Privacy policy – time for review and update

At the Policy Place we’ve just finished reviewing and updating the core content of our online privacy policy pages.  The policy content is aimed at helping our members comply with the Privacy Act 2020 and if they are a health agency, the Health Information Privacy Code 2020.

We review and update core policies regularly based on a 2- year cycle. We let our members know beforehand and invite their feedback on the policies that are scheduled for review. Using their feedback and reviewing legislation and relevant developments, such as the commencement in February 2022 of Ngā Paerewa Health and Disability Standard, we then review and update the policies.

It doesn’t seem that long ago that we drafted the policy content to reflect the content of NZ’s new Privacy Act 2020, which commenced in December 2020. Now, with nearly 2 years of the new legislation under our belt, we’ve been able to review and update the policy content with the benefit of good working knowledge.

So what’s remained the same and what’s changed through the policy review process?

Privacy Policy topics

We’ve continued to address privacy in terms of 4 main “chunks” or pages:

• Protection of privacy – which covers obligations relating to collecting, using, accessing and correction of personal information.
• Information safeguards- dealing with operational and electronic basics to protect personal information.
• Information-sharing – outlines general rules like getting a person’s consent to sharing personal information before you do it as well as law allowing an agency to share a person’s health or other personal information without their consent
• Managing privacy breaches – which includes notifying the Privacy Commissioner and affected people of any breach which causes or could have caused serious harm.

Each of the pages include a Helpful Links section that enable easy movement across pages and to relevant sites like the Office of the Privacy Commissioner.

Privacy policy updates – what’s different

Shorter and more succinct

We treat reviews as opportunities to improve on what we’ve done previously.

With most of our members having a strong operational focus and few opportunities to read and digest a lot of text, we’ve taken the chance to edit the pages to make them more succinct and get rid of “fluff” like duplication.

Guidance on disclosing personal information for health and safety reasons

A key change our members will see is to the Information-sharing page.

We’ve updated the page to reflect the case law arising out of two High Court judgements issued in 2021 (Te Pou Matakana Limited v Attorney-General judicial review (No 1) [2021] NZHC 2942 and (No 2) [2021] NZHC 3319

These considered the Ministry of Health’s decisions declining requests for vaccination status information of Māori in Te Ika a Maui from Te Pou Matakana Limited (trading as Whānau Ora Commissioning Agency (WOCA)).

From these decisions, we’ve updated the Information-Sharing page to include the following:

Disclosure of health information may be allowed if it’s needed for health and safety purposes. The statutory wording of “necessary” doesn’t involve a higher bar.

When considering whether to disclose personal/health information concerning tangata Māori, in addition to the above, Tīkanga Māori and the principles of Te Tiriti o Waitangi should be considered. While personal data may be a taonga protected under Te Tiriti of Waitangi, when disclosure of health information is needed to improve health outcomes for Māori, the “highly prized” taonga of life and health will win out. Treaty principles such as the principle of options will also be relevant because sharing of personal/health information can be a vital resource for a kaupapa Māori service to do its mahi with tangata Māori.