Privacy in the digital age: navigating health information obligations in New Zealand


In today’s rapidly evolving health sector, the intersection of technology, ethics, and law has created a complex landscape for privacy. As health services become increasingly digitised, questions arise about who health providers owe duties to, what those duties entail, and how they can be effectively discharged. At the heart of these concerns lies the fact that health information is deeply personal, and its protection is essential to maintaining trust between providers and patients.

Privacy Fundamentals: Transparency and Consent

The privacy law in New Zealand is built on two foundational principles: transparency and consent. These principles apply across all sectors but take on heightened importance in health and disability services. Under the Privacy Act 2020, individuals must be informed of:

  • Why their information is being collected;
  • How it will be used;
  • Who is collecting it;
  • Who may access it.

These obligations ensure that individuals retain autonomy over their personal data and stay informed on its disclosure. In the health context, this means that patients must understand not only the purpose of data collection but also the scope of its use—especially when shared among multidisciplinary care teams.

The Health Information Privacy Code 2020 (HIPC)

Recognising the sensitive nature of health data, the Health Information Privacy Code 2020 (HIPC) supplements the general privacy principles with 13 specific rules tailored to health providers. These rules align with the Privacy Act but impose additional obligations that reflect the unique vulnerabilities of health information.

Key requirements under the HIPC include:

  • Mandatory privacy policies for all providers, regardless of size.
  • Disclosure of team-based care, informing patients that their information may be shared with a wider group of professionals involved in their treatment.
  • Verification of key data, requiring providers to ask patients to update or confirm critical information.
  • Retention of health records for a minimum of 10 years.

These rules are not merely formalities—they are essential safeguards designed to prevent misuse.

Notifiable Privacy Breaches: What Happens When Things Go Wrong

Despite best efforts, privacy breaches can and do occur. A breach is defined as any unauthorised access, disclosure, alteration, loss, or destruction of personal health information. It also includes situations where individuals are unable to access their own data due to technical failures or systemic issues.

Under the HIPC, providers are required to notify both the Office of the Privacy Commissioner and affected individuals if the breach is likely to cause serious harm. The threshold for serious harm is intentionally broad, encompassing:

  • Physical, psychological, or emotional harm;
  • Financial fraud; or
  • Family violence.

A notable example is the case of Tai Rakena v Chief Executive, Department of Corrections. [1] Mr Rakena, an inmate at Rimutaka Prison, requested access to his own medical records. Although the Health Centre complied, his records were mistakenly delivered to another prisoner due to a cell transfer. While the breach was unintentional and the records were returned in a timely manner, the incident highlighted the importance of having robust delivery protocols.

Telehealth and the Digital Frontier: New Risks in a Connected World

The COVID-19 pandemic accelerated the adoption of telehealth across New Zealand, breaking down barriers to care and enabling flexible service delivery. However, this shift also introduced new privacy challenges. Digital platforms, while convenient, can be vulnerable to misuse—especially when access controls are poorly enforced.

In Nursing Council of New Zealand v T, [2] a nurse employed as a remote triage officer used the Medical Application Portal (MAP) to access the medical records of friends, colleagues, and former patients without clinical justification. Her actions breached both the HIPC and her professional obligations under the Health Practitioners Competence Assurance Act. The Tribunal found that her conduct amounted to malpractice and brought the nursing profession into disrepute.

This case serves as a lesson that even well-intentioned professionals can cross ethical boundaries when systems lack adequate oversight. It also underscores the need for continuous training, ethical awareness, and technological safeguards.

Looking Ahead: Building a Culture of Privacy

As New Zealand’s health sector continues to embrace digital innovation, the challenge will be to balance the practical benefits of accessibility with the accountability that is necessary to protect the privacy of individuals. Privacy is not just a legal requirement—it is fundamental to building patient trust not only in individual providers but also in the healthcare industry as a whole.

To meet this challenge, health providers should:

  • Invest in privacy training for all staff, including non-clinical personnel;
  • Conduct regular audits of data access and usage; and
  • Foster a culture of ethical responsibility, where privacy is seen as integral to care.
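The audit recommendation above, and the Nursing Council of New Zealand v T case earlier in the article, both turn on the same question: did the person opening a record have a clinical reason to do so? The following added example (not code from the article, the Tribunal, or any provider) shows one way a provider could routinely check an access log against its care-team assignments. The log format, the user and patient identifiers, the care-team table and the episode windows are all constructed sample data; a real deployment would read these from the provider's own audit store and patient-management system.

```python
"""Added illustration for auditing health-record access against treatment relationships.
All names, log lines and care-team assignments are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    patient_id: str
    action: str


# Constructed audit-log lines in a hypothetical "ISO-time user patient action" format.
SAMPLE_LOG = """\
2024-03-04T09:02:11 nurse01 P1001 view
2024-03-04T09:05:40 nurse01 P1002 view
2024-03-04T12:14:03 nurse01 P2099 view
2024-03-04T12:15:22 nurse01 P2100 view
2024-03-04T12:16:48 nurse01 P2101 view
2024-03-04T14:30:00 gp07 P1001 update
2024-03-05T08:00:00 gp07 P3000 view
"""

# Constructed treatment relationships: (staff, patient) -> active care episode window.
# An access outside the window has no current clinical justification.
CARE_TEAM = {
    ("nurse01", "P1001"): (datetime(2024, 3, 1), datetime(2024, 3, 31)),
    ("nurse01", "P1002"): (datetime(2024, 3, 1), datetime(2024, 3, 31)),
    ("gp07", "P1001"): (datetime(2024, 1, 1), datetime(2024, 12, 31)),
    ("gp07", "P3000"): (datetime(2023, 1, 1), datetime(2023, 12, 31)),  # expired episode
}


def parse_log(text):
    """Parse the constructed log format into Access records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, patient, action = line.split()
        entries.append(Access(datetime.fromisoformat(when), user, patient, action))
    return entries


def has_treatment_relationship(access, care_team):
    """True only if the user is on the patient's care team and the episode is active."""
    window = care_team.get((access.user, access.patient_id))
    if window is None:
        return False
    start, end = window
    return start <= access.when <= end


def audit(entries, care_team, burst_window=timedelta(minutes=5), burst_threshold=3):
    """Return findings as tuples (kind, user, subject, time).

    Two checks: every access with no active treatment relationship is flagged, and a
    user who opens several unrelated records within a short window is flagged once
    more, since browsing through records of people not under one's care is the
    pattern the article's MAP case describes.
    """
    findings = []
    unrelated = [a for a in entries if not has_treatment_relationship(a, care_team)]
    for a in unrelated:
        findings.append(("no_relationship", a.user, a.patient_id, a.when.isoformat()))

    by_user = {}
    for a in unrelated:
        by_user.setdefault(a.user, []).append(a)
    for user, accs in by_user.items():
        accs.sort(key=lambda a: a.when)
        for i, first in enumerate(accs):
            j = i
            while j < len(accs) and accs[j].when - first.when <= burst_window:
                j += 1
            if j - i >= burst_threshold:
                findings.append(("burst_unrelated_access", user,
                                 f"{j - i} records", first.when.isoformat()))
                break
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(*finding)
```

Running the block flags the three unrelated records opened by nurse01 in under three minutes (plus one burst finding for that user) and gp07's access to a patient whose care episode ended the previous year. The value of such a check is in how often it runs and who reviews the output: a weekly report to a privacy officer, with the flagged users asked to confirm the clinical reason, turns the HIPC's access obligations into something observable rather than assumed.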

Ultimately, protecting health information is about more than compliance—it’s about compassion. When patients share their stories, symptoms, and struggles, they entrust providers with their most intimate truths. Safeguarding that trust is not just good practice—it’s the essence of good care.

We specialise in regulatory compliance and legal training for clinicians, offering tailored support to help your organisation stay ahead of legal obligations and industry standards.

Have questions or want to explore how we can help your team? Get in touch with our Data Protection and Privacy team.

Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.
