
New Zealand: Health and Pharma Overview

1. INTRODUCTION

1.1. LEGISLATION

Overview of privacy law in New Zealand

Privacy in the context of health and pharmaceuticals in New Zealand is primarily regulated by New Zealand's overarching privacy legislation, the Privacy Act 2020 ('the Privacy Act'). The Privacy Act came into force on 1 December 2020, repealing and replacing the Privacy Act 1993.

The Privacy Act applies, with limited exceptions, to New Zealand 'agencies' across all sectors, including government. The definition of 'agency' is broad, and includes public sector and private sector bodies, as well as individuals (although the application of the Privacy Act to individuals in the context of their processing of personal information is narrower than that in respect of other agencies). The Privacy Act also applies to the actions of overseas agencies occurring in the context of those agencies carrying on business in New Zealand.

The Privacy Act sets out 13 information privacy principles ('IPPs'), which govern the collection, use, disclosure, and retention of personal information. However, the IPPs are subordinate to other express requirements of New Zealand law. Accordingly, actions authorized or required by legislation, regulations, or otherwise under New Zealand law will not breach the IPPs.

In addition to the Privacy Act, agencies operating in the health sector must also comply with, or otherwise be aware of:

  • the Rules set out in the Health Information Privacy Code 2020 ('HIPC'), which set out specific rules that modify the application of the IPPs as they apply to the collection, use, disclosure, and retention of 'health information' (see section 1.4. on definitions below);
  • Sections 22B to 22H of the Health Act 1956 ('the Health Act'), which set out additional regulatory obligations with respect to the disclosure of certain health information within the health sector (including duties of disclosure); and
  • the Health (Retention of Health Information) Regulations 1996 ('the Retention Regulations'), which, among other things, prescribe minimum retention periods in relation to health information that relates to an identifiable individual.

Certain sections of the Health Act and the COVID-19 Public Health Response Act 2020 may also be relevant to agencies operating in the health sector in the context of contact tracing and vaccination records. The application of these sections is outside the scope of this Guidance Note.

Additional requirements applicable in the health sector

Many agencies operating in the health sector may also be required (by way of a policy decision or a contractual obligation) to comply with additional requirements imposed directly or indirectly by the Ministry of Health ('the Ministry') in connection with the collection, use, disclosure, and retention of health information in the context of public health services. For example:

Regulation of pharma

The regulation of pharma in New Zealand is primarily governed by the Medicines Act 1981 and the Medicines Regulations 1984. The Medicines Act imposes controls on:

  • clinical trials;
  • the manufacture and distribution of medicines and related products; and
  • the advertising and sale of medicines, related products, and medical devices.

The Medicines Act and associated Medicines Regulations are the subject of public consultation by the government, in the context of a review and replacement of the regulatory scheme for therapeutic products. The Ministry consulted on a draft Therapeutic Products Bill from December 2018 to April 2019, and also released the Therapeutic Products Regulatory Scheme consultation document.

Medicines that are hazardous substances or 'new organisms' not previously approved may be regulated by the Hazardous Substances and New Organisms Act 1996 ('the HSNO Act').

Other relevant considerations

Other consumer protection and criminal legislation may also impact the collection, use, disclosure, and retention of personal information at a more general level. Examples of such legislation include:

  • the Fair Trading Act 1986 ('the Fair Trading Act') (and in particular, the prohibition on misleading and deceptive conduct in trade); and
  • Part 9A of the Crimes Act 1961 on crimes against personal privacy.

1.2. SUPERVISORY AUTHORITIES

Privacy Act and other privacy matters

The Privacy Act (including the HIPC) is enforced by the Office of the Privacy Commissioner of New Zealand ('OPC').

Individuals may make a complaint to the OPC. The OPC may:

  • decide to investigate the complaint; and
  • explore the possibility of settlement and assurance without investigating the complaint.

The OPC may refer the complaint to the Director of Human Rights Proceedings appointed under Section 20A of the Human Rights Act 1993 where:

  • the OPC is unable to secure a settlement or satisfactory assurance in connection with the complaint;
  • it appears that a term of settlement previously secured between the agency and the aggrieved individual or aggrieved individuals has not been complied with; or
  • it appears that the action that was the subject of the complaint was done in contravention of any term of settlement or an assurance previously secured under the Privacy Act.

If the OPC does so, the Director of Human Rights Proceedings may commence proceedings in the Human Rights Review Tribunal ('HRRT') in respect of the complaint.

An aggrieved individual, or a representative on behalf of an aggrieved individual (including a representative on behalf of a class), may also commence proceedings in the HRRT in certain circumstances, including where the Director of Human Rights Proceedings decides not to commence proceedings (following a referral from the OPC), and where the OPC decides not to investigate or further investigate the complaint.

Decisions of the HRRT made in exercise of its jurisdiction under the Privacy Act (including the Privacy Act 1993) are publicly available; decisions of the HRRT may be appealed to the High Court.

The recent case of Taylor v. Chief Executive of the Department of Corrections [2020] NZHC 383 was a rare example of judicial consideration of New Zealand privacy law. The case concerned the interpretation of the term 'personal information' in the context of a request for personal information. See section 1.4. on definitions below for further discussion.

New Zealand courts have also considered the scope of the tort of invasion of privacy, most notably in the case of Hosking v. Runting [2004] NZCA 34. While the full scope of that tort has not been finally determined by the New Zealand courts, an individual may be able to establish a claim (in respect of which remedies available include an injunction against publication and/or damages) where there is:

  • the existence of a fact in respect of which there is a reasonable expectation of privacy; and
  • publicity given to those private facts that would be considered highly offensive to an objective, reasonable person.

Pharma

The Medicines Act is administered by the New Zealand Medicines and Medical Devices Safety Authority ('Medsafe'), which is a business unit of the Ministry. In this context, Medsafe is responsible for the assessment and approval of new medicines, including the approval of clinical trials.

1.3. GUIDELINES

Privacy

The OPC frequently issues case notes concerning complaints investigated and/or resolved by the OPC concerning all privacy matters. These case notes, while not binding, are often indicative of the OPC's likely approach to the interpretation and application of the Privacy Act and the HIPC.

The OPC has also issued guidance notes and training materials.

Pharma

Medsafe has issued Guidelines on the Regulation of Therapeutic Products in New Zealand, which address matters such as:

  • approvals for new and changed medicines;
  • pharmacovigilance; and
  • regulatory approval and good clinical practice requirements.

1.4. DEFINITIONS

Personal information

Under the Privacy Act, 'personal information':

The definition is broad. 'Personal information' may include information that does not actually identify the individual concerned, including information that is only about an 'identifiable' individual by reason of extrinsic knowledge or information, or information that can be linked to an identifiable individual through the use of other information.

However, there are contextual limits on what may be considered to fall within the definition of 'personal information'. In the case of Taylor (see above in section 1.3.), in the context of an individual's request for information about themselves, the High Court held that:

  • information is not deemed to be personal information simply because that information is sought and obtained in connection with processes relating to an individual; and
  • the definition of 'personal information' should be assessed in light of the specific context in which a request is made.

Health information

Health information, in the context of the HIPC, is information to which the HIPC applies. The HIPC applies to the following information, or classes of information, about an identifiable individual, but only in respect of the collection, use, disclosure, and retention of such information by a 'health agency':

  • information about the health of an individual, including their medical history;
  • information about any disabilities that an individual has, or has had;
  • information about any health services or disability services that are being provided, or have been provided, to that individual;
  • information provided by that individual in connection with the donation, by that individual, of any body part or any bodily substance of that individual or derived from the testing or examination of any body part, or any bodily substance of that individual; or
  • information about that individual which is collected before or in the course of, and incidental to, the provision of any health service or disability service to that individual.

A 'health agency' includes any agency which provides health or disability services, an agency which provides services in respect of health information (including an agency which provides those services under an agreement with another agency), and an agency which manufactures, sells, or supplies medicines, medical devices, or related products.

The definition of 'health information' as used in the Health Act is broader than that of the HIPC, in that it applies to all information of the following kinds (regardless of whether the 'agency' in question is a 'health agency' for the purposes of the HIPC):

  • information about the health of an individual, including that individual's medical history;
  • information about any disabilities an individual has, or has had;
  • information about any services that are being provided, or have been provided, to that individual;
  • information provided by an individual in connection with the donation, by that individual, of any body part, or any bodily substance, of that individual; and
  • for the purposes of Section 22E of the Health Act (which deals with the provision of information for blood collection purposes) only, information:
    • derived from the testing or examination of any body part, or any bodily substance, donated by an individual; or
    • otherwise relating to any part or substance so donated, or relating to the donor and relevant (whether directly or indirectly) to the donation.

Sensitive information

Neither the Privacy Act nor the HIPC specifically define 'sensitive information'. However, the sensitivity of personal information may impact the application of the obligations imposed on an agency under the Privacy Act and/or the HIPC and, in particular, the standard to which an agency is held with respect to the protection afforded to that information.

The OPC has released guidelines titled Sensitive Personal Information and the Privacy Act 2020, which contemplate that health information is inherently sensitive.

2. CLINICAL RESEARCH AND CLINICAL TRIALS

Clinical trials of new medicines are regulated under Section 30 of the Medicines Act, which requires an importer or manufacturer in New Zealand of any medicine (not previously approved in New Zealand) to seek the approval of the Director-General of Health to the distribution of the medicine for the purposes of a clinical trial.

Per the Guidelines on the Regulation of Therapeutic Products in New Zealand - Part 11: Clinical trials - regulatory approval and good clinical practice requirements ('the Good Clinical Practice Guidelines'), Medsafe administers the application and approval process for clinical trials of new medicines, which anticipates the following:

  • Medsafe will forward the application to the Health Research Council of New Zealand ('HRC');
  • a committee of the HRC considers the application and makes a recommendation to the Director-General of Health; and
  • Medsafe (under delegated authority from the Director-General of Health) issues approval or provisional approval of the trial, or declines the application, based on the HRC's recommendation.

Most clinical trials (whether or not involving new medicines) must also comply with the requirements of, and are subject to review and approval by, the Health and Disability Ethics Committee ('HDEC'), which is a ministerial committee established under Section 11 of the New Zealand Public Health and Disability Act 2000 ('the Disability Act').

Clinical studies that may not require HDEC review or approval include those which:

  • involve participants recruited other than in their capacity as consumers of health and disability services, relatives of consumers, or volunteers in early-phase clinical trials (for instance, health professionals or members of the general public);
  • involve the use of existing anonymized human tissue samples with consent;
  • involve low-risk (class I) medical devices;
  • are audits or related studies (except where HDEC review is required by law);
  • are observational studies that do not involve more than minimal risk; or
  • are to be conducted wholly or principally for the purposes of an educational qualification, in some circumstances.

However, every person conducting a clinical trial must comply with their obligations and duties as a provider under the Health and Disability Commissioner (Code of Health and Disability Services Consumers' Rights) Regulations 1996.

The National Ethical Standards ('the Standards') issued by the National Ethics Advisory Committee set out the ethical requirements that researchers must meet or exceed when undertaking health and disability research.

Additional requirements may also apply to clinical trials involving certain uses of human embryos and human gametes (under the Human Assisted Reproductive Technology Act 2004), or involving other human tissue (under the Human Tissue Act 2008 ('the Human Tissue Act')). See section 4 on biobanking below.

2.1. DATA COLLECTION AND RETENTION

Further details on the requirements applicable to the collection, use, disclosure, and retention of personal information (including in the context of clinical research and clinical trials) are set out in section 5 on data management below.

2.1.1. CONSENT

New Zealand privacy law does not generally rely on 'consent' as the basis for processing personal information, including health information, provided that the processing undertaken is for the purpose for which the information was obtained. Accordingly, health information collected from a willing participant in a clinical trial may be processed for the purposes of that clinical trial without the need to seek consent.

However, an agency that collects personal information from an individual (or from the individual's representative) must take any steps that are, in the circumstances, reasonable to ensure that the individual concerned (and the representative, if collection is from the representative) is aware of:

  • the fact that the information is being collected;
  • the purpose for which the information is being collected;
  • the intended recipients of the information;
  • the name and address of:
    • the agency that is collecting the information; and
    • the agency that will hold the information;
  • whether or not the supply of the information is voluntary or mandatory and, if mandatory, the particular law under which it is required;
  • the consequences (if any) for that individual if all or any part of the requested information is not provided; and
  • the rights of access to, and correction of, health information provided by the Privacy Act or the HIPC, as the case may be (see section 5 below).

The agency must take such steps before the information is collected or, if that is not practicable, as soon as practicable after it is collected.

Guidance from the OPC suggests that the steps that an agency must take to ensure that the individual concerned is aware of the relevant information must take into account the circumstances of the individual, and their ability to 'digest' the information in the disclosure made. While not an express requirement of New Zealand privacy law, privacy disclosures should be transparent, written in plain English, and presented to individuals in a way that makes it clear to the individual concerned that the disclosure will apply to the agency's collection and processing of personal information from them.

In any event, the Standards impose a duty on researchers to provide participants with information about the research they are being asked to participate in, and the potential risks and benefits, as well as the opportunity to ask questions and give their free and informed consent to participate in research, or to decline to do so. In order to ensure that the consent given to participate in the trial is 'informed consent', the agency conducting the trial must provide the 'information that a reasonable consumer, in that consumer's circumstances, would need to make an informed choice or give informed consent prior to their decision to participate in research'.

That information must be communicated in a form, language, and manner that enables participants to understand the information provided. Key information that is required to be disclosed to a participant to ensure that participant's 'informed consent' (as contemplated by the Standards) include:

  • information about the purpose of the research;
  • relevant information about the participant's rights;
  • information about the proposed use of the participant's tissue, including whether research using their tissue is likely to provide information that may be important to their health or to the health of their blood relatives or their community, how this kind of information will be managed, and whether they have a choice about receiving the information;
  • information about:
    • how study data will be used and where it will be stored (including any specified or unspecified future use or uses); and
    • whether any data linkage will be performed and whether the data will be stored in a databank;
  • the form (identifiable, re-identifiable, or non-identifiable) in which the data will be accessed, used, and stored during the life cycle of the research data;
  • how long the data will be retained;
  • who will access the data, and the form in which it will be accessed and shared;
  • whether data will be transferred to other countries and, if so, the impact (if any) of this on participants' rights;
  • whether participants may be able to withdraw their data, including the date up to which they can withdraw it;
  • procedures for withdrawing their data; and
  • whether their data will be destroyed, and the procedures for destroying data.

Where the agency wishes to use personal information obtained for a certain purpose and use the data for another purpose, the agency must do so only where permitted by IPP 10 (or Rule 10 of the HIPC, where applicable). This includes where:

  • The use of the information for that other purpose is authorized by the individual concerned or the individual's representative where the individual is unable to give their authority. For this purpose, OPC guidance suggests that 'authorisation' must be given in circumstances where the nature of the matter in respect of which authorization is purported to be given is made clear to the individual concerned. While the Privacy Act does not specify a minimum age for a person to have given valid authorization, the age of the individual concerned will be a factor for determining whether or not the 'authorisation' of the matter in question was given. In the context of a clinical trial to which the Standards apply, consent may be sought (at the time of the trial) to the future use of health data or human tissue, including for the purposes of biobanking.
  • The information is to be used for research purposes (for which approval by an ethics committee, if required, has been given) and will not be published in a form that could reasonably be expected to identify the individual concerned. However, in the context of a clinical trial to which the Standards apply, researchers must use information and tissue collected about or from research participants only in the specific project to which the participant has consented.

In all cases, an agency may collect personal information only:

  • by a lawful means; and
  • by a means that, in the circumstances of the case (particularly in circumstances where personal information is being collected from children or young persons):
    • is fair; and
    • does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

2.1.2. DATA OBTAINED FROM THIRD PARTIES

Personal information must be collected from the individual concerned, unless the agency collecting the information believes, on reasonable grounds, that one of the exceptions contemplated by IPP 2 (or Rule 2 of the HIPC, where applicable) applies, including where:

  • the individual concerned authorizes collection of the information from someone else (in the case of health information to which the HIPC applies, having been made aware of the matters set out in Rule 3 of the HIPC); and
  • the information is to be used for research purposes (for which approval by an ethics committee, if required, has been given) and will not be published in a form that could reasonably be expected to identify the individual concerned; in the context of a clinical trial to which the Standards apply, researchers must use information and tissue collected about or from research participants only in the specific project to which the participant has consented.

3. PHARMACOVIGILANCE

Section 41 of the Medicines Act requires an importer or manufacturer in New Zealand of any medicine (including one that is the subject of a clinical trial) to report to the Director-General of Health on any 'substantial untoward effects' that have arisen from the use of the medicine, whether in New Zealand or elsewhere.

The function of receiving those reports has been delegated to Medsafe. Suspected adverse reactions to unapproved medicines must be reported directly to Medsafe.

Medsafe has issued Guidelines on the Regulation of Therapeutic Products in New Zealand - Part 8: Pharmacovigilance and, in the Good Clinical Practice Guidelines, information on reporting adverse events in the context of clinical trials of unapproved medicines. The reporting requirements follow those set out in the Guideline for good clinical practice E(R2).

Post-market reports of suspected adverse reactions to approved medicines are collected by the Centre for Adverse Reactions Monitoring ('CARM') under a contractual arrangement between CARM and Medsafe. Adverse event reports may be submitted to CARM by a health professional, the patient, or any other person (although reports by health professionals are preferred).

Reporting is subject to the Privacy Act and the HIPC. In this regard, where personal information is to be disclosed by a health professional in connection with an adverse event report, disclosure of the patient's personal information will be justified where the disclosure is authorized by:

  • the individual concerned; or
  • the individual's representative where the individual is dead or is unable to give their authority.

That said, in the absence of authority from the individual concerned, the health professional is likely to be justified in disclosing the patient's personal information in connection with an adverse event report (if it is necessary to do so) where the health professional believes, on reasonable grounds, that it is either not desirable or not practicable to obtain authorization from the individual concerned, and one of the criteria in Rule 11(2) of the HIPC is met, including where:

  • the disclosure of the information is directly related to one of the purposes in connection with which the information was obtained;
  • the information is to be used in a form in which the individual concerned is not identified; and/or
  • the disclosure of the information is necessary to prevent or lessen a serious threat to:
    • public health or public safety; or
    • the life or health of the individual concerned or another individual.

Where personal information is provided to CARM in connection with an adverse event report, CARM undertakes to anonymize information that is extracted from the CARM database. Reports issued by CARM are generally provided in summary format, although anonymized individual reports may be issued. Medsafe has limited access to original reports submitted to CARM (although these are also anonymized where possible).

4. BIOBANKING

The establishment of a biobank is primarily governed by the Human Tissue Act, which regulates the collection and use of 'human tissue' (being material that is, or is derived from, a body, or material collected from a living individual or from a body, and is or includes human cells). Human embryos and human gametes are not human tissue for the purposes of the Human Tissue Act, but their collection and use is governed by the Human Assisted Reproductive Technology Act 2004 ('the HART Act').

Information relating to human tissue and/or human embryos and human gametes that can be linked to an identifiable individual is personal information to which the Privacy Act and the HIPC apply, alongside any additional requirements of the Human Tissue Act and/or the HART Act (as the case may be).

Unless an exception applies, human tissue, human embryos, and human gametes may only be collected with informed consent. See section 2.1.1. on consent above for further discussion on the nature of informed consent in the context of research projects generally, in connection with the disclosure requirements necessary under IPP 3 and/or Rule 3 of the HIPC at the time the human tissue, human embryos, and/or human gametes and/or any information about them is collected.

Further guidelines in respect of the rights of participants in a biobank are set out in Part 15 of the Standards.

The HART Act specifically regulates the collection and disclosure of information about donors (that is, a person from whose cells a donated embryo is formed or from whose body a donated cell is derived) by a provider of services in which donated embryos or donated services are used, including by specifically regulating the information that must be provided to donors prior to collection, and regulating access by donor offspring and/or donors to information held by the provider and/or the Registrar-General of Births, Deaths and Marriages. In this regard, in the context of donations of sperm, eggs, or embryos made at a fertility clinic after 22 August 2005 that result in a birth, information about donors, offspring, and guardians must be included on the mandatory HART Register.

Schedule 3 of the HIPC specifically regulates the use and disclosure of information derived from new-born babies' blood spot samples.

5. DATA MANAGEMENT

The 13 IPPs govern the collection, use, disclosure, and retention of personal information. The application of the IPPs is modified by the Rules in respect of 'health information' to which the HIPC applies.

Each IPP is summarized below (including commentary, where relevant, as to how the relevant Rule of the HIPC modifies the application of the IPP as it applies to health information).

IPP/Rule - Purpose of collection of personal information

Personal information must only be collected by an agency if such collection is necessary for a lawful purpose.

If that purpose does not require the collection of an individual's identifying information, then the agency may not collect that identifying information.

IPP/Rule - Source of personal information

Personal information about an individual must generally be collected from the individual concerned. However, personal information may be collected from another person if an exception applies, including where the agency collecting the information has reasonable grounds for believing that:

  • the individual concerned or their representative authorizes such collection (in the case of 'health information' to which Rule 2 of the HIPC applies, where such individual or representative has been made aware of the matters required by Rule 3 of the HIPC);
  • compliance would prejudice:
    • the interests of the individual concerned;
    • the purposes of the collection; or
    • the health or safety of any individual; or
  • compliance is not 'reasonably practicable in the circumstances of the particular case.'

IPP/Rule - Collection of information from subject

When an agency collects personal information from the person the information is about, it must take reasonable steps to make sure that person knows (through the disclosure of a privacy statement or similar) certain prescribed matters, including:

  • the fact that their information is being collected and the purposes for which their information is being collected;
  • the intended recipients of the information;
  • if the collection of the information is authorized or required by or under law, including whether the supply of the information is voluntary or mandatory;
  • the consequences if the information is not provided; and
  • information about their rights of access to, and correction of, the information.

See also comments in section 2.1.1. on consent above concerning information that must be provided to a participant in a clinical trial in order for the participant to be held to have given informed consent to participation in the trial.

IPP/Rule - Manner of collection of personal information

Personal information must not be collected by unlawful means, or by means that are unfair or unreasonably intrusive in the circumstances (particularly in circumstances where personal information is being collected from children or young persons).

IPP/Rule - Storage and security of personal information

An agency must ensure that there are reasonable safeguards in place to prevent loss, misuse, or unauthorized disclosure of personal information that it holds (having regard to the nature of the information in question).

The agency's obligations extend to ensuring that any person who holds or processes the personal information on their behalf (as a 'processor') also has reasonable safeguards in place. See section 6 on outsourcing below for further details.

Documents containing 'health information' to which the HIPC applies must also be disposed of in a manner that preserves the privacy of the individual.

IPP/Rule - Access to personal information

An agency must grant individuals access to the information the agency holds about them.

See section 9 on data subject rights below for further details.

IPP/Rule - Correction of personal information

Individuals may request that an agency correct information that the agency holds about them.

See section 9 on data subject rights below for further details.

IPP/Rule - Accuracy, etc. of personal information to be checked before use or disclosure

Before an agency uses or discloses personal information, the agency must take reasonable steps to check that information is accurate, complete, relevant, up-to-date, and not misleading.

IPP/Rule - Agency not to keep personal information for longer than necessary

An agency must not keep personal information for longer than is necessary for the purposes for which the information may lawfully be used. This obligation is subject to any statutory minimum retention periods.

In the case of health information to which the Retention Regulations apply, the minimum retention period is 10 years beginning on the day after the date shown in the health information as the most recent date on which a provider provided services to that individual.

IPP/Rule - Limits on the use of personal information

Where the agency wishes to use personal information that was obtained for one purpose for another purpose, the agency must do so only where permitted by IPP 10 (or Rule 10 of the HIPC, where applicable). This includes where:

  • The use of the information for that other purpose is authorized by the individual concerned (or, where the individual is unable to give their authority, by the individual's representative). OPC guidance indicates that an 'authorisation' is only valid where the nature of the matter being authorized was made clear to the individual concerned. While the Privacy Act does not specify a minimum age for giving valid authorization, the age of the individual concerned will be a factor in determining whether authorization was in fact given. In the context of a clinical trial to which the Standards apply, consent may be sought (at the time of the trial) to the future use of health data or human tissue, including for the purposes of biobanking.
  • The information is to be used for research purposes (for which approval by an ethics committee, if required, has been given) and will not be published in a form that could reasonably be expected to identify the individual concerned. However, in the context of a clinical trial to which the Standards apply, researchers must use information and tissue collected about or from research participants only in the specific project to which the participant has consented.

See Part 4 on biobanking above for further discussion on consent to the use of human tissue, human embryos, and human gametes for undefined future purposes.

IPP/Rule - Limits on disclosure of personal information

Generally speaking, an agency must not disclose personal information unless the agency believes that the disclosure is authorized by the individual concerned, is one of the purposes in connection with which the information was obtained, or the agency is otherwise permitted by IPP 11 (or Rule 11 of the HIPC, where applicable).

Agencies may be permitted to disclose certain health information in accordance with Section 22C of the Health Act, including where that information is required by any employee of a district health board, for the purposes of exercising or performing any of that board's powers, duties, or functions under the Disability Act, and the information is essential for that purpose.

Anonymous health information may be freely disclosed (that is, health information that does not enable the identification of the individual to whom the information relates, such as aggregated data).

IPP/Rule - Disclosure of personal information outside New Zealand

Except in limited circumstances, if an agency (a 'disclosing agency') wants to disclose information to a foreign person or entity (an 'overseas agency'), it may only do so if one of the grounds for a cross-border disclosure applies under IPP 12 (or Rule 12 of the HIPC, if applicable).

See section 7 on data transfers for further details.

IPP/Rule - Unique identifiers

An agency may only assign a unique identifier to an individual for use in its operations if it is necessary for it to carry out its functions, and that identifier has not already been used by another agency, except in limited circumstances.

6. OUTSOURCING

New Zealand privacy law imposes obligations on all agencies who collect, use, disclose, and/or retain personal information. However, where personal information is 'held' by a representative or agent for another agency (for example, for the purposes of 'safe custody' or 'processing') - in other words, as a processor:

  • the agency who instructs the agent (or 'provider') to hold the personal information is deemed to continue to 'hold' the personal information; and
  • the transfer of personal information is not a 'use' or 'disclosure' of the personal information for the purposes of the Privacy Act or the HIPC.

In this regard, the agency instructing the processor to hold the personal information, among other matters:

  • remains responsible for ensuring compliance with IPP 5 (or, where applicable, Rule 5 of the HIPC) - that is, ensuring that the information is protected, by such security safeguards as are reasonable in the circumstances to take, against loss, access, use, modification, or disclosure that is not authorized by the agency, and other misuse; and
  • remains responsible for the obligations arising in connection with any privacy breach in connection with that personal information while held by the provider on its behalf, including any obligations to notify a notifiable privacy breach (see section 8 on breach notification below).

With that in mind, an agency who is instructing a processor (such as a cloud service provider) to hold personal information as its agent should seek to manage its risk contractually, by imposing obligations on the processor that will assist the agency to comply with the Privacy Act, including:

  • obligations to only process the personal information in accordance with the instructions given;
  • restrictions on the further transfer or disclosure of the information without consent;
  • obligations with respect to the implementation of appropriate technological and organizational measures to protect the information, including evidence of any certification and/or compliance with standards;
  • obligations to promptly advise of any privacy breaches, and cooperate in respect of any notification requirements;
  • geographical limitations on where the information can be held;
  • obligations to implement back-ups; and/or
  • obligations to cooperate in respect of the exercise of any data subject rights and/or any investigations by or inquiries from the OPC.

7. DATA TRANSFERS

Under IPP 12 (or, where applicable, Rule 12 of the HIPC), and except in limited circumstances, if an agency (a 'disclosing agency') wishes to disclose personal information to a foreign person or entity (an 'overseas agency'), it may only do so if one of the following grounds applies:

  • the individual concerned authorizes the disclosure (after being expressly informed by the disclosing agency that the overseas agency may not be required to protect the information in a way comparable with the Privacy Act);
  • the overseas agency is carrying on business in New Zealand and, in relation to the relevant information, the disclosing agency reasonably believes that the overseas agency is subject to the Privacy Act;
  • the disclosing agency believes, on reasonable grounds, that one of the following circumstances applies:
    • the overseas agency is subject to privacy laws that provide comparable safeguards to the Privacy Act;
    • the overseas agency is a participant in a prescribed binding scheme (none have been so prescribed as of the date of this Guidance Note);
    • the overseas agency is subject to the privacy laws of a 'prescribed country' (none have been so prescribed as of the date of this Guidance Note); or
    • the overseas agency is required to protect the information in a way that provides comparable safeguards to those in the Privacy Act (for example, under an agreement between the agencies, such as one based on the model clauses promoted by the OPC).

As mentioned in section 6 on outsourcing above, a transfer of personal information by an agency to any person who will hold that information as 'agent' does not constitute a 'disclosure' for the purposes of the Privacy Act. Accordingly, any transfer to an offshore processor, where that processor is only processing the personal information on instructions of the agency, will not trigger the requirements of IPP 12 (although the considerations mentioned in section 6 on outsourcing above will continue to be relevant).

Many agencies operating in the health sector may also be required (whether by way of a policy decision, or a contractual obligation) to comply with additional requirements imposed directly or indirectly by the Ministry in connection with the collection, use, disclosure, and retention of health information in the context of public health. Increasingly, and in particular with respect to Māori health information, the Ministry imposes 'data sovereignty' requirements which require information to be stored within New Zealand and not transferred off-shore without the Ministry's prior consent. Such requirements are likely to become more common as data center providers establish physical data center infrastructure within New Zealand.

Any disclosure of personal information (whether or not made on a cross-border basis) must also comply with IPP 11 (or, where applicable, Rule 11 of the HIPC). See section 5 on data management for further details.

8. BREACH NOTIFICATION

The Privacy Act defines 'privacy breach' as meaning, in relation to personal information held by an agency:

  • unauthorized or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
  • any action that prevents the agency from accessing the information on either a temporary or permanent basis.

For the purposes of the Privacy Act, it does not matter whether or not the breach was caused by a person inside or outside the agency, is attributable in whole or in part to any action by the agency, or is ongoing.

However, not all privacy breaches trigger notification requirements under the Privacy Act. A privacy breach is a 'notifiable privacy breach' for the purposes of the Privacy Act if it is reasonable to believe that the breach has caused 'serious harm' to an affected individual, or is likely to do so.

The Privacy Act sets out the considerations an agency must take into account when assessing whether a privacy breach is likely to cause serious harm, namely:

  • any action taken by the agency to reduce the risk of harm following the breach;
  • whether the personal information is sensitive in nature;
  • the nature of the harm that may be caused to affected individuals;
  • the person or body that has obtained or may obtain personal information as a result of the breach (if known);
  • whether the personal information is protected by a security measure; and
  • any other relevant matters.

In the event of a notifiable privacy breach, an agency must notify:

  • the OPC (where notification may be given through the OPC's online tool, NotifyUs); and
  • in most cases, any affected individuals (that is, the individuals to whom the information relates, whether such individuals are inside or outside New Zealand).

If it is not reasonable to notify all affected individuals, the agency may give 'public' notice of the breach.

There are certain exceptions to the requirement to notify affected individuals or give public notice (but not to the requirement to notify the OPC), including where:

  • in the case of an affected individual under the age of 16, notification would be contrary to that individual's interests; or
  • after consultation with the individual’s health practitioner (where practicable), the agency believes the notification would be likely to prejudice the health of the individual.

If an agency considers that an affected individual should not be notified (or public notice should not be given), the agency must:

  • consider whether it would be appropriate to notify a representative (instead of the individual), if a representative is known or can be readily identified;
  • before deciding whether to notify a representative, take into account the circumstances of both the individual and the privacy breach; and
  • if the agency decides that it is appropriate to notify an identified representative, notify that person.

The Privacy Act requires an agency to notify both the OPC and affected individuals (or give public notice, as the case may be) 'as soon as practicable' after becoming aware of the breach.

However, an agency may delay notifying affected individuals or delay giving public notice (but not delay notifying the OPC) if:

  • the agency believes, on reasonable grounds, that a delay is necessary because notification (or public notice) may have risks for the security of personal information held by the agency, and that those risks outweigh the benefits of informing the affected individuals (for instance, where notification risks exposing an ongoing security vulnerability); and
  • only for a period during which those risks continue to outweigh those benefits.

To the extent that an agency intends to delay notification, it must notify the OPC of this intention (and provide reasons for the delay and an expected timeframe).

There is no 'bright-line test' as to what 'as soon as practicable' means, and that term is not defined in the Privacy Act. However, the OPC has noted that notifiable breaches should be reported within 72 hours of the agency becoming aware of the breach. An agency may provide the information required to be notified on an 'incremental' basis, as it becomes available.

9. DATA SUBJECT RIGHTS

Personal information held by an agency may be subject to a request by an individual to:

  • access that information; and
  • have that information corrected.

Part 4 of the Privacy Act sets out how an agency must respond to such requests, including the timeframe within which, and the other procedural requirements with which, an agency must comply, and the circumstances in which the agency may decline a request.

Generally, an agency must provide an individual with access to the personal information it holds about that individual, on request from that individual.

An agency may only decline a request for access if one of the following 'good reasons for refusal' applies:

  • if disclosure of the information would be likely to pose a serious threat to the life, health, or safety of any individual, create a significant likelihood of serious harassment of an individual, or include disclosure about another person (where that person is the victim of an offense, or would be caused significant distress);
  • in circumstances where the specific characteristics of the requestor mean that disclosure would be harmful to that requestor, including if disclosure would be contrary to the interests of a requestor aged under 16;
  • if the information requested is evaluative material and disclosure would be contrary to an obligation to the person that supplied the material (for example, information compiled by an agency to determine a job candidate's suitability); or
  • if the information cannot or should not otherwise be disclosed, for instance if disclosure would prejudice New Zealand's security interests, reveal a trade secret, or if the information cannot be found.

The OPC may issue a 'binding access direction,' requiring an agency to provide access in a manner considered appropriate by the OPC if the agency refuses to provide an individual access to their information when required to do so under the Privacy Act.

In the case of health information to which the HIPC applies, an individual is also entitled to receive confirmation of whether a health agency holds any health information about them. In addition, under the Health Act and unless a relevant exception applies, agencies must disclose health information where requested to do so by:

  • the individual about whom the information is held; or
  • a representative of that individual or any other person that is providing, or is to provide, services to that individual, unless the agency has reasonable grounds for believing that the individual does not wish for the information to be disclosed.

In response to a request from an individual to correct their personal information held by an agency, the agency must take such steps (if any) that are reasonable in the circumstances to ensure that the information is accurate, up-to-date, and not misleading. Subject to that obligation, the agency is not required to grant the request to correct the information (for example, where the agency does not consider that the information is incorrect).

However, if the agency is not willing to accede to the request, the agency must take such steps (if any), that are reasonable in the circumstances, to ensure that a 'statement of correction' (if provided by the individual) is attached to the information in a manner that ensures that the statement will always be read with the information.

10. PENALTIES

The OPC does not have the power to issue fines for non-compliance with the IPPs (or the Rules of the HIPC).

However, the OPC may:

  • issue binding access directions requiring an agency to make personal information available to an individual (in situations where the agency is required to under the Privacy Act);
  • issue enforceable compliance notices requiring an agency to remedy a breach of the Privacy Act; and
  • specify the time frame within which an agency must provide the OPC with information, documents, or things required by the OPC during the course of an investigation.

An agency subject to a binding access direction or compliance notice may appeal the issue of the direction or notice to the HRRT.

The following are offenses under the Privacy Act, each punishable on conviction by a fine of up to NZD 10,000 (approx. €5,900):

  • failure to comply with (without reasonable excuse):
    • a binding access direction; or
    • a compliance notice validly issued by the OPC;
  • obstructing, hindering, or resisting the OPC (or any other person) in the exercise of their powers under the Privacy Act;
  • refusing or failing to comply with a lawful requirement of the Privacy Commissioner (or any other person) under the Privacy Act;
  • making false or misleading statements to the OPC (or any other person exercising powers under the Privacy Act); and
  • destroying documents containing personal information, knowing that a request has been made for that information.

While the OPC cannot levy fines against an agency in connection with a breach of the IPPs, each of the following may bring proceedings in the HRRT in connection with a breach of the IPPs or other breaches of the Privacy Act:

  • an aggrieved individual;
  • a representative on behalf of an aggrieved individual; or
  • a representative lawfully acting on behalf of a class of aggrieved individuals.

The OPC may also, of its own volition, refer any complaint to the Director of Human Rights Proceedings, who may also bring proceedings in the HRRT. See section 1.2. on supervisory authorities above for further commentary on referrals to the HRRT.

The HRRT has the jurisdiction to award damages of up to NZD 350,000 (approx. €206,610) to each aggrieved individual in connection with an interference of the individual's privacy. In practice, the quantum of damages awarded by the HRRT is significantly less than the jurisdictional cap, and damages are only likely to be awarded in the case of the most egregious breaches of privacy law (often in connection with other breaches, such as in an employment context).

While unlikely, misleading and deceptive conduct (in the context of representations made to consumers, including misleading privacy statements) may be the subject of enforcement under the Fair Trading Act. The maximum penalty available for contravention of the Fair Trading Act is substantially higher than that contemplated by the Privacy Act (a fine not exceeding NZD 600,000 (approx. €354,200) in the case of a body corporate). However, the regulator under the Fair Trading Act, the Commerce Commission, has never brought proceedings in connection with conduct solely relating to misleading privacy statements.

11. OTHER AREAS OF INTEREST

Māori data sovereignty over health information

The recent cases of Te Pou Matakana Limited v. Attorney-General [2021] NZHC 2942 and Te Pou Matakana Ltd v. Attorney-General [2021] NZHC 3319 concerned a judicial review by a Māori health provider of a decision by the Ministry not to provide individual data of unvaccinated Māori, to enable targeted delivery of COVID-19 vaccinations. The court upheld all grounds of review, finding that the Ministry:

  • erred in fact and law in assessment of whether disclosure of the data was necessary under Rule 11(2)(d) of the HIPC;
  • breached the applicants' right to natural justice through its consultation process; and
  • acted inconsistently.

These two cases highlight a recent trend concerning the delivery of Māori healthcare services, in particular with respect to health information (which is considered 'taonga', or a 'treasured possession'), and indicate a shift towards Māori-led health initiatives, delivered by Māori, to Māori. In this regard, there is a significant shift towards Māori data sovereignty, with a push towards storing Māori health information on-shore.

Hayley Miller Partner
[email protected]
Kensington Swan, Auckland