Privacy Policy


This document outlines the practice policy related to the Privacy, in line with the Privacy Act 2020, which promotes and protects the privacy of individual personal information and the Health Information Privacy Code, which specifically relates to the management of health information.

Northland Health & Weight Ltd and its related bodies corporate (“we”, “our” and “us”) respects individual privacy and the rights of individuals to control their personal information. We are committed to protecting your personal information. This Privacy Policy sets out our policies and practices regarding the collection, use and disclosure of personal information that you provide to us and which we collect from you. By accessing or otherwise using the website at (the “Website”), contacting us by email or telephone or acquiring our services you agree to the terms and conditions set out in this Privacy Policy and consent to the processing of your personal information in accordance with this Privacy Policy and any other arrangements that apply between us.


Northland Health & Weight Ltdwillcomply with the following rules when collecting, using, storing, or disclosing information about patients’ personal or health or the treatment that they are receiving.


Northland Health & Weight Ltd understand, comply with and implement the requirements of the Privacy Act 2020 and the Health Information Privacy Code 2020, as outlined in this document which state the processes to be followed by our staff in handling personal and health information.

  • Northland Health & Weight Ltd will collect personal and health information in a manner that complies with the Privacy Act and the Health Information Privacy Code.
    • only collect the information for the purpose of treating the patient or for some other legal purpose;
    • collect the information directly from the patient unless they have consented to you collecting the information from someone else or one of the other exceptions to this rule applies; and
    • collect information from children and young people in a fair manner
    • let the patient know why you are collecting the information, who will have access to the information and that the patient is entitled to access and correct the information. You will not need to tell patients this if you have collected the same type of information from them before.
    • collect information in an unidentifiable way if appropriate
  • Northland Health & Weight Ltd complies with the Privacy Act and Health Information Privacy Code requirements when using personal and health information.
    • When we have collected personal information from an individual for one purpose, it cannot used for any other purpose without the individual’s consent.
    • There are some exceptions to this principle. These exceptions include where the information is publicly available, or where you use the information in a way that does not identify the individual. You will find a full list of the exceptions to this principle in the Privacy Act.
    • Before using individuals’ personal information, Northland Health & Weight Ltd will do whatever it can to make sure that the information is accurate and up to date.
  • Northland Health & Weight Ltd complies with the Privacy Act and Health Information Privacy Code when storing and destroying personal and health information.
    • We will ensure that the personal information that our practice holds is stored securely so that it cannot be accessed or used by unauthorised people. We may store your information in cloud or other types of networked or electronic storage.
    • When transferring patients’ health information to someone else, we will do what we can to prevent unauthorised people from accessing or using the information. We will take reasonable technical and organisational precautions to prevent the loss, misuse or unauthorised alteration of your personal information. However, due to the nature of email and the internet, we cannot guarantee the privacy or confidentiality of your personal information.
    • Northland Health & Weight Ltd can keep patients’ health information for as long as we need the information to treat patients and must keep patients’ health information for a minimum of 10 years from the date that treatment was last provided.
    • Northland Health & Weight Ltd will destroy patients’/clients information in a way that ensures the confidentiality of the information.
    • Patients/clients are entitled to ask our practice to confirm whether we hold information about them and to access the information unless we have lawful reasons for withholding the information.
    • Patients/clients are also entitled to ask our practice to correct the information that we hold about them.
    • We will assist patients/clients who ask to access their information.
  • Northland Health & Weight Ltd complies with the Privacy Act and Health Information Privacy Code requirements when disclosing health information.
    We will not disclose a patient’s information without their consent (or the consent of their representative) unless we reasonably believe that it is not possible to get the patient’s consent and:
    • the disclosure is for the purposes of the patient’s treatment (e.g. a referral);
    • the disclosure is to the patient’s caregiver and the patient hasn’t objected to the disclosure;
    • it is necessary to disclose the information to prevent a serious and immediate threat to the patient or another person’s life or health;
    • the disclosure is made for the purposes of a criminal proceeding;
    • the patient is, or is likely to become dependent on a drug and we need to report under the Misuse of Drugs Act or the Medicines Act;
    • the disclosure is to a social worker or the police and concerns suspected child abuse;
    • the disclosure is made by a doctor to the Director of Land Transport Safety and concerns the patient’s ability to drive safely.

    • Our Privacy Officer must be consulted before disclosing a patient’s health information without his/her consent.
  • Northland Health & Weight Ltd complies with the Privacy Act and Health Information Privacy Code when correcting health information.
  • The practice will ensure confidentiality of information.

Privacy officer

The Privacy Officer has overall responsibility for privacy issues in the practice, but all staff are responsible for ensuring they keep up to date with their obligations under this legislation.

Privacy Officer role:

  • Ensure that the practice has a current privacy policy and procedures and that all staff can easily access these documents.
  • Ensure that all staff members have read and understood the policy and procedures, and this has been documented.
  • Ensure that the practice complies with the Privacy Act, both in regard to personal patient information and employee information.
  • Deal with requests made to the practice about personal or employment information.
  • Ensure compliance with the Health Information Privacy Code in relation to patient information.
  • Brief the practice team on changes to legislation and/or practice processes.
  • Use team meetings to discuss privacy complaints received, the part of the procedure that failed and ways to improve the process.
  • Continuous improvement process and education.
  • Induction of new staff on Privacy and HIPC.
  • Source suitable training opportunities.
  • Ensure that any complaints received are dealt with in accordance with legislation. If referred to Privacy Commission work with them to resolve.
  • Provide clear guidelines to staff around who has access to health information and how it is handled.

Privacy Breaches

We note that agencies are now legally required to notify breaches in privacy if the breach poses a risk of serious harm or causes serious harm to an individual or group. There are three reasons why this is important:

  • People cannot protect themselves from the impact of privacy breaches if they do not know a breach has occurred
  • The speed at which data can be transferred and copied means the potential for harm is much greater
  • Sharing the lessons from privacy breaches that have already occurred can help to prevent similar beaches in the future

If a notifiable privacy breach occurs, Northland Health & Weight Ltd will notify the affected people. If the breach poses a risk of serious harm or causes serious harm to an individual or group, the Privacy Commissioner must be notified.

Examples of likelihood of serious harm being caused by a breach include:

  • Physical harm or intimidation 
  • Financial fraud including unauthorised credit card transactions or credit fraud 
  • Family violence
  • Psychological, or emotional harm

When assessing whether a privacy breach is likely to cause serious harm to decide whether the breach is a notifiable privacy breach, Northland Health & Weight Ltd will consider the following:

  • any action taken by the agency to reduce the risk of harm following the breach:
  • whether the personal information is sensitive in nature:
  • the nature of the harm that may be caused to affected individuals:
  • the person or body that has obtained or may obtain personal information as a result of the breach (if known):
  • whether the personal information is protected by a security measure:
  • any other relevant matters.

If Northland Health & Weight Ltd think a data breach has occurred, we will:

  1. Inform the Privacy Officer/management as soon as you are aware of a data breach
  2. Privacy Officer/Management will notify the Privacy Commissioner and potentially affected individuals of the privacy breach, where the breach caused or is likely to cause serious harm
  3. The breach notice made by Privacy office/management must contain:
    1. Your contact details,
    2. Timeline,
    3. Information around the breach itself,
    4. Likely harm
    5. What you have done about notifying affected people, or organisations
    6. Any other relevant information


All staff members have understood and signed a confidentiality agreement as part of their employment agreement or contract of service. The obligations under this clause extend after the agreement or contract has ended.

Destruction of Confidential material

All confidential material is either shredded on site or placed in secure destruction bin.

IT Security

Each staff member should have their own unique login name and it is protected by at least 8 characters passwords mixed of letters and numbers. Two factor identification is required.

Patient Management Software

Northland Health & Weight Ltd uses Elixir Software Ltd and is hosted in a secured offsite sever by the company. This is a secured cloud-based patient management software system.

Staff access to Elixir is through secured PMS login.

Staff login is password protected with two factor identification.

Health information privacy rules


  1. The purpose of collection of health information
  2. Source of health information
  3. Collection of health information from an individual
  4. Manner of collection of health information
  5. Storage and security of health information
  6. Access to personal health information
  7. Correction of health information
  8. Accuracy of health information to be checked before use
  9. Retention of health information
  10. Limits on use of health information
  11. Limits on disclosure of health information
  12. Disclosure of health Information outside New Zealand
  13. Unique identifiers

Policy review date: Jan 2027