This is the html version of the file http://www.nzhis.govt.nz/documentation/mhinc/ak983340.pdf.
G o o g l e automatically generates html versions of documents as we crawl the web.


Google is neither affiliated with the authors of this page nor responsible for its content.

Page 1
Privacy Impact Assessment
and
Commentary
on the
Mental Health Information Project
for
New Zealand Health Information Service
Elisabeth Harding
February 1999

Page 2
Table of Contents
Page
1.
Executive Summary
1
Part 1: Background to the Mental Health Information Project
2.
Introduction
6
2.1
Summary of the Mental Health Information Project
6
3.
National Mental Health Strategy
7
Looking Forward
7
Moving Forward
9
4.
National Mental Health Standards
11
5.
New Zealand Health Information Service
11
6.
"The Mason Report" - Inquiry under section 47 of the Health and Disability Services
Act in respect of certain mental health services (May 1996)
13
7.
Mental Health Commission
13
8.
Legal requirements
15
8.1
Privacy Act 1993
15
8.2
Health Information Privacy Code 1994
17
8.3
Health Act 1956
19
8.4
Hospitals Act 1957
20
8.5
Official Information Act 1982
20
9.
Professional and Ethical Codes of Practice
21
10.
Standards New Zealand
21
11.
Health Research Council Guidelines on research involving personal information
21
12.
Database management
22
13.
Databases and the privacy legislation
24

Page 3
14.
Current monitoring of mental health data
27
15.
Purpose of the Mental Health Information Project
27
16.
Content Mental Health Information Database
28
17.
Conclusion Part 1
29
Part 2: Privacy Impact Assessment
18.
General overview of the project from a privacy perspective
31
19.
Collecting/obtaining information: HIPC Rules 1-4
33
20.
Purpose of collection: Rule 1
34
21.
Source of health information: Rule 2
35
22.
Collection of information from individual: Rule 3
37
23.
Manner of collection: Rule 4
37
24.
NZHIS response to collections issues
38
25.
Collection issues: Discussion
38
26.
Storage and security: Rule 5
40
27.
NZHIS response to the storage and security issues
42
28.
Storage and security issues: Discussion
43
29.
Accuracy: Rule 8
44
30.
NZHIS response to accuracy issues
45
31.
Accuracy: Discussion
45
32.
Retention: Rule 9
46
33.
NZHIS response to retention issues
47
34.
Retention: Discussion
47

Page 4
35.
Use and disclosure: Rules 10 and 11
48
36.
NZHIS response to use issues
48
37.
NZHIS response to disclosure issues
49
38.
Use and Disclosure: Discussion
50
39.
Requests for official information
52
40.
Unique identifiers: Rule 12
53
41.
NZHIS response to unique identifier issues
53
42.
Unique identifiers: Discussion
53
43.
Access and Correction: Rules 6 and 7
54
44.
NZHIS response to access and correction issues
55
45.
Access and correction: Discussion
55
46.
Conclusions
55
47.
Recommendations
60
Bibliography
62
Appendix 1
Health Information Privacy Code Rules
64
Appendix 2
Mental Health Commission Act 1998, section 6
70

Page 5
1.
Executive Summary
1.1
In September 1997, the Minister of Health authorised the New Zealand
Health Information Service (NZHIS) to develop a high level database
containing information on the provision of secondary mental health and
alcohol and drug services. The need to develop such a database flowed
from the acknowledged need for national level information about the
mental health sector.
1.2
In response to this requirement the Mental Health Information Project
(MHIP) was established. The objective of the project is to provide
complete, accurate and timely information on secondary mental health
services.
1.3
This report focuses on privacy implications associated with the
development of a database under the MHIP. It is split into two major parts:
Part 1 provides a background to the MHIP.
Part 2 provides a privacy impact assessment of the MHIP.
Part 1
1.4
Part 1 of the report provides a general overview of the MHIP in the context
of:
National mental health strategy;
National mental health standards;
NZHIS;
The Mason Report;
Mental Health Commission;
Various legislative requirements; and
Professional and ethical codes, Standards New Zealand requirements,
and Health Research Council guidelines.
Further contextual background information is provided on:
Database management;
Databases and their relationship to privacy legislation;
Current state of monitoring of mental health data; and
Content of mental health information database.
1.5
The following conclusions were reached in relation to Part 1 of this
report:

Page 6
1.5.1
Conclusion 1: The Ministry of Health has made a commitment
to ensure that mental health services are available to those who
need them. In order to monitor the success of implementing this
commitment, it has been considered necessary to measure the
delivery of secondary mental health services by both the public
sector and non-governmental organisations.
1.5.2
Conclusion 2: One of the objectives of the MHIP is to provide a
mechanism for monitoring the implementation of the mental
health strategy with respect to the delivery of secondary care
services.
1.5.3
Conclusion 3: Although there is no statutory requirement for
providers to supply this information, the funding agreement for
1998/99 includes, as part of the performance measures for the
Health Funding Authority (HFA) five year plan, a commitment
from the HFA for "requirement for compliance with the NZHIS
National Mental Health Information System to be included in
1998/2000 service specifications".
1.5.4
Conclusion 4: Providing NZHIS is able to gain the commitment
of the providers, NZHIS is in an excellent position to be able to
carry out the development of a secondary database for the
provision of aggregate data to effectively monitor the delivery of
secondary mental health services.
1.5.5
Conclusion 5: However, NZHIS must ensure that all the
purposes of the database are properly contemplated prior to
implementation and that the mental health service providers are
aware of these purposes so they may be conveyed to individuals
receiving services, and whose information is to be provided.
1.6
Part 2: Privacy Impact Assessment
Part 2 of the report assesses privacy issues in relation to the development
and operation of the Mental Health Information Database.
This part of the report is constructed in the following way:
General overview of the project from a privacy perspective.
Collecting/obtaining information: HIPC rules 1-4, with associated
NZHIS response to collection issues and subsequent discussions.
Storage and security: rule 5, with associated NZHIS response to storage
and security issues and associated discussion.

Page 7
Accuracy: rule 8, with associated NZHIS response to accuracy issues
and associated discussion.
Retention: rule 9, with associated NZHIS response to retention issues
and associated discussion.
Use and disclosure: rules 10 and 11, with associated NZHIS response to
use and disclosure issues and associated discussion.
Unique identifiers: rule 12, with associated NZHIS response to unique
identifiers issues and associated discussion.
Access and correction: rules 6 and 7, with associated NZHIS response
to access and correction issues and associated discussion.
1.7
Conclusions to Part 2 of the report:
1.7.1
Conclusion 1: Any centralised database containing identifiable
information raises issues concerning the extent of information
obtained and the purpose of such a database.
1.7.2
Conclusion 2: Overall, the way the project has been developed
indicates that NZHIS is committed to taking a leadership role
with respect to the provision of health information services
generally, and in this instance the implementation of the MHIP.
1.7.3
Conclusion 3: In doing so it has recognised the need to ensure
that its own staff are familiar with the requirements of the Privacy
Act and the Health Information Privacy Code. In addition,
NZHIS has acknowledged that in order to build a trusting
relationship with health service providers, it is important that
NZHIS help providers fulfil their obligations when collecting
information from individuals.
1.7.4
Conclusion 4: NZHIS has taken the potential privacy impacts
seriously and acknowledged the role it needed to play in ensuring
that the providers are aware of the purposes of the information
and their privacy obligation with respect to their patients.
1.7.5
Conclusion 5: Trust in NZHIS and value in the benefits of the
MHIP by both the providers of mental health services and the
individuals receiving those services, will be the deciding factor to
the ultimate success of the project.
1.8
Recommendations (not in any order of priority)
1.8.1
Recommendation 1: NZHIS needs to document its information
management policy regarding the MHIP. This policy should

Page 8
provide an overview of how the information will be protected
from potential privacy intrusions including:
how NZHIS will ensure that providers are aware of their
obligations when collecting information from individuals for
the MHIP;
storage and security safeguards in place to protect the
information;
retention periods for electronic and paper records;
how accuracy of the information will be achieved;
restrictions on access to identifiable information by staff of
NZHIS and a policy for dealing with unanticipated requests for
information held on the database;
protocol for dealing with research projects;
restrictions on the linking, by NHI number, of information
obtained from the MHIP;
a procedure enabling individuals to access their personal
information and request correction;
1.8.2
Recommendation 2: NZHIS should consider the possibility of
appointing a group to monitor the implementation of MHIP on an
on-going basis, including monitoring how effective the project is
in supplying the statistics necessary to measure the
implementation of the National Mental Health Strategy. Such a
group could also have responsibility for protecting the
information and considering requests for access for research
projects and official information requests. For example, NZHIS
may chose to invite interested groups to be represented on the
group such as Mental Health Commission, the Office of the
Privacy Commissioner, and mental health consumer groups.
1.8.3
Recommendation 3: NZHIS needs to develop education
materials such as posters and pamphlets, use of web site for both
providers and individuals to gain an awareness and understanding
about the MHIP. These materials should explain:
the objectives of the project and why specific information
needs to be collected;
how the information will be protected, and who will be able to
use the information;
individual's right to access and correct information held by
NZHIS.

Page 9
NZHIS should work with the Office of the Privacy Commissioner
in developing these materials.
1.8.4
Recommendation 4: NZHIS needs to provide on-going training
for staff to ensure that they are aware of how personal health
information should be protected from potential privacy risks.
1.8.5
Recommendation 5: NZHIS needs to consider whether it is
necessary to retain information about deceased persons in an
identifiable form as there will be no need to add further
information to those records.
1.8.6
Recommendation 6: NZHIS needs to ensure that a field is
included on the database to provide an alert where an individual
has requested the correction of information or the inclusion of a
statement of correction. This will alert those considering
disclosing information for research purposes of the possible
inaccuracy of the information.

Page 10
Part 1: Background to the Mental Health Information Project
2.
Introduction
Databases have the potential to monitor and enhance the value of health care
services, consequently improving the outcomes for those receiving such services.
1
Good quality information provides a base for assessing performance of a system.
However, it has also been noted that the usefulness of the databases for planning and
co-ordination of health care and the benefits to the individual concerned should not
be assumed without investigation and informed debate.
2
Over the last 40 years mental health services in New Zealand have shifted from
institutional care toward providing community-based services. During this period
there has been much criticism regarding the delivery of the service including the
lack of provider responsiveness to the needs of consumers, caregivers and their
families.
Over the last four years the Ministry of Health has made significant efforts to
identify the needs to be addressed in the delivery of mental health services. The aim
of the Mental Health Information Project is to provide complete accurate and timely
information on secondary mental health services
3
and alcohol and drug services.
4
2.1
Summary of the Mental Health Information Project
2.1.1
In September 1997, the Minister of Health authorised the New
Zealand Health Information Service ("NZHIS") to develop a
high-level database containing information on the provision of
secondary mental health and alcohol and drug services.
5
The
need to develop such a database flowed from the acknowledged
need for national-level information about the mental health
sector.
6
1
Health Data in the Information Age: Use Disclosure and Privacy; Molla S Donaldson; Kathleen N Lohr, Ed. Committee on
Regional Health Data Networks, Institute of Medicine, National Academy Press, Washington DC (1994) 61. Improving
outcomes may include making available information on access to care, costs, appropriateness, effectiveness and quality of
health care services and health care providers.
2
Medical Record Databases: Just what you Need? Report prepared for the Privacy Commissioner by Robert Stevens, April
1998, 1.
3
Secondary mental health services are defined as services provided by specialist community and hospital based organisations in
the public and private sectors.
4
http://www.nzhis.govt.nz/projects/mental.html
5
Ibid.
6
This statement was made following a pilot project. The object of the pilot project was to ascertain whether information could
be collected in a way that was cost effective and which would have a minimal impact on provider organisations. The pilot
phase confirmed that it was possible to extract and store data and to report on the information obtained from mental health

Page 11
2.1.2
The object of the Mental Health Information Project ("MHIP") is
to provide complete, accurate and timely information on
secondary mental health services. It is intended that this will:
allow adequate monitoring of the implementation of the
National Mental Health Strategy;
7
provide a database for research into the provision of mental
health services;
provide aggregated information to providers, consumer
groups, the Health Funding Agency ("HFA"), the Mental
Health Commission and other interested parties in the health
sector.
2.1.3
Although it was initially contemplated that the database could, in
the future, be used for clinical purposes in the treatment of
individual patients, this proposed use has now been excluded
from the scope of the project.
2.1.4
Information to be collected and collated relates to secondary
mental health services, and drug and alcohol services which are
funded by the HFA. These secondary services are provided by
Hospital and Health Services ("HHS")
8
as either inpatient or
community services, or by non-government organisations
("NGO").
3.
National Mental Health Strategy
Looking Forward
3.1
In June 1994 the Ministry of Health released the document Looking
Forward: Strategic Directions for the Mental Health Services.
9
This
document provided the mental health strategy and outlined the goals,
principles and national objectives that were intended to reshape New
Zealand's mental health services. Acknowledging the shift away from
institutional care towards community-based care as the most cost effective
way of providing mental health services, the Government stated a
commitment to the community based model backed by in-patient services
for acute and secure care.
7
Paragraph 3.
8
Hospital and Health Services were previously referred to as CHEs or Crown Health Enterprises.
9

Page 12
3.2
In Looking Forward the Ministry identified that two of the problems with
the existing mental health service were:
a lack of provider responsiveness to the needs of consumers, caregivers,
and their families;
a lack of a systematic database that would show who uses the mental
health services, and a lack of detailed information about who would
potentially use the mental health services.
10
3.3
Two goals were set to guide the work of the mental health services. These
goals were to:
decrease the prevalence of mental illness; and
increase the health status of and reduce the impact of mental disorders
on the individual, their family and caregivers and the community.
3.4
Fourteen principles were identified to define the quality standards to be met
by mental health services. The principles which most closely relate to the
need to develop some form of centralised database were those:
giving priority to cost effective services that provide the best value in
terms of health gains;
encouraging service provision to be integrated at all levels and to be
focused on achieving maximum wellness and independence for all
consumers.
3.5
Five key strategic directions incorporating the national objectives were set
out in the document. These directions were:
1.
Implementing community-based and comprehensive mental health
services;
2.
Encouraging Maori involvement in planning, developing and
delivering mental health services;
3.
Improving the quality of care;
4.
Balancing personal rights with protection of the public;
5.
Developing a national alcohol and drugs policy.
3.6
The aim of Strategic Direction 3: Improving the Quality of Care
11
was:
To establish and revise mechanisms for the monitoring of community
mental health needs and services;
10
Ibid. 6-7.
11

Page 13
To promote co-ordination between all agencies involved in the mental
health system and to ensure that clear lines of accountability exist;
To develop data collection and analysis systems which provide adequate
information for continued long-term planning within the mental health
system;
To review and revise if necessary the Government's objectives every five
years.
3.7
Strategic Direction 5: Developing a National Alcohol and Drugs Policy
12
also identifies the need to monitor the effectiveness of the alcohol and drug
services. It was stated that the National Minimum Dataset should be
extended to monitor the performance of these services and to assess their
ability to meet consumer demand.
13
3.8
The Mental Health Strategy Advisory Group 1996 reported to the Minister
of Health in 1996 that the progress towards goals in Looking Forward
needed to be measurable. The Advisory Group recommended the adoption
of a goals and targets approach. Such an approach would involve the
establishment of measurable goals and objectives and the development of
targets and milestones which could be used to map progress towards
objectives.
The Advisory Group generally endorsed the allocation of priority issues and
strategy development. Gaps in the Looking Forward document were
identified in the areas of:
consumer and Pacific Island perspectives;
mental health promotion;
primary mental health;
child and adolescent mental health; and
intersectorial issues.
14
Moving Forward
3.9
Three years after Looking Forward the Ministry of Health produced the
Moving Forward: The National Mental Health Plan for More and Better
Services.
15
This document is also referred to as the National Mental Health
Plan (the "Plan"). The purpose of Moving Forward was to ensure that
Looking Forward was implemented, dividing the process into two parts:
12
Ibid. 24.
13
Paragraph 14.
14
Mental Health Strategy Advisory Group - Statement to the Minister of Health, April 1996.
15

Page 14
First Steps; and
Next Steps.
3.10
Moving Forward recognised that in the previous three years although more
mental health services had been provided it was difficult to measure the
quality of those services.
3.11
The Plan aimed to achieve more and better mental health services that
worked together with other health and social services so that the right
people got services and those services meet their needs.
16
The document
sets out strategic directions which contain national objectives and targets.
3.12
Specifically, the Plan included an additional strategic direction to cover the
infrastructure necessary for delivering more and better services including
data collection and analysis, Strategic Direction 6: Developing a Mental
Health Infrastructure.
17
3.13
Under First Steps there are three National Objectives for Strategic
Direction 6 and four under Next Steps.
3.14
The most relevant to the development of the MHIP is National Objective
6.2
18
(First Steps):
To improve the accuracy, timeliness and appropriateness of mental
health data collection, in order to help monitor the achievement of a
number of targets in the National Mental Health Plan.
3.15
Acknowledging that the information currently being collected is limited in
terms of accuracy and coverage
19
the aim of this objective is to collect
national data on services in ways that are consumer based, flexible, timely
and accurate, and to allow access to the information derived from the data
at agreed levels of security.
3.16
The target is that by July 2000 there will be a national health data-
collection process which:
provides accurate and timely information that can be used to help
monitor a number of targets in the Mental Health Plan;
includes mental health and drug and alcohol data collection.
16
Ibid. 9.
17
Ibid. 31.
18
Ibid. 32.
19

Page 15
3.17
Under Next Steps the relevant provision is found in National Objective
6.7:
20
To improve the health status of New Zealanders and to enhance the
quality of mental health decision-making by providing up-to-date
knowledge based on research information.
4.
National Mental Health Standards
4.1
The National Mental Health Standards (Standards) project was funded by
Mental Health Services, Ministry of Health. It was described as a
sub-project of the National Mental Health Strategy Moving Forward. The
Standards apply to all mental health services. Mental health service was
defined as an organisation that provides, as its core business, treatment or
support to people with mental illness or mental health problems.
21
4.2
The purpose of the Standards is to establish a consistent level of care and
support throughout the country. The document includes a form for
conducting self assessment/audit on the implementation of the Standards
and suggests that in addition an external audit be undertaken before 2000.
4.3
Monitoring of the performance in regard to the criteria set out in each of the
twenty standards is the responsibility of the mental health service. The
information obtained is to be used by the provider for improving their
service delivery.
4.4
The Standards and the form for self assessment indicate an intention on the
part of the Ministry for mental health services to monitor their own clinical
service delivery.
5.
New Zealand Health Information Service
5.1
New Zealand Health Information Service (NZHIS) has been given the task
of developing and maintaining the MHIP database.
5.2
NZHIS is a group within the Ministry of Health responsible for the
collection and dissemination of health-related information. It is a health
agency under the Health Information Privacy Code 1994. It is also a public
sector agency and subject to the Official Information Act 1982.
20
Ibid. 47.
21

Page 16
5.3
NZHIS has as its foundation the goal of making accurate information
readily available and accessible in a timely manner throughout the health
sector.
5.4
The vision of NZHIS is to be recognised as the world-leader in the
provision of health information services, and to support the health sector's
ongoing effort to improve the health status of New Zealanders. It sees the
effective and timely use of information as crucial to achieving this vision.
5.5
High quality information is vital to both the provision of services and the
efficient operation of the health and disability support sector. The Health
Information Strategy for the Year 2000
22
provides the framework for the
development and maintenance of health information to meet national
requirements. The strategy aims to ensure that an accurate, timely and
consistent set of data is available nationally, while protecting the
confidentiality of information and avoiding undue compliance and
collection costs on the sector.
5.6
The Ministry of Health has given NZHIS responsibility
23
for:
the collection, processing, maintenance, and dissemination of health
data, health statistics and health information;
the continuing maintenance and development of the national health and
disability information systems;
the provision of appropriate databases, systems and information
products;
the development and provision of health and disability information
standards and quality-audit programmes for data;
co-ordination of ongoing national health and disability information
collections and proposals for their development;
analysis of health information and advice on the use of information
obtained from NZHIS.
5.7
The guiding principles for national health information are:
the need to protect patient confidentiality and privacy;
the need to collect data once, as close to the source as possible, and use it
as many times as required to meet different information requirements;
the need for standard definitions, classification and coding systems;
the requirement for national health data to include only that data which
is used, valued and validated at the local level;
22
Health Information Strategy for the Year 2000; http://www.health.govt.nz/ ; Privacy Impact Assessment and Commentary on
the Health Intranet Project for New Zealand Health Information Service, paragraph 3.
23

Page 17
the need for connectivity between health information systems to promote
communication and integrity;
the need to address Maori issues.
6.
"The Mason Report" - Inquiry under section 47 of the Health and Disability
Services Act in respect of certain mental health services (May 1996)
6.1
The purpose of the Ministerial Inquiry was to consider the availability and
delivery of aspects of mental health services relating to semi-acute and
acute mental disorder.
In particular, it was to consider recent
recommendations from previous inquiries and international reports,
consider amendments to the Mental Health (Compulsory Assessment and
Treatment) Act 1992) and review how the Health Information Privacy Code
was being used by mental health service providers.
6.2
The Ministerial Inquiry also considered the rights of family members, the
use of drugs and alcohol, and the provision and co-ordination of services.
6.3
In the report, numerous recommendations were made. The most relevant
recommendation relating to the development of a national database of
mental health information was the requirement for the development of a
new organisation to act as a catalyst to improve the performance and lift the
priority given to Mental Health in New Zealand.
24
This organisation was to
provide national leadership and direction in the delivery of mental health
services including the promotion of research to enable planning on an
informed basis for mental health needs in New Zealand.
This
recommendation was implemented by the formation of the Mental Health
Commission.
7.
Mental Health Commission
7.1
The Mental Health Commission Act 1998 establishes a Mental Health
Commission comprised of three commissioners being one full time
chairperson, a second commissioner who is an experienced mental health
professional and a third commissioner who is to be a consumer or family
representative with an interest in mental health.
7.2
The role of the Mental Health Commission is to ensure the implementation
of the national mental health strategy, and by carrying out that task, to
improve services that affect people with mental illness and to improve
outcomes for people with mental illness and their families and caregivers.
25
24
Inquiry under section 47 of the health and Disability Services Act 1993 in respect of certain mental health services. Report of
the Ministerial Inquiry to the Minister of Health Hon Jenny Shipley, May 1996, 102
25

Page 18
7.3
Functions of the Commission are found in section 6 of the Act and
include:
26
reporting to the Minister of Health ("Minister") on the implementation of
the national mental health strategy (section 6(1)(a));
reporting to the Minister when requested on any matter relating to the
implementation of the national mental health strategy (section 6(1)(b));
7.4
The matters to be included in the report are:
the extent which the Ministry of Health ("Ministry") has exercised
leadership in the implementation of the mental health strategy;
the extent to which the Health Funding Authority ("HFA") (previously
regional health authorities) has exercised leadership in the
implementation of the mental health strategy
7.5
Mental Health Commission's Blueprint for Mental Health Services in New
Zealand
27
sets out the service developments needed to ensure that mental
health services and the mental health workforce are developed so that in
time
28
they deliver a range of services provided by the right combination of
people responding appropriately to the needs of those affected by mental
illness, including their families/whanau.
29
7.6
In addressing infrastructure issues the Commission notes the lack of good
information about:
what services are being provided;
where those services are being provided;
for which diagnosis; and
for whom.
30
7.7
However, it notes that this lack of information is being remedied. It states:
The Ministry of Health and New Zealand Health Information
Service(NZHIS) have completed a successful pilot
[31]
of the new national
mental health data collection system, and the Minister of Health has now
approved full national implementation which will be completed by the end
26
Mental Health Act 1998 section 6 Appendix 3.
27
Blueprint for Mental Health Services in New Zealand. How things need to be. November 1998, Mental Health Commission.
28
Ibid. Five years from the date of the document.
29
Ibid. Foreword vi.
30
Ibid. 9.7 Mental Health Information, 81.
31
The pilot phase of the MHIP took place between March and May 1997. This phase confirmed that it was possible to extract
and store data, and to report on the information obtained from mental health service providers, and that it could be done in a

Page 19
of 1999. The new system collects information about services used by clients
and is linked to the client's National Health Index (NHI) number.
All CHE
[
32
]
and NGO mental health service providers will provide data on:
descriptive information about their client group (age, ethnicity, domicile
code, gender)
diagnosis - to get a clearer picture of the problems which are being
addressed by mental health services
service provided-based on the National Mental Health Common Base
Definitions
referral source
where the service is being provided
Information collected will be made available to all those who provide data
and to the Ministry of Health, Mental Health Commission, and [HFA]
through a series of standard reports. Issues of privacy are being addressed
as part of the project to ensure clients get good information about their
rights, and about what data is being collected and how it will be used.
This new Mental Health Information Service will greatly aid service
planning and measurement of progress towards achievement of the goals,
objectives and targets of the National Mental Health strategy. For the full
benefits of the data collections to be realised it is vital that providers
forward data which is as accurate as possible.
8.
Legal requirements
There are several enactments which concern the management of personal health
information, including information contained on a database such as the one
contemplated by NZHIS. The Privacy Act and Health Information Privacy Code set
out controls for the management of such information. However, other Acts may
impinge on these controls, for example by requiring information to be collected or
disclosed in certain circumstances for specified purposes.
33
8.1
Privacy Act 1993
The Privacy Act came into force on 1 July 1993. It aims to protect personal
information about identifiable individuals in accordance with international
guidelines already developed overseas. Underlying the Act is the idea that
32
Hospital and Health Services were previously referred to as CHEs or Crown Health Enterprises.
33
For example, Misuse of Drugs Act 1975, s.20; Medicines Act 1981, s.49A. Other enactments may also contain provisions

Page 20
individuals should be able to exercise some control over the way in which
their personal information is managed by others. This requires agencies
holding personal information to be open with the individual about the way
in which it will be managed.
In particular, the Act:
(a)
Establishes information privacy principles which:
control the collection, storage and security, retention, use and
disclosure of personal information by public and private sector
agencies;
provide the right for an individual to access his or her personal
information held by public and private sector agencies and the
right to request to have that information corrected;
control the management of unique identifiers.
(b)
Enables the appointment of a Privacy Commissioner to:
investigate complaints about interference with individual privacy;
carry out other functions including:
education and publicity;
auditing personal information maintained by an
agency;
monitoring compliance with public register privacy
principles;
reporting to the Prime Minister;
advising a Minister or any agency on any matter
relevant to the operation of the Act.
At the heart of the Act are 12 information privacy principles. These
principles promote and protect an individual's personal information. Nearly
everything else in the Act flows from them. Rather than providing a set of
prescriptive rules, the principles provide a framework for agencies to
develop their own personal information management policy taking into
account the particular nature of their industry.
Section 7 of the Privacy Act is a savings provision. In summary, it
provides that if another enactment authorises or requires personal
information to be made available or authorises or requires an action that
would otherwise be a breach of one of the information privacy principles,
then the provision of the other enactment applies rather than the provisions
of the information privacy principles.

Page 21
8.2
Health Information Privacy Code 1994
Under the Privacy Act the Privacy Commissioner may issue a code of
practice which modifies the application of one or more of the information
privacy principles taking into account the particular nature of the
information involved.
Within a month of the Privacy Act coming into force the Privacy
Commissioner issued the Health Information Privacy Code 1993
(Temporary). A permanent Health Information Privacy Code was
subsequently issued in June 1994 replacing the Temporary Code. The
Health Information Privacy Code 1994 (HIPC) modified all of the
information privacy principles taking into account the sensitive nature of
health information. The HIPC works in conjunction with the Privacy Act
so that where there is no specific provision within the HIPC, the relevant
provision of the Privacy Act applies. The principles in the HIPC are
referred to as rules.
34
The numbering of the rules follows the numbering of
the information privacy principles.
35
The Code applies to health agencies in their management of identifiable
health information.
Health information: The Code applies to the following information or
classes of information about an identifiable individual:
36
(a)
information about the health of that individual, including his or her
medical history;
(b)
information about any disabilities that individual has, or has had;
(c)
information about any health services or disability services that are
being provided, or have been provided, to that individual;
(d)
information provided by that individual in connection with the donation
by that individual, of any body part or any bodily substance of that
individual or derived from the testing or examination of any body part,
or any bodily substance of that individual; or
(e)
information about that individual which is collected before or in the
course of, and incidental to, the provision of any health service or
disability service to that individual.
The Ministry of Health is a health agency as defined by the HIPC. NZHIS,
as part of the Ministry of Health, is also a health agency as it holds personal
34
Health Information Privacy Code rules, appendix 2.
35
The Health Information Privacy Code 1994 was last amended September 1998.
36

Page 22
health information. The HIPC applies to the way NZHIS manages health
information about identifiable individuals. Information on the MHIP
database will be identified by the NHI number. As the NHI number may be
linked to an identifiable individual, the information on the database will fall
within the definition of health information.
The rules of the Code should not be considered in isolation. The Code
works as a whole so that while an issue may appear to fall within the
disclosure rule (rule 11) it has to be considered in the context of the
collection rules (rules 1-4) to ascertain the purpose for which information
was collected and whether the individual was told of that purpose. For
instance, while immediate liability might fall with a provider for breach of
rule 3 (collection of information from individual), the responsibility lies
with the ultimate receiver of the information to ensure that the provider
knows the facts and the obligation to make the individual aware of the
purposes.
There are specific provisions within the HIPC rules regarding the
collection, use and disclosure of health information for statistical or
research purposes. Unless the particular research project is one of the
purposes for obtaining the information and the information is collected
directly from the individual, the HIPC requires that:
if the research project requires the approval of an ethics committee,
approval must have been given before the information may be collected,
used or disclosed; and
the information must not be published in a form that could reasonably be
expected to identify the individual concerned.
The savings provision of the Privacy Act (section 7) applies to the Health
Information Privacy Code as it does to the information privacy principles.
In other words, if another enactment contains provision about personal
health information management then that provision will prevail over the
Code. However, even though the information may be required, for instance
to be disclosed, there will still be a requirement (unless also specified in the
other enactment), for the individual to be informed of that information flow
even though she or he may not be able to veto the action. However, the
means of collection must not be unfair, unlawful or intrusive.
Although the HIPC sets a framework for how personal health information
should be managed, the Privacy Commissioner still has the power to vary
the code or issue a code to cover a specific activity if he considers it
necessary.

Page 23
8.3
Health Act 1956
The Health Act contains several provisions which relate to the management
of personal health information. Only the provisions relevant to NZHIS's
role in maintaining the MHIP database are referred to below.
8.3.1
Section 22C gives a discretionary power to an agency providing
health services or disability services or a purchaser of such
services to disclose information to specified persons for specified
purposes.
8.3.2
Section 22C(2)(g)(ii) provides that an employee of the Ministry
of Health may request information for the purpose of compiling
statistics for health purposes. NZHIS may request information
for the MHIP under this provision.
8.3.3
Section 22D enables the Minister of Health to require any
purchaser or hospital and health service (HHS) to provide
specified returns or other information concerning the condition or
treatment of, or the health services or disability service provided
to any individual in order to obtain statistics for:
health purposes; or
the purposes of advancing:
health knowledge;
health education; or
health research.
8.3.4
This information must be provided in an anonymous form unless
the individual has consented to the provision of the information
or the identifying information is essential for the purpose for
which the information is sought. This information may be
compiled in statistical form by NZHIS. However, to ensure the
information is stored against the correct health care user it must
be supplied to NZHIS with an NHI number attached.
8.3.5
Section 22D does not enable collection from a non-government
organisation (NGO).

Page 24
8.3.6
Section 22F provides that every person who holds health
information of any kind shall, at the request of the individual, or
their representative, or person that is providing or is to provide
health care services to an individual, disclose the information.
Where there is a refusal to provide the information, the person
whose request is refused may complain to the Privacy
Commissioner.
8.3.7
Section 22H provides that any person may supply to any other
person health information that does not enable the identification
of the individual to whom the information relates. This section
would not be applicable to collecting information for the MHIP
as the information will need to be provided in an identifiable
form, usually with the NHI number as the unique identifier, so
that subsequent information may be added to the record.
8.4
Hospitals Act 1957
Section 139A of the Hospitals Act enables the Director General of Health to
request certain information concerning the condition or treatment of
patients in a private hospital in order to obtain statistics for medical
purposes or for the purpose of advancing medical knowledge, education or
research.
8.5
Official Information Act 1982
NZHIS, as part of the Ministry of Health, is subject to the Official
Information Act (OIA). Underlying the OIA is the principle of availability
of official information, although the Act does provide some grounds for
withholding official information. The definition of official information is
broad and includes information held by NZHIS. This would include
personal health information found on the National Health Information
Systems (NHIS). A request for information by a third party would be dealt
with under this Act.
A request for personal information by the individual (or her representative)
must be considered under the Health Information Privacy Code or section
22F of the Health Act.
Any person may make a request for official information. NZHIS would
have to consider the request taking into account any of the withholding
grounds under section 6, which provide conclusive reasons for withholding
official information, and section 9 which provides other reasons for
withholding official information. If any of the section 9 reasons are used

Page 25
then the grounds for withholding information have to balanced against any
other considerations which render it desirable, in the public interest, to
make that information available.
One of the grounds for withholding information is to protect the privacy of
natural persons including that of deceased natural persons (section 9(2)(a)).
Obviously, the information held on the MHIP database will have significant
privacy interests and it would be difficult to find public interest factors of
sufficient weight to outweigh the privacy interest and hence justify making
the information available. In fact it could be considered that there are
public interest factors indicating that this information should not be made
available. Of course, each request must be assessed on its own merits and
occasionally the request may be such that there is a public interest in some
information being made available to a third party.
9.
Professional and Ethical Codes of Practice
9.1
Health professionals have duties also to ensure that they adhere to their own
professional codes of practice and conduct. Many of these codes create
standards that are idealistic. Health professionals are then faced with
balancing the discretion provided by legislation, enabling the disclosure of
personal information, against the ethical standards imposing a duty to
respect the secrets which have been confided in health professionals, even
after the patient has died.
10.
Standards New Zealand
10.1
There are international standards for the security and privacy of information
held on information systems which also apply in New Zealand. One such
standard is the Australia/New Zealand Standard on "Information Security
Management" AS/NZS 4444.
10.2
The three basic components of information security are identified as:
10.2.1
confidentiality: meaning the need to protect sensitive information
from unauthorised disclosure or intelligible interception;
10.2.2
integrity: requiring safeguards to protect the accuracy and
completeness of information and computer software; and
10.2.3
availability: ensuring that information and vital services are
available to users when required.

Page 26
11.
Health Research Council Guidelines on research involving personal
information
11.1
The Health Research Council has developed some guidance notes for those
anticipating research involving personal information. The standards set by
the guidance notes are generally more stringent than those required by the
HIPC.
37
11.2
These guidance notes will be relevant if a researcher wishes to search the
MHIP database for a particular group of people. For example, to identify a
group of people diagnosed with a similar condition.
38
11.3
The function of these guidance notes are:
39
To highlight matters in the HIPC which are especially relevant to health
research;
To provide guidance for health researchers, ethics committees and
custodians or health information where the HIPC leaves them with a
discretion. The guidance notes indicate matters which should be taken
into account in making decisions in such cases;
To deal with matters beyond the provisions or framework of the HIPC.
The notes recommend good practice, in the use of personal information
for research, which goes beyond the requirements of the Code.
12.
Database management
12.1
The Oxford English reference Dictionary defines database as a structured
set of data held in a computer especially one that is accessible in various
ways. Elsewhere it has been defined as a large collection of information
held on a computer.
40
Generally a database is organised in such a way that
information may be added to update and expand a record and information
may be retrieved rapidly by authorised users for various purposes. The use
of the information will depend on the purpose of the database.
12.2
Databases provide an important solution for managing large quantities of
personal information. However, the temptation always exists to collect lots
of information, often as a result of optimising the use of database software
packages with multiple fields and linking features. In some cases
information use is determined by posing the question 'we have the
information, what can we do with it?'. In contrast, determining the
37
http://www.hrc.govt.nz/ethguid9.htm.
38
This illustrates the importance that the information contained on the database is accurate.
39
http://www.hrc.govt.nz/ethguid9.htm page 3.
40
Health Data in the Information Age: Use Disclosure and Privacy; Molla S Donaldson; Kathleen N Lohr, Ed. Committee on

Page 27
objectives for collecting and retaining information at the development
phase and first asking 'what do we want to achieve, how much information
do we need to be able to achieve that purpose?' may streamline database
development. This would also be consistent with the HIPC.
12.3
Obviously, it is impossible to make people aware of the purposes of the
database if these have not been decided at the time when the information is
collected.
12.4
Unlimited collection of information for unanticipated purposes may lead to
future frustrations for agencies wishing to use that information. An agency
which has the ability to use personal information in a new way may be
thwarted if that potential use or disclosure was not ascertained at the time of
collection.
12.5
The structure and content of a database will depend on the purpose for
which it has been developed. Planning is an essential first step in
developing the database.
12.6
Databases containing health information can be divided into two
categories:
41
12.6.1
Primary patient record used by health care professionals who
provide clinical patient care services. The purpose of the
database is to review patient data or document observations,
actions, or instructions by health care providers;
12.6.2
Secondary patient record is derived from the primary record and
contains selected data elements to aid non-clinical users (i.e.
persons not involved in direct patient care) in supporting,
evaluating, or advancing patient care.
12.7
The MHIP database will be a secondary patient record. Information will be
obtained from primary records but the database will be held quite separately
from the clinical or primary patient record.
[Secondary files] are not under the control of a practitioner or anyone
designated by the practitioner, nor are they under the management of any
health institution (e.g. the medical records department of a hospital).
Furthermore they are not intended to be the major source of information
about specific patients for the treating physicians. Secondary databases
41
The Computer-Based Patient Record: An Essential Technology for Health Care Richard S Dick, Elaine B. Steen, and Don E.
Detmer, Editors, Committee on Improving the Patient Record Division of Health Care Services, Institute of Medicine, National

Page 28
facilitate reuse of data that have been gathered for another purpose (e.g.
patient care, billing, or research) but that, in new application, may
generate new knowledge.
42
12.8
Attributes of a database can be divided into comprehensiveness and
inclusiveness
43
.
12.8.1
Comprehensiveness describes the completeness of the patient
record or the amount of information held about that particular
person. For instance this may include:
demographic information such as age, gender, ethnicity;
administrative information;
details of health risks and health status;
medical history;
current management of health conditions;
outcomes.
12.8.2
Inclusiveness refers to the populations included in a database:
national;
geographic area;
care setting e.g. hospital, community;
medical condition, e.g. Cancer Registry, trauma;
age or other demographic characteristic.
12.9
The usefulness of a database is directly related to the quality of the
information it contains. The information must be accurate and regularly
updated. Where information is added to an existing record, there needs to
be a mechanism for updating the correct record. Consequently, such
records cannot be made anonymous. At best the identifiers may be
encrypted and decrypted to enable the information to be updated.
12.10
Furthermore, if organisations providing information, in this instance the
mental health service providers, are not convinced about the purposes of the
database, or perhaps do not trust the management of the database the
integrity of the information may be compromised. A lack of commitment
to provide adequate, accurate and timely information imperils the
usefulness and integrity of the database.
42
Health Data in the Information Age: Use Disclosure and Privacy; Molla S Donaldson; Kathleen N Lohr, Ed. Committee on
Regional Health Data Networks, Institute of Medicine, National Academy Press, Washington DC (1994) 42.
43

Page 29
13.
Databases and the privacy legislation
13.1
The following are suggestions of checks which may be taken into account
when considering database development:
13.1.1
Define the purpose of the database;
13.1.2
Identify legislation which may impact on the development and
use of the database;
13.1.3
Consider ethical issues. Professional codes of practice sometimes
set higher standards than those required by legislation;
13.1.4
Identify industry codes of practice or standards which need to be
considered;
13.1.5
Identify the agency’s policy on the management of personal
information;
13.1.6
Ensure that staff who are going to be involved using the database
are aware of its potential scope and limitations and are given the
opportunity to be included in the development phase;
13.1.7
If the information is already held, identify what the current
practice is for managing personal information;
13.1.8
Identify what has motivated the need for change;
13.1.9
Identify who will be responsible for developing and maintaining
the database;
13.1.10 Consider the privacy implications of the project and identify
whether there may be individual resistance. If so, identify ways
in which privacy intrusions may be reduced and protections
implemented;
13.1.11 Define what sort of information will be held. Identify whether
the information may be considered sensitive by the individual;
13.1.12 Determine how much information needs to be collected to
achieve the objectives of the database;
13.1.13 Ascertain whether the information will be collected directly from
the individual or via a third party. When information is to be

Page 30
collected by another agency, ensure background details are
provided to the other agency to enable it to explain to the
individual the purpose of the information flow;
13.1.14 Ascertain how the individual or the representative of the
individual, for example the parent of a child, will be informed of
the purposes the agency may make of their personal information,
including identifying any third parties information may be
disclosed to. This may be included on an application form, part
of an information booklet or explained orally at the time of
collection;
13.1.15 Determine how the individual will be informed of her or his right
to access and correction of their personal information held by the
agency and develop procedures to enable such access and
correction (Rules 3, 6 and 7 of the HIPC);
13.1.16 Decide whether it is necessary to assign a unique identifier to
enable the agency to carry out any one or more of its functions
efficiently;
13.1.17 Consider storage and security safeguards which need to be
implemented to protect the information. For example:
operational (secure physical site, staff training);
technical (authorised access, passwords, screen-savers);
disciplinary action (warning for misuse, dismissal);
audit trails to detect misuse.
13.1.18 Decide how long the information should be retained including
considering any legislative requirements;
13.1.19 Develop procedures to ensure that information is accurate before
it is used. One of the greatest difficulties in managing large
databases containing personal information is maintaining its
accuracy;
13.1.20 Develop staff training programmes prior to implementation of the
database;
13.1.21 Appoint a person or committee to decide when personal
information may be used or disclosed outside the scope of the
original objectives;

Page 31
13.1.22 Develop procedures for dealing with third party requests for
personal information. In the public sector third party requests for
information will have to be considered under freedom of
information legislation;
13.1.23 Define lines of staff accountability in relation to collection,
maintenance and release of information;
13.1.24 Practical training programmes need to be developed for staff
dealing with information requests under both privacy and
freedom of information legislation.
14.
Current monitoring of mental health data
14.1
Currently, information about in-patient mental health data is collected as
part of the National Minimum Dataset (NMDS) maintained by NZHIS.
This database contains information from psychiatric hospitals, hospitals or
services that provide care for people with intellectual disability, psychiatric
units or public hospitals and facilities that are licensed under the
Alcoholism and Drug Addiction Act (1966).
44
14.2
Since community-based mental health information programmes are not
included, the NMDS underestimates the number of people receiving
secondary mental health services. In addition, the NMDS does not contain
information from NGOs providing secondary mental health services.
14.3
Consequently, the mental health data statistics available from the NMDS
are not sufficient to be able to provide the type of analysis required by the
national mental health strategy.
15.
Purpose of the Mental Health Information Project
15.1
The July 1998 issue of the Mental Health Information Project Newsletter
45
states that:
The aim [of the project] is to provide complete, accurate and timely
information on the provision of specialist mental health services. When the
project is fully implemented, we will provide a range of reports to providers
of secondary and community mental health services, as well as health
agencies such as the Health Funding Authority, the Ministry of Health and
the Mental Health Commission. These reports will provide a variety of
44
Mental Health Data 1993 Revised Editions, Ministry of Health, New Zealand Health Information Service 1996.
45

Page 32
information regarding the provision of these health services, such as usage
and trends.
15.2
Information to be collected relates to the provision of secondary mental
health and alcohol and drug services funded by the Health Funding
Authority.
15.3
Information will be collected on a national basis from all the hospital and
health services and over 450 NGOs providing mental health services.
15.4
Information will be supplied on a regular basis, using the NHI number as an
identifier. This information may be supplied in either electronic or paper
form, using the NHI number to ensure that there is no duplication of
records. Using the NHI will also enable on-going information to be linked
to a particular individual. However, all the reports will be based on
aggregated data so that individuals cannot be identified.
15.5
It is crucial that NZHIS is clear about the purposes of the MHIP database,
including potential future uses. If these are not contemplated at the
development stage, and prior to collection of any information, subsequent
unanticipated use may be prevented or at least impeded.
16.
Content Mental Health Information Database
16.1
The database consists of six primary tables recording details of:
16.1.1
Health care users:
NHI;
date of birth;
date of death;
gender;
ethnicity;
domicile code indicating the area in which the person lives.
16.1.2
Diagnosis:
organisation diagnosing the individual;
date of diagnosis;
clinical coding system used;
type of diagnosis (e.g. provisional, principal, other);
diagnosis code.
16.1.3
Legal status:
organisation making the assessment for legal status;
legal status code;

Page 33
date of legal status.
16.1.4
Service provided:
organisation providing service to person;
group or team providing service to person;
service of treatment provided to person;
date service starts;
date service ends;
flag indicating information is suppressed in the national
system. (The default setting is that the information will be
suppressed.)
16.1.5
Access to services:
location of service provided (e.g. inpatient, outpatient,
community);
number of times service provided in reporting period;
type of service provided (e.g. bed day, attendance);
period of data reported.
16.1.6
Referrals:
organisation person referred to or from;
date of referral;
type of referral (to or from mental health service).
16.2
At an early stage of the project it was considered necessary to include a
suppression flag as a privacy protection if the information on the database
was to be used in the future for clinical purposes. This was to enable
individuals who did not want their details used for clinical purposes to
suppress this use. As already discussed, it is not longer one of the purposes
of this project to use the database for clinical purpose. Consequently, a
suppression flag is not necessary as identifiable information on the database
will be encrypted.
16.3
Non-government organisations will only provide details of legal status or
diagnosis if this is information which they obtain clinically. In most cases
NGOs do not employ clinicians so the information on legal status and
diagnosis will be obtained only in relation to contact with the HHS.
However, the role of NGOs is evolving, so the flexibility to allow this
information to be picked up from NGOs is included in the design on the
data collection.

Page 34
17.
Conclusion Part 1
17.1
The Ministry of Health has made a commitment to ensure that mental
health services are available to those who need them. In order to monitor
the success of implementing this commitment, it has been considered
necessary to measure the delivery of secondary mental health services by
both public sector and non-government organisations.
17.2
One of the objectives of the MHIP is to provide a mechanism for
monitoring the implementation of the mental health strategy with respect to
the delivery of secondary care services.
17.3
Although there is no statutory requirement for providers to supply this
information, the funding agreement for 1998/99 includes, as part of the
performance measures for the HFA five year plan, a commitment from the
HFA for "requirement for compliance with the NZHIS national mental
health information system to be included in 1999/2000 service
specifications".
17.4
Providing NZHIS is able to gain the commitment of the providers, NZHIS
is in an excellent position to be able to carry out the development of a
secondary database for the provision of aggregate data to effectively
monitor the delivery of secondary mental health services.
17.5
However, NZHIS must ensure that all the purposes of the database are
properly contemplated prior to implementation and that the mental health
service providers are aware of these purposes so that they may be conveyed
to individuals receiving services, and whose information is to be provided.

Page 35
Part 2: Privacy Impact Assessment
18.
General overview of the project from a privacy perspective
18.1
As discussed in Part 1, the origins of the MHIP are found in the national
mental health strategy and the need, identified in the Mason Report and by
the Mental Health Commission, for a collection of national mental health
information.
18.2
Privacy concerns and risks associated with the MHIP arise out of the way
the information is collected and how it will be managed and used once
contained on the database.
18.3
The purpose of the MHIP is to provide statistical information, reports and
analysis about the trends and delivery of secondary mental health services
both nationally and on a provider basis. One of the key benefits of this
project is the regular supply of reports to the provider both about their own
services, and also regional and national trends. The reports will be based
on aggregated information so that people cannot be identified.
18.4
NZHIS has also envisaged that from time to time researchers may also
request to use the database for research purposes. NZHIS has procedures
for dealing with this type of request for information.
46
18.5
A distinction should be made between the role of NZHIS in developing the
MHIP and the use of the National Mental Health Standards. The Standards
have been developed to ensure consistent provision of mental health service
by providers. Providers are encouraged to assess and audit their clinical
delivery of care to individuals against these standards.
47
Consequently,
measurement of mental health services providers delivery of clinical care is
outside the scope of the MHIP.
18.6
Health information is sensitive and mental health information even more so
because of the stigma that sometimes attaches to a person identified as
having a mental illness whether or not this is shown to be the case. This
stigma has been acknowledged to the extent that the Mental Health
Commission has been given the role of reducing the stigma associated with
mental illness and the prejudice shown to people with mental illness and
their families and caregivers.
46
Paragraph 37.
47

Page 36
18.7
It had previously been suggested that, at some time in the future,
information about individual consumers obtained by NZHIS may be made
available to clinicians.
48
This possibility raised significant privacy issues
relating to the amount of information required to be collected and the
accuracy of that information. A database developed for the purpose of
providing reports and statistics, has different information requirements to a
database to be used for clinical purposes. It is no longer an objective of the
project to provide identifiable information for clinical purposes.
18.8
Furthermore, NZHIS would not be the most appropriate agency to be
providing a database of information for clinical purposes, or, in other terms,
a primary patient record.
49
Indeed this has never been considered as a
possibility. However, NZHIS is able to develop the MHIP database as a
secondary patient record
50
to facilitate statistical analysis and reporting on
the delivery of mental health services by secondary health providers.
18.9
Generally, the management of the information contained on the database
will fall within the provisions of the Health Information Privacy Code 1994
("HIPC"). The HIPC and in particular the rules do not specify how
databases may be used. What the rules do provide is a framework which
enables agencies to implement their desired database objectives.
18.10
Increasingly, as personal information becomes a commodity of significant
value, agencies, in this instance the mental health services providers and
NZHIS, need to be aware of the privacy impacts of a proposal. Taking
individuals' concerns seriously may enhance trust in the provider, building
the relationship between it and the individual, and between the provider and
NZHIS. In contrast, failing to address privacy concerns may lead to
complaints and undermine the objectives of the MHIP. An extreme
scenario would be an individual deciding not to seek treatment because of
distrust of the mental health service provider, or the NZHIS.
18.11
The policy underlying the development of the database associated with the
MHIP needs to be explored to establish clearly what its parameters may be
and the extent of information required to achieve the objectives of the
MHIP. It has been suggested that when considering the privacy impact of a
proposal the following seven questions could be posed:
51
1. What is the purpose of the information?
2. Will collection achieve a compelling public health purpose?
48
http://www.nzhis.govt.nz/projects/mental.html
49
Paragraph 12.5.1.
50
Paragraph 12.5.2.
51
Health Data in the Information Age: Use Disclosure and Privacy; Molla S Donaldson; Kathleen N Lohr, Ed. Committee on

Page 37
3. Will collection result in effective health policy; that is, might it drive
people underground if they fear the consequence of disclosure?
4. Who will have access to the information? Can it be disclosed by force
or law? What will be the effect of negligent disclosure?
5. What impact will it have on human rights - is there a stigma to
individuals or communities?
6. Are there less invasive alternatives?
7. What safeguards are available to reduce the risk?
18.12
These questions will be addressed below.
19.
Collecting/obtaining information: HIPC Rules 1-4
19.1
There is no statutory provision requiring the development of the MHIP,
although the project was authorised by the Minister of Health in September
1997. Consequently, provision for collecting, storing, retaining, using and
disclosing information, and providing the right to access and request
correction of it, must be considered under the existing legislation.
19.2
In order to update existing records, identifiable information will need to be
collected. Under section 22D the Minister of Health could require the
Health Funding Authority or a hospital and health service to provide non-
identifiable information, or identifiable information if it was essential for
the MHIP or if the consent of the individual had been obtained. However,
relying solely on this provision does not address the need to collect
information from the non government organisations providing secondary
mental health services which are not covered by a section 22D notice.
52
19.3
NZHIS may request information from a provider of mental health services
under section 22C(2)(g)(ii) the Health Act for statistical purposes.
53
19.4
The information could also be provided under rule 11 of the HIPC, if
disclosure of the information by the provider was one of the purposes for
which the information was obtained, or directly related, or the disclosure
falls within one of the exceptions to rule 11.
54
19.5
Under both the Health Act and the HIPC the disclosure of information to
NZHIS is discretionary on the part of the provider. Consequently, the
success of the MHIP will depend on mental health service providers
agreeing to provide the information to NZHIS.
52
To date, no such notice has been given by the Minister.
53
Paragraph 8.3.
54

Page 38
19.6
The Health Funding Authority now includes a provision in the funding
contracts with providers requiring the providers to supply information to
NZHIS for the MHIP database. This will add to the weight of having to
provide such information, although providers still need to exercise their
discretion when deciding whether to disclose the requested information.
19.7
However, the question remains open about whether the Health Funding
Authority can require the provider to supply the information when section
22C of the Health Act provides a health agency with a discretion to provide
the information requested.
19.8
Such a condition will not entitle the Health Funding Authority to identify
information from the database, as the purpose of NZHIS collecting the
information is limited to statistical and research purposes. If information
were to be provided to the Health Funding Authority, or any other
organisation, in an identifiable form, then the purpose for that information
flow would need to be ascertained and individuals made aware of the
purposes of the information flow at the time the information was collected
by the mental health services provider.
55
19.9
The HIPC requires openness in the process of collecting personal health
information. The requirements of the Code are set out in rules 1-4. These
rules directly link with the other rules in the Code. For instance, the
purposes for which information is collected directly relate to how that
information may subsequently be used or disclosed. Deciding what
information is required, the purposes for which it is required and telling the
person about those purposes ensures that there are fewer difficulties in
using information subsequently.
19.10
The collection issues discussed below concern NZHIS collecting
information for the purposes of compiling and maintaining the mental
health information database. Information is collected from providers who
have collected the information directly from the individual.
20.
Purpose of collection: Rule 1
20.1
Rule 1 of the HIPC states that health information must not be collected by
any health agency unless the information is collected for a lawful purpose
and that purpose is connected with a function or activity of the health
agency. In addition, the collection of information must be necessary for
that purpose.
55

Page 39
20.2
The National Mental Health Strategy sets out the need for an information
database. The purpose of the MHIP is to provide national-level information
about the secondary mental health, alcohol and drug services. The MHIP
will provide a mechanism for measurable analysis of the delivery of mental
health services.
20.3
In addition section 22C of the Health Act provides a lawful purpose for
NZHIS to collect the information, being for the administering of the Health
Act or the Hospitals Act and for compiling statistics for health purposes.
20.4
NZHIS has defined the purpose of collating the information on the database
as:
enabling adequate monitoring of the implementation of the national
mental health strategy;
providing a database for research into the provision of mental health
services;
providing aggregated information to providers, consumer groups, the
HFA, the Mental Health Commission and other interested parties in the
health sector.
20.5
One of the roles of NZHIS is the responsibility for the collection and
dissemination of health related information on a national basis.
56
Collecting information for the purposes of developing a database as part of
the MHIP would be consistent with its role.
20.6
Research is also an important part of measuring and analysing of the
delivery of services. It will be important that providers are made aware that
this is also one of the purposes of the MHIP, although safeguards will be in
place to protect the use of the information for research purposes.
57
20.7
There are no statutory provisions which require providers to provide the
information for the MHIP database. NZHIS will have to rely on the co-
operation of the mental health services providers to enable a comprehensive
database with accurate and up to date information to be established.
21.
Source of health information: Rule 2
21.1
Rule 2 of the HIPC requires that where a health agency collects health
information, it must collect the information directly from the individual.
56
Paragraph 5.
57

Page 40
21.2
The rule then provides several exceptions including where the agency
believes on reasonable grounds that the individual concerned authorises
collection of the information from someone else having been made aware
of the matters set out in rule 3(1).
58
21.3
There are two exceptions which are relevant to NZHIS collecting
information indirectly:
21.3.1
Rule 2(2)(d): that compliance is not reasonably practicable in the
circumstances of the particular case;
21.3.2
Rule 2(2)(g): that the information will not be used in a form in
which the individual concerned is identified, or in the case of
statistical and research purposes that it will not be published in a
form that could reasonably be expected to identify the individual
concerned.
21.4
The nature of NZHIS and it role means that it is not in a position to collect
information directly from the individual. Instead, NZHIS will have to rely
on the information being collected by the provider of mental health
services. The provider will have to comply with the obligations set out
under rule 3. However, for the provider to be able to fulfil its obligations,
NZHIS will have to ensure that the provider is aware of the purposes for
which information is going to be disclosed to NZHIS. This will include
any disclosures of information about identifiable individuals NZHIS may
subsequently make.
21.5
A third party agency obtaining information from a source other than the
individual can use the information only if the use is consistent with the
purposes for which it was obtained by that agency. In other words,
individuals need to be made aware that one of the purposes the mental
health services provider is collecting the information is to disclose
information to NZHIS for statistical and research purposes. NZHIS can
only use the information consistently with the objectives of the MHIP and
cannot initiate the use or disclosure of that health information for other
purposes.
21.6
For instance, if NZHIS collects information for statistical and research
purposes it cannot then use that information for other purposes unless the
authorisation of the individual has been obtained or the use or disclosure
falls within one of the exceptions found in the HIPC and any prerequisites
58

Page 41
for use and disclosure are satisfied. The only other exception is where the
disclosure is required by law.
22.
Collection of information from individual: Rule 3
22.1
The HIPC places an onus on the provider of health services, as collector of
personal health information, to ensure that the individual is aware of the
information flows and the purpose of those flows.
22.2
Rule 3 sets certain requirements for a health agency collecting information
directly from the individual. As discussed above, the nature of NZHIS's
functions means that it will not be in position to collect information directly
from the individual.
22.3
However, NZHIS has a responsibility to ensure that a provider of mental
health services is aware of the purposes of the MHIP. When a provider
collects information the provider needs sufficient information about the
MHIP to ensure that the individual is made aware that one of the purposes
of collecting the information is to provide information to NZHIS for entry
on the MHIP database. If it is not practicable to tell the person at the time
the information is being collected, then she or he must be made aware as
soon as practicable after it is collected.
22.4
Once a provider agrees to provide information to NZHIS as part of the
MHIP, and has taken reasonable steps to ensure that the individual is made
aware of this information flow and the purpose of it, the individual does not
have any right to veto that disclosure as the requirement of rule 3 is to
ensure awareness and not obtain authorisation.
22.5
As the supply of the information is not mandatory under law, the supply of
information needs to be considered voluntary. However, the individual
must be told of the consequences of not supplying the information. For
example, if the provision of funding is conditional on the supply of
information to a third party, then the consequence of not supplying
information may be that the provider does not receive funding. This may
mean that the individual has to pay or pay more to the provider to receive
treatment.
59
23.
Manner of collection: Rule 4
23.1
Rule 4 of the HIPC states that health information must not be collected by
unlawful means or by means that in the circumstances of the case are unfair
59
Review of the National Health Index Number: Privacy Considerations. Report prepared for NZHIS, February 1999. Paragraphs

Page 42
or intrude to an unreasonable extent upon the personal affairs of the
individual concerned.
23.2
The responsibility of ensuring that the information is collected by means
which are in a lawful, fair and not intrusive will lie with the health agency
collecting the information, the provider.
24.
NZHIS response to collections issues
24.1
NZHIS has been working with mental health service providers to ensure
that they understand the objectives of the MHIP. This has been an exercise
in building the relationship between NZHIS and providers. Initially,
employees from NZHIS meet with the information technology management
team, clinical team leaders and staff working in the mental health area. At
this stage NZHIS provides an overview of the project. At the request of the
mental health service provider, NZHIS will provide further presentations to
staff regarding the MHIP.
24.2
In addition to discussing the technical aspects of the MHIP, employees
from NZHIS have been explaining to providers the information
requirements from a privacy perspective.
24.3
Newsletters about the MHIP are freely available on the NZHIS web site.
60
24.4
Generally, providers are being told that the information being collected is
about the type and amount of secondary mental health services being used,
including, for instance, the number of nights spent in a residential home, the
number of group sessions attended and details of gender, age and ethnicity.
The providers are told that the information will be used to show how mental
health services are being used and to help ensure that appropriate mental
health services are being provided.
25.
Collection issues: Discussion
25.1
The first issue which needs to be addressed is whether it is necessary for
NZHIS to have a database of identifiable information to achieve the
objectives of the MHIP.
25.2
Taking into consideration the National Mental Health Strategy, and the
need to provide a mechanism for measuring its implementation, it is
appropriate to say that a database, as a secondary patient record,
61
is an
appropriate tool to monitor the implementation of the strategy.
60
http://www.nzhis.govt.nz/projects/mental.html
61

Page 43
25.3
Privacy risks may arise if other uses of the information are suggested in the
future. For example, the suggestion that the information on the database
could be used by providers simply to find out where an individual had
previously received care would be an extended use of the database and not
within the scope of the MHIP and not within the functions of NZHIS.
25.4
Furthermore, even if NZHIS were to contemplate this as one of the
purposes of the database, it may be difficult to include such a use as being
consistent with NZHIS's functions. It would also be difficult to link the use
to the objectives of the MHIP.
25.5
NZHIS will not be the health agency collecting the information directly
from the individual. Consequently, it will need to rely on the mental health
service providers to ensure that individuals are aware of the information
flows and the purpose and extent of those information flows.
25.6
Openness is the key to acceptability of information flows for specified
purposes. Openness is also crucial for building trust between both the
individual and the provider and the providers and NZHIS. Individuals need
to be aware of what information is being collected about them and who or
which other agencies will have access to that information and for what
purposes.
25.7
Trust will be an important aspect of the success of this project. Individuals
will need to trust those who are providing mental health services to
properly manage their health information. If this trust is not present the risk
is that someone may not seek appropriate care for fear of being labelled
with a mental illness.
25.8
NZHIS will have to gain the trust of the mental health service providers to
ensure that the information provided is accurate and complete, and that only
relevant information is provided. This will be reflected in the quality of the
information used to provide the statistics and reports to measure the
implementation of the National Mental Health Strategy. Consequently, the
success of the project will depend on the acceptance and participation by
mental health services providers.
25.9
Providers will want reassurance from NZHIS that the information it obtains
from individuals, on behalf of NZHIS, will be used consistently with the
purposes of the MHIP. Mental health service providers will also need to be
convinced of the usefulness of the MHIP. A lack of interest or belief in the
project's objectives may directly or indirectly cause the project to be
sabotaged by inaccurate or incomplete information.

Page 44
25.10
While the immediate liability for breach of the collection rules might lie
with the provider, responsibility lies also with the NZHIS ensuring that the
provider knows the purposes of supplying NZHIS with the information.
This will enable the provider to comply with its obligation to ensure the
individual is aware of the purposes of disclosing information to NZHIS.
25.11
The HIPC places the responsibility on the mental health care provider
collecting the information directly from the individual to ensure that the
individual is aware that health information is being collected about them
and exactly what those information flows that information may be subject
to. NZHIS, having taken on responsibility for the development of the
MHIP, needs to be involved in helping providers fulfil their obligations.
25.12
To ensure the success of the project, NZHIS will need to work with
providers to produce education and training materials to ensure that both
the provider is aware of its responsibilities when collecting the information
directly from the individual and that individuals are also aware of the
project, its objectives and the information flows.
25.13
With the existing pressures from the changing structure of the health sector
already facing many health care providers it will be important that NZHIS,
as leader of the project, co-ordinates education programmes and materials
for mental health care providers and for individuals. These materials need
to clarify the purposes of the MHIP.
25.14
Overall, the providers need to be convinced that there is a benefit to both
individuals and the providers in participating in the project.
26.
Storage and security: Rule 5
26.1
A health agency holding health information must ensure that the
information is protected, by such security safeguards as it is reasonable in
the circumstances to take, against:
loss;
access use modification or disclosure except with the authority of the
agency; and
other misuse.
26.2
The words 'reasonable in the circumstances' indicate that the standards
required will depend on the sensitivity of the information. Mental health
information is particularly sensitive and so security and storage safeguards
will be very important.

Page 45
26.3
NZHIS as administrator and holder of the information will need to ensure
that there are adequate storage and security safeguards to prevent both
internal and external unauthorised access to the information contained on
the database.
26.4
Security safeguards raise operational and technical challenges.
26.4.1
Operational threats arise from inappropriate uses and disclosure
of personal information by individuals within the organisation
and from outsiders. Operational threats may depend on physical
access to the premises, although purely technical attacks may take
place without requiring physical access.
26.4.2
Consequently, technical threats are a subset of operational threats,
relating more to the type of software and electronic mechanisms
for protecting information such as access control, authentication
and encryption. Technical safeguards protect information from
internal misuse and external attack.
26.5
At one end of the breach of the security spectrum is the innocent misuse of
personal health information by authorised employees while at the other end
is the intentional unauthorised attack by outsiders on the information
system.
26.6
For the present, security threats will only arise internally as no access by
external agencies is contemplated at this stage.
26.7
Vulnerabilities of the MHIP database may be categorised as follows:
26.7.1
Internal threats:
62
authorised users making innocent mistakes:
63
leaving an active screen unattended;
discussion concerning personal health information in
a public place.
opportunist unauthorised users taking advantage of the
innocent mistakes of others:
62
See For the record: Protecting Electronic Health Information Committee on Maintaining Privacy and Security in Health
Care Applications of the National Information Structure, National Academy Press, Washington DC (1997), p 59-60.
63
The examples provided are just some illustrations of how information may be misused. Some examples fall into more than one

Page 46
curiosity about a friend, relative, neighbour, co-
worker, high profile person.
authorised users deliberately abusing access rights:
curiosity about a friend, relative, neighbour, co-
worker, high profile person;
information obtained for personal reasons rather than
work-related.
abuse of access rights for personal gain:
64
access may be by authorised users, or by users with
limited user rights who are able to access
unauthorised information;
information is deliberately obtained for a commercial
purpose.
abuse of access rights for vengeance:
access may be by authorised users, or by users with
limited user rights who are able to access
unauthorised information;
information is deliberately obtained for a specific
purpose, not associated with the objectives of the
MHIP.
26.7.2
External threats would be limited to an unauthorised physical
intrusion of the site where the MHIP database is to be held.
unauthorised physical intruders, no access rights:
outsiders who walk into NZHIS presenting
themselves as employees or authorised users and start
using computer systems.
64
The London Sunday Times reported in November 1995 that the contents of anyone's electronic health record in Great Britain
could be purchased on the street for about £150. In New Zealand, the Crimes Act 1961, section 105A makes it an offence for
an official to corruptly use or disclose any information acquired in her or his capacity to obtain directly or indirectly an

Page 47
27.
NZHIS response to the storage and security issues
27.1
At this stage the MHIP database will only be accessible by NZHIS staff.
Only those updating and entering new records will be able to see the
information in an unencrypted form and only the database
administrator/manager will hold the de-code table for unencrypting the
information.
27.2
All other NZHIS staff who have authorised access to the database for
statistical analysis will see the information in an encrypted form.
27.3
The MHIP database is not to be linked by any external network enabling
access by other health agencies. If, in the future, other agencies were to be
allowed access to the database or copies of the database, this would be in an
encrypted form so that the information would be anonymous.
27.4
Physical access to NZHIS premises is protected by access cards. Other
than a reception area, areas where access to the NHIS is available is limited
to those with authorised physical access. In addition, only those with
authorised computer access to specific databases are able to access those
databases. Access to identifiable information on computer systems is
limited to those involved in updating the information or the database
administrator/manager. Analysts are only able to access encrypted
information.
27.5
NZHIS is currently providing on-going training to its staff on the safe
management of personal information.
28.
Storage and security issues: Discussion
28.1
One of the most effective ways of ensuring the security of information is to
develop a "culture" within an organisation which recognises the importance
of protecting health information. Staff training is essential.
28.2
Generally speaking, internal security and storage threats are countered by
education, training, deterrents and obstacles, preventing those with
authorised access misusing those access rights either inadvertently or
deliberately. External threats are countered by restricting physical access
and technical safeguards to restrict access to computer systems.
28.3
The HIPC requires storage and security safeguards to be reasonable in the
circumstances. NZHIS must be satisfied that its own storage and security
safeguards are sufficient to adequately protect the information. In some
circumstances, information will be supplied by providers in hard copy

Page 48
format rather than electronic format. NZHIS needs to ensure that if it
retains the hard copy information, that this information is also stored
securely.
28.4
Organisational security safeguards such as those noted below should be
implemented:
staff training;
identification of authorised users;
providing access controls and privileges of users;
audit trails to identify misuse;
disciplinary action, warning for misuse, dismissal;
automatic log off after a certain period;
system backup disaster recovery where information is lost.
28.5
Security safeguards should also be in place to identify when there has been
a misuse of authorised access rights. This may be easier to identify when
the information is in electronic format as monitoring footsteps can be
developed as part of the system. Systems for monitoring access to hard
copy information should also be implemented.
28.6
Storage and security issues are an important aspect of gaining support for
the MHIP. NZHIS will need to convince both users and individuals that
there are sufficient physical and technological safeguards in place to protect
the information while it is held by NZHIS.
28.7
Consequently, in taking on a leadership role NZHIS needs to be seen to be
taking the security and storage issues seriously. In other words it is not
sufficient to say that NZHIS has a particular policy. It must also implement
that policy and enforce proper sanctions, such as warnings or dismissal, if
the policy is not complied with.
28.8
NZHIS must have in place the means to identify, audit and monitor users so
that misuse can be detected
28.9
Monitoring users will in itself be a type of surveillance so that employees,
contractors, and agents need to be aware of how NZHIS monitors use of the
MHIP database. The knowledge that monitoring takes place is a deterrent
in itself.
29.
Accuracy: Rule 8
29.1
Rule 8 requires NZHIS to ensure that any personal health information it
makes available, is not used without taking reasonable steps in the

Page 49
circumstances to ensure that, having regard to the purpose for which the
information is proposed to be used, the information is accurate, up to date,
complete, relevant and not misleading. In other words, if the information is
going to be used in an identifiable form, care must be taken regarding the
accuracy of the information.
29.2
In fact, the purpose of compiling the information is to provide statistical
and aggregate data. Only when the information is used for research
purposes will there be issues associated with the accuracy of the
information as the information will be identifiable. If inaccurate
information is used to compile statistical data this will not impact on the
individual. However, the accuracy of the information will have an impact
on the usefulness of the statistical information.
29.3
NZHIS does not have the ability to check the accuracy of the information
supplied with the individual. In fact to do so would be quite intrusive in
privacy terms, and outside the scope of NZHIS's functions. Therefore,
responsibility for the accuracy of the information rests with the mental
health service providers.
29.4
As discussed earlier, one of the purposes of the MHIP is to report back to
the mental health service providers, statistical or aggregate information
about the services they provide. By giving providers feedback regarding
their services, the providers are more likely to see the value in providing
accurate information to NZHIS.
30.
NZHIS response to accuracy issues
30.1
NZHIS is setting up regular auditing of mental health service provider sites
to help those agencies provide high quality information for the MHIP.
There will be an on-going programme to assess the data quality.
30.2
It has been accepted by NZHIS that not all providers will be able to supply
all the information requested by NZHIS straight away. Consequently, data
received from providers may not be complete. NZHIS will develop a gaps
and issues database to hold information about the data collected. This will
ensure that when data is analysed people will be aware of any gaps or
assumptions behind the data.
30.3
In the area of mental health there are always concerns about attaching a
particular diagnosis to an individual. NZHIS acknowledges that in some
instances contact with a specialist mental health service may not result in a
specific diagnosis. To allow for this, the diagnostic categories include
codes which acknowledge relational problems and other conditions which

Page 50
may be the focus of clinical attention. The use of these codes will be more
common in services which assess and treat children and young people.
30.4
Data will be provided to NZHIS monthly and must be received by the 20th
day of the following month, i.e. data for January 1999 must be received by
20 February 1999.
31.
Accuracy: Discussion
31.1
Generally, privacy risks associated with this project include the fact that a
person may be labelled with a particular diagnosis and that the label sticks.
Using inaccurate information in an identifiable form may have an adverse
outcome, or a potential adverse outcome, for the individual.
31.2
Extreme caution will need to be taken in providing that there is every
opportunity to ensure that the information is updated regularly so that it
retains its accuracy.
31.3
Another way of checking information is accurate is to ensure that
individuals are aware of their right to access their personal information held
by NZHIS and request correction.
65
31.4
Trust is an important aspect in ensuring that providers supply information
that is accurate. Once again this is linked to the relationship that NZHIS
has with the providers and the providers with individuals. Both individuals
and mental health service providers need to be satisfied that the objectives
of the MHIP are worth pursuing.
31.5
The quality of the information, which relates to accuracy, will depend on
the confidence the providers have in the MHIP and that NZHIS will
administer the MHIP database in accordance with the project's objectives.
31.6
If there is a lack of trust in the security of the system, or the way the
information may be used there will be an increased risk that the quality of
the information supplied will be inadequate to monitor the implementation
of the National Mental Health Strategy and achieve the project's objectives.
31.7
Accuracy issues relate to using the information in an identifiable form.
From a privacy perspective, this will be relevant where the database is to be
used for research purposes and identifiable information is required. If the
information is inaccurate then this may make the information unsuitable for
65

Page 51
research purposes. In addition, there is the potential for an adverse outcome
for individuals incorrectly selected for research projects.
31.8
All other uses of the information relate to compiling statistical and
aggregate data. Obviously, if the information provided is inaccurate this
will have an impact on the quality of the statistics although it is unlikely
that there will be an adverse outcome for particular individuals.
31.9
There will be occasions where identifiable information is requested for
unanticipated purposes. In those circumstances, the accuracy of the
information is an important factor to be taken into account and NZHIS may
want to either refer such a request to another agency, or check with the
agency which provided the information about its accuracy before disclosing
the information.
66
32.
Retention: Rule 9
32.1
Rule 9 states that a health agency must not hold health information longer
than is required for the purposes for which the information may lawfully be
used. The purposes for which NZHIS requires the information is to
monitor the implementation of the National Mental Health Strategy. This
will be an ongoing purpose.
32.2
Under the Health (Retention of Health Information) Regulations 1996, an
obligation is placed on the providers of health of disability services
regarding how long health information may be retained. It imposes a
minimum period of 10 years beginning the day after the date shown in the
health information as the most recent date on which a provider provided
health or disability services to the individual. As NZHIS is not a provider
of health care services these regulations will not apply. However, the
provisions of the HIPC will apply.
33.
NZHIS response to retention issues
33.1
NZHIS has decided not to place a time limit on how long it will retain the
information. This is because to monitor the delivery of mental health
service, NZHIS needs to retain the information long term to provide on-
going statistical information.
33.2
There will be provision on the database to enter the date of death of an
individual.
NZHIS intends to retain information about deceased
individuals.
66
Generally, unanticipated requests for information will be made under the Official Information Act. This is discussed in more

Page 52
34.
Retention: Discussion
34.1
Providing NZHIS can justify the need to retain the information on the
database for providing on-going statistics that will be a lawful purpose for
retaining the information. However, there may be a time in the future when
certain information will not need to be retained. For instance the records of
deceased individuals. NZHIS needs to consider whether it is appropriate to
consider a time limit for retaining the information of deceased individuals
after their date of death. Information about deceased individuals can be
made non-identifiable, as there will be no need to add further information to
these records.
34.2
In addition, NZHIS needs to consider how long it needs to retain any hard
copy information supplied by mental health service providers. Once the
information has been entered onto the database, and verified for accurate
entry, there should be no need to retain this information.
34.3
From a security point of view this is important as retaining the hard copy
adds to the risk of potential breaches of security and storage safeguards.
Hard copies of information will require additional storage safeguards which
may create an unnecessary risk (and cost), if there is no need to retain the
hard copy of the information.
35.
Use and disclosure: Rules 10 and 11
35.1
The HIPC places limits on the use and disclosure of health information
(rules 10 and 11). Generally, a health agency has the discretion to use or
disclose health information if that is one of the purposes for which it was
obtained or directly related to those purposes. Consequently, it is very
important to establish at the outset the intended purposes of collecting
information. These purposes have been specified in the MHIP objectives.
35.2
All the rules in the HIPC are interrelated, but particularly the collection and
the use and disclosure rules. For instance, with the collection rules the
individual must be told of the information flows and the purpose of those
flows at the time the information is collected. Information may
subsequently be used or disclosed if it is consistent with those purposes.
35.3
However, a health agency obtaining information for one purpose may not
then use that information for another purpose without the authorisation of
the individual unless another exception to one of the rules applies.
Alternatively, the health agency would have to rely on a statutory provision
to enable the information to be used for a different purpose.

Page 53
35.4
As already discussed under security and storage safeguards, compiling
individual information creates a valuable record, in which other parties may
have an interest. Wherever possible, the MHIP must provide adequate
safeguards to protect the information from third party requests for
information, unrelated to the purpose of the project. NZHIS will have to
consider third party requests for information under the Official Information
Act 1982.
36.
NZHIS response to use issues
36.1
NZHIS has specified that the purposes of obtaining the information are to:
enable adequate monitoring of the implementation of the National
Mental Health Strategy;
provide a database for research into the provision of mental health
services;
provide aggregate information to providers, consumer groups, HFA, the
Mental Health Commission and other interested parties in the health
sector.
36.2
By defining the scope of the project NZHIS has limited the extent to which
the information may be used.
37.
NZHIS response to disclosure issues
37.1
Generally, the information disclosed by NZHIS will be in a statistical or
aggregate format and consequently the information will be anonymous.
37.2
NZHIS has a protocol for dealing with the provision of information to
researchers. Any recipient of the information must fulfil the following
requirements:
37.2.1
The research protocol must be approved by an accredited ethics
committee. This means an ethics committee approved by the
Health Research Council or the Director-General of Health;
37.2.2
A copy of the approved research protocol must be provided to
NZHIS;
37.2.3
The recipient must complete a declaration prior to receiving
information about identifiable individuals from NZHIS.

Page 54
37.3
The declaration made by the recipient requires the recipient to undertake
to:
67
37.3.1
Abide by the terms of the research protocol approved by an
accredited ethics committee;
37.3.2
Use the information provided by NZHIS only for the purpose
approved by an accredited ethics committee and as agreed in the
job specification;
37.3.3
Provide a secure storage environment and restrict access to
personal information supplied by NZHIS. Access to such
information should be limited to members of the research project
team (the personal information must not be provided, sold or
otherwise transferred to any third party in any shape, manner or
form);
37.3.4
Provide the NZHIS with an advance copy of any article,
documents, analyses, compilations, or any form of material
produced from the personal information released by the NZHIS
intended for publication. It is the responsibility of the author(s)
of any publications to ensure that information is not published in
a manner which could reasonably be expected to identify any
individual concerned. However, should the NZHIS be concerned
that privacy provisions may be breached it has the right to delay
publication until the issue has been resolved.
37.3.5
Acknowledge the NZHIS as a source of information;
37.3.6
Destroy all personal information on completion of the project and
notify the Manager, Information Services, NZHIS when this has
been done;
37.3.7
Comply in all respects with the relevant requirements of the
Privacy Act 1993 and the Health Information Privacy Code 1994.
37.4
From time to time requests for official information are made to NZHIS for
identifiable information compiled on the National Health Information
Systems. Each request is dealt with on its own merits, but generally,
information is withheld to protect the privacy of natural persons, including
deceased natural persons and the need to protect information which is
67

Page 55
subject to an obligation of confidence and where making the information
available would be likely to damage the public interest.
38.
Use and Disclosure: Discussion
38.1
NZHIS has clearly confined the extent to which the information compiled
on the MHIP database may be used and disclosed. In addition it already
has in place safeguards to protect information disclosed for research
purposes.
38.2
Before NZHIS could contemplate initiating any use or disclosure of
identifiable information outside the scope of the project's objectives it
would have to address the following questions:
38.2.1
Is there any statutory authority:
requiring;
providing a discretion;
68
or
prohibiting,
disclosure of the information?
38.2.2
If there is no statutory authority, has the authorisation of the
individual been obtained?
38.2.3
If it is not practicable to obtain the authorisation of the individual,
is use or disclosure permitted under rule 10 or rule 11(2);
38.2.4
How much information needs to be disclosed to achieve the
purpose of the disclosure?
38.2.5
To whom should the information be disclosed? Who is the
appropriate person or authority to affect the purpose?
38.3
In certain circumstances it may be appropriate to seek the authorisation of
the Privacy Commissioner under section 54 of the Privacy Act to use or
disclose personal information even though that use or disclosure would
otherwise be in breach or rule 10 or 11. In deciding whether or not to give
the authorisation the Commissioner must be satisfied that either:
that the interest in the use or disclosure of the information outweighs any
interference with the privacy of the individual; or
68
Professional and ethical codes of practice provide guidance when exercising a discretion regarding the release of health

Page 56
that the use of disclosure involves a clear benefit to the individual
concerned that outweighs any interference with the privacy of the
individual.
38.4
One of the suggestions for using the information that has been discussed
between NZHIS and providers is the use of the information for clinical
purposes. This has now been rejected as one of the purposes of the project.
However, this does not mean that the information could not be used for
clinical purposes. It could be used for clinical purposes providing the
authorisation of the individual was obtained.
38.5
For example, many people receive a variety of mental health services from
numerous providers. Not all individuals may remember from whom they
have received mental health services. In such cases providers have
suggested that it would be useful to know who else has provided services to
a particular individual. If providers were to seek this information from
NZHIS they could either do so by obtaining the individual's authorisation or
by suggesting the individual makes a request for her or his personal
information held on the MHIP database by NZHIS.
38.6
This is a much better solution than incorporating the clinical purposes as
part of the objectives of the project. Information may be disclosed as
required and on the authorisation of the individual. Obviously, if the
individual did not want a provider to know who else has provided to her or
him, she or he retains the ability to veto the disclosure of the information.
This is consistent with section 22F of the Health Act which requires
information to be communicated between different providers of health
services unless the holder of the information has reasonable grounds for
believing the individual does not want the information disclosed.
38.7
From time to time NZHIS may be asked to provide information from the
MHIP database to other health agencies, such as the Health Funding
Authority. In such cases the information might be requested in either an
identifiable or unidentifiable form.
38.8
However, to be consistent with the objectives of the MHIP, the information
may only be provided for purposes consistent with the objectives of the
MHIP. Generally, that would be for statistical purposes. If the information
is required for statistical purposes, there will be no need to provide
identifiable information, as identifiable information is only required by
NZHIS to enable it to update the information. Consequently the
information should be encrypted so that the name and NHI number cannot

Page 57
be identified. It is important that the recipient agency does not have the
ability to unencrypt the information.
38.9
If identifiable information is disclosed, NZHIS must know the purposes the
information is to be used for by the recipient. It would also need to
consider whether information should be provided in an identifiable format
when the same purposes could be achieved by the recipient agency by
providing non-identifiable information.
38.10
However, if NZHIS provides identifiable information without ascertaining
the purpose of the disclosure and the recipient agency uses the information
for anything other than statistical purposes then NZHIS may be vulnerable
to complaints regarding the disclosure of information for purposes outside
the scope of the MHIP.
38.11
The recipient agency may also be vulnerable to complaints, if it obtains
information on the basis that the information is for statistical purposes, but
in fact uses the information for other purposes.
39.
Requests for official information
39.1
Third party requests for information need to be considered under the
Official Information Act rather than rule 11, although this rule may be used
to provide guidance to whether or not there may be grounds for withholding
the information.
39.2
Although each request must be considered on its own merits, in most cases
there will be grounds under section 9 of the Official Information Act to
withhold the information to protect the privacy of natural persons. In
addition, there is a public interest, in order to maintain the integrity of the
database, that this sort of information should not be made available.
39.3
If information were to be made available it is quite likely that this would
have a flow on effect to the providers of mental health services, who may
be reluctant to supply the information.
39.4
Once again the importance of maintaining the trust of the providers is
essential to the success of the MHIP, as there is no compulsion for the
mental health service providers to supply the information.

Page 58
40.
Unique identifiers: Rule 12
40.1
Rule 12 sets out several provisions which concern the use of unique
identifiers. A health agency must not assign a unique identifier to an
individual unless the assignment of that identifier is necessary to enable the
health agency to carry out any one or more of its functions efficiently.
40.2
Unique identifiers are a means of distinguishing one individual from
another. Unlike a name, where there may be several people with the same
name, a unique identifier provides a means of accurately linking and
indexing information about an identifiable individual. The NHI number is
a unique identifier.
40.3
Using a unique identifier when communicating health information between,
say, providers who are able to link the number to the person, prevents an
opportunist unauthorised user from immediately identifying a particular
piece of information to a named person. However, it does not make the
information unidentifiable.
40.4
There is no statutory provision which requires all individuals to have an
NHI number. However, this number has become established as the main
identifier used in the provision of health care services.
41.
NZHIS response to unique identifier issues
41.1
The NHI number is considered to be the most suitable unique identifier for
the MHIP, as records will be updated by a variety of different service
providers. Using an alternative unique identifier would create a huge
administrative burden on providers.
42.
Unique identifiers: Discussion
42.1
Administratively, it is appropriate for NZHIS to use the NHI as the
common unique identifier for obtaining and updating information on the
MHIP database. An alternative unique identifier system is not a practical
option.
42.2
From time to time information for inclusion on the MHIP will be obtained
by NZHIS from other sources. An example is the date of death. As this
information is also provided with an NHI number attached, this will enable
NZHIS to update the MHIP database.
42.3
The privacy risks associated with the use of unique identifiers, and in
particular with the NHI, is the facility to link information that was

Page 59
previously held separately, simply because compiling the information into
one record was inhibited by uncertainty about the identity of individuals.
42.4
Information with a unique identifier attached is still identifiable information
for any one who has the key to link the number to an individual. As there is
an increase in the use of the NHI number and more health agencies have
access to the NHI database the ability to link an NHI number to an
individual increases.
42.5
NZHIS has been open about what information will be collected and the
purposes. The greatest concerns lie in other organisations obtaining the
information from the MHIP database with an unencrypted NHI number
which allows that other agency to link information it may also have about
the individual.
42.6
Consequently, NZHIS must ensure that information it obtains for the MHIP
database, is not made available to any other agency with an unencrypted
NHI number attached.
43.
Access and Correction: Rules 6 and 7
43.1
The HIPC creates a right for individuals to access personal health
information held about them and request correction of that information.
43.2
Under rule 3, when information is being collected, individuals have a right
to know which agencies will hold their personal health information. As
part of the MHIP, individuals are able to request access to their information
held by NZHIS.
43.3
Individuals have a right to ensure that they know what personal health
information is held about them by different health agencies. The right to
access information helps to keep those holding the information accountable
to the individual about the way in which it manages personal information.
43.4
An individual would be entitled to make an access request to NZHIS for a
copy of her or his personal information. If that information were incorrect
the individual has the right to request correction of that information, or have
a statement of correction attached to the record.

Page 60
44.
NZHIS response to access and correction issues
44.1
To date, NZHIS has not received many request by individuals for access to
their information. However, once an individual has been able to show
some form of identification, access is generally provided.
44.2
Where an individual requests a correction be made to the information, the
request for correction has to be referred to the agency which supplied the
information. The correction is subsequently made on the relevant NZHIS
database once updated information is supplied by the provider of the
information.
45.
Access and correction: Discussion
45.1
The type of information compiled on the MHIP will be very sensitive.
Consequently, it is important that individuals are aware of their rights to
access and request correction of their information.
45.2
Even though NZHIS is not in a position to correct the information directly,
it could consider providing a field on the database which allows the entry of
a flag to indicate that the individual is not in agreement with some of the
information contained on the database.
46.
Conclusions
46.1
Any centralised database containing identifiable information raises issues
concerning the extent of information obtained and the purpose of such a
database.
46.2
Having measured the MHIP against the HIPC rules, it is useful to now
address the questions raised in paragraph 18.11.
46.3
What is the purpose of the information?
46.3.1
NZHIS have clearly defined the purpose of the database as a
secondary database for providing statistical and aggregate
information and for providing a database of research into the
provision of mental health services. This purpose is consistent
with the objectives of the National Mental Health Strategy.
NZHIS is an appropriate agency to be carrying out this project.
46.3.2
Providing clinical information would have been beyond the scope
of the MHIP and beyond the functions of NZHIS. It is

Page 61
appropriate that this is no longer a potential use of the MHIP
database.
46.4
Will collection achieve a compelling public health purpose?
46.4.1
Depending on the success of NZHIS in obtaining complete and
accurate information for the database, and the use of that
information to measure and assess the implementation of the
National Mental Health Strategy, it is possible to say that
collecting information for the objectives of the MHIP will
achieve a compelling public health purpose. That purpose being
the monitoring of the National Mental Health Strategy.
46.5
Will collection result in effective health policy: that is, might it drive people
underground if they fear the consequence of disclosure?
46.5.1
There will always be a risk that if an individual considers the
actions of a provider of health services inappropriate that the
individual will seek health services elsewhere, or not seek any
health services. Consequently, to avoid the risk of someone
deciding not to seek mental health services, it will be essential
that individuals are fully aware of the purposes of the MHIP and
understand that safeguards are in place to protect their personal
information.
46.6
Who will have access to the information? Can it be disclosed by force or
law? What will be the effect of negligent disclosure?
46.6.1
Only authorised staff of NZHIS will have access to identifiable
information contained on the MHIP database. Such access will
be provided to those who need to update the database. Analysts
working for NZHIS will only be able to view encrypted
information.
46.6.2
The only other person entitled to access the information will be
the individual, or that person's agent. All other anticipated
disclosures of identifiable information will be subject to the
criteria set out under the research protocol.
46.6.3
The information is vulnerable to requests made under the Official
Information Act.
If a request is made for identifiable
information, it may only be withheld in certain circumstances,
and where there is no overriding factor which renders it desirable
in the public interest to make the information available.

Page 62
However, in most circumstances it should be possible to withhold
the information to protect the privacy of natural persons. Indeed,
routinely releasing the information on request would have serious
implications on the ability of NZHIS to be able to administer the
National Health Information Systems in a way which protects the
personal information contained on those databases.
46.6.4
If personal information is disclosed either negligently or
deliberately a complaint may be made to the Privacy
Commissioner regarding an interference with privacy. In
addition, it is a criminal offence for an official to corruptly use or
disclose any information acquired in her or his capacity to obtain
directly or indirectly an advantage or pecuniary gain for her or
himself or for any other person.
46.7
What impact will it have on human rights - is there a stigma to individuals
or communities?
46.7.1
It is acknowledged that there is a stigma associated to any person
diagnosed with having a mental illness. The Mental Health
Commission has taken on the role of reducing such stigma.
However, there will always be a risk that information compiled
about the delivery of secondary mental health services has the
potential to further stigmatise those individuals receiving
treatment if the information is not properly safeguarded from the
disclosure of identifiable information.
46.7.2
The objective of the MHIP is to be able to measure the
implementation of the National Mental Health Strategy, which
should result in better provision and targeting of mental health
services.
46.7.3
In balancing the risk of further stigmatisation against the benefits
of better service provision, account must be given for providing
safeguards to protect the information and minimising the risk of
stigmatisation. NZHIS has done this by limiting the use and
disclosure of identifiable information.
46.7.4
Without safeguards to protect the information there is a risk that
the quality of information provided may be compromised as
providers and individuals will not want to participate. In turn this
will affect NZHIS's ability to obtain accurate and complete
information and compromise its ability to provide useful statistics

Page 63
measuring the implementation of the National Mental Health
Strategy.
46.8
Are there less invasive alternatives?
46.8.1
NZHIS has taken privacy considerations very seriously.
However, because each record needs to be updated it is necessary
to collect identifiable information. If NZHIS only collected
statistical information from providers, each set of information
obtained would only provide a frozen picture of the delivery of
services at any one particular time. It would not enable NZHIS to
identify trends or patterns of service delivery or identify
particular needs.
46.8.2
Consideration was also given to the use of a different unique
identifier, other than the NHI number. However, as the NHI
number is increasingly being used by health service providers, the
administrative aspects of developing another unique identifier
specifically for the mental health sector is not a practical
alternative at this stage.
46.8.3
However, protections will be in place to ensure that, other than in
the case of research projects, information will not be provided by
NZHIS with an unencrypted NHI number.
46.9
What safeguards are available to reduce the risk?
46.9.1
NZHIS has confined the scope of the MHIP, limiting the
information to be collected to that sufficient to measure the
implementation of the MHIP and enable research projects which
are also concerned with the provision of mental health services.
46.9.2
NZHIS has worked within the framework of the HIPC to measure
the development of the project alongside the requirements of the
health information privacy rules.
46.10
Overall, the way the project has been developed indicates that NZHIS is
committed to taking a leadership role with respect to the provision of health
information services generally, and in this instance in the implementation of
the MHIP.
46.11
In doing so it has recognised the need to ensure that its own staff are
familiar with the requirements of the Privacy Act and the Health
Information Privacy Code. In addition NZHIS has acknowledged that in

Page 64
order to build a trusting relationship with health service providers, it is
important that NZHIS help providers fulfil their obligations when collecting
information from individuals.
46.12
NZHIS has taken the potential privacy impacts seriously and acknowledged
the role it needs to play in ensuring that the providers are aware of the
purposes of the information and their privacy obligation with respect to
their patients.
46.13
Trust in NZHIS and value in the benefits of the MHIP by both the providers
of mental health services and the individuals receiving those services, will
be the deciding factor to the ultimate success of the project.

Page 65
47.
Recommendations (not in any order of priority)
47.1
Recommendation 1:
NZHIS needs to document its information
management policy regarding the MHIP. This policy should provide an
overview of how the information will be protected from potential privacy
intrusions including:
how NZHIS will ensure that providers are aware of their obligations
when collecting information from individuals for the MHIP;
storage and security safeguards in place to protect the information;
retention periods for electronic and paper records;
mechanism for secure destruction of records;
how accuracy of the information will be achieved;
restrictions on access to identifiable information by staff of NZHIS and a
policy for dealing with unanticipated requests for information held on
the database;
protocol for dealing with research projects;
restrictions on the linking, by NHI number, of personal information
obtained from the MHIP;
a procedure enabling individuals to access their personal information and
request correction.
47.2
Recommendation 2: NZHIS should consider the possibility of appointing
a group to monitor the implementation of MHIP on an on-going basis,
including monitoring how effective the project is in supplying the statistics
necessary to measure the implementation of the National Mental Health
Strategy. Such a group could also have responsibility for protecting the
information and considering requests for access for research projects and
official information requests. For example, NZHIS may chose to invite
interested groups to be represented on the group such as Mental Health
Commission, the Office of the Privacy Commissioner, and mental health
consumer groups.
47.3
Recommendation 3: NZHIS needs to develop education materials such as
posters and pamphlets, use of web site for both providers and individuals to
gain an awareness and understanding about the MHIP. These materials
should explain:
the objectives of the project and why specific information needs to be
collected;
how the information will be protected, and who will be able to use the
information;
individual's right to access and correct information held by NZHIS.

Page 66
NZHIS should work with the Office of the Privacy Commissioner in
developing these materials.
Health agencies should be encouraged to have adequate training
programmes.
47.4
Recommendation 4: NZHIS needs to provide on-going training for their
staff to ensure that they are aware of how personal health information
should be protected from potential privacy risks.
47.5
Recommendation 5: NZHIS needs to consider whether it is necessary to
retain information about deceased persons in an identifiable form as there
will be no need to add further information to those records.
47.6
Recommendation 6: NZHIS needs to ensure that a field is included on the
database to provide an alert where an individual has requested the
correction of information or the inclusion of a statement of correction. This
will alert those considering disclosing information for research purposes of
the possible inaccuracy of the information.

Page 67
Bibliography
Statutes
Alcoholism and Drug Addiction Act 1966.
Crimes Act 1961.
Health Act 1956.
Hospitals Act 1957.
Medicines Act 1981.
Mental Health Act 1998.
Mental Health Commission Act 1998.
Misuse of Drugs Act 1975.
Official Information Act 1982.
Privacy Act 1993.
Rules, Codes and Standards
Australia/New Zealand Standard on "Information Security Management" AS/NZS 4444.
Health Information Privacy Code 1994.
Health Information Privacy Code Rules.
National Mental Health Standards, Ministry of Health, Wellington, January 1997.
Secondary materials
Reports
Blueprint for Mental Health Services in New Zealand. How things need to be. Mental Health
Commission, November 1998.
Looking Forward: Strategic Directions for the Mental Health Services, Ministry of Health,
Wellington, June 1994.
Medical Record Databases: Just what you Need? Report prepared for the Privacy
Commissioner by Robert Stevens, April 1998.
Mental Health Data 1993 Revised Editions, Ministry of Health, New Zealand Health
Information Service 1996.
Mental Health Strategy Advisory Group - Statement to the Minister of Health, April 1996.
Moving Forward: The National Mental Health Plan for More and Better Services, Ministry
of Health, Wellington, 1997.
Report ("The Mason Report")of the Ministerial Inquiry to the Minister of Health Hon Jenny
Shipley, May 1996.
Books

Page 68
For the record: Protecting Electronic Health Information Committee on Maintaining Privacy
and Security in Health Care Applications of the National Information Structure, National
Academy Press, Washington DC, 1997.
Health Data in the Information Age: Use Disclosure and Privacy; Molla S Donaldson;
Kathleen N Lohr, Ed. Committee on Regional Health Data Networks, Institute of Medicine,
National Academy Press, Washington DC, 1994.
Health Information Strategy for the Year 2000, Ministry of Health, 1996.
The Computer-Based Patient Record: An Essential Technology for Health Care Richard S
Dick, Elaine B. Steen, and Don E. Detmer, Editors, Committee on Improving the Patient
Record Division of Health Care Services, Institute of Medicine, National Academy Press,
Washington DC, 1997.
The Oxford English Reference Dictionary (2nd ed), Oxford University Press, Oxford, 1996.
Periodicals
Sunday Times, London, November 1995.
Internet Web sites
http://www.health.govt.nz/
http://www.hrc.govt.nz/ethguid9.htm.
http://www.moh.govt.nz
http://www.nzhis.govt.nz/projects.mhnews-current.html
http://www.nzhis.govt.nz/projects/mental.html

Page 69
Appendix 1
HEALTH INFORMATION PRIVACY RULES
Rule 1
Purpose of Collection of Health Information
Health information must not be collected by any health agency unless:
(a) the information is collected for a lawful purpose connected with a function or activity of the health
agency; and
(b) the collection of the information is necessary for that purpose.
Rule 2
Source of Health Information
(1)
Where a health agency collects health information, the health agency must collect the information directly
from the individual concerned.
(2) It is not necessary for a health agency to comply with subrule (1) if the agency believes on reasonable
grounds:
(a) that the individual concerned authorises collection of the information from someone else having
been made aware of the matters set out in subrule 3(1);
(b) that the individual is unable to give his or her authority and the health agency having made the
individual’s representative aware of the matters set out in subrule 3(1) collects the information from
the representative or the representative authorises collection from someone else;
(c) that compliance would:
(i)
prejudice the interests of the individual concerned;
(ii)
prejudice the purposes of collection; or
(iii) prejudice the safety of any individual;
(d) that compliance is not reasonably practicable in the circumstances of the particular case;
(e) that the collection is for the purpose of assembling a family or genetic history of an individual and
is collected directly from that individual;
(f) that the information is publicly available information;
(g) that the information:
(i)
will not be used in a form in which the individual concerned is identified;
(ii) will be used for statistical purposes and will not be published in a form that could reasonably
be expected to identify the individual concerned; or
(iii) will be used for research purposes (for which approval by an ethics committee, if required,
has been given) and will not be published in a form that could reasonably be expected to
identify the individual concerned;
(h) that non-compliance is necessary:
(i)
to avoid prejudice to the maintenance of the law by any public sector agency, including the
prevention, detection, investigation, prosecution, and punishment of offences;
(ii)
for the protection of the public revenue; or
(iii) for the conduct of proceedings before any court or tribunal (being proceedings that have been
commenced or are reasonably in contemplation); or
(i)
that the collection is in accordance with an authority granted under section 54 of the Act.
Rule 3
Collection of Health Information from Individual
(1)
Where a health agency collects health information directly from the individual concerned, or from the
individual’s representative, the health agency must take such steps as are, in the circumstances, reasonable
to ensure that the individual concerned (and the representative if collection is from the representative) is
aware of:
(a)
the fact that the information is being collected;
(b)
the purpose for which the information is being collected;
(c)
the intended recipients of the information;
(d)
the name and address of:
(i)
the health agency that is collecting the information; and

Page 70
(ii) the agency that will hold the information;
(e) whether or not the supply of the information is voluntary or mandatory and if mandatory the
particular law under which it is required;
(f) the consequences (if any) for that individual if all or any part of the requested information is not
provided; and
(g) the rights of access to, and correction of, health information provided by rules 6 and 7.
(2) The steps referred to in subrule (1) must be taken before the information is collected or, if that is not
practicable, as soon as practicable after it is collected.
(3) A health agency is not required to take the steps referred to in subrule (1) in relation to the collection of
information from an individual, or the individual’s representative, if that agency has taken those steps in
relation to the collection, from that individual or that representative, of the same information or
information of the same kind for the same or a related purpose, on a recent previous occasion.
(4) It is not necessary for a health agency to comply with subrule (1) if the agency believes on reasonable
grounds:
(a)
that non-compliance is authorised by the individual concerned;
(b)
that compliance would:
(i)
prejudice the interests of the individual concerned; or
(ii) prejudice the purposes of collection;
(c) that compliance is not reasonably practicable in the circumstances of the particular case; or
(d) that non-compliance is necessary to avoid prejudice to the maintenance of the law by any public
sector agency, including the prevention, detection, investigation, prosecution, and punishment of
offences.
Rule 4
Manner of Collection of Health Information
Health information must not be collected by a health agency:
(a) by unlawful means; or
(b) by means that, in the circumstances of the case:
(i)
are unfair; or
(ii) intrude to an unreasonable extent upon the personal affairs of the individual concerned.
Rule 5
Storage and Security of Health Information
(1)
A health agency that holds health information must ensure:
(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances
to take, against:
(i)
loss;
(ii) access, use, modification, or disclosure, except with the authority of the agency; and
(iii) other misuse;
(b) that if it is necessary for the information to be given to a person in connection with the provision of
a service to the health agency, including any storing, processing, or destruction of the information,
everything reasonably within the power of the health agency is done to prevent unauthorised use or
unauthorised disclosure of the information; and
(c) that, where a document containing health information is not to be kept, the document is disposed of
in a manner that preserves the privacy of the individual.
(2) This rule applies to health information obtained before or after the commencement of this code.
Rule 6
Access to Personal Health Information
(1)
Where a health agency holds health information in such a way that it can readily be retrieved, the
individual concerned is entitled:
(a) to obtain from the agency confirmation of whether or not the agency holds such health information;
and
(b)
to have access to that health information.

Page 71
(2) Where, in accordance with paragraph (1)(b), an individual is given access to health information, the
individual must be advised that, under rule 7, the individual may request the correction of that
information.
(3) The application of this rule is subject to:
(a) Part IV of the Act (which sets out reasons for withholding information);
(b) Part V of the Act (which sets out procedural provisions relating to access to information); and
(c) clause 6 (which concerns charges).
(4) This rule applies to health information obtained before or after the commencement of this code.
Rule 7
Correction of Health Information
(1)
Where a health agency holds health information, the individual concerned is entitled:
(a)
to request correction of the information; and
(b) to request that there be attached to the information a statement of the correction sought but not
made.
(2) A health agency that holds health information must, if so requested or on its own initiative, take such
steps (if any) to correct the information as are, in the circumstances, reasonable to ensure that, having
regard to the purposes for which the information may lawfully be used, it is accurate, up to date,
complete, and not misleading.
(3) Where an agency that holds health information is not willing to correct the information in accordance with
such a request, the agency must, if so requested, take such steps (if any) as are reasonable to attach to the
information, in such a manner that it will always be read with the information, any statement provided by
the individual of the correction sought.
(4) Where the agency has taken steps under subrule (2) or (3), the agency must, if reasonably practicable,
inform each person or body or agency to whom the health information has been disclosed of those steps.
(5) Where an agency receives a request made under subrule (1), the agency must inform the individual
concerned of the action taken as a result of the request.
(6) The application of this rule is subject to the provisions of Part V of the Act (which sets out procedural
provisions relating to correction of information).
(7) This rule applies to health information obtained before or after the commencement of this code.
Rule 8
Accuracy etc of Health Information to be Checked Before Use
(1)
A health agency that holds health information must not use that information without taking such steps (if
any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the
information is proposed to be used, the information is accurate, up to date, complete, relevant, and not
misleading.
(2) This rule applies to health information obtained before or after the commencement of this code.
Rule 9
Retention of Health Information
(1)
A health agency that holds health information must not keep that information for longer than is required
for the purposes for which the information may lawfully be used.
(2) Subrule (1) does not prohibit any agency from keeping any document that contains health information the
retention of which is necessary or desirable for the purposes of providing health services or disability
services to the individual concerned.
(3) This rule applies to health information obtained before or after the commencement of this code.
Rule 10
Limits on Use of Health Information
(1)
A health agency that holds health information obtained in connection with one purpose must not use the
information for any other purpose unless the health agency believes on reasonable grounds:
(a) that the use of the information for that other purpose is authorised by:
(i)
the individual concerned; or
(ii) the individual’s representative where the individual is unable to give his or her authority
under this rule;

Page 72
(b) that the purpose for which the information is used is directly related to the purpose in connection
with which the information was obtained;
(c) that the source of the information is a publicly available publication;
(d) that the use of the information for that other purpose is necessary to prevent or lessen a serious and
imminent threat to:
(i)
public health or public safety; or
(ii)
the life or health of the individual concerned or another individual;
(e) that the information:
(i)
is used in a form in which the individual concerned is not identified;
(ii) is used for statistical purposes and will not be published in a form that could reasonably be
expected to identify the individual concerned; or
(iii) is used for research purposes (for which approval by an ethics committee, if required, has
been given) and will not be published in a form that could reasonably be expected to identify
the individual concerned;
(f) that non-compliance is necessary:
(i)
to avoid prejudice to the maintenance of the law by any public sector agency, including the
prevention, detection, investigation, prosecution, and punishment of offences; or
(ii) for the conduct of proceedings before any court or tribunal (being proceedings that have been
commenced or are reasonably in contemplation);
(g) that the use of the information is in accordance with an authority granted under section 54 of the
Act.
(2) This rule does not apply to health information obtained before [1 July 1993].
Rule 11
Limits on Disclosure of Health Information
(1)
A health agency that holds health information must not disclose the information unless the agency
believes, on reasonable grounds:
(a)
that the disclosure is to:
(i)
the individual concerned; or
(ii) the individual’s representative where the individual is dead or is unable to exercise his or her
rights under these rules;
(b)
that the disclosure is authorised by:
(i)
the individual concerned; or
(