My Health Account Privacy Notice

Effective 21 July 2022.

At Te Whatu Ora - Health New Zealand, we know how important privacy is to all people in New Zealand. We created this Privacy Notice to make sure you understand how we collect and use your personal information for a My Health Account (‘Account’).

  • Registration for your Account is voluntary.
  • It is designed to make it easy for you to access your health information, and to interact with the New Zealand health system.
  • If you are 12 years or older you can create your own My Health Account. Your parent or legal guardian could also complete it on your behalf with your permission if you are aged 12 to 15 years old.
  • The information and services you can access and share via your Account are limited by the level at which you have verified your identity. 

What information is collected

We collect information you provide to us as part of confirming who you are. The information provided and the identity verification process completed is used to associate a 'Level of identification' with your account. This will enable you to interact with digital health services that match your Level of identification. The higher the account Level of identification, the greater assurance we have about who you are, and more services can be accessed by you.

If you are a consumer of healthcare services, you can add your National Health Index (NHI) number to your account if you wish.

Level of Identification

Level 1

What this level means: This level does not require you to identify yourself other than to provide an email address. There are very few services that will allow you access at this level of identification as you have not yet confirmed who you are.

Attributes that My Health Account stores:

  • Email address
  • Preferred name (if provided)
  • Mobile number (if provided)

Options to achieve level of identification: Signing up to My Health Account will achieve a Level 1 account.

Level 2

What this level means: This level verifies your documented identity attributes or uses your healthcare provider information to verify who you are.

Attributes that My Health Account stores:

  • Email address
  • Preferred name (if provided)
  • Mobile number (if provided)
  • First name
  • Middle name(s) (if you have them)
  • Last name
  • Date of birth

Options to achieve level of identification: There are currently two options to achieve Level 2. One of these must be chosen:

  1. Document Identity check
  2. Healthcare Provider Check

Level 3

What this level means: This level involves checking that it is really you that has created your account, and the right person has been connected to your Account.

Attributes that My Health Account stores:

  • Email address
  • Preferred name (if provided)
  • Mobile number (if provided)
  • First name
  • Middle name(s) (if you have them)
  • Last name
  • Date of birth

Options to achieve level of identification: There are currently two options to reach Level 3:

  1. Use of your RealMe verified account
  2. The combination of the Document Check and the Healthcare Provider Check

Level 2N or 3N

What this level means: This level involves you adding your NHI number to your account which will allow you to access information and services related to your health information.

Attributes that My Health Account stores:

  • Email address
  • Preferred name (if provided)
  • Mobile number (if provided)
  • First name
  • Middle name(s) (if you have them)
  • Last name
  • Date of birth
  • NHI number

Options to achieve level of identification: Your account will be upgraded from Level 2 to 2N or Level 3 to 3N should you decide to add your NHI number to your Account.

Document Check

The document check process verifies the identity document details you provide, such as name, date of birth, document number, and other details (depending on the document).

We will send the information you give us to our document-checking partner, Cloudcheck, to verify that the document matches the details you provide.

Cloudcheck is a New Zealand company that checks records such as passports, driver licenses, birth certificates, and other records with the Department of Internal Affairs, Waka Kotahi NZTA and Australian authorities on our behalf. We do record when and how you verified your identity, and the type of document you used, but do not retain the unique identifiers associated with those forms of ID.

Healthcare provider check

The healthcare provider check process verifies your identity using details held by the general practice you are enrolled with.

If you have not already added your NHI number to your account, we will check the details you give us against the NHI database to link them to a unique NHI number.

We will then check the contact details held about you by the general practice you are currently enrolled with (if you authorise us to do so). We will send a one-time code challenge to the mobile phone number you have provided to your general practice.

If you have that mobile phone, you will be able to obtain and input the one-time code into My Health Account. If this is successful, the Level of identification associated with your account will be updated.

How we use your information for the Account

The Account is used for the following purposes:

  • To respond to your requests and inquiries made through or about your Account.
  • To protect against and identify fraud and other criminal activity. It is important to note that it is an offence under section 212(2)(c) of the Privacy Act 2020 to falsely pretend to be an individual or falsely claim to be acting under their authority to obtain access to that individual’s personal information.
  • To comply with and enforce applicable legal requirements, relevant standards and our policies, including this Privacy Notice.
  • To enable us to prepare reports of statistical information about use of the services (you will not be identified in the reports produced) so that we can monitor and improve the performance of My Health Account and monitor interactions with participating third-party applications and services using My Health Account.

The Account will allow you to interact with and use participating third-party apps and Services, as described below:

  • You will need to review relevant information from those other Services before you sign up to them, and grant permission to share your information with those other Services at the time you first access the Services.
  • We will disclose to those participating apps and Services your documented identity attributes, such as your first name, middle name, preferred name (if one is provided), last name, date of birth, email address, mobile phone number, NHI number, and level of identification associated with your account.
    • Attributes will only be shared with Service Providers as necessary for that service. If the details are not necessary for operation of the application, they will not be supplied.
    • The list of which attributes Service Providers can receive is agreed upon and configured during the application onboarding process. My Health Account will ask you to grant permissions when first accessing the service and those permissions will be displayed to you as part of the Account services.
    • You can also choose, within your My Health Account, to stop sharing your information with an application to which you have previously given permission. The application may retain any information supplied about you while the permission was granted but will not be able to access your Account information in future.
  • Age limits may apply to some services that require My Health Account verification. If your date of birth is not within the permitted age range, you will be refused access to those services.
  • Services currently approved to interact with the My Health Account include:
    • Level 1: The Vaping Retailer Regulatory Platform.
    • Level 2: The End-of-Life Choice Regulatory Platform Access for Assisted Dying Service providers.
    • Level 2N: My Covid Record: the COVID Consumer channel for access to a Consumer’s own COVID-19 vaccination records, your My Vaccine Pass, International Travel Vaccination Certificate, and test results. The results of Rapid Antigen Tests can also be uploaded by you and may be referred to contact tracing processes if you register a positive test. You must be aged 12 or over to use this service.
    • Level 3N: The End-of-Life Choice Regulatory Platform Access for Consumers (restricted to those age 18 and over). Access to this platform will be available at Level 3N for individuals using this service. You must be aged 18 or over to use this service.
    • We will update our My Health Account webpage each time we add new services.

Your email address: To help keep your Account secure, we may email a verification code to use when you log in. This can also be used to help maintain your Account, like when you change your password. The email address must be one that is unique to you and that you have control over, not one that is already linked to another Account. We will use this email address to make contact with you and may email you with updates to the My Health Account Privacy Notice and services, and applications that you can access via My Health Account.

Your mobile number: We can communicate with you via SMS (text message) for ‘One Time Passwords’ (OTPs) rather than email. We will verify your mobile number with you before using it. The mobile phone number details held within My Health Account will be provided to other services that are authorised to use My Health Account. Service Providers may display the stored mobile phone number from My Health Account to enable you to give permission for that number to be used for communications by the Service Provider.

What steps have been taken to protect your privacy?

We take your privacy seriously.

We have discussed the My Health Account with the Office of the Privacy Commissioner and the Government Chief Privacy Officer and are taking their advice as we continue to develop the Service.

A Privacy Impact Assessment (PIA) has been completed. The PIA will be updated to reflect new features and functionality as they become available.

The latest version is available:

Will my information be secure?

Your personal information will be held and managed in accordance with the Privacy Act and Health Information Privacy Code.

Any information you share with Te Whatu Ora - Health New Zealand will not be shared with other Government agencies without your permission. It will not be used for enforcement purposes unless there is evidence of fraudulent use of the account.

Information you choose to share with us will be held securely in compliance with Te Whatu Ora - Health New Zealand’s standards. Security measures are in place to protect your information from unauthorised access.

We use Microsoft Azure Services in Australia to deliver the Service. Use of other third-party Services is detailed in the current Privacy Impact Assessment.

We use Google reCAPTCHA v3 during the account sign-up stage as a security measure to defend My Health Account against bots. reCAPTCHA will collect information such as IP address, hardware and software information, and device and application data. This information will be used only for the purpose of providing, maintaining, and improving reCAPTCHA and for general security purposes.

How long will my information be kept?

The following information will be retained for the duration of the My Health Account: applicant name, date of birth, gender, address, preferred name, email, mobile phone number, and supplied and verified NHI number. These details will be supplied to authorised services connecting to the My Health Account service as identified in the PIA for each of those services (and as approved by the My Health Account service).

You can ask for your account to be closed by calling the Contact Centre on 0800 222 478 or +64 9 307 6155. The account will not be able to be used to validate further activities into the future, and all details other than those required for audit activity will be deleted. The email associated with the account, the level of identification obtained, and the related dates and the NHI number (if added) will be retained.

How do I keep My Health Account secure?

  • Do not share your account with other people.
  • Keep your password safe.
  • We recommend using a screen lock on your device.

If you believe your password may have been compromised, please change it. If you believe your account has been compromised, please call the Contact Centre on 0800 222 478 or +64 9 307 6155 as soon as you can.

How can I view or change my information?

To view any personal information held by us about you, or if you have any concerns or questions about the personal information that we hold and wish to request a correction, please write to:
 
The Privacy Officer
Te Whatu Ora - Health New Zealand
PO Box 5013
Wellington
Email: [email protected]

We may require proof of your identity before being able to provide you with any personal information.

When you contact us for help, your communications, including any information you provide regarding your identity and the matter you’re contacting us about, will be collected.

Giving feedback

Feedback is important and is used to evaluate and improve the Service. If you provide feedback by email, that feedback is sent to the appropriate Te Whatu Ora - Health New Zealand staff. This could include your email address and other identifying information that you have provided.

Statistical information

We may collect statistical information to help us improve the Service and understand how it is being used. In summary, this includes the event type and session, timestamps, and the type of device being used. This information is aggregated and doesn't identify you personally. Full details about the statistical information collected are addressed in our Privacy Impact Assessment.

Your My Health Account details (including NHI, and related attributes of age, address (suburb, town, and postcode and relevant DHB district), ethnicity, gender, New Zealand citizenship / residency status) may be used for statistical reporting on the performance of My Health Account to enable monitoring of performance and improvement of services. This reporting may also include interactions with integrating applications, such as My Covid Record, to identify usage statistics. Your personal information will remain securely contained in our systems and only aggregated information (without your name details, NHI, or contact details) will be used in reports created, to preserve individual privacy for reporting purposes.

The website uses cookies for the purpose of monitoring website usage. A cookie is a piece of code that creates a file on your computer to track the pages that you view on our website. The cookies do not collect personal information. You can disable them or clear them out of your web browser without affecting your ability to use the website.

Cloudcheck also collects statistical information about visitors to its websites such as the number of visitors, pages viewed, types of transactions conducted, time online and documents downloaded. It also collects cookies that you may disable or delete from your computer after they have been created: See more details here.

Who can I contact if I have a privacy concern?

Please contact us by email: [email protected]

If you are not satisfied with the response to any privacy concern, you can contact the Office of the Privacy Commissioner.

Updates to this Privacy Notice

This Privacy Notice may be updated to let you know about changes in how we collect and process your information in the Services or changes in related laws. The date when the document was last updated is shown at the top of this Privacy Notice.

 
