Category: MIL-OSI

Source:

A chiropractor being investigated by ACC made numerous requests for information about the investigation. When ACC withheld some of the information, he complained to the Privacy Commissioner, and then took his case to the Human Rights Review Tribunal.

Dr L is a chiropractor and acupuncturist from the United States who moved to New Zealand in 2009. He opened a clinic in Tauranga in 2010. After closing that business, he opened another clinic in Wellington in 2013.

In 2011, ACC began an investigation into Dr L’s business to determine whether a number of ACC claims submitted by him were genuine. ACC had concerns over the possible duplication of claims and other issues.

Requests to ACC

To find out more about the allegations against him, Dr L made a large number of requests to ACC for information under both the Privacy Act and the Official Information Act. He hoped that if he found out what was behind the investigation, he would be able to correct what he believed was misinformation held by ACC.

However, after ACC discontinued its investigation in 2014, it decided to give Dr L almost all the information previously withheld from him. But it withheld information about:

• ACC’s investigative techniques and the names of the informants; and
• information that would involve the unwarranted disclosure of the affairs of other people.

The Tribunal

The Human Rights Review Tribunal recently published its decision on Dr L’s Privacy Act complaints. The complaint centred on information privacy principle 6 of the Privacy Act which gives individuals the right to request their personal information from an agency.   

When the case went before the Tribunal, both parties initially could not agree on what the Tribunal was there to decide. Dr L wanted any and every one of ACC’s withholding decisions leading up to the eventual release of his information reviewed by the Tribunal. He also wanted the Tribunal to review whether ACC acted properly during its entire investigation.

On the other hand, ACC said the only issue the Tribunal needed to decide was whether ACC was right to withhold a list of clients spoken to by the agency during its investigation, because it had already released almost all the previously withheld information.

The Tribunal decided that the core of the case lay in whether ACC had properly continued to withhold the two restricted types of information. The issue was whether, when releasing the information it had previously withheld, ACC was right to hold on to some information. That information related to its investigative techniques, and information which would involve the affairs of other persons.

Duty to investigate

In its decision, the Tribunal said ACC, like other agencies that spend public money, had a duty to prevent, investigate and detect offences concerning its payments. To be able to carry out this duty, ACC must encourage members of the public to provide relevant information. The detection and investigation of fraud is particularly reliant on public information.

The Tribunal said the Privacy Act’s maintenance of the law reasons for withholding information specifically concerning the “prevention, investigation and detection of offences” were justified when related to its investigative techniques.

The Tribunal said ACC’s use of section 27(1)(c) of the Act in this case was proper – “that is, the information relates to ACC’s investigative techniques and methodologies and includes the names of confidential informants”.

Affairs of another

On the second withholding ground – the unwarranted disclosure of the affairs of another individual – the Tribunal said it was clear the information did indeed contain the names and contact details of people who provided information to the ACC investigators, including employees and patients.

“The salient point is that information about Dr L was provided to ACC by a range of persons, but particularly by those working with him and by patients. It is clear from what we have seen and heard the information was provided in expectation the identity of the informants would be withheld from Dr L.”

The Tribunal concluded the disclosure of the information about the identities of informants and others would have been unwarranted. The information had little direct relevance to the issue between Dr L and ACC. It added there was a real risk the information would be misused, including being published on the internet.  

The Tribunals said ACC had properly withheld the information and dismissed Dr L’s claim.

Image credit: Creative Commons via Pixabay.

Human Rights Review Tribunal, health, ACC, IPP6 – access

Back

Source: Tairāwhiti Graduates Celebrate Success – Press Release/Statement:

Headline: Petdirect Expands From Digital To Physical Retail

In a bold move against prevailing economic trends, New Zealand’s leading online pet retailer, Petdirect, announces plans for major retail expansion with new stores opening in Mt Roskill, Auckland and Tower Junction, Christchurch in the coming months. Following the tremendous success of its first brick-and-mortar location in Takapuna, which opened in October 2024, this strategic expansion solidifies the company’s position as a dominant force in New Zealand’s pet retail sector. The 100% Kiwi-owned and operated company, which just celebrated its 5th birthday, has rapidly evolved from an online startup during the pandemic to capturing a majority share of the online pet supply market.

The post Petdirect Expands From Digital To Physical Retail first appeared on PR.co.nz.

– –

Source:

There has been a significant amount of media coverage about our investigation into Westpac bank disclosing journalist Nicky Hager’s bank account information to Police in 2014. In the course of that reporting, some misconceptions have emerged. Because of the interest in the case, and the potential implications for future practice, we have noted some points of clarification and context below.

Coverage of the story has focussed on our final opinion letter to Mr Hager that he chose to make public. The final opinion is the tail end of a long process that involved submissions, meetings and careful consideration of the facts of the case.

Key background facts

1. Westpac disclosed Mr Hager’s account information during a Police investigation that followed the publication of Mr Hager’s book Dirty Politics.  In the course of investigating how Mr Hager got the information he used to write the book, Police asked Westpac for information about Mr Hager. Westpac provided Police with several months of Mr Hager’s transaction information.

Privacy Commissioner’s legal opinion

The Privacy Commissioner’s opinion is just that – it is not a ‘ruling’ and it is not legally binding. The Human Rights Review Tribunal – where Mr Hager has taken his case now – issues rulings. It hears evidence and argument afresh and comes to its own conclusion.

1. We form a view of each case based on its specific facts. The law describes a range of circumstances where organisations like banks can disclose customer information, but they have to be able to justify why they did so
2. The views expressed in our correspondence are not changing or reforming the law. The Police sought Mr Hager’s information without seeking a production order from a court. That in itself is unremarkable; there is nothing in the Privacy Act that requires a production order before information may be released.

Westpac’s decision to disclose the information

1. Westpac told us its authority to disclose Mr Hager’s banking details came from its terms and conditions, which Mr Hager had accepted. Principle 11(d) of the Privacy Act allows agencies to disclose personal information if the agency believes on reasonable grounds that the disclosure is authorised by the individual concerned. For example, a home insurer may share information with a mortgage holder, with customer consent.
2. The relevant clause said that Westpac would disclose information to Police whenever it “reasonably believes that the disclosure will assist it to comply with any law, rules and regulations in New Zealand or overseas or will assist in the investigation, detection and/or prevention of fraud, money laundering or other criminal offences.”

Privacy Commissioner’s view of Westpac’s reasoning

1. We found that a reasonable Westpac customer would think the phrase “fraud, money laundering or other criminal offences” suggests “other criminal offences” would be similar sorts of financial crimes. Police asked for Mr Hager’s information as part of an investigation involving section 249 of the Crimes Act (accessing a computer for a dishonest purpose), and fraud. Mr Hager himself was not a suspect in this investigation. Westpac has noted that this latter fact was not clear at the time the information was requested. We therefore formed our view that Westpac could not reasonably believe Mr Hager had given his consent for his account information to be disclosed to the Police, given that set of specific facts.
2. When an agency sets its terms and conditions, it needs to abide by them. Our view was that Westpac’s interpretation of its terms and conditions was too broad, particularly in its definition of “other criminal offences”.
3. Westpac also argued that the disclosure was allowed under principle 11(e)(i), which allows agencies to disclose information “to avoid prejudice to the maintenance of the law.” We thought this argument was difficult to sustain. If Westpac thought that Mr Hager had authorised it to disclose his information to Police, then “maintenance of the law” didn’t need to enter consideration. It is not consistent to disclose information based on both criteria because they address different circumstances, and one of the two should be enough to authorise disclosure.

Why do production orders and search warrants exist?

1. Production orders oblige agencies to provide information. The Privacy Act exceptions do not oblige an agency to disclose information – they enable an agency to disclose information.

How does the “maintenance of the law” exception work?

1. The Privacy Act maintenance of the law exception (principle 11(e)(i)) allows an agency to give information to the Police, provided certain criteria are met.
2. This exception does not give Police the right to see any information they would like in order to maintain the law. Rather, it only applies to situations where not seeing the information would prejudice, or do some harm to, maintaining the law. Fraud is a good example. If banks suspect fraud, they are absolutely within their rights to disclose information to the authorities. Police cannot investigate without good information from the bank. Similarly, in missing persons’ cases, bank transactions could indicate where someone is. Under these circumstances, if the agency refused to provide the information to Police, it could be hindering an investigation or, in other words, prejudicing the maintenance of the law, and they could therefore provide the information without breaching the individual’s privacy.
3. A good way to think of the maintenance of the law exception is that it functions as “a shield, not a sword.” Rather than a government agency saying “you must give this information so we can maintain the law”, the exception enables an agency receiving the request to say “explain to me why not giving this information would stop you from maintaining the law.”
4. The case law in this area underlines that when government agencies ask for information under this exception, they need to provide reasons why they think the exception applies. In the Westpac-Hager complaint, Police did not provide any reasons, so Westpac had no way to assess whether the “maintenance of the law” exception applied.

Role of the Human Rights Review Tribunal

1. Mr Hager’s legal counsel has indicated that he will be taking the case to the Human Rights Review Tribunal. The Tribunal will hear the case “afresh” (i.e: without taking the Privacy Commissioner’s view into consideration), and then issue a judgment. Tribunal judgments, unlike findings from this office, are enforceable rulings. We will be keeping a keen eye on the outcome in order to inform our approach to future cases.

finance, law enforcement, IPP11 – disclosure

Back

Source:

A recent data breach involved a deliberate email phishing attack on an organisation. The email looked like it came from the chief executive and requested a copy of the membership list (names and email addresses).

At the time, the CEO was away from the office. This fact could have been known by the person who sent the phish, as a high-profile person’s travel for work is often publicly known. Because this attack was targeted, it was not easy to spot. One of the reply addresses was unfamiliar, but the other was the CEO’s work email address so the unfamiliar one could have been assumed to be their personal email address.

The request was also plausible, particularly since the information asked for was limited to names and email addresses.

Preventing against these attacks

The most effective way for an organisation to protect against this form of attack would be to have a policy of independently verifying requests for sensitive information. Since this might involve junior staff having to contact senior management to verify a request, employees need to be confident that they are expected to do so.

Take time to investigate before you act

A basic phish can usually be spotted by moving your mouse cursor over the link without clicking. The text that pops up when you do that will usually look different from what you might expect. This difference might be just one character. Moving the mouse cursor over the reply email address can also be helpful when in doubt.

The basic phishing email below is an example. It shouldn’t have been addressed to “undisclosed-recipients” as your bank can address an email just to you. And you can see the box that popped up when the mouse cursor was held over the link. An address of “alex-parus.ru/” does not seem likely for a New Zealand company to use.

Three things to do when you get a phishing message

1. Report it!

• Let others in your organisation know. If you have IT support people, forward the email with a warning that it’s a phishing email. They should handle the rest. In a small organisation, let everyone know – but do not forward the message. People have been known to click on the links in such situations “to see what happens”! You can convert the link to plain text so people can see it, without it being so dangerous.
• Report the phish to the Electronic Messaging Compliance Unit at the Department of Internal Affairs (DIA) by forwarding the email to scam@reportspam.co.nz or by forwarding the TXT for free to the shortcode 7726 (SPAM).
• Let the other organisation know. If the message pretended to come from an organisation, then it’s helpful to let them know. It can take a little time looking on the organisation’s website (type the real web address in yourself – don’t click on that link in the phishing email!) to find where to report the spam

2. Delete it!

3. Get help!

• If you responded to the phishing email with personal information, contact us using this form or phone us on 0800 803 909 (Monday-Friday between 10am-3pm).
• You may want to seek help in handling enquiries by affected people. IDCARE is a sponsored support service. Contact them on 0800 201 415 or contact@idcare.org.
• You should still report it as above. DIA may pass on your report to the Police, Netsafe or MBIE (Consumer Affairs) for further help.

Back

Source:

Sir Bruce Houlton Slane KNZM, CBE, LLB practiced law in New Zealand for almost 50 years, including 11 years as the country’s first Privacy Commissioner.

Sir Bruce won many admirers in New Zealand and abroad for his work as Privacy Commissioner. He played a major role in drafting the legislation which established the office from scratch.

Early years

Born in 1931, Sir Bruce was educated at Takapuna Grammar School, later graduating with a law degree from Auckland University College.

In 1957, he became a partner in the firm that was to become Cairns Slane Fitzgerald and Phillips. He recognised early on that the law profession needed to do a better job at promoting itself and responding to public enquiries and criticisms. This awareness led Sir Bruce to take on the public relations functions at the Auckland District Law Society. He established the society’s Northern Law News newsletter and edited it for 13 years from 1967 to 1980. Sir Bruce’s “gregarious and affable character helped him to win the confidence of many journalists and the profession’s image was polished as a result”, Graham Wear noted in the Auckland District Law Society book, It Was All Legal.

Media roles

Sir Bruce’s relationship with the news media resulted in part time roles as a radio commentator on 1ZB and a newspaper columnist on privacy matters. His radio career was at a time when the Law Society prohibited lawyers from advertising themselves. He was known to listeners by the pseudonym “Bruce Christopher”. Later, he was to become chairman of the Broadcasting Tribunal for the entirety of the organisation’s 12 year life.

Sir Bruce remained a partner at Cairns Slane Fitzgerald and Phillips until his appointment as Privacy Commissioner in 1992. He was also a Human Rights Commissioner from 1992 to 2001. He also served as president of the Auckland District Law Society – twice – and president of the New Zealand Law Society – three times.

The law was one of Sir Bruce’s four main interests in life. Apart from his three children and grandchildren, including his cartoonist son Chris, he had a deep interest and engagement with  communications and current affairs. In 1989, he was presented with a special award at the radio industry awards “in recognition of an outstanding contribution to radio in New Zealand”. In 1993, he was named communicator of the year by the Public Relations Institute.

Honours

He held various official posts at the International Bar Association, and in 2007 was granted an Honorary Life Membership of that organisation.

Sir Bruce was also active in the business world, holding directorships on various company boards including deputy chairman of the Countrywide Building Society for five years.

In 1985, Sir Bruce received a CBE and in 2003 was appointed a Distinguished Companion of the New Zealand Order of Merit (DCNZM). In 2009, Sir Bruce was knighted for services to personal and human rights.

After retirement

Even in retirement, Sir Bruce remained accessible to the news media and was active in challenging misreporting. Until recently, he was a regular guest on RNZ afternoon programme The Panel. On one earlier occasion, he challenged the Sunday News about an inaccuracy. As a result, he secured a weekly Privacy Matters column.

He also remained an activist, as recently as 2010 lending his name to a campaign to retain New Zealand rural land in New Zealand ownership.

His many friends and former colleagues can relate that the qualities that characterised him were his wry sense of humour, keen sense of a good story, enthusiasm for the law, insatiable appetite for news and current affairs and an enduring concern that legal redress should be available to ordinary people.

Sir Bruce Slane is survived by his children, Peter, Chris and Judith, and seven grandchildren.

Image credit: Portrait of my Grandfather by Henry Christian-Slane.

International, media

Back

Source:

I was recently lucky enough to attend the Asian Privacy Scholars Network 5^th International Conference, hosted by the Business School at the University of Auckland.

The inspiring line up of privacy thinkers from around the world included the Honourable Michael Kirby, Prof Kiyoshi Murata from Japan’s Meiji University, and Professor Dr Sarah Hosell of the University of Applied Sciences in Cologne. You can find out more about the speakers and topics here. Their presentations will also be published in due course. 

Snapchat and sexting

One outstanding privacy commentator was Prof Woodrow Hartzog of Samford University, Alabama. Prof Hartzog is the Starnes Professor of Law at Cumberland School of Law, as well as being an Affiliate Scholar at The Center for Internet and Society at Stanford Law School and he spoke about his upcoming book – Privacy’s Blueprint: The battle to control the design of new technology.

Prof Hartzog began his presentation with the example of Snapchat- a smart phone application with an invitation by design to send sensitive information. Its picture messages disappear within seconds of the recipient opening them. When Prof Hartzog asked what the purpose of such an app might be, there were delighted calls of “sexting!” from the mostly middle aged scholarly audience.

Third party operators soon appeared after the advent of Snapchat and these provided ways for snap-chatterers to capture the images before they disappeared. Inevitably, this led to the data breach known as ‘The Snappening’. But shouldn’t Snapchat have been prepared for this eventuality?

Hacks and data breaches

Recently, there have been many other hacks and data breaches in the news media – Ashley Madison, the Australian Census site, Hacking Team, Yahoo to name a few – and yet we see agencies applying sticking-plaster solutions and some governments even acting to criminalise ‘white hat’ (or ethical) hackers who work to expose vulnerabilities safely and alert the relevant agency.

What’s the answer? Prof Hartzog makes three broad points:

1. Design matters for privacy;
2. Privacy law should take design more seriously; and
3. A design agenda should have its roots in consumer protection and surveillance law. 

Making Privacy by Design meaningful

There are huge gaps in privacy law concerning the design of new technology, and Privacy by Design (PBD) has a long way to go before it reaches the universal acceptance it deserves, according to Hartzog.  Furthermore, we need to make sure PBD is a meaningful concept and not just a slogan.

Prof Hartzog says privacy’s three basic rules are:

1. Give individuals some control over their own data;
2. Don’t tell lies; and
3. Don’t cause any harm.

But what do these three aspirational points mean in the real world? How can people control what they don’t understand? How can you understand what you are consenting to with a single click as you eagerly wait to use your new app? And how realistic is to go back and check the 50 apps you already have on your phone?

Also while designers might not deliberately tell lies, what about obscuring the important stuff in the usual “accept all” requirement before downloading a new app?

And finally, how do we define harm? In New Zealand, we have a definition in our Privacy Act and some guidance from the Human Rights Review Tribunal, particularly following this precedent-setting case, and others like this one. But harm can be difficult to attribute to a single cause when your personal information is leaking from numerous sources.

Prof Hartzog says the big problem is the overwhelming incentive to design technology which maximises the collection, use, and disclosure of personal information. The value of personal information encourages a “collect first, ask questions later mentality” which marginalises the virtue of being transparent.

While there are some good examples of privacy-protective design, many new digital products and services are not good enough and erode our privacy rights.

In short, the design in new information technologies is failing us.

Three values for design

The three values of Prof Hartzog’s blueprint for designing for privacy are trust, obscurity and autonomy. These three values are intertwined. Autonomy is furthered as a design value when privacy law nurtures technologies that protect our ability to trust and maintain obscurity. Trust and obscurity are complementary values. Trust protects our information within relationships. Obscurity protects us when there is no one to trust.

He also says designers need to design to standards so their products are not deceptive, abusive or dangerous. Lawmakers and the courts need the right tools to discourage deceptive, abusive or dangerous design. These tools vary in strength from soft to moderate to robust. Robust responses should be used to confront the most serious privacy design problems. Lawmakers should seek balance and fit when choosing the appropriate legal response. Their toolbox should include privacy enhancing technologies, education, investigations and enforcement, fines and penalties and international collaboration. If you have others, we welcome your suggestions.

In conclusion, Woodrow Hartzog is a bit of a privacy hero with some really cool ideas. You can follow him on Twitter at @hartzog. When his book is published in 2017, I will be reading it.

Image credit: Red and white bullseye design by Peter Kratochvil

International, research, Asia Pacific

Back

Source:

“I was never ruined but twice: once when I lost a lawsuit, and once when I won one.” Voltaire’s words encapsulate the sharp reality that it can cost a lot of money for cases to be heard and decided in a court of law – even if you are the successful party. A recent Human Rights Review Tribunal case, for example, cost ACC just over $33,000.

In that case, Dr L had complained to the Privacy Commissioner’s Office and subsequently to the Tribunal because ACC had withheld personal information about an investigation it had carried out into his practice as a chiropractor. You can read about the case in this earlier blog post.

Application for costs

After the Tribunal had decided in favour of ACC, the agency made an application for costs of $15,000. In its submission to the Tribunal, ACC said an award of costs was justified because:

• Dr L repeatedly ignored the Tribunal’s directions, including when to file his witness statements;
• He raised issues that were without merit or that were a waste of time;
• He behaved in a manner that was neither reasonable nor appropriate;
• He put ACC to substantial additional and wholly unnecessary costs and he was therefore liable to compensate ACC for some of that cost.

Not a model litigant

The Tribunal said it was true that Dr L had not been a model litigant – “but few self-represented parties are”. While it had been at times frustrating for both the Tribunal and ACC to deal with Dr L, the Tribunal was not persuaded there had been needless, inexcusable conduct justifying an award of costs.

It noted the most important factor, not addressed by ACC, is that a person who has had personal information withheld by an agency has only one practical remedy –  to ask the Tribunal to view the withheld information and to reach an independent decision whether the withholding ground was justified.

“In our view, it would be wrong in principle for an individual to be deterred from challenging the decision by the prospect of an adverse award of costs should that challenge fail. After all, the individual does not know what is in the withheld information or what evidence the agency has in its possession to justify the withholding decision,” the Tribunal said.

In other words, the complainant has no practical way of knowing what his or her litigation risks are when deciding to test an agency’s case before the Tribunal.

Justice is expensive

The Tribunal referred to the decision in the High Court by Justice Mallon in Commissioner of Police v Andrews and said it provided a forum “through which individuals, who are potentially vulnerable, can challenge the exercise of state power over them”.

While justice can be a costly business, the Tribunal took the view that bringing a case before it should not be a prohibitive factor for complainants seeking redress for a perceived wrong. It said the decision to award costs should “promote, not negate, the protection of individual privacy, and access to the Tribunal should not be unduly deterred”.

On that basis, the Tribunal dismissed ACC’s application for costs.

Image credit: Portrait of François-Marie Arouet (Voltaire) via Open Culture.

Human Rights Review Tribunal, ACC

Back

Source:

In their job, health professionals have to look after some of the most intimate details of their patients’ lives. This is a great responsibility, and patients trust and expect doctors, nurses and others to not just tell anyone. This obligation is recognised in the Health Information Privacy Code.

Rule 11 of the Code says health professionals cannot disclose health information they hold about an individual, unless there is a valid reason to do so.

But when can you release information? Will you be breaching a patient’s privacy if you talk to a police officer about them? Can you hand over everything you can find; or just a little bit, or nothing at all? Watch what the Privacy Commissioner has to say.

Section 22C of the Health Act 1956 allows, but doesn’t require, health professionals to disclose information to a police officer (and some other officials), if they need the information to do their job. Where the treatment relates specifically to drug dependency, then the information is privileged against disclosure in criminal court proceedings under section 59 of the Evidence Act 2006.

If you believe that any child or young person has been or is likely to be harmed, whether physically, emotionally or sexually, you can report the matter to a social worker or Police. This is vital, as there is little that is more serious than the need to protect a child.

Disclosure to a social worker or Police is allowed under section 15 of the Children, Young Persons, and Their Families Act 1989. Health professionals are protected under section 16 of that Act from any civil, criminal, or disciplinary proceedings if they do so. Importantly, this authority and immunity is not limited to the extreme end of imminent risk to children, but incorporates a wide range of harms, including suspected ill-treatment, neglect, abuse or deprivation. If you have concerns about a child, you can report it under section 15.

Search warrants and production orders

If Police have a search warrant or a production order for information about a patient, health professionals have to hand it over to them under the Search and Surveillance Act. A search warrant or production order is approved and issued by the Court, if Police have met the grounds required under the Act. If Police have a search warrant they can search a health provider’s premises. If they have a production order, health professionals have to release the information requested. It is an offence to refuse.

But sometimes Police do not have enough information to obtain a compulsory order. The Privacy Act is flexible enough to allow health professionals to disclose information under an exception to rule 11, when necessary “to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution and punishment of offences”.

You may have information that could help Police in their investigations. There will be no breach of rule 11 of the Code if you can demonstrate you have considered this exception, and you acted in good faith.

To be clear, this is your discretion, and there are several things to consider before exercising it.  

Things to consider

First, unless Police have a search warrant or production order health professionals don’t have to give them anything.

Secondly, you need to turn your mind to whether this disclosure is reasonably necessary in these particular circumstances. It’s Police’s job to convince you. If you are convinced, then you can release the information.

If Police’s request is vague or informal, or you question why they really need all that information, then follow up. They should provide you with a form or an explanation explaining why the information is needed. If you are unsure whether to disclose information, you may wish to seek legal advice or contact the Medical Protection Society for further guidance. If you are still in doubt, you don’t have to tell them, and you can ask them to go back and get a production order.

If you decide to disclose to a police officer, it is up to you to ensure the information you do disclose is proportionate and necessary in the circumstances.

Police don’t necessarily have to request information from you for this exception to apply. If you are concerned about a potential crime, or the health and wellbeing of someone, then you can disclose information to the appropriate authorities.

But again, before you do so, consider what information needs to be disclosed, why this particular information should be disclosed, and why it is necessary for the purpose you are disclosing it.

Also, consider who you are disclosing to. Make sure you send it to the people who can do something about it. Don’t set up a Facebook name and shame page about thieves, or arrange a public campaign against possible criminals. Let the professionals look into it and let them do their job.

If you have any concerns or questions, please try AskUs, an interactive FAQ tool on our website, or call our enquiries line on 0800 803 909.

Acknowledgement: This article was first published in NZ Doctor.

Image credit: Doctor examining a patient – Creative Commons.

Health Information Privacy Code, health, IPP11 – disclosure, law enforcement

Back