Privacy guidance (working document)

Introduction

Veterinary practices collect and hold personal information about clients as a routine part of providing veterinary services. The Privacy Act 2020 (the Act) sets out principles that govern how personal information is collected, held, and shared. Veterinarians have both a legal and professional obligation to manage personal information appropriately.

This guidance is intended to help veterinary practices understand their obligations under the Act, and to provide practical support for meeting those obligations. It is not a substitute for legal advice.

The Code of Professional Conduct requires veterinarians to treat all client information and information related to the provision of veterinary services as private, except where the client has consented to its sharing, where disclosure is authorised under the Act, or where disclosure is required under the Veterinarians Act 2005.

What is personal information in a veterinary context?

Personal information is any information about an identifiable living individual. In a veterinary context, this includes:
• client contact details (name, address, phone number, and email address)
• billing and payment records
• records of communications between the practice and the client
• clinical records relating to an animal owned by the client

The Privacy Commissioner has confirmed that veterinary records about a client's animal constitute personal information about that client, where the animal is owned by an identifiable individual. Note that this may not apply where an animal is owned by a trust or limited liability company.

Note: Animal health data itself (e.g. species, diagnosis, treatment) is not personal information about the animal — animals do not have privacy rights. However, the same data, when connected to an identifiable client, is personal information about that client.

The information privacy principles

The Privacy Act 2020 contains 13 information privacy principles (IPPs) that govern how agencies, including veterinary practices, collect, use, store, correct, and disclose personal information. The following principles are particularly relevant to veterinary practice.

Collecting personal information (IPPs 1–4)

When collecting personal information from clients, practices must:
• collect only information that is necessary for the purpose of providing veterinary services
• collect it directly from the client unless an exception applies (for example, where a referring veterinarian provides information relevant to the patient's care)
• tell clients what information is being collected, why it is collected, who it may be shared with, and that they have rights to access and correct it

In practice, this means your client registration process and privacy notice should clearly explain how you use client information. Many practices include this information in their client registration forms or on their website.

Storage and security (IPP 5)

Practices must take reasonable steps to protect personal information from:
• unauthorised access or disclosure
• loss, alteration, or misuse

This applies to both paper records and electronic systems. Reasonable security measures may include password-protected practice management software, restricted access to client records, and secure disposal of records that are no longer required.

Where practices use third-party cloud-based software to manage clinical records, they remain responsible for ensuring that the provider manages personal information in accordance with the Act. This is especially important where the software provider is based overseas.

Access and correction (IPPs 6–7)

Clients have the right to:
• ask whether the practice holds personal information about them
• access that information, subject to limited grounds for withholding
• request correction of any information they believe is incorrect

The Act requires a response to an access request within 20 working days. Practices should treat this as an outer limit and aim to respond as promptly as possible. Access can be provided through copies of the records, the opportunity to view the records, or a summary of the information if that is acceptable to the client.

The clinical records are the property of the veterinary clinic or business. Clients do not own the clinical records but have rights under the Privacy Act to access and correct personal information that is contained within the records.

When responding to a Privacy Act request, you may ask the client to verify their identity before releasing information. Where a practice incurs reasonable costs to duplicate records (copying or scanning clinical records), those costs can be passed on to the client.

Use and disclosure of personal information (IPPs 10–11)

Personal information collected for one purpose must not be used for another purpose without the client's consent, unless an exception in the Act applies. Personal information must not be disclosed to a third party without the client's consent unless one of the exceptions in IPP 11 applies.

Relevant exceptions for veterinary practice include:
• disclosure that is directly related to the purpose for which the information was collected (for example, sharing clinical records with a specialist to whom the client has been referred)
• disclosure authorised by the client
• disclosure necessary to prevent or lessen a serious threat to public health or safety, or the life or health of an individual
• disclosure required to avoid prejudice to the maintenance of the law (for example, where a recognised and authorised investigator is investigating alleged breaches of the Animal Welfare Act) – usually requested through a production order
• disclosure required by the Vet Council as part of a Complaints Assessment Committee investigation

Note: Sharing client information with a referring or subsequent veterinarian is generally consistent with the purpose for which it was collected and does not require separate consent, provided it is limited to clinically relevant information. However, clients may limit the scope of such sharing, and this should be respected and documented.

Specific situations

Client registrations and privacy notices

At the point of client registration, practices should provide clients with a clear and accessible privacy notice that explains:
• what personal information the practice collects and why
• how the information will be used and who it may be shared with
• how clients can access and correct their information
• how to contact the practice’s privacy officer with questions or complaints

A privacy notice may be provided in written form (for example, on a registration form or as a separate document), on the practice website, or as a combination. It does not need to be lengthy. The key requirement is that clients are clearly informed.

The client registration form should document:
• who is the legal owner of the animal
• whether any other person has authority to act on the owner's behalf, including authority to consent to treatment and procedures
• whether any other persons are authorised to request access to, or consent to the disclosure of, clinical records (for example, where the animal is co-owned)

Veterinary practices can include a section in the terms of service or terms of engagement that they may disclose personal information to law enforcement agencies in situations where there are reasonable grounds to suspect unlawful activity. This disclosure is permitted under the Privacy Act 2020.

Referrals and transfers of care

When a client is referred to another veterinary practice or specialist, relevant clinical information should be shared with the receiving practice as part of the referral process. This is generally consistent with the purpose for which the information was collected and does not require separate consent. However:
• clients may set limits on what information is shared, and these limits should be respected and documented
• financial information should generally not be shared without specific consent from the client
• where a client requests transfer of their records to another practice, copies should be provided as soon as practicable

Use of third-party technology and cloud services

Many practices use third-party software for practice management, communications, and clinical records. Where personal information is processed or stored by a third party on your behalf, you remain responsible for compliance with the Act.

Before using a new software provider, practices should:
• check whether the provider is based in New Zealand or overseas
• review the provider’s data processing terms and privacy policies
• ensure there are contractual protections limiting the provider’s use of your client data
• consider how data would be retrieved if the relationship with the provider ended

AI transcription and digital tools

Practices increasingly use digital tools, including AI-powered transcription services, to support clinical documentation. Separate Vet Council guidance addresses the privacy implications of AI transcription tools in more detail. The key principles are:
• clients should be informed that such tools are being used and given the opportunity to decline
• practices must carefully vet the data handling and storage practices of any AI tool provider
• consent should be documented where AI tools process consultation audio or content

Disclosure to third parties

Requests to disclose client information to third parties, including insurers, government agencies, law enforcement, or other parties, should be considered carefully. In general:
• disclose only with the client’s consent unless an exception under the Act applies
• if in doubt, contact the Privacy Commissioner’s Office (0800 803 909) or the Vet Council for guidance
• ask for the request to be made in writing, naming the client and animal/s
• document the basis for any disclosure made without client consent

Privacy breaches

A privacy breach occurs where personal information is accessed, used, or disclosed in a way that is not authorised or intended. The Act requires agencies to notify the Privacy Commissioner and affected individuals if a privacy breach is likely to cause or has caused serious harm. The Privacy Commissioner has published a self-assessment tool to help businesses determine the seriousness of a breach.

Practices should have a process for identifying and responding to privacy breaches. When a breach is identified, the practice should:
• assess the severity of the breach and the risk of harm to affected individuals
• take steps to contain the breach and prevent further harm
• notify affected clients and the Privacy Commissioner if the breach has caused, or is likely to cause, serious harm
• document the breach and the response

Practices should appoint a privacy officer (often the practice manager) to oversee Privacy Act requests.

Serious harm indicators include physical harm, financial fraud, family violence risk, psychological harm, or exposure of sensitive information to a person who may misuse it.

Retention and disposal of records

Practices should retain client and clinical records for as long as they are required. There is no specific statutory retention period prescribed for veterinary clinical records under New Zealand law, but records should generally be retained for at least seven years from the last consultation to which they relate, or longer if they may be relevant to ongoing care or potential legal proceedings.

When records are no longer required, they must be disposed of securely. Paper records should be shredded or destroyed by a secure disposal service. Electronic records should be permanently deleted in a manner that prevents recovery.

Specialist input required: The appropriate minimum retention period for veterinary clinical records in New Zealand has not been legislatively prescribed. This guidance applies a seven-year period by analogy with ACC and health sector practice, but legal advice should be sought to confirm this approach. This should be flagged for further review before finalisation.

Obligations of employed veterinarians

Veterinarians employed by a practice carry personal professional obligations under the Code of Professional Conduct in addition to those of the practice as an entity. In particular, veterinarians must:
• treat client information as private and confidential
• not access, use, or disclose client information except for legitimate purposes related to the client’s care or as authorised by law
• raise concerns with practice management if they believe client information is being handled in a way that does not comply with the Act or professional standards

Further resources

Veterinarians and practice staff with questions about privacy obligations can contact:
• the Privacy Commissioner’s Office — www.privacy.org.nz | 0800 803 909
• the Veterinary Council of New Zealand — www.vetcouncil.org.nz
• your practice’s legal advisor

The Vet Council has published separate guidance on AI transcription and client privacy, which practices that use AI tools should read alongside this guidance.

Footnotes

1. Privacy Act 2020 (NZ) — www.legislation.govt.nz/act/public/2020/0031
2. Veterinarians Act 2005 (NZ) — www.legislation.govt.nz/act/public/2005/0126
3. VCNZ Code of Professional Conduct, section 2 1
4. VCNZ Code of Professional Conduct, section 5 4 12
5. VCNZ guidance: AI transcription and client privacy (2025)
6. Privacy Commissioner’s Office, www.privacy.org.nz