Category: MIL-OSI

Source:

Updated by our Guidance team in March 2025.

Under rule 6 of the Health Information Privacy Code, people have the right to see their health records, but when you visit your doctor how often do you see your records? Digital healthcare information is a relatively common thing now, but many people’s health records may still be kept in paper form.

This was the case when a longstanding patient of a GP requested access to all his health records. The man, in his 70s, had been seeing the same GP for 40 years, and had also been extremely diligent in communicating with the other agencies he’d attended consultations with. As a result, those agencies had been able to forward his health information to the GP, and the man’s health records now filled two large archive boxes as well as files in the GP’s digital records system.

The reality was that his request represented many hours of collation and work.

Withholding grounds

Health agencies must provide individuals with access to their health information, unless there is a good reason not to. These withholding grounds are outlined in sections 49-53 of the Privacy Act. If an individual is denied access to their information and they believe it’s unfair, they can complain to the Privacy Commissioner who can look at the material and review the decision.

Clarifying the request

A quick phone call to the man allowed the GP to explain the logistical barriers to assessing and copying his full medical file, and how, due to time restraints, it could actually take several weeks to provide him with his records.
It turned out that the man only wanted to find out about a course of medication he’d taken 50 years ago. When the GP offered to find the relevant material he was delighted. He was also happy to have the information emailed to him.

Three years, rather than 70

Clarifying the man’s request meant the GP was able to focus on a date-range of three years rather than 70. The GP found the information he was interested in, checked it quickly for anything that wasn’t about him (in case something had found its way into his records over the years that could breach another person’s privacy), scanned it, and securely emailed it to him. Once the information was scanned, the scanned data could be added to his digital file as an attachment. A thick wedge of paper was replaced with a single file-divider indicating that three years of his medical information had been digitised. The paper records were offered to the patient, who ended up giving his permission to securely destroy them.

Had the patient asked for his entire file, the GP would have needed to consider the request in full. While it can be inconvenient and time-consuming for busy medical centres to respond to these types of requests, it should be worked into their business processes. 

You can find more information on clarifying the scope of an access request in our guidance on responding to requests and complaints well.

Health resources online

OPC has some online resources to help health agencies develop good policies to handle these requests:

• We have free online training modules that cover all your rights and legal obligations when handling health information: privacy.org.nz/e-learning
• If in doubt, contact the Office of the Privacy Commissioner – 0800 803 909 or enquiries@privacy.org.nz. We’re happy to help.

Health Information Privacy Code, health, information sharing, enquiries

Back

Source:

Last week’s decision of Clifford J in the Wellington High Court found that in the context of the Evidence Act, Nicky Hager was a journalist in relation to the publication of Dirty Politics, and was therefore entitled to assert privilege under s.68 of the Evidence Act 2006. 

The High Court decision to classify Hager as a journalist echoes my office’s decision to do the same, in a complaint made against him by blogger Cameron Slater. This is important because the Privacy Act only applies to agencies – and the definition of “agency” excludes “ in relation to its news activities, any news medium.”  Journalists working in their capacity in the news media do not come under my office’s remit. 

However, if we accorded Hager the news media protection, why did we flip-flop in another case and deny it to journalist John Roughan?

We don’t usually make public comment on cases that we have investigated. But apparent inconsistencies in approach have been picked up by parties and questioned. Those questions are legitimate, and important, so I’m happy to try and explain, by discussing elements of the complaints to our office that have been placed into the public domain by the parties.

There are three other relevant cases, all with familiar parties:

Dotcom v Attorney-General

The Crown (being sued by Kim Dotcom) asked the Court to force Kim Dotcom to produce documents held by a journalist (David Fisher), who he’d fully co-operated with when Mr Fisher wrote the biography The Secret Life of Kim Dotcom. This is a process called discovery. Usually, one party can ask the other party to give up all relevant information that is within their control. If a third party has information relevant to the proceedings, there is a special process by which they can be compelled to produce information for the proceedings as well. This is called “third party discovery”.

The Crown argued that because Kim Dotcom had a right under the Privacy Act to access personal information held by an agency, any such information was within his control, and therefore he should exercise his right to procure and produce it.

David Fisher was, they said, an agency under the Privacy Act, and Kim Dotcom could get all the information held by him. The Court considered whether David Fisher was an agency, given he was a journalist, working for a major NZ daily newspaper, who had regularly written news articles about Kim Dotcom. 

Then Chief High Court Judge, Justice Winkelmann concluded that in David Fisher’s capacity as an author of a book, he was not “news media” as the definition refers to “articles”, not “books”. The result seemed to be that Mr Fisher would not be subject to the Privacy Act for an article published in the New Zealand Herald, but if a collection of such articles were published as a book, he would be.

Cameron Slater v Nicky Hager

Nicky Hager received a hard drive from an unnamed source with a significant amount of personal correspondence to and from blogger Cameron Slater. He then used that information as source material for his 2014 book Dirty Politics.

Mr Slater made a complaint to my office that the means by which Mr Hager obtained his private communications, and then subsequently published them, breached his privacy

The matter the High Court was addressing in Dotcom v Attorney-General was based on an individual’s right of access (that is, information privacy principle 6). The question we faced in the Slater v Hager complaint was about the means by which an investigative journalist collected and disseminated information (that is information privacy principles 1-4, and 11), so there were differences in the basic facts of the case.

We, and others found the High Court decision in Dotcom troublesome from a number of perspectives, not the least being that it effectively puts my office in the position of having to form a view on what information parties are entitled to have access to for court proceedings, but I have no power to order the production of the information. If the Privacy Act is to be the means for providing third party discovery there will be significant delays in cases before the courts as parties come through my office, and then on to the Human Rights Review Tribunal before going back to the court hearing their dispute.

When lawyers find a precedent case inconvenient, they seek to “distinguish” it from the facts of other cases it might otherwise apply to.

In determining whether Mr Hager was ‘news media’ for the purposes of the publication of a book, my senior investigating officer decided the facts of the complaint were quite different from those in the Dotcom case. He was obliged to take into account s.14 of the Privacy Act which requires that in performing functions under the Act, we have to have due regard for the protection of important human rights and social interests that compete with privacy. 

And he had to think about s.6 of the New Zealand Bill of Rights Act 1990 (NZBORA)  which provides “Wherever an enactment can be given a meaning that is consistent with the rights and freedoms contained in this Bill of Rights, that meaning shall be preferred to any other meaning“. 

Section 14 of the NZBORA provides for “freedom of expression, including the freedom to seek, receive, and impart information and opinions of any kind in any form”. 

And so we made the decision that the writing and publication of Dirty Politics was the collection and dissemination of news, by a journalist, and that as such we had no jurisdiction to consider a complaint that its publication or research that lead to it, was a breach of the Privacy Act. 

Roughan v Prime Minister John Key

So if Nicky Hager is a journalist when he writes a book, why isn’t John Roughan when he does? 

Mr Roughan wrote a book about Prime Minister John Key.  Lawyers for Bradley Ambrose, the cameraman suing Mr Key for defamation as a result of the “teapot tapes” events asked the Prime Minister for discovery, including material held by his biographer John Roughan. They were asking him to exercise his right under the Privacy Act to access personal information about him, so it could be produced to the Court. Lawyers for the Prime Minister obliged and made the request of Mr Roughan, who refused on the basis that he was a journalist. 

Here, we had a case that was “on all fours” with the earlier decision of Justice Winkelmann. A journalist working for New Zealand Herald writes a book about a well known individual who is a party to legal proceedings. I made the decision that as a statutory officer faced with a case with identical facts to those directly ruled on by a senior judicial officer, I was bound by that precedent. There was simply no “wiggle room”. 

Privacy, freedom of press and the courts 

A freely functioning press is vital to a healthy democracy. Press freedom, and freedom of expression are not absolute values, and are like other rights, subject to limitations. That’s why we have defamation laws, laws against incitement, and limits to protect  privacy.   

This is also why Nicky Hager ultimately succeeded in his judicial review of a warrant to search his property for evidence that might identify the source of the information Hager used for his book Dirty Politics. 

I agree with critics that consistency in the law and its application is an important value. With the Government committed to reform of the Privacy Act, it could be timely to take the opportunity to clarify the position of journalists, privacy, discovery and the Courts.

media

Back

Source:

So you are hiring. What do you need to do to meet your privacy obligations? Here’s an easy checklist of do’s and don’ts. They all relate back to the 12 privacy principles that guide the collection, use, storage and disposal of personal information.   

Applications

When calling for applications, the key thing to remember is to only ask for information that is relevant to the applicant’s suitability for the particular role. For example, an airline might need to know certain medical information about a candidate because a flight attendant might not be able to work safely if they had certain health conditions. But if it’s not relevant to the role, don’t ask for it.

Other considerations:

• It’s important to keep the identities of applicants and their personal information confidential.
• Disclose the information only to those who are directly involved in the recruitment. It is not okay to share the applications around your workplace or talk about them with anyone else.
• Make sure you store the information safely and securely from unauthorised access.

Interviews

It is also important at the interview stage to take reasonable steps to protect the identity of your applicants including, and perhaps especially, for internal candidates. 

You might want to consider holding the interviews away from the office if you think it might be more appropriate, especially if candidates will be easily recognised. You have a duty not to breach an applicant’s privacy by doing anything that might reveal they have applied for the role.  

Reference and other checks

You can only contact the referees that an applicant nominates. This includes for internal applicants. If the applicant has not agreed to the employer approaching a person, the employer should not approach that person for information.

If there is someone other than an applicant’s nominated referees whom you would like to get a reference from, you must first get the applicant’s express consent.

If the applicant doesn’t consent:

• You can’t go ahead and speak to that other person anyway;
• But you can draw your own conclusions on what this might say, or might not say, about an applicant’s suitability. 

Remember to always check with the referee if their comments are provided in confidence to you. Otherwise, you may be obliged to disclose their comments if the applicant asks for them.

Get the applicant’s prior consent to any vetting you are going to do. This includes checking for qualifications, criminal convictions, police vetting (which is necessary for particular types of jobs), and credit checks. But only undertake credit checks if the role carries a significant financial risk. Even asking for consent to do a credit check requires justification.

You can use publicly available information to help inform your assessment of an applicant’s suitability. Some employers might carry out a Google search to find out what is out there about an applicant. 

But it is not okay to:

• ask applicants for their social media login details
• ask them to befriend you online so you can check them out
• ask an existing online friend to check them out for you.

After the recruitment

Check with your successful applicant what they are happy for you to disclose about them when you announce their appointment, and when. The personal information they provided you in their application is not necessarily information they are happy to share more widely.

Take care with the way information you have gathered is handled:

• You cannot use the information you obtained in a recruitment process for any other purpose, except with the applicant’s express consent. 
• Securely destroy the applications of unsuccessful candidates, unless you have received their prior consent to keep their personal information on file in case another suitable opportunity should arise. 
• If you used a recruitment agency, make sure they do the same. As they were working for you, you are responsible for ensuring that they meet your privacy obligations to applicants.

Further references

See our case notes on this subject, including these relevant cases:

 Image credit: Clint Tierney (2008) via Digital NZ.

employment

Back

Source:

A complainant seeking $100,000 in damages for Westpac’s disclosure of a debit card statement to his employer has had his case dismissed by the Human Rights Review Tribunal.

The complainant was a chartered accountant employed by an accounting firm. He explained that a debit card issued by the firm was registered in his name and the statements were sent to his home address. He said the statements recorded personal transactions as well as work-related transactions and that the information should not have been disclosed to his employer.

The accountant said Westpac had breached principles 5 and 11 of the Privacy Act. Principle 5 says an agency shall take the necessary safeguards to protect personal information against loss and access, use, modification, or disclosure. Principle 11 says an agency shall not disclose personal information unless the agency believes the disclosure is for one of the purposes in connection with which the information was obtained.

Debit card dispute

In its decision, the Tribunal said the outcome of the case depended on whether the debit card was in effect the accountant’s personal card or whether it was for the purposes of his employment at the accounting firm.

Under the accounting firm’s instructions, Westpac issued debit cards to four of its team leaders, including the complainant. The firm said the cards were intended to be used from time to time to pay for work-related expenses such as coffees for team members. At the time the cards were issued, the firm credited $820 to each card.

The complainant said the card he was issued was not linked to his employer and the firm was not provided with, or did not seek any authority to obtain, information about it from Westpac.

But the accounting firm’s business manager said the requirement to account for expenses reconciliation purposes had been verbally communicated to the four team leaders, including the complainant, on a number of occasions. With the exception of the complainant, the other team leaders complied with the requirement and provided the firm with their expenditure information.

Cash advance

A month later, Westpac sent the complainant an account statement of the card’s transactions. This included details of a cash advance of $700 and a cash deposit for the same amount some days later.

The firm’s business manager who set up the four pre-paid debit cards with Westpac said she asked the bank to provide a copy of the complainant’s debit card statement for accounting reconciliation purposes and to ensure that the transactions recorded on it complied with the firm’s rules for the use of cash loaded onto the card.

She did this because, despite numerous requests, the complainant did not provide the information requested. The bank complied with the request.

The complainant then complained to Westpac that the disclosure of the debit card statement to the firm was a breach of the Privacy Act. In its initial response, Westpac said the release of the statement had happened in error. Westpac then contacted the firm and asked it to destroy or return the statement. The bank also apologised to the complainant.

After further consideration, the bank concluded the disclosure of the debit card statement to the complainant’s employer was justified because the card had been authorised by the employer. In other words, the accounting firm that employed the complainant had made it clear that it needed to maintain proper oversight of the transactions carried out using the debit card.

Sum for damages

The accountant took his complaint to the Tribunal. He nominated $100,000 as the sum for damages for emotional harm suffered and damage to his career and employment relationships, plus $4,000 for legal fees.

The Tribunal said in its decision the outcome of the case depended on whether the debit card was the complainant’s personal card, or whether it was for business purposes. The Tribunal overwhelming established it was for business purposes. It noted that in Westpac’s records, the transactions were recorded under the firm’s profile.

The Tribunal’s decision described the accountant as an opportunist. It noted what it called the “noticeably self-serving tone to (the complainant’s) evidence and his shutting of the eyes to the overwhelming evidence” that the card was provided to him for work purposes only.

The Tribunal members assessed the complainant as a person whose career aspirations at the firm had been thwarted by circumstances of his own making. The ‘error’ initially admitted by Westpac for sending a copy of the debit card statement to the employer had encouraged the complainant to seek a windfall financial gain.

It observed that it would be astonishing if a firm did not put in place conditions that required documentation to ensure oversight of spending and an audit trail to help with the calculation of expenses for tax purposes. The Tribunal found there had been no breach of an information privacy principle and dismissed the complainant’s case.

Image: “Prosperity” metal elephant coin bank, ca. 1900, USA (Creative Commons licence).

complaints, Human Rights Review Tribunal, IPP5 – storage & security, IPP11 – disclosure

Back

Source:

What happens when an agency’s record of your identity conflicts with who you actually are? This is the question we grappled with in an Immigration New Zealand (INZ) case that we recently referred to the Director of Human Rights Proceedings.

Update: INZ and the Director of Human Rights Proceedings have since settled this case on a confidential basis that will avoid the need to take the case to the Human Rights Review Tribunal. INZ has acknowledged it breached principle 7 of the Privacy Act (which deals with the requirement that agencies correct personal information upon request). Read the media release here.

Estimating a birth date

Here’s what happened: in 2011, a young Ethiopian man immigrated to New Zealand, sponsored by his aunt. He did not know how old he was, as his parents had died when he was very young and there was no record of his birth – birth registration is not compulsory in Ethiopia. In order to obtain a birth certificate to support his refugee application, his aunt consulted with locals and estimated his birthday to be in early 2000. Immigration NZ used this birth date on his refugee visa.

When he arrived, a paediatrician commented that he looked big for an 11 year old boy. These comments were echoed the next year by his teacher and another doctor, so he had a bone density scan and dental examination to double-check his birth date. Both indicated  he was at least 16 years old at the time and could be as old as 18.

Based on this information, the young man asked Immigration NZ to correct his birth date on two occasions: once in 2013 based on the medical and dental examinations, and once in 2014 after getting an amended birth certificate from Ethiopia with a 1996 birth date. On both occasions, the agency said no. 

What’s in a date?

When he made his privacy complaint late last year, the young man was physically, mentally and emotionally in late teens, but his visa said he was 14. The discrepancy between the young man’s actual age and the age on his visa prevented him: 

• Earning the adult minimum wage
• Accessing financial assistance from  Studylink and WINZ
• Getting a driver’s licence

These were entitlements that he should have received as a New Zealand resident. He was prevented from receiving them because Immigration NZ’s version of his identity did not match his actual identity.  

Correcting vs annotating

Immigration NZ offered to add a note, in line with principle 7 of the Privacy Act, indicating that he had requested a correction, but that the change had not been made. Immigration NZ declined to go as far as to correct his birth date because the medical records, dental records and amended birth certificate could not verify that the young man was born on a specific date. All that evidence did was show  that the date they were using was wrong.

We do not agree with this view. While the tests do not prove that the date on his new birth certificate is correct, they do prove that it is significantly more accurate than the date on his current visa. In a perfect world, the correct date would be available and verifiable, but in this imperfect situation, we believe that Immigration NZ should adopt the position supported by evidence rather than stick to a position based purely on supposition.

Case law gives us a steer  

Case law provides more guidance by saying that while agencies can choose to correct or annotate incorrect information, they need to consider the potential ramifications of their actions when deciding which path to take.  

As a hypothetical example, consider a medical file incorrectly indicating that someone is not allergic to penicillin. Failure to correct this information could result in the person’s death, so a note indicating that they had asked to correct the information would be insufficient.

This case is in a similar category to the penicillin example. The incorrect birth date caused significant harm on an ongoing basis by cutting off the young man’s access to services that he should have been entitled to. Correcting his birth date was the only way to stop this harm, so an annotation was not sufficient in this instance.   

Referring it on

We disagreed with Immigration NZ’s view that a note on the complainant’s file was sufficient and we referred the case to the Director of Human Rights Proceedings to consider bringing before the Human Rights Review Tribunal. We’ll keep you posted on the outcome.

A few more resources

For more information, you can look at:

The case note with more detail on the case and case law

The media release about the case

IPP7 – correction, IPP8 – accuracy, Human Rights Review Tribunal, customs & immigration

Back

Source:

Privacy authorities typically perform regulatory and enforcement functions on their own – or occasionally with another public body – within their domestic jurisdiction. They know the domestic law they enforce. The law will clearly lay out the authority’s role and provide a clear pathway to the intended outcomes.

By contrast, cross-border cases offer none of these certainties.

We were recently asked the question: “What international privacy enforcement cooperation initiatives are in operation and what practical tools are available to facilitate cooperation?”

There are several difficulties:

• It may not be clear what authorities might or should be involved.
• The applicable law may be uncertain or unknown to authorities contemplating involvement in a case.
• The roles may not be clear or may be contested.
• The possible outcomes may not be known and the pathway to any outcome may not be clear.

For the past 10 years, much effort has been expended at an international level to create conditions whereby the chances of successful cross-border cooperation amongst regulators are improved. Here are some of those efforts and examples of the practical tools that now exist.

Building the right environment

Before turning to precise enforcement cooperation tools, it may be helpful first to canvas cooperation more widely.

It is probably unrealistic to expect instant success in cross-border enforcement, if an authority remains entirely domestically focused until it encounters its first case with a cross-border element.

Where would such a domestically focused authority turn? How would they know who to approach for assistance in a foreign jurisdiction? What would they know of the other jurisdictions law and how would they find out? What would an authority in another jurisdiction think of a request for assistance arriving ‘out of the blue’ from an authority it had never heard of?

Three approaches to creating cooperation might briefly be mentioned:

1. Networking with peers.
2. Connecting with stakeholders.
3. Access to law.

1. Networking with peers

The likelihood of successful cooperation across borders may be enhanced if you know your counterpart before that first case arises.Privacy authorities have networked with their peers for four decades through the International Conference of Data Protection and Privacy Commissioners.

Privacy authorities also network at a regional level. In our region this happens through the Asia Pacific Privacy Authorities Forum. Our French and Spanish speaking counterparts also have networks of their fellow-linguistic colleagues. 

There are also two specialised enforcement cooperation networks set up in 2010:

• APEC has established the Cross-border Privacy Enforcement Arrangement (CPEA), with 25 participating authorities.
• Global Privacy Enforcement Network (GPEN) was set up with the assistance of OECD, and now has participating authorities from 46 countries.

More information on these networks is available at the ICDPPC website.  

2. Connecting with stakeholders

Regulators and privacy enforcement bodies should engage with stakeholders such as global business, privacy professionals and civil society to build an environment for successful cooperation. Efforts by groups such as IAPP and iappANZ to build compliance capacity are positive steps that create an environment for cooperation.

3. Access to law

While no regulator has the time or inclination to become an expert in every other economy’s law, there are clearly benefits in some general information sharing about laws and legal interpretations. There is also benefit in being able freely to access legal information in greater detail as needed. In the area of privacy law, many of the key interpretations are issued by regulators rather than in court decisions, and may not be available through mainstream law reports.

There have been various efforts to address these deficits in legal information. Three examples from our own region are:

• APEC has each economy describe its privacy laws in a structured standardised way called an Individual Action Plan or Data Privacy IAP.
• The APPA Forum has issued standards for privacy authorities on citation and dissemination of case reports.
• The World Legal Information Institute (maintained in Australia) operates a huge free access repository of case reports and laws known as the International Privacy Law Library.

Tools for cooperation

The following are a selection of the practical tools developed in the last 10 years to promote enforcement cooperation:

• Policy guidance for updating existing privacy laws
• Cooperation networks
• Templates for requesting cross-border assistance
• Directories of enforcement contact points
• Standard statements of enforcement cooperation practices
• Discussion networks
• Templates for information sharing agreements
• Secure information exchange platforms
• Published guides

Updating existing laws

The OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy (2007) provides a blueprint for upgrading privacy laws more effectively to deal with cross-border cooperation.

Cooperation networks

The OECD Recommendation on Cross-border Cooperation suggested a need for cooperation networks of privacy authorities. Several networks have accordingly been established since 2007:

Templates for cross-border assistance

Both the OECD and APEC have released Request for Assistance templates for seeking assistance from authorities in other member economies.

Directories of enforcement contacts

The OECD, APEC and Council of Europe have each established processes for nominating and listing national or economy contact points. These three international organisations have cooperated in maintaining a combined directory which is maintained for access by authorities through the GPEN website.

Standard statements

APEC has established a requirement for authorities that participate in the CPEA to publish standard statements of enforcement cooperation practices. This is published both on the authority’s own website and centrally on APEC’s system.

Discussion networks

GPEN has a facility for general discussions amongst enforcement staff on its password-protected forum pages. It also hosts 20 discussion teleconferences each year. These are split into two regions – Pacific and Atlantic.

Information sharing agreements

GPEN has a standard information sharing agreements applicable to the GPEN Alerts System. ICDPPC’s Enforcement Cooperation Arrangement also features an optional template for an information sharing agreement.

Information exchange platforms

GPEN has established the secure GPEN Alerts System.

Published guides

The EU’s PHAEDRA Project produced several reports useful to enforcement cooperation. The ICDPPC has produced an enforcement cooperation handbook. In 2016, an Enforcing Privacy textbook was published.

Conclusion

In the past 10 years, and particularly since the publication of the OECD’s 2007 Recommendation, considerable progress has been made in creating conditions conducive to cross-border cooperation and to provide privacy authorities with the tools they need.

Cross-border cooperation remains difficult and the greatest progress will probably only been made when all privacy laws are upgraded, as recommended by the OECD, with cross-border action in mind.

Image credit: Wagah border ceremony – Wikipedia

Asia Pacific Privacy Authorities (APPA), Global Privacy Assembly (GPA), International Association of Privacy Professionals (IAPP), OECD, International, Europe, legal, Asia Pacific

Back

Source:

Reviewed for relevance April 2025.

As parents, we expect to be told everything about our infants when we take them to the doctor. The same with our toddlers. By the time they get to their teens, it gets a little more complicated. Should parents have the right to know about all about their under 16-year-old’s healthcare?

That issue was the subject of a recent petition to Parliament. It asked:

That the Parliament pass legislation providing that a parent of a woman under the age of 16 years has the right to know if that woman has a pregnancy confirmed before she is referred for any resulting medical procedure, and that any consent sought for the medical procedure be fully informed as to procedure, possible repercussions, and after-effects.

The Select Committee that considered that petition has just made its report. Read the report, ‘Petition 2014/11 of Hillary Kieft and six others‘. We were asked to make a contribution to the debate and we made a submission to the Select Committee. You can read our submission where we set out how the law currently works and how the Privacy Act applies.

Medical information is universally understood to be sensitive information. Reproductive health information is generally accepted as being particularly so.

The Privacy Act’s Health Information Privacy Code says a health agency is entitled to disclose information to a parent or representative if a patient is unable to consent. If a young person objects or specifically requests privacy, it is open to the health agency to make an assessment of the young person’s ability to make that request. A test called ‘Gillick competence’ is used by doctors to evaluate a patient’s competency in this regard.

If a young person, a minor, wants to keep her request for reproductive health advice or services secret from her parents, a health agency is not automatically required to tell her parents. Under the Privacy Act, anyone has the right to protect the privacy of their personal information.

Other laws also need to be considered. In general, doctors cannot treat any person without obtaining their informed consent. Anyone over the age of 16 can refuse or consent to medical treatment but legislation is silent on the consent of minors. Section 22F of the Health Act permits a parent or representative of a child to request information about that child. But section 22F also says a doctor must still consider whether it could be contrary to a minor’s interests to disclose the information.

Our submission to the Justice and Electoral Committee says if a girl, who has been found to be mentally competent, is able to give or refuse consent for a termination, she also has the right to keep their personal medical information private from her parents. Current privacy laws protect a minor’s right to privacy while also giving an appropriate level of discretion to doctors when faced with whether or not to disclose their personal information.

Such an approach is consistent with the United Nations Convention on the Rights of the Child which recognises that children and young people have legal and social rights when seeking consent to healthcare. 

children, health, Health Information Privacy Code

Back

Source:

Mrs Patel was outraged. She’d visited her GP for a follow-up check after her hand surgery, and he’d asked her about her history of depression. She didn’t think she’d had anything of the sort, and decided to ask the receptionist for a copy of all her medical notes to see what else was in there. The young receptionist assured her that the doctor owned the notes so she couldn’t have them. 

“But they are about me and I have never seen them!” Mrs Patel protested. 

The receptionist paused for a moment. “Well,” she said, “put your request in writing and your doctor might let you see some of the notes. Our administrative charge for dealing with your request is $50. Now, shall we make an appointment to see your doctor about this?” Mrs Patel looked at her writing hand, which was still feeling tender, and decided to call the Privacy Commissioner.

The above (fabricated) scenario is an example of the sort of enquiries I receive. Just in March this year we had 145 enquiries from individuals and agencies for guidance about access requests. Medical centres in particular are often keen to understand their obligations around access requests.

Access to personal information

Individuals have a fundamental right to ask for access to any health information held about them. This right also extends to a “representative”: a parent or guardian of a child under the age of 16 years, an executor or administrator of a deceased individual’s estate or the person who has an activated enduring power of attorney for the individual concerned or someone acting in the individual’s best interests. 

We encourage individuals to put their request in writing – this way there is a record of the request and the health agency knows exactly what information is required – but there is no prescribed way to make an access request. Many health agencies have their own forms to make sure all the necessary details are collected. However, since Mrs Patel has an injured hand, she could make a verbal access request and the health agency should give her any assistance she needs to do that. Mrs Patel definitely doesn’t need to pay for an appointment with the doctor to make her request.

From the day after the health agency receives an access request, it has 20 working days to decide if it will release the information. Once it’s decided to release the information, it should do so without undue delay, and if it wants to withhold anything, it should specify the withholding grounds set out in the Privacy Act it is relying upon to do so.

What about information ownership?

Who owns the information is irrelevant. A health agency can’t refuse an access request because it owns the information. Nor can it refuse an access request because the requester owes a debt.

Information should be made available to individuals in the way they prefer. If Mrs Patel has asked for a copy of her health information that’s what she should get unless it would impair the efficient administration of the health agency. 

Charging

Because this is the first time that Mrs Patel has asked for her notes it’s not permissible to charge. But if copying her medical file requires copying an x-ray, video recording, MRI, PET or CAT scan photograph, the medical centre can levy a reasonable charge. 

Verifying identity

But a word of caution: before handing over the information to the requester, the health agency must be satisfied concerning the identity of the requester. Don’t hand sensitive health information over to the wrong person.

Sometimes requesters confuse making an access request for their information with wanting their physical file instead. What matters is the information itself – ownership of the health information is irrelevant. That said, a health provider can release the physical copy of the information to the individual the information relates to even though they don’t have to. Sometimes a doctor will hand over her notes to the patient, say, when the patient is moving permanently overseas or to a different region in New Zealand. This means the patient has possession of their health information and can immediately give their medical file to their new health provider. 

It can be difficult remembering all the procedural aspects, both for the busy health agency and the mystified requester. The Privacy Commissioner recognises this and is determined to make privacy easy. 

New tool: AboutMe

To this end, we have developed an online tool to help called “AboutMe”. This online tool helps you make an access request. The request is then emailed to the agency you choose. We never see what is being requested, we just provide the mechanism. The request includes a standard note from us about what the agency needs to do to respond to the request and by when. 

Returning to Mrs Patel – she made a verbal request to the medical centre which was noted down by the privacy officer (every agency should have one). Mrs Patel received the information promptly and immediately saw the inaccuracy. Her doctor agreed with her and made an appropriate correction in her medical file. Furthermore, Mrs Patel is thrilled that she has full use of her hand again, her trust in her doctor is restored, and she is back playing tennis and tending her roses!

First published in NZ Doctor on 25 May 2016

Image credit: Artist Paul Holmes via Vincents Art Workshop.

IPP6 – access, health, Health Information Privacy Code

Back