My Health Account Privacy Notice

Effective 31 March 2022.

At the Ministry of Health (‘Health’), we know how important privacy is to all people in New Zealand. We created this Privacy Notice to make sure you understand how we collect and use your personal information for a My Health Account (‘Account’).

  • Registration for your Account is voluntary.
  • It is designed to make it easy for you to access your health information, and to interact with the New Zealand health system.
  • If you are 12 years or older you can create your own My Health Account. Your parent or legal guardian could also complete it on your behalf with your permission if you are aged 12 to 15 years old.
  • The information Services you can access and share via your Account are limited by the level at which you have verified your identity. 
  • You can read more about this in our Privacy Impact Assessment.

What information is collected

Account confidence level

What do you need to provide?

Mandatory or optional for this level

Level 1: This level does not require you to identify yourself other than to provide an email address. This level gives access to useful information about health services and supports, but not identifiable information.

Your email address is your username, which is also used to communicate with you.

Mandatory

Your mobile phone number

Optional

Level 2: This level verifies your documented identity attributes.

First name

Middle name(s) (if you have them)

Last name

Date of birth

Document number, and other details (depending on the document).

Mandatory: there are currently two options. One of these must be chosen.

Document Check

We will send the information you give us to our document-checking partner, Cloudcheck, to verify that the document matches the details you provide.

Cloudcheck is a New Zealand company that checks records such as passports, driver licences, birth certificates, and other records with the Department of Internal Affairs, Waka Kotahi NZTA and Australian authorities on our behalf. We do not retain the details you submit to us, but we do record when and how you verified your identity, and the type of document you used (but do not retain the unique identifiers associated with those forms of ID).

View the Cloudcheck Privacy Statement.

or

Healthcare provider check

We will check the details you give us against the NHI database to link them to a unique NHI number.

We will then check the contact details held about you by your general practice (if you authorise us to do so). We will send you a one-time code challenge to the mobile phone number you have provided to your general practice.

If you have that mobile phone, you can obtain the one-time code and then input the one-time code successfully into the My Health Account screen. Your account will then be upgraded to Level 2N should you decide to add your NHI number to your My Health Account.

Level 2N: NHI Binding. The NHI number is bound to the matching Level 2 documented identity attributes should you decide to add your NHI number to your My Health Account. This level of account will enable additional booking services.

First name

Preferred name (if different to first name)

Middle name(s) (if you have them)

Last name

Date of birth

Your NHI number if you have it (optional)

Your Level Two documented identity (which must match the above details you have provided for the NHI match)

Mandatory

We will link these details to your National Health Index (NHI) number: this number is a unique person identifier attached to health records.

It will also be linked to your Level Two documented identity.

We will use your NHI number to enable access to other Services, and to link you to your information, so we can provide it to you if you give your consent.

Level 3N: This level involves checking that it is really you that has created your account. This will be in-person verification that you are a real person and the right person. It will bind your documented identity and NHI number to this level so that there can be confidence in your identity. This level will give you access to sensitive health information about yourself.

If you choose to share your RealMe Verified identity with us as part of creating your account, then we will give you a Level 3N account once we have bound your NHI number.

Email address you used to create your account

Mandatory

You’ll only be asked to do an in-person check if a health information service needs you to. You can:
  • take a unique code we give you to your provider. Your provider will confirm that it is really you who has created your account and that it is your NHI number; or
  • if you use your RealMe verified identity, then your identity is automatically confirmed to Level 3. In most cases, we will be able to automatically match your NHI number as well, so you achieve Level 3N.
We will retain confirmation from a trusted third party (or RealMe confirmation) that it was really you who created your Level 3N Account.

How we use your information for the Account

The Account is used for the following purposes:

  • To identify and authenticate you so you may securely use the Account, and related Services to match the Level of Account you have chosen.
  • To respond to your requests and inquiries made through or about the Account.
  • To protect against and identify fraud and other criminal activity. It is important to note that it is an offence under section 212(2)(c) of the Privacy Act 2020 to falsely pretend to be an individual or falsely claim to be acting under their authority to obtain access to that individual’s personal information.
  • To comply with and enforce applicable legal requirements, relevant standards and our policies, including this Privacy Notice.
  • To enable us to prepare reports of statistical information about use of the services (you will not be identified in the reports produced) so that we can monitor and improve the performance of My Health Account and monitor interactions with participating third-party applications and services using My Health Account.

The Account will allow you to interact with and use participating third-party apps and Services, as described below:

  • You will need to review relevant information from those other Services before you sign up to them.
  • We will disclose to those participating apps and Services your documented identity attributes, such as your first name, middle name, preferred name (if one is provided), last name, date of birth, email address, mobile phone number, NHI number, and your account confidence level. Attributes will only be shared with Service Providers as necessary for that service. If the details are not necessary for operation of the application, they will not be supplied. The list of which attributes Service Providers can receive is agreed and configured during the application onboarding process.
  • Age limits may apply to some services that require My Health Account verification. If your date of birth is not within the permitted age range, you will be refused access to those services.
  • Services currently approved to interact with the My Health Account include:
    • Level 1: The Vaping Retailer Regulatory Platform.
    • Level 2: The End-of-Life Choice Regulatory Platform Access for Assisted Dying Service providers.
    • Level 2N: My Covid Record: the COVID Consumer channel for access to a Consumer’s own COVID-19 vaccination records, your My Vaccine Pass, International Travel Vaccination Certificate and test results. The results of Rapid Antigen Tests can also be uploaded by you and may be referred to contact tracing processes if you register a positive test. You must be aged 12 or over to use this service.
    • Level 3N: The End-of-Life Choice Regulatory Platform Access for Consumers (restricted to those age 18 and over). Access to this platform will be available at Level 3N for individuals using this service. You must be aged 18 or over to use this service.
    • We will update this Privacy Statement each time we add new services.

Your email address: To help keep your Account secure, we email ‘One Time Passwords’ (OTPs) to use when you log in. This can also be used to help maintain your Account, like when you change your password. The email address must be one that is unique to you and you have control over, not one that is already linked to another Account.

Your mobile number: We can communicate with you via SMS (text message) for ‘One Time Passwords’ (OTPs) rather than email. We will verify your mobile number with you before using it. The mobile phone number details held within My Health Account will be provided to other services that are authorised to use the My Health Account verification processes. Service Providers may display the stored mobile phone number from My Health Account to enable you to give consent for that number to be used for communications by the Service Provider.

What steps have been taken to protect your privacy?

We take your privacy seriously.

We have discussed the My Health Account with the Office of the Privacy Commissioner and the Government Chief Privacy Officer and are taking their advice as we continue to develop the Service.

A Privacy Impact Assessment (PIA) has been completed. The PIA will be updated to reflect new features and functionality as they become available.

The latest version is available:

Will my information be secure?

Your personal information will be held and managed in accordance with the Privacy Act and Health Information Privacy Code.

Any information you share with the Ministry of Health will not be shared with other Government agencies without your consent. It will not be used for enforcement purposes unless there is evidence of fraudulent use of the account.

Information you choose to share with us will be held securely in compliance with Ministry standards. Security measures are in place to protect your information from unauthorised access.

We use Microsoft Azure Services in Australia to deliver the Service. Use of other third-party Services is detailed in the current Privacy Impact Assessment.

How long will my information be kept?

Contact information, the link to your National Health Index number, your identity confidence level, and your consent information will be stored for the life of your Account.

For the duration of the My Health Account, Applicant name, date of birth, gender, address, preferred name, email, mobile phone number, and supplied and verified NHI number will be retained. These details will be supplied to authorised services connecting to the My Health Account service as identified in the PIA for each of those services (and as approved by the My Health Account service). This information will be kept for five years, after which you will need to verify again.

You can ask for your account to be closed by calling the Contact Centre on 0800 222 478 or +64 9 307 6155. The account will not be able to be used to validate further activities into the future, and all details other than those required for audit activity will be deleted. The email associated with the account, the confidence level obtained, and the related dates and the NHI number (if linked) will be retained.

How do I keep My Health Account secure?

  • Do not share your account with other people.
  • Keep your password safe.
  • We recommend using a screen lock on your device.

If you believe your password may have been compromised, please change it. If you believe your account has been compromised, please call the Contact Centre on 0800 222 478 or +64 9 307 6155 as soon as you can.

How can I view or change my information?

To view any personal information held by the Ministry of Health about you, or if you have any concerns or questions about the personal information that we hold and wish to request a correction, please write to:
 
The Privacy Officer
Ministry of Health
PO Box 5013
Wellington
Email: [email protected]

We may require proof of your identity before being able to provide you with any personal information.

When you contact us for help, your communications, including any information you provide regarding your identity and the Service you’re contacting us about, will be collected.

Giving feedback

Feedback is important and is used to evaluate and improve the Service. If you provide feedback by email, that feedback is sent to the appropriate Ministry of Health staff. This could include your email address and other identifying information that you have provided.

Statistical information

We may collect statistical information to help us improve the Service and understand how it is being used. In summary, this includes the event type and session, timestamps, and the type of device being used. This information is aggregated and doesn't identify you personally. Full details about the statistical information collected are addressed in our Privacy Impact Assessment.

Your My Health Account details (including NHI, and related attributes of age, address (suburb, town, and postcode and relevant DHB district), ethnicity, gender, New Zealand citizenship / residency status) may be used for statistical reporting on the performance of My Health Account to enable monitoring of performance and improvement of services. It may also include interactions with integrating applications, such as My Covid Record, to identify usage statistics. Your personal information will remain securely contained in the Ministry of Health systems and only aggregated information (without your name details, NHI or street address) will be used in reports created, to preserve individual privacy for reporting purposes.

The website uses cookies for the purpose of monitoring website usage. A cookie is a piece of code that creates a file on your computer to track the pages that you view on our website. The cookies do not collect personal information. You can disable them or clear them out of your web browser without affecting your ability to use the website.

Cloudcheck also collects statistical information about visitors to its websites such as the number of visitors, pages viewed, types of transactions conducted, time online and documents downloaded. It also collects cookies that you may disable or delete from your computer after they have been created: See more details here.

Who can I contact if I have a privacy concern?

Please contact us by email: [email protected]

If you are not satisfied with the response to any privacy concern, you can contact the Office of the Privacy Commissioner.

Updates to this Privacy Notice

This Privacy Notice may be updated to let you know about changes in how we collect and process your information in the Services or changes in related laws. The date when the document was last updated is shown at the top of this Privacy Notice.
