Career practice and the Privacy Act

When working in New Zealand, we need to ensure that we are working within the new Privacy Act (2020). Depending on the nature of our work, we need to first consider what information we might need to keep information under the Health Act. Then if we don't need to keep records under the Health Act, then the Privacy Act 2020 applies.

Firstly, the Privacy Act terms us as an "agency". An agency is any individual, organisation or business, whether in the public sector or the private sector (there are a few exceptions such as MPs, courts, and the news media, but they are not usually career practitioners!). Generally, though, if a person or body holds personal information, they have to comply with the privacy principles. See the Privacy Act, section 2, for the full definition of "agency".

Secondly, "Personal information" is any information about a client (a living natural person) as long as that client can be identified.

There are now 13 privacy principles:

1. We can only collect client information for the purpose we have communicated to the client
2. The personal information must be sourced directly from the client
3. The client must be aware that the information is being collected, and why
4. The client information must be collected in a lawful, fair, and non-intrusive way
5. The collected client information must be safeguarded, stored and secured in a way to reasonably avoid loss, change, access, misuse, or disclosure
6. The client is entitled to know what information is held by us, and we must advise them that they may request correction if the data we hold is incorrect. There are some exceptions here though: where disclosure would prevent a criminal offence coming to light; or where disclosure would breach another client’s privacy
7. The client is entitled to ask for correction of the information we hold. We must ensure that the client information is accurate, up to date, complete, and not misleading
8. We are responsible for accuracy, and for checking data before use or disclosure that the client information is accurate, up to date, complete, relevant, and not misleading
9. We must not keep client information for longer than 'necessary'
10. There are limits on use of client information. The client data we collect can only be used for the purpose it was collected. But there are but some outs: e.g. where we reasonably believe that the client has authorised an additional use, or where the information is publicly available, and we can use statistical summaries providing our clients cannot be identified
11. There are also limits on the disclosure of client information. We can disclose client data if it is directly related to the data collection purpose; if the data source is publicly available; and where disclosure has been authorised by the client. But there are some outs: e.g. we can pass on information if the client is in danger or doing something illegal.
12. We may not disclose client information outside New Zealand unless we have express permission to do so, and those other countries have the same level of protection that NZ has
13. We can use unique identifiers for our clients only if it is necessary for us to carry out our work. We also need to try to avoid using any unique identifier that has been assigned to that individual by another agency (this relates to numbers like IRD/GST numbers, Government IDs etc). We also need to take 'reasonable steps' to prevent any unique identifiers from being misused.

There are time when the Privacy Act doesn’t apply, although they are limited. For example, private personal information held by households is not covered, UNLESS information is 'highly' offensive; or where another law is inconsistent with the Privacy Act, where the other law will subsume the Privacy Act. Also, the Privacy Commissioner may authorise the collection, use or disclosure of data even though that might breach 'normal' privacy principles (think ACC, MSD, IRD etc).

I hope that is helpful :-)

Sam

References:

• CDANZ (19 November 2020). Maintaining Professional Records and The Privacy Act 2020. http://old.cdanz.org.nz/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=457&cntnt01returnid=19
• Consumer (26 January 2021). Privacy Law. https://www.consumer.org.nz/articles/privacy-law
• Privacy Act 2020. https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html
• Privacy Commissioner (2021). The privacy principles - overview. https://www.privacy.org.nz/privacy-act-2020/privacy-principles/
• PrivacyNZ (14 July 2020). Privacy Act 2020 [video]. https://youtu.be/WFCARvh6ps4