is common. Examples include information received from hospitals, specialists, laboratories, pharmacists, family members, schools, employers, insurers, support workers, aged-care facilities, and patient portals.
The practical task is not to create a separate notification for every ordinary clinical document. The Privacy Commissioner states that Rule 3A obligations may often be met through accessible privacy policies, statements, and notices, but health agencies need to know what they collect directly and indirectly and tailor their notices accordingly (see link).
A routine hospital discharge summary or laboratory result may sit comfortably within expected care pathways. However, a family member’s unsolicited report about a patient’s mental health, for example, may require more careful judgement about notification, documentation, and whether an exception applies.
Use and disclosure of private information
Rule 11 of the Code prohibits disclosure of health information unless an exception applies.
Disclosure is permitted where the patient (or their representative) has authorised it, or where it is for a purpose directly related to the reason the information was collected. For example, where a GP collects information to facilitate treatment, sharing it with a specialist does not require separate consent, provided the patient was made aware this would occur.
For general practitioners, the key distinction is between disclosures for care and disclosures to third parties. Sharing information with other health providers will usually fall within the original purpose of collection. By contrast, disclosure to employers, insurers, family members, or other non-treating parties will generally require a separate basis.
Limited disclosure to family or caregivers may be permissible where it is not practicable or desirable to obtain the patient’s authorisation, and the disclosure is consistent with professional practice and not contrary to the patient’s wishes.
The “serious threat” exception is also available, but narrow: disclosure must be necessary to prevent or lessen a serious threat to public health or safety, or to an individual’s life or health, and must be made to someone able to act on that threat.
A helpful working rule is: disclose the minimum relevant information to the right recipient for the identified purpose, and document the reason where the disclosure is outside routine care.
Security, record access, and breach response
Rule 5 of the Code requires health agencies to take reasonable security safeguards to protect health information against loss, unauthorised access, use, modification, or disclosure. This obligation is ongoing and requires agencies to actively assess and manage risk.
The Privacy Commissioner emphasises a practical, risk-based approach: agencies should identify the risks to the information they hold, implement appropriate safeguards, and ensure those safeguards are consistently applied. In a general practice setting, this encompasses electronic security, operational controls, and physical protection of records.
Access control is a key issue. The fact that a staff member can technically access a patient record does not mean they are entitled to do so. Access must be justified by a legitimate clinical or administrative need, with role-based restrictions and clear internal policies supporting this.
Following a privacy incident, agencies must assess the risk of serious harm and, where that threshold is met, notify the Privacy Commissioner. The Privacy Commissioner has indicated that “serious harm” may include physical harm or intimidation, financial fraud, identity theft, psychological or emotional harm, employment disadvantage, blackmail, or threats to personal safety.
Case examples: what goes wrong in real clinics
Receptionist disclosure at a family gathering. In a 2019 Privacy Commissioner case, a medical centre receptionist disclosed at a family gathering that a couple, friends of one of the people present, had attended the clinic for a sexual health test. This engaged Rules 5 and 11, which require safeguards against unauthorised disclosure and prohibit disclosure unless an exception applies. The case illustrates that confidentiality obligations extend to all staff, including reception and administrative roles, and must be reinforced for situations where informal conversation or social pressure may arise. It also confirmed that, under the Act, a breach by an employee is treated as a breach by both the employee and the employing medical practice (Case Note 298757 [2019] NZPrivCmr 9).
A referral letter sent to the wrong address. In a 2016 case, a GP practice sent a counselling referral letter referring to past abuse to the wrong address, where it was opened by a neighbour. The Commissioner found breaches of Rules 5, 8, and 11, including failures in secure handling and accuracy checking. The case highlights how routine administrative processes such as addressing correspondence or selecting recipients can create significant privacy risks if not carefully managed (Case Note 270745 [2016] NZPrivCmr 10). That risk is even more pronounced now, with email communication having become the default in general practice. With email communications, the same type of error can occur even more easily, through autofill, selecting the wrong contact, or working too quickly under pressure. From a governance perspective, this is a foreseeable risk, and the expectation is that practices have systems, training, and safeguards in place to minimise it.
Failure to verify identity before release. In a 2010 case, a medical centre released sensitive family and mental health information to a person it mistakenly believed to be the patient. The Commissioner found breaches of Rules 5 and 11 due to inadequate identity verification and the absence of a lawful basis for disclosure. The decision underscores the importance of verifying identity before release, particularly in contexts involving family conflict or potential misuse of information (Case Note 210870 [2010] NZPrivCmr 24).
Improper access to electronic records. In a Health Practitioner Disciplinary Tribunal case, a medical practitioner employed by a District Health Board was found to have accessed clinical records of individuals not under her care, including for personal reasons, and to have disclosed patient information to a former friend. The Tribunal described this as a serious ethical breach, likening it to browsing physical files without justification. The case reinforces that access to clinical systems must be tied to a legitimate professional purpose, not mere technical ability (Med20/501P).
Conclusion
Privacy in general practice is governed by a clear but demanding framework. The Act, Code, and professional standards work together to regulate how health information is collected, handled, and disclosed. While the principles are straightforward, the case examples show that risk arises in everyday clinical and administrative decisions. In practice, compliance depends less on knowing the rules in the abstract, and more on consistently applying them in context. Attention to routine processes, clear judgment about purpose and disclosure, and a disciplined approach to handling information are central to maintaining patient trust and meeting legal obligations.
Special thanks to Special Counsel Simone Tune and Solicitor Anna Yu for preparing this article.
Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.