My Health Account Privacy Notice

Effective 10 November 2021

At the Ministry of Health (‘Health’), we know how important privacy is to New Zealanders. We created this Privacy Notice to make sure you understand how we collect and use your personal information for a My Health Account (‘Account’).

  • Registration for your Account is voluntary.
  • It is designed to make it easy for you to access your health information, and to interact with the New Zealand health system.
  • If you are 12 years or older you can create your own My Health Account. Your parent or legal guardian could also complete on your behalf with your permission if you are aged 12 to 15 years old.
  • The information Services you can access and share via your Account is limited by the level at which you have verified your identity. 
  • You can read more about the Account in our Privacy Impact Assessment.

What information is collected

Account confidence level

What do you need to provide?

Mandatory or optional for this level

Level 1: This Level does not require you to identify yourself other than to provide an email address. This Level gives access to useful information about health services and supports, but not identifiable information

Your email address is your username which is also used to communicate with you.

Mandatory

Your mobile phone number

Optional

Level 2 – This Level verifies your documented identity attributes.

 

First name

Middle name(s) (if you have them)

Surname

Date of birth

Document number, and other details (depending on the document).

Mandatory

We will send the information you give us to our document checking partner, Cloudcheck for verification the document matches the details you provide.

Cloudcheck is a New Zealand company who check records such as passports, drivers’ licenses, birth certificates and other records with the Department of Internal Affairs, Waka Kotahi NZTA and Australian authorities on our behalf. We do not retain the details you submit to us but we do record when and how you verified, and the type of document you used (but do not retain the unique identifiers associated with those forms of ID).

View the Cloudcheck Privacy Statement.

Level 2-N: NHI Binding. The NHI is bound to the matching Level 2 documented identity attributes. This level of account will enable additional booking services

First name

Preferred name (if different to first name)

Middle name(s) (if you have them)

Surname

Date of birth

Your NHI number if you have it (optional)

Your Level Two documented identity (which must match the above details you have provided for the NHI match)

Mandatory

We will link these details to your National Health Index number (NHI): This number is a unique person identifier attached to health records.

It will also be linked to your Level Two documented identity

We will use your NHI to enable access to other Services, and to link you to your information, so we can provide it to you if you give your consent.

Level 3 –N:  This Level involves checking that it is really you that has created your account. This will be in person verification you are a real person and the right person. It will bind your documented identity and NHI to this Level so that there can be confidence in your identity. This level will give you access to sensitive health information about yourself.

If you choose to share your RealMe Verified identity with us as part of creating your account, then we will give you a level 3N account once we have bound your NHI number.

Email address you used to create your account Mandatory
You’ll only be asked to do complete an in-person check if a health information service needs you to. You can:
  • Take a unique code we give you to your provider. Your provider will confirm that it is really you that created your account and it is your NHI; or
  • If you use your RealMe verified identity, then your identity is automatically confirmed to level 3. In most cases we be able to automatically match your NHI number as well so you achieve Level 3N.
We will retain confirmation from a trusted third party (or RealMe confirmation) that it was really you who created your Level 3N Account.

How we use your information for the Account

The Account is used for the following purposes:

  • To identify and authenticate you so you may securely use the Account, and related Services to match the Level of Account you have chosen;
  • To allow you to interact with and use participating Health and third-party apps and Services. We will disclose to those participants your documented identity attributes such as the name and date of birth you have verified via Cloudcheck and your account confidence level. Services currently approved to interact with the My Health Account include:
    • The COVID Consumer channel for access to a Consumer’s own COVID-19 vaccination records and test results (My Covid Record).
  • To respond to your requests and inquiries made through or about the Account;
  • To protect against and identify fraud and other criminal activity. It is important to note that it is an offence under section 212(2)(c) of the Privacy Act 2020 to falsely pretend to be an individual or falsely claim to be acting under their authority to obtain access to that individual’s personal information;
  • To comply with and enforce applicable legal requirements, relevant standards and our policies, including this Privacy Notice.
  • To enable us to prepare reports of statistical information about use of the services (you will not be identified in the reports produced) so that we can monitor and improve the performance of My Health Account and monitor interactions with participating third-party applications and services using My Health Account.
  • The Account will allow you to interact with and use participating third-party apps and Services.
  • You will need to review relevant information from those other Services before your sign up to them.
  • We will disclose to those participating apps and Services your documented identity attributes such as the name and date of birth you have verified via Cloudcheck and your account confidence level.
  • Age limits may apply to some services that require My Health Account verification. If your date of birth is not within the permitted age range you will be refused access to those services.
  • Services currently approved to interact with the My Health Account include:
    • Level 1: The Vaping Retailer Regulatory Platform.
    • Level 2N: My Covid Record: the COVID Consumer channel for access to a Consumer’s own COVID-19 vaccination records and test results and to enable creation of vaccination certificates. You must be aged 12 or over to use this service.
    • Level 3N: The End-of-Life Choice Regulatory Platform Access for Consumers (restricted to those age 18 and over). Provider access to this platform will be available at Level 3 for service providers, and 3N for individuals using this service. You must be aged 18 or over to use this service.
    • We will update this Privacy Statement each time we add new services.

Your email address: To help keep your Account secure we email ‘One Time Passwords’ (OTPs) to use when you login. This can also be used to help maintain your Account, like when you change your password. The email address must be one that is unique to you and you have control over, not one that is already linked to another Account.

Your mobile number: We can communicate with you via SMS (text message) for ‘One Time Passwords’ (OTPs) rather than email. We will verify your mobile number with you before using it.

What steps have been taken to protect your privacy?

We take your privacy seriously.

We have discussed the Account with the Office of the Privacy Commissioner and the Government Chief Privacy Officer and are taking their advice as we continue to develop the Service.

A Privacy Impact Assessment (PIA) has been completed. The PIA will be updated to reflect new features and functionality as they become available.

The latest version is available:

Will my information be secure?

Your personal information will be held and managed in accordance with the Privacy Act and Health Information Privacy Code.

Any information you share with the Ministry of Health will not be shared with other Government agencies without your consent. It will not be used for enforcement purposes unless there is evidence of fraudulent use of the account.

Information you choose to share with us will be held securely in compliance with Ministry standards. Security measures are in place to protect your information from unauthorised access.

In order to deliver the Service we use Microsoft Azure Services located in Australia. Use of other third-party Services is detailed in the current Privacy Impact Assessment.

How long will my information be kept for? 

Contact information, the link to your National Health Index number, your identity confidence level, and your consent information will be stored for the life of your Account.

Identity document checking information that is used for NHI matching will be kept until you have completed the verification of your Account (to Level 3N). It will then be deleted. We will keep information on when and how you verified and the type of document you used. This information will be kept for 5 years after which you will need to verify again.

You can request for your account to be deleted by calling the Contact Centre 0800 222 478 or +64 6 927 6900.

How do I secure My Health account?

  • Do not share your account with other people.
  • Keep your password safe.
  • Use of screen lock on a device is recommended.

If you believe your password may have been compromised, please change it. If you believe your account has been compromised, please call the Contact Centre on 0800 222 478 or +64 6 927 6900 or email [email protected] as soon as you can.

How can I view or change my information?

To view any personal information held by the Ministry of Health about you, or if you have any concerns or questions about the personal information that we hold and wish to request a correction, please write to:
 
The Privacy Officer
Ministry of Health
PO Box 5013
Wellington
Email: [email protected] 

We may require proof of your identity before being able to provide you with any personal information.

When you contact us to provide assistance your communications, including any information you provide regarding your identity and the Service you’re contacting us about, will be collected.

How can I give feedback?
Phone: 0800 222 478 during standard office hours Monday to Friday
Email: [email protected]

Feedback is important and is used to evaluate and improve the Service. If you provide feedback by email, that feedback is sent to the appropriate Ministry of Health staff. This could include your email address and other identifying information that you have provided.

Statistical information

We may collect statistical information to help us improve the Service and understand how it is being used. In summary, this includes the event type and session, timestamps, and the type of device being used. This information is aggregated and doesn't identify you personally. Full details about the statistical information collected is addressed in the PIA.

Your My Health Account details (including NHI, and related attributes of age, address (suburb, town and postcode and relevant DHB district), ethnicity, gender, New Zealand citizenship / residency status may be used for statistical reporting on the performance of My Health Account to enable monitoring of performance and improvement of services. It may also include interactions with integrating applications such as My COVID Record to identify usage statistics. Your personal information will remain securely contained in the Ministry of Health systems and only aggregated information (without your name details, NHI or street address) will be used in reports created, to preserve individual privacy for reporting purposes.

The website uses cookies for the purpose of monitoring website usage. A cookie is a piece of code that creates a file on your computer to track the pages that you view on our website. The cookies do not collect personal information. You can disable them or clear them out of your web browser without affecting your ability to use the website.

Cloudcheck also collects statistical information about visitors to its websites such as the number of visitors, pages viewed, types of transactions conducted, time online and documents downloaded. It also collects cookies that you may disable or deleted from your computer after they have been created: See more details here.

Who can I contact if I have a privacy concern?

Please contact us by email: [email protected]

If you are not satisfied with the response to any privacy concern you can contact the Office of the Privacy Commissioner.

Updates to this Privacy Notice

This Privacy Notice may be updated to let you know about changes in how we collect and process your information in the Services or changes in related laws. The date when the document was last updated is shown at the top of this Privacy Notice.

Back to top