If you're operating in New Zealand, or hold information about any individual in New Zealand, then the New Zealand Privacy Act 2020 applies to you.
We've listed the principles below, with a short description of each and details on how Finger-Ink complies and helps your clinic to comply.
Principle 1 - Purpose for collection
Principle 1 states that organisations must only collect personal information if it is for a lawful purpose connected with their functions or activities, and the information is necessary for that purpose. This principle is about data minimisation.
Principle 2 - Source of information - collection from the individual
Principle 2 states that personal information should be collected directly from the person it is about. The best source of information about a person is usually the person themselves. Collecting information from the person concerned means they know what is going on and have some control over their information.
Finger-Ink only collects personal information that is provided to us directly.
Most of the time, you'll be using Finger-Ink to collect information directly from patients. Sometimes that's not possible, and the Act accounts for this — please see this article for more.
Principle 3 - What to tell the individual about collection
Principle 3 means that organisations should be open about why they are collecting personal information and what they will do with it. This principle is about helping people understand the reasons you are collecting their information.
Principle 4 - Manner of collection
Principle 4 states that personal information must be collected in a way that is lawful and seen as fair and reasonable in the circumstances.
Finger-Ink only collects personal information necessary for providing our service to you.
You'll need to make sure that your clinic only collects information with our Forms in a way that is fair, reasonable and lawful.
Principle 5 - Storage and security of information
Principle 5 states that organisations must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information.
Privacy and security are always thoroughly considered in everything we do here at Finger-Ink. You can read about how Finger-Ink secures your data in our "Your data in Finger-Ink" article.
If there is a breach and your Personal Information is at risk, you will be notified within 72 hours of the breach being discovered.
Principle 6 - Providing people access to their information
Principle 6 states that people have a right to ask for access to their own personal information.
As Finger-Ink just passes information along to Cliniko, you can export your patients' information from Cliniko and send it to them if requested.
Principle 7 - Correction of personal information
Principle 7 states that a person has a right to ask an organisation or business to correct information about them if they think it is wrong.
If you need to correct any of the personal information we have on file for you, email us and we'll sort it for you.
For patient data, since the primary records are maintained in Cliniko, corrections should be made directly there.
Principle 8 - Ensure accuracy before using information
Principle 8 states that an organisation must check before using or disclosing personal information that it is accurate, up to date, complete, relevant and not misleading.
Finger-Ink helps you comply with this principle by facilitating collection of patient information directly from the patient through Forms.
Principle 9 - Limits on retention of personal information
Principle 9 states that an organisation should not keep personal information for longer than it is required for the purpose it may lawfully be used.
You can delete any Form Response that is no longer required to be stored within the Finger-Ink Portal.
Principle 10 - Use of personal information
Principle 10 means that organisations can generally only use personal information for the purpose it was collected, and there are limits on using personal information for different purposes.
Principle 11 - Disclosing personal information
Principle 11 means that an organisation may generally only disclose personal information for the purpose for which it was originally collected or obtained. Sometimes other reasons for disclosure are allowed, such as disclosure for a directly related purpose, or if the person in question gives their permission for the disclosure.
Principle 12 - Disclosure outside New Zealand
Principle 12 means that an organisation may only disclose personal information to another organisation outside New Zealand if that organisation is subject to the Privacy Act, will adequately protect the information, or is subject to privacy laws that provide comparable safeguards to the Privacy Act.
We ensure that any organisation we work with, where personal information might be disclosed, is compliant with this principle.
Your clinic can use this decision tree to determine if this principle applies to any disclosure of yours.
Principle 13 - Unique identifiers
Principle 13 sets restrictions on assigning identifying numbers and other unique identifiers to individuals. The principle states that an organisation can only assign unique identifiers to people when it is necessary for its functions. Unique identifiers are individual numbers, references, or other forms of identification allocated to people by organisations as a way to uniquely identify the person to the organisation assigning the identifier. Examples include driver’s licence numbers, passport numbers, IRD numbers, or National Health Index (NHI) numbers.
Finger-Ink neither generates these numbers nor requires them to be stored for patients, and we do not collect them from Finger-Ink users.