Health Information Privacy
Clutha Health First (CHF, “we”, “us”) is committed to protecting your personal and health information in accordance with the Privacy Act 2020 and the Health Information Privacy Code 2020.
This statement explains how we collect, use, store, and share your information when providing health services. It complements other consent forms and enrolment documentation you may receive.
This statement does not replace more specific Clutha Health First Privacy statements on our consent forms, or other ways that we may communicate with you in your specific circumstances such as enrolment forms and procedural consent forms.
Clutha Health First, via Health New Zealand, recognises the Government’s Data Protection and Use Policy (DPUP) and applies its principles to ensure respectful, trusted, and transparent use of personal and health information.
We may update this privacy statement from time to time. Please check this privacy statement regularly for modifications and updates.
This privacy statement was last updated on 25 May 2026.
The Purpose
We provide Primary Care, Inpatient, Outpatient and Community Health Services. To deliver safe, effective care, we need to collect, use, and share information about people receiving healthcare and, where necessary, those involved in service delivery, compliance, and monitoring activities.
What Personal and Health Information we Collect
We collect:
- Personal details (e.g. name, date of birth, contact details, NHI number)
- Health information (e.g. medical history, symptoms, treatments, test results)
- Administrative and eligibility information
This helps us identify you, provide care, and determine eligibility for publicly funded services.
Why we Collect and use your Information
We use your information to:
- Provide and support appropriate care and treatment
- Coordinate services across healthcare providers
- Monitor quality of care/treatment delivery and compliance activities
- Maintain and improve the services we deliver, including the quality of our services (for example feedback, enquiries, and other communications)
- Support funding, planning, and quality care / treatment delivery
- Inform you about relevant health services (e.g. vaccinations or screening programmes)
- Meet legal, regulatory, and contractual obligations
- Meet objectives and functions set out in Health NZ Pae Ora Healthy Futures Act and CHF Strategic Objectives
Your information may also be used for research, audit, and reporting, but is not published in a way that identifies you unless authorised.
How we Collect Your Information
We aim to collect information directly from you. However, if this is not possible or practical, we may collect it from another person — for example a whānau member or other support person who is with you at hospital. If this happens, we will check the information with you for accuracy as soon as practical.
When collecting your information, we will explain the purpose for collection, how we will handle and protect your information, and the choices you have. We will ensure we provide you with sufficient detail to have a good understanding and, where appropriate, make informed choices regarding the collection and handling of your personal and health information.
In many cases, it will not be mandatory to provide the information. However, if you choose not to, we may not be able to provide the appropriate support you seek or require.
Where necessary, we may receive and collect your health information indirectly (i.e. from another person or organisation), such as:
- Receipt of laboratory, radiology or other results
- Correspondence from after-hours services, hospitals and specialists which can include discharge summaries, specialist letters, laboratory and imaging results.
- Letters and notifications from referral providers reporting back on health or screening programmes for which you have been referred (for example, Green Prescription, smoking cessation, dietitian).
- Information from Health NZ and WellSouth in regard to updated demographic, NHI or eligibility information.
- Contact or correspondence from non-health agencies such as Police, legal representatives, Oranga Tamariki, insurance companies, Ministry of Social Development (Work and Income New Zealand) and the Accident Compensation Corporation
- Receipt of correspondence from employers, regarding, for example, fitness to work
The information we receive about you may include details about your health, treatment, or support needs, your contact or demographic details, or other information relevant to your wellbeing and care. We collect this information to ensure your care is connected, safe and effective, and where it is lawful and necessary to do so under the Privacy Act 2020 and the Health Information Privacy Code 2020.
How we Disclose or Share Your Health Information
In most cases we require your authorisation before we share information that is about you with somebody else. It is normal practice to share relevant information with:
- Your GP and healthcare team
- Health New Zealand services and specialists
- Other healthcare professionals involved in your ongoing care
- Primary Health Organisations (PHOs) and the Ministry of Health
- Programme providers (e.g. screening or chronic care services)
In some circumstances your information may be shared with your whānau (family) support people or with other agencies (for example ACC, the Police, Oranga Tamariki). This may happen:
- If you have authorised this sharing
- If we think it is necessary for your care and treatment
- If your safety or the safety of others, or
- If authorised by law.
We may share your information with the Ministry of Health and other government agencies where required for administrative, legal, funding, research, or public health purposes.
Your information is treated as confidential and protected through appropriate security measures. We may also share it with contracted service providers (e.g. IT systems) and other organisations on a need-to-know basis to support your care and our operations, while remaining responsible for its protection.
If you visit another GP, you may be asked by them to consent to sharing the visit details with your usual provider.
Shared Electronic Records (HealthOne)
We use HealthOne, a secure South Island shared record system, to safely access and share key health information with providers involved in your care.
HealthOne is fully compliant with the Privacy Act 2020 and the Health Information Privacy Code 2020. You can ask the practice for more information, or you can restrict the sharing of your records by contacting HealthOne directly on 0508 837 872 or healthone.privacy@pegasus.org.nz.
Requesting Access to Your Health Information
You have the right to request access to your health information.
Requests are usually processed within 20 working days, depending on the information requested and the urgency. To help us respond promptly, please be as specific as possible – Clutha Health First may contact you for clarification if needed.
For more information: Requesting Health Information Fact Sheet
To request your information, please complete the Clutha Health First Release of Personal Health Information Request Form.
Requests are managed in line with the Privacy Act 2020 and the Health Information Privacy Code 2020, and as such some information may be withheld in certain circumstances, for example where your health or the privacy or safety of another person is at risk. If this is the case, CHF will provide an explanation.
Correcting Your Information
You have the right to request a correction to your information if you think it is wrong.
You can make a request by:
- asking the clinical staff treating you
- emailing feedback@chf.co.nz
If we cannot make the requested changes, CHF will provide an explanation. A statement with a record of your request will be kept with your information.
Storage and Security
We take reasonable steps to protect your information from loss, misuse, modification, disclosure or unauthorised access. Information may be securely stored electronically, and original records may be digitised.
Retention of Health Records
We retain information in accordance with the Public Records Act 2005 and approved retention schedules set out by the Functional Disposal Authorities (DA707) approved by the Chief Archivist.
From time to time, original sources of information may be destroyed once they have been digitised. Source information will only be destroyed when certain conditions are met. The electronic form of the information then becomes the authoritative record.
Audit and Compliance
In the case of financial audits, your health information may be reviewed by an Auditor for checking a financial claim made by the General Practice, but only according to the terms and conditions of section 22G of the Health Act (or any subsequent applicable Act). The Auditor may contact you to check that services have been received. If the audit involves checking on health matters, an appropriately qualified healthcare Practitioner will view the health records.
Artificial Intelligence (AI)
Our facility may use an AI tool to assist in providing healthcare services.
We are committed to protecting your personal information when using artificial intelligence (AI) technologies. All data processed by AI tools will be handled securely and in compliance with data protection regulations. You will be informed about how AI tools are being used and can ask questions or request more information at any time. You can also withdraw your consent at any point by notifying the practice.
When we use AI, it operates in a closed environment, which means your personal information will not leave our technology and cannot be used to design or make commercial AI technology or generative AI (such as large language models).
We may use AI tools to support healthcare delivery (e.g. transcription, documentation, clinical support).
Important notes:
- AI operates in secure environments
- Information is protected and not used to train external systems
- Clinicians review all AI-supported outputs
- AI does not replace clinical decision-making.
Any information generated by AI, which might have an impact on patient records or clinical decision making, is reviewed by the responsible clinician before it becomes part of the clinical record or decision.
CCTV
CCTV cameras are operating in some areas of our hospital, such as the entrances and reception areas, waiting areas and corridors, and external public areas. This is to keep our patients, visitors, and kaimahi safe.
Where we have concerns regarding threats to the safety of people or property, we will engage an appropriate authority (such as the NZ Police) and CCTV footage, if still available, may be released to support the purpose of collection.
Clutha Health First may engage third parties to support the security function and/or deliver threat risk assessments to enable us to meet our objective of keeping people and assets safe. Release of CCTV footage to these third parties may be required to deliver this outcome.
Your Privacy Rights
You have the right to:
- Access and correct your information (Rules 6 & 7)
- Be informed about how your information is used
- Request limits on information sharing (where possible)
Confidentiality
Your health information is treated as confidential and will not be disclosed outside CHF unless:
- You have given consent
- It is required for your care
- It is required by law
Contact
For questions or concerns about how your personal or health information has been managed:
- Email: feedback@chf.co.nz
- You may also contact the Office of the Privacy Commissioner if you are not satisfied with our response.