Steps the Ministry has taken to address privacy issues

• Appointed representatives of three responsible authorities (the New Zealand Medical Council, the Pharmacy Council of New Zealand and the Nursing Council of New Zealand) to the steering group of the HPI project.
• Commissioned and consulted on a Privacy Impact Assessment. Parties consulted include the Privacy Commissioner and responsible authorities.
• Obtained legal opinions (including from the Crown Law Office) on privacy aspects of the project, and made these opinions available to the Privacy Commissioner and to responsible authorities.
  
  

Much of the information required for the HPI is ‘publicly available information’ by virtue of its inclusion in public registers under the Health Practitioners Competence Assurance Act 2003 (and predecessor Acts). As such, its disclosure by responsible authorities to the Ministry for inclusion on the HPI will not breach any aspect of the Privacy Act.

In respect of information required for the HPI that is not ‘publicly available information’ (for example, information required to verify identity, such as practitioner’s date of birth), it may still be disclosed to the Ministry provided that certain protocols in respect of the collection, use and subsequent disclosure (if any) of that information are observed. The Ministry is working with responsible authorities to ensure that they comply with these legal requirements. For example, the Ministry funded legal resource to ensure that the Nursing Council met its obligations under the Privacy Act.

• The development of Data Provision Agreements, by which the Ministry will agree with responsible authorities, as a condition of providing their register and other information, on what information will be provided to the HPI, and who will be entitled to have access to it.
• The development of Data Access Agreements, by which the Ministry will agree with organisations (such as DHBs and ACC) what personal information from the HPI they will be able to have access to.
  
  

The Ministry has sought to identify, analyse, manage and minimise the risks of any breaches of individual privacy in all its preparations for the HPI. The Privacy Act does not contemplate ‘definitive rulings’ being given in advance as to the compliance or non-compliance of any given activity with the Act. Complaints can only be investigated and adjudicated upon as they arise.

It should be noted, however, that the risks of any successful claim for damages being brought against any responsible authority in respect of any alleged breach of privacy for the provision of public register information are negligible. An action is not a breach of an information privacy principle if the information at issue is ‘publicly available’. An allegation of breach of a public register privacy principle can only result in the Privacy Commissioner making a report and recommendations on the legislation governing the administration of the public register.