2. • Privacy is not secrecy or
confidentiality
• Privacy is wider than
security
• Privacy is about
control
What is Privacy?

3. • Tool for preserving peoples
control over their
information…
• in the face of technology
that tends to lessen that
control
What is Privacy?

4. Health Information Privacy Code 1994:
What is it?
• Code of practice issued by the
Privacy Commissioner
• Focus is on purpose not consent
• Modifies 12 information privacy
principles into 12 rules
• Purpose and openness

5. Who and what is covered
• Health information about identifiable
individuals
Medical history, services provided, results, incidentals
Some exceptions around the Cervical Screening
Programme
• Health agencies
People and organisations who provide health and
disability services, insurers
• Limits
Health Code does not override any other law that
authorises or requires collection, use or disclosure of
information

6. Health Information Privacy Code
1994: Summary
1) Only collect the information you need
2) Get it from the person concerned
3) Tell them what you're doing
4) Be nice when you're doing it
5) Take care of the information once you've
got it
6) They can see it if they want to
7) They can correct it if it's wrong
8) Make sure it's accurate before you use it
9) Get rid of it when you're done with it
10) Only use it for the purpose you got it for
11) Only disclose it if that's why you got it
12) Be careful with unique identifiers

7. Health Information Privacy
Code: rule 11(1)
Rule 11: Health information must not be
disclosed unless one of the exceptions
applies.
Disclosure is allowable if it is:
• To the individual or their representative, or
authorised by them
• One of the purposes for which it was obtained
• Originally from a publicly available source
• General information about presence, location,
condition of patient in hospital

8. some exceptions rule 11(2)
An agency may also disclose, if it
believes on reasonable grounds that
disclosure is:
• for a directly related purpose, or statistical or research
purposes
• necessary to prevent or lessen a serious and imminent
threat to public health or safety or the life or health of
the individual or another
• necessary to avoid prejudice to maintenance of law or
conduct of proceedings

9. Section 22F Health Act 1956
requires disclosure unless withholding
grounds apply, eg. Rule 11(4) HIPC, ss27-
29 Privacy Act.
Who can make request under 22F
• Person/agency who is providing or is to
provide health or disability services to
individual
• The individual’s representative

10. Section 22F Health Act 1956
Upon request the holder of health
information must disclose to:
Individual
Representative
Healthcare Provider
Treat as Rule 6, ss27-29
of Privacy Act apply
Agency may refuse if:
individual doesn’t want
disclosure or there is a
lawful excuse not to
disclose
Rule 11(4)(b) agency
may refuse if:
contrary to individual’s
interests or patient veto,
or ss27-29 Privacy Act
apply

11. Representatives
• Where a person is dead – their personal
representative (executor or administrator)
• Where a person is under 16, dead or alive
– a parent or guardian
• Where a person cannot give consent or
exercise rights – a person lawfully acting
on their behalf or in their best interests

12. Access & Correction Rules 6 and 7
If health information is readily
retrievable people have a
right to:
• confirmation whether the
agency holds information about
them
• have access to the information
• ask for it to be corrected

13. Withholding Grounds Rule 6
Good reasons to withhold
information from an
individual; ss 27-29 of the
Privacy Act
• 27(1)(c) - prejudice maintenance of law
• 27(1)(d) - endanger safety
• 29(1)(a) - unwarranted disclosure
• 29(1)(c) - prejudice physical / mental health
• 29(2) - not readily retrievable / cannot be found / does
not exist

14. Correction Rule 7
Individuals have a right to request correction;
or have a statement of correction added.
Agency must either:
make the change attach statement
inform the individual and any
recipients of the information

15. Policy and Privacy in Health
• Privacy isn’t just the Privacy Act
• Complexities arise from
relationship between:
– Ethical confidentiality and privacy
– Biological material and health
information
– Electronic records and physical
records
– “Opt-in” vs “Opt-out”
– Informed consent vs notification

16. Function Creep

17. Collection some implications
• Collection is where you find the key
legal obligation of transparency
• Falls on agency initially collecting
data
• In health context, places heavy
weight on primary care
• Practical need for ‘upstream’ users of
data to take some of that load
• Benefits in trust, openness and
willingness of health consumers to
have their information used
• Also benefit of increased trust from
‘downstream’ health agencies

18. Wider context
• Records can be owned, information
cannot
• Agencies have obligations (purpose
and openness)
• Individuals have rights (access and
correction)
• Also, privacy law focuses on
awareness rather than consent
• However both consumers and
clinicians can have a valuable sense
of ownership over information about
them – don’t want it misused
• Trust is harder to regain than it is to
lose

19. Competing interests
“The Commissioner shall have
due regard for the protection of
important human rights and social
interests that compete with
privacy, including the general
desirability of a free flow of
information and the recognition
of the right of government and
business to achieve their
objectives in an efficient way”

20. Competing Interests
Can be quite compelling:
–Patient wellbeing
–Research
–New uses for information
–Profit
–Easier better processes

21. How are these managed?
• Complaints and enquiries process
in Privacy Act
– Relies on people making complaints
– Requires ‘harm’
– Legalistic
• Ethics committees for research
– Circular definitions
• Privacy Commissioner comment
on new laws and proposed
schemes
– Limited resources
• Public and practitioner outrage
– Potent but unreliable!

22. •Patients come to their
doctors because they trust
them.
•Good privacy is good
business
•Our role is not to prevent
change, but to make sure
people know what they’re
getting into
•“Road maps, not road
blocks”
Ultimately…

23. Don’t blame the Privacy Act!Act!
enquiries hotline 0800 803 909
www.privacy.org.nz
sml@privacy.org.nz