Report of a Privacy Impact Assessment
Prepared for the Ministry of Health by John Edwards (Barrister and Solicitor)
Steps taken to address concerns
In order to address these concerns the Ministry has:
- Appointed representatives of three responsible authorities (the New Zealand Medical Council, the Pharmacy Council of New Zealand and the Nursing Council of New Zealand) to the steering group of the HPI project that originally delivered on the HPI system in 2008.
- Commissioned and consulted on a Privacy Impact Assessment. Parties consulted include the Privacy Commissioner and responsible authorities.
- Obtained legal opinions (including from the Crown Law Office) on privacy aspects of the 2008 project and made these opinions available to the Privacy Commissioner and to responsible authorities.
Much of the information required for the HPI is ‘publicly available information’ by virtue of its inclusion in public registers under the Health Practitioners Competence Assurance Act 2003 (and predecessor Acts). As such, its disclosure by responsible authorities to the Ministry for inclusion on the HPI will not breach any aspect of the Privacy Act.
In respect of information required for the HPI that is not ‘publicly available information’ (for example, information required to verify identity, such as a practitioner’s date of birth), it may still be disclosed to the Ministry provided that certain protocols in respect of the collection, use and subsequent disclosure (if any) of that information are observed. The Ministry is working with responsible authorities to ensure that they comply with these legal requirements.
Other steps that are being taken to manage risk to the project, to the Ministry, to responsible authorities and to health agencies include:
- The development and implementation of Data Provision Agreements, by which the Ministry will agree with responsible authorities and health agencies, as a condition of providing their register and other information, on what information will be provided to the HPI, and who will be entitled to have access to it.
- The development and implementation of Data Access Agreements, by which the Ministry will agree with organisations (such as DHBs, ACC and health providers) what personal information from the HPI they will be able to have access to.
- The development of Application Programming Interfaces (APIs) that limit disclosure to only what is already publicly available and log all access to HPI records.
The Ministry has sought to identify, analyse, manage and minimise the risks of any breaches of individual privacy in all its preparations for the HPI. The Privacy Act does not contemplate ‘definitive rulings’ being given in advance as to the compliance or non-compliance of any given activity with the Act. Complaints can only be investigated and adjudicated upon as they arise.
It should be noted, however, that the risks of any successful claim for damages being brought against any responsible authority in respect of any alleged breach of privacy for the provision of public register information are negligible. An action is not a breach of an information privacy principle if the information at issue is ‘publicly available’. An allegation of breach of a public register privacy principle can only result in the Privacy Commissioner making a report and recommendations on the legislation governing the administration of the public register.