
Privacy Policy

POLICY

1. This policy sets out the approach of Te Whare Tohu Tapuhi o Aotearoa | The College of Nurses Aotearoa (College) to complying with the Privacy Act 2020 (Act) and the Health Information Privacy Code 2020 (Code), including how the College collects, stores, accesses, uses, corrects and discloses personal and health information in the course of its activities.

SCOPE

2. This policy applies to all personal and health information collected, held, used and/or disclosed by the College in relation to its Board members, College members, staff, contractors and other individuals it interacts with in carrying out its functions, including information provided in the context of complaints.

POLICY STATEMENT

3. The College is committed to complying with the Act and the Code in its handling of personal and health information and will take reasonable steps to ensure that such information is:


a. Collected for lawful and appropriate purposes;

b. Used and disclosed only for purposes for which it was collected or as otherwise permitted by law;

c. Stored securely and protected against loss, unauthorised access, use, modification or disclosure;

d. Accurate, up-to-date, and corrected where appropriate;

e. Accessible to individuals in accordance with their rights.


4. The College’s privacy statement is available on its website and is provided to members when they join the College (link).

KEY DOCUMENTS

5. The following documents support the College’s privacy framework:


a. Privacy Act 2020. Privacy Act 2020 | Information Privacy Principles

b. Health Information Privacy Code 2020 (HIPC). Office of the Privacy Commissioner | Health Information Privacy Code 2020

c. Privacy Policy (this document).

d. Privacy Statement.

DEFINITIONS

6. Board means the governing body of the College responsible for its governance, strategic direction, and oversight.


7. Health information means personal information about an identifiable individual’s health or disability, or the provision of health services, as defined in the Code.


8. Member means a person admitted to membership of the College in accordance with the College rules, including any registered nurse, nurse practitioner and other recognised membership categories.


9. Personal information means information about an identifiable individual as defined in the Act.

MEMBERS: INFORMATION COLLECTED AND PURPOSE

10. The College collects personal information from its members, including:


a. name, or other names the member is known by;

b. contact information, including email, phone number and residential address;

c. billing or purchase information;

d. professional qualifications and scope of practice;

e. ethnicity and/or Iwi affiliation;

f. employer;

g. professional areas of interest.


11. The College collects members’ personal information for the purposes of administering membership, providing professional indemnity cover and advice, managing financial and banking processes, and communicating with members.


12. Sharing of members’ personal information is limited to what is necessary to:


a. operate and maintain the College’s membership, accounting, and banking systems; and

b. share information with insurers or legal advisers to support the provision of professional indemnity advice and services to members.


13. Where required, consent for the above information sharing will be obtained from members, including through a Consent Form provided at the beginning of membership. The College privacy Consent Form is available here: Link


14. Members have the right to request access to their personal information and to request correction of that information in accordance with the Act.

BOARD MEMBERS: INFORMATION COLLECTED AND PURPOSE

15. In addition to the personal information collected from members, the College may collect additional information from Board members.


16. This information will be limited to what is necessary to support the governance and administration of the College, including maintaining a Conflict of Interests register and complying with obligations under the Incorporated Societies Act 2022. Incorporated Societies Act 2022 | New Zealand Legislation.

STAFF: INFORMATION COLLECTED AND PURPOSE

17. The College collects and holds personal information about its employees and contractors.


18. The information collected may include:


a. name, address and contact details;

b. emergency contact details;

c. IRD information; and

d. bank account details.


19. The College collects this information for the purposes of managing employment and contractor relationships, administering payroll, and meeting its legal obligations, including under the Health and Safety at Work Act 2015. This may also include information necessary for human resources management and organisational operations. Health and Safety at Work Act 2015 | New Zealand Legislation

PATIENT/CLIENT HEALTH INFORMATION PROVIDED BY MEMBERS

20. The College does not generally collect or hold identifiable patient or client information. In most circumstances, information provided to the College by members should be de-identified.


21. When members seek assistance from the College, they are expected to provide information in de-identified form wherever possible. Members should not disclose identifiable health information unless they reasonably believe that disclosure is permitted under Rule 11 of the Code, including where:


a. the disclosure is necessary to avoid prejudice to the maintenance of the law, including the prevention, detection, investigation, prosecution, or punishment of offences;

b. the disclosure is necessary for the conduct of proceedings before a court or tribunal that have commenced or are reasonably in contemplation;

c. another exception under Rule 11 applies.


22. In matters relating to a member’s professional conduct, where proceedings have commenced or are reasonably in contemplation, members may disclose identifiable information about a client/patient or others to their legal advisers where necessary for the conduct of those proceedings. Such disclosures should be limited to what is necessary and within the scope of the member’s professional indemnity cover.


23. It will not typically be necessary for identifiable information to be disclosed to the College itself.


24. Members remain responsible for ensuring that any disclosure of health information complies with their professional, legal, and employer obligations.

INFORMATION PRIVACY PRINCIPLE (IPP) 3A: INFORMATION COLLECTED INDIRECTLY

25. From 1 May 2026, where members, the College, or legal advisers collect personal information indirectly (that is, from a third party rather than directly from the individual), reasonable steps must be taken to ensure that the individual concerned (or their representative) is made aware, as soon as reasonably practicable, of the matters required under IPP 3A, unless an exception applies.


26. Exceptions may include where:


a. the individual has already been made aware;

b. notifying the individual would prejudice the purpose of collection;

c. notifying the individual is not reasonably practicable in the circumstances.


27. An individual is considered to be “made aware” if they are informed of:


a. the fact that the information has been collected;

b. the purpose of the collection;

c. the intended recipients of the information;

d. the name and address of the agency that is collecting and holding the information;

e. if the collection is authorised or required by law, the relevant law; and

f. their rights of access to, and correction of, their information.


28. IPP 3A does not apply where the information collected is not identifiable.


29. Nothing in this policy requires a member to act inconsistently with lawful directions, policies, or systems imposed by their employer or contracting organisation.

INDEMNITY IMPLICATIONS

30. To support compliance with IPP 3A, the College recommends that members ensure their own privacy statements address the handling of information in the context of complaints and investigations.


31. An example statement may include:


“For the purposes of meeting our obligations under Right 10 of the Code of Health and Disability Services Consumers' Rights, we may at times seek advice from the College, our legal representative or professional advisers. As part of seeking this advice, we may disclose some of your health information to them. The information shared will be limited to that which is relevant to the matter.”


32. Members practising within an organisation should act consistently with their employer’s privacy policies and systems. Any concerns that an organisation’s policies do not adhere to IPP 3A should be raised internally in the first instance.

Complaints

33. The College will manage privacy complaints and investigations in a fair, timely and transparent manner in accordance with the Act and the Code and may refer complaints to the Office of the Privacy Commissioner where appropriate.


34. In responding to privacy complaints the College will:


a. designate appropriate personnel to receive and manage the complaint;

b. acknowledge receipt of the complaint;

c. assess whether the complaint raises a potential breach of the Act or Code;

d. take reasonable steps to investigate the complaint and determine whether it is substantiated;

e. take reasonable steps to respond to the complaint and address any issues identified; and

f. inform the complainant of the outcome and any actions the College proposes to take.


35. Nothing in this policy limits the complainant’s rights under the Act or the Code.


36. The College will aim to resolve complaints as quickly as practicable and will keep complainants informed of progress where appropriate.

SECURITY AND DESTRUCTION OF PERSONAL AND HEALTH INFORMATION

37. The College takes seriously its responsibility to securely hold members’, staff and complaint-related information.


38. The College has in place reasonable safeguards to protect personal and health information against loss, unauthorised access, use, modification, disclosure or other misuse.


39. The College will maintain appropriate physical, administrative and technical security measures, including measures relating to cybersecurity, access controls, authentication, secure storage, and system security having regard to the nature and sensitivity of the information held.


Retention and Disposal


40. The College will retain personal and health information only for as long as necessary for lawful purposes, including to meet statutory, regulatory, professional, administrative or legal obligations.


41. When personal or health information is no longer required, the College will take reasonable steps to securely destroy, delete, or dispose of the information.

PRIVACY AND SECURITY INCIDENTS

42. The College will respond to privacy and security incidents, including suspected or actual data breaches, in accordance with applicable legal obligations and the College’s relevant policies and procedures, including notification requirements under the Act where applicable.


Cyber security


43. The College maintains appropriate cybersecurity measures to protect personal and health information, including:

a. multi-factor authentication on all College systems and devices;

b. secure document and information management systems;

c. access controls based on roles and responsibilities; and

d. regular monitoring and review of systems for unauthorised access or activity.


44. Staff are provided with training on privacy and information security obligations.


45. Cyber security incidents, including suspected or actual data breaches, will be promptly escalated to the Board Co-Chairs and managed in accordance with the College’s data breach response procedures.


46. In responding to a cyber-security breach, the College will take appropriate steps to:

a. contain and mitigate the source of the breach;

b. assess the nature and extent of the information involved;

c. identify individuals affected by the breach;

d. notify affected individuals and the Office of the Privacy Commissioner where required under the Act; and

e. review and strengthen security measures as appropriate.


47. The College will review its cybersecurity measures and processes at least annually to ensure they remain effective and appropriate.

DESTRUCTION OF RECORDS

48. Historic hard copy records are stored securely in an offsite facility and destroyed using secure disposal methods when no longer required.


49. Since 2025, the College maintains records in digital form where practicable.


50. The College retains financial records for a minimum period of 7 years to comply with the requirements of the Incorporated Societies Act 2022 and relevant tax legislation.


51. In accordance with the Code, professional and legal files containing health information will be kept for a minimum period of 10 years. Since 2022, these files have been maintained in digital form.